The eyes have it: How to prevent visual hacking in financial institutions
High-powered miniature cameras were once the stuff of spy movies. Today, they’re popular features on devices that millions of people bring into banks and offices every day.
Smartphone cameras now offer anywhere from 12- to 23-megapixel resolution for detailed picture taking. Many smartphones can also record 4K-quality video and have powerful zoom features. Meanwhile, smartwatches often either include a camera in the device itself or can remotely operate a smartphone camera.
These technologies can be a joy for consumers, but they can be a nightmare for privacy and security professionals. As banks further fortify their cyber defenses against remote hackers, these powerful but discreet cameras can provide a conduit for a new kind of attack: visual hacking.
Setting Sights on Sensitive Data
Visual hacking is the viewing or capturing of private, confidential or sensitive information for unauthorized use. It can take place in a bank lobby, back office, headquarters or any public place where an employee might view sensitive information.
A visual hack could involve someone posing as a customer and taking a picture of account information displayed on a computer screen. Or it could be an overnight cleaning person recording video of documents left on a printer tray. In reality, it can be any individual seeing and remembering sensitive customer information or network login details left in open view on a screen, on a desk or in a printer or fax tray. If it can be seen it can be stolen.
The 2016 Global Visual Hacking Experiment [1], found that visual hacking is a woefully under-addressed global threat. The combined 2015 and 2016 studies included 157 trials in 46 participating companies across China, France, Germany, India, Japan, South Korea, the United Kingdom and the United States. In each trial, a white hat visual hacker assumed the role of a temporary office worker and was assigned a security badge worn in visible sight. The white hat hacker then entered each facility and performed three overt tasks: view and log sensitive information visible on a computer screen, desk or printer; grab a stack of business documents labeled as “confidential” off a desk and put them in a briefcase; and take a picture of sensitive information displayed on a computer screen with their smartphone.
On average, the visual hacker was successful in accessing sensitive corporate information in 91 percent of global trials with 52 percent of the visual hacks occurring via an unprotected employee computer screen. Globally, 27 percent of data breaches involved sensitive information, such as login credentials, attorney-client privileged documents, and financial information, and happened in less than 15 minutes in nearly half of all attempts.
The ease with which a visual hack can be carried out should be alarming to financial institutions, especially given the consolidation of confidential customer information that is currently taking place.
A New Era of Data Access
Financial institutions are constantly discovering new ways to use and access data within the enterprise to protect both customers and the company, to better serve customers and discover new sources of revenue. In this new era, bankers have greater access to customer data than ever before. Growing pressure from regulators regarding anti-money laundering (AML) are driving financial companies to remove traditional “product” specific data silos – creating a single pool of data that provides a more holistic view of each customer. This practice, often originating in support of “Know Your Customer (KYC)” requirements, creates data-rich environments used to monitor the overall activity of individual customers and track for unusual changes in their banking activities that could link to money laundering or fraud. However, as this data lake widens, critical privacy issues arise.
The banking employees trained to monitor customer behavior now have access to these data-rich environments that hold sensitive customer data. This makes administrative oversight problematic and visual privacy becomes increasingly difficult to control. Financial organizations must be aware of each employee’s access level to sensitive customer data and take proper steps to secure it.
Employee access to big data now requires that a third security pillar is added beyond digital and physical security. Administrative measures address security in new ways through human behavior and workspace considerations.
Administrative Security
Administrative security begins with understanding the risks inherent in the new data-rich environments. Identify areas and opportunities where company workers or other individuals can see sensitive customer information that they shouldn’t. These could include workstations, ATMs and mobile devices used to access sensitive information in the office or in public places.
From there, implement a visual privacy policy that outlines the procedures and best practices for employees.
Key procedural changes could include only printing sensitive information in "locked print" mode, keeping sensitive information out of plain view, and logging out of computers when stepping away from workstations.
Employee behaviors can be difficult to change. That’s why it’s important that training refreshers be provided at least once per year. Audits can also help test employee compliance, while rewards and recognition can help ensure that policies and training are well-received.
Privacy filters are also important. They obstruct the angled view of onlookers or “shoulder surfers,” and should be considered for use on workstation and teller screens that are exposed to windows or customers. They should also be used on laptops or mobile devices that can access sensitive data outside the organization’s walls.
Finally, privacy and security should be ongoing, collaborative efforts. The privacy, corporate security, information security and risk management teams should make a concerted effort to cooperate. Privacy and security threats will only continue to evolve – it’s important that everyone responsible for stopping them work together as a cohesive unit and toward the same goals.
About the Author:
Dan Burks is an operations risk management consultant with over 30 years of experience. He has developed and sustained risk oversight for major financial institutions in privacy, data protection, information security, incident response management, enterprise assessments and third-party risk management. Burks has successfully led teams to design and integrate oversight of process and risk indicators into an enterprise governance, risk and compliance framework.
Burks most recently served as Senior Vice President and Enterprise Privacy Officer with U.S. Bank where he championed customer-focused solutions across the company in compliance with multi-country regulatory requirements and industry control frameworks. He also acts as a privacy consultant for 3M and receives compensation from 3M in connection with his participation as a consultant.
Notes:
[1] Average based on global trials conducted by Ponemon Institute during the “Visual Hacking Experiment,” 2015, and the “Global Visual Hacking Experiment,” 2016, both sponsored by 3M