Personal data isn’t just about your name, phone number, credit cards and social security numbers. It’s also about your online habits, like where you are physically when you are online, what you do when you are online, and how you do certain things. All of that is recorded, filed and analyzed by various companies, including your employers. It can identify who you are and are as much a part of your digital identity as your user name and password. In fact, that data might be more accurate than your password.
That may seem creepy but collecting that kind of data protects you from fraud.
Often the companies collecting that data also analyze it – to make sure you are you and not someone using your user name and password. One might think this is widely practised in the financial industry. That is wrong.
Robinhood gets robbed
Remember Robinhood? No not the guy in green tights. The online company presented itself as a democratized brokerage where low-income people could participate in the stock market. They leapt onto the news first as investors used it to drive up the stock prices of failing companies its like GameStop. They made the headlines again in November when they announced that cybercriminals had stolen a third of their users’ account information putting their portfolios in danger. No one lost any money because the company shut down the hack before it was really damaging.
The industry niche for this tech is Identity Management (IDM) and it is primarily software. At the very base of the niche is two-factor authorization (2FA), which has proven eminently hackable. Back in 2011, only government contractors like Lockheed-Martin used 2FA. Hackers stole the master key from RSA in a well-known data breach. To this day no one knows if sensitive data was stolen.
On the other end of the spectrum are dynamic collection processes already mentioned. One technology implemented widely is Callsign, used by many major financial institutions.
WFH makes it worse
The work-from-home paradigms are a driving force behind the adoption of this technology, according to Bill Sytsma, senior vice president for Callsign.
“Whether it’s brokerage accounts, banking, crypto wallets how do you protect the customers from data breaches or social engineering (phishing)? If I log in from a different location than I normally do, or use a different device, or my online behaviours are not normal, that should cause some type of red flag to go up.”
And that’s really the issue. Customers take little responsibility and freely give up their data for the convenience of online activity. Five years ago more than 70 per cent of online users said the companies they do business with have more responsibility to protect data than the user. Last year, more than 90 per cent of users believed that.
This is a marketing crisis, especially for financial services. A study by Opinium showed 45% of consumers don’t trust banks, retailers, mobile network operators and delivery companies to keep their data safe. Consumers want them to do more to stop scammers using their platforms.
Not surprisingly, the marketing and customer service organizations are driving the adoption of identity management systems, bypassing IT. Last year, Cyber Protection Magazine reported on the disaster that was the California state COVID relief program. The IT departments of some financial institutions are unaware that they were customers of the security technologies required to use. They refused to allow customers to connect to the state until bank management told them they could.
Even with the most cutting edge IDM technology, customers are not totally protected. Customers still give up the patterns companies like Callsign are monitoring. “The fraudsters out there are very creative,” Sytsma stated. “They’re always creating new tools. You can rent bots and call centers.”
Whether a criminal can bypass the system also depends on the level of integration in the system, Sytsma explained. Callsign might be partially integrated with a competing system or the customer organization may not have purchased the right module. The only way a user can know is to find out what their bank is doing to secure their information.
Robinhood, Sytsma confirmed, is not a Callsign customer. It isn’t really forthcoming that they use any sophisticated cybertech to protect the accounts. In fact, they make it clear they sell and share user data to a vague group they call affiliates. That means customers have to be extra vigilant.
And that’s the problem. You may think it’s your banks responsibility. If you do, you may be a target.
Lou Covey is the Chief Editor for Cyber Protection Magazine. In 50 years as a journalist he covered American politics, education, religious history, women’s fashion, music, marketing technology, renewable energy, semiconductors, avionics. He is currently focused on cybersecurity and artificial intelligence. He published a book on renewable energy policy in 2020 and is writing a second one on technology aptitude. He hosts the Crucial Tech podcast.