The Del Rio Incident
Back in Texas, Happy State Bank was fighting on another front: internal fraud detection. In 2002, regulators required third-party assessments of a bank's internal security measures, so James scanned the horizon for options. He found that an auditor would charge $9,000 to conduct a basic assessment of the bank's single Internet server, while inexpensive Linux software could reveal the number of open ports. Both would satisfy regulators, but James wanted more. "This is my career on the line," he notes.
The IT executive chose "a more invasive" testing product from Core Security Technologies, at a cost of $3,000 for a year's worth of testing. The product identifies problems through massive simulated attacks, assigns a level of risk to each vulnerability and provides remediation advice. "We try to take a proactive approach to security rather than a reactive one," says James. "After the horse is out of the barn, there's not a whole lot you can do."
So far nary a horse has gotten loose; that is, Happy State Bank claims it hasn't had a single incident of identity theft yet. That's impressive considering that the bank doesn't use an outsourcer to serve up its Web banking capabilities. Most midmarket banks rely on third parties that can bring greater resources and skills to bear. But as part of its lone-star tradition, Happy State Bank keeps practically everything in-house.
Outsourcers are usually a better bet for midmarket banks, contends Gartner Inc. analyst Avivah Litan. When a suspicious transaction comes over the wires, an outsourcer can assign one of its fraud analysts to weed out fraudulent transactions. "A small bank really doesn't have a fraud analyst," Litan says, adding, "If they come under attack and their outsourcer isn't dealing with it, then the bank is at a severe disadvantage because they don't have the resources to deal with it."
James disagrees. With an outsourcer, he says, "you're putting your reputation in someone else's hands. It would take me a year to prove it, but I think outsourcing is more expensive if you take into account customer service loss and reputation risk."
In fact, James was glad he wasn't beholden to an outsourcer earlier this year. A confused customer and his wife called the bank, wondering why they'd received a letter providing a logon and password for the Web banking service even though they'd never signed up. "They were one of our older customers, real technophobes who were freaking out about it," recalls network security pro Hall.
James believes an outsourcer serving many midmarket banks wouldn't have given this incident a second thought. But Hall cared enough to spend a few hours checking logs and dates. The address listed on the online enrollment form wasn't the same as that on the original account, which surprised the heck out of Hall. After a few telephone calls, Hall tracked the address to a library in Del Rio.
Hall relayed the news to the customers on the account, and they immediately saw the connection. Their daughter had just moved to Del Rio, where she was apparently up to no good. "We assumed the daughter was trying to transfer money from their account" via the Web banking service, Hall says. It was a family affair, so the bank ended its investigation without filing charges. The man and wife remain loyal Happy State Bank customers.