Posts Tagged ‘B.O.I.’

Bank of Ireland stolen USB key

Friday, November 7th, 2008


Subscribers and regular readers will recall the Bank of Ireland stolen laptops story. Whatever preventative measures were put in place at the time appear to have had limited effect on protecting USB keys. The use of USB keys is in itself questionable practice outside of circumstances in which the data is encrypted and the key holds a convenience copy only, never the sole or critical copy.

Even small enterprises are moving away from the use of micro devices for unencrypted data. The affordability and convenience offered by USB keys did for a time make them a data storage solution for individuals. The extent and obviousness of the risks coupled with the scale of reported incidents have removed USB key usage from the allowed list of many responsible companies.

This particular incident relates to account numbers, names and addresses (not full addresses, but if the wrong people have a name and a partial address they can surely work out the rest in many cases) for just under 900 clients. Financial information was not breached, but this will offer little comfort to the victims (customers) of this breach.

The bank has said it has no reason to believe the information has fallen into the wrong hands. Given that the device is lost, it could fall into anyone’s hands. Additionally, given that USB keys have a physical value (however nominal), it is likely that the device will not be ignored when spotted.

Given the absence of adamant and repeated claims that the data was encrypted, it would appear possible that it was not. We do not know for sure yet. If it was not encrypted, this will not instill great general confidence, given previous incidents and the opportunities there have been to resolve the basic but essential tenet of encrypting confidential client and third party information. If it was encrypted, there is little to worry about from the viewpoint of data privacy and the focus can move to asset protection.

So, the question remaining is: was the data encrypted? If so, Bank of Ireland should speak up, as they have protected their clients from inevitable circumstances; device loss or theft will take place even when security and individual responsibility are managed well.

If the data was not encrypted, B.O.I. have much explaining to do this time round.

Update on payment card terminal fraud.

Sunday, August 24th, 2008

As reported earlier, a major payment card fraud took place in Ireland whereby persons entered premises where card payments were accepted under the pretence of representing payment service providers.

See http://backupanytime.com/blog/?p=134

At the time the focus was on Bank of Ireland as that bank had taken action by reducing spend limits on cards and indeed disabling ATM withdrawal on a cross section of cards. Since then the assumption that the same incidents must have affected clients of other banks has proven correct.

This writer (an Allied Irish Banks client) was contacted by AIB who told him his card was compromised. There were no unauthorised purchases or withdrawals made with the card, but the details of the card had obviously got into the wrong hands as a consequence of the weekend sting.

The card was duly cancelled and a new one (takes five working days) is on the way.

So, it would appear Bank of Ireland are due some praise this time round for taking public action and making announcements earlier, and more visibly, than the other affected banks.

It should be made clear, however, that every bank affected suffered similar difficulties because of weaknesses in security (more specifically data protection) on the shop floors of card-accepting businesses. The major problem is the lack of training at shop manager and cashier level with regard to protection against social engineering.

Bank of Ireland stolen laptops. Report update.

Saturday, August 23rd, 2008

Bank of Ireland (B.O.I.) have decided they will refrain from making public the details of the report into last year’s laptop theft. The report, received yesterday, is accepted without dispute and will be acted on.

The investigation by the Data Protection Commissioner took four months and focused on the theft of four laptops from Bank of Ireland’s life assurance division.

You may already know from reports here and elsewhere at the time this breach became public that the laptops contained details specific to life assurance, including medical and credit history along with life assurance quotations. This breach involved some 10,000 people.

The bank has claimed that encryption is now used on company laptops. There was shock at the time that an organisation of the size and resource level of Bank of Ireland was not using encryption for such sensitive data on laptops.

There are no reports of the information having been used for fraud. While it is possible that the laptops were stolen just for their hardware value, this offers no protection for those affected. While the bank announced a level of client contact based on exposure, there is little detail given as to what exact steps can be and have been taken to protect all those affected. The real problem here is that while account numbers can be changed, accurate personal information such as health records cannot be amended, as it relates to specific facts.


Bank payment systems victim of elaborate social engineering scam.

Monday, August 18th, 2008


We have heard of card details being recorded by fraudulent staff at high street level. We are all aware of the risks of using a credit card online. Indeed, we know how important it is to be vigilant when using an ATM. How about the risk of someone just walking into a high street store and obtaining a list of card details with accompanying security requirements? That is exactly what has happened, and it was uncovered over the weekend.

The criminals involved simply entered business premises where card payments were taken and, under the guise of being authorised technicians for banks or payment service companies, got access to equipment and fitted reader devices.

This type of scam may appear to be high risk for the perpetrators, but the rewards are rich.

The IPSO (Irish Payment Services Organisation) has stated that those defrauded will be refunded by their bank. Bank of Ireland has reduced the daily withdrawal limit on some cards (thousands of cards) with respect to some as yet unspecified countries. These limits may stay in place until the card owners are issued with new cards. There are also reports of a client-wide reduction of the daily withdrawal limit to Euro 250 for the immediate future.

If you are a B.O.I. (Bank of Ireland) customer and you are leaving the country and will depend on your credit card or debit card while away, you should contact card services immediately.

The big distinction of this case over other credit and debit card security stories is that here, even if all authorised parties to the transaction (buyer, store and bank) conduct their business correctly, the risk still exists. A degree of responsibility does, however, lie with the banks, given that their agents were compromised, and it is more than likely that current and future retailers will have to undergo further training regarding in-store card payment system security.

One possible solution (although every solution is really one further step up the security ladder, which criminals also climb) would be the introduction of chip and pin and Sim, whereby whenever you make a purchase with your card, an SMS requesting authorisation (even by a further code) would be sent to your mobile phone. This would require criminals to compromise phones on a per-card basis, making targeting far more difficult and rendering random card details useless on their own. All of the component parts of the technology already exist, and indeed some online retailers use Sim verification already.
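The following is an added illustration of the out-of-band confirmation idea described above; it is not code from this blog and not any bank's or IPSO's actual system. It assumes a hypothetical issuer-side component (the class and field names are invented for this example), replaces the SMS gateway with an in-memory list, and uses a constructed card number and phone number. The point it makes is the one the paragraph makes: skimmed card details alone cannot complete a purchase, because the confirmation code is tied to the specific transaction, delivered to the registered phone, short-lived and single-use.

```python
import hashlib
import hmac
import secrets
import time

# Constructed simulation of issuer-side out-of-band (SMS) transaction confirmation.
# Class and field names are assumptions for this example, not any bank's real API.

CODE_TTL_SECONDS = 120   # how long a confirmation code stays valid
CODE_DIGITS = 6          # length of the code sent to the cardholder
MAX_ATTEMPTS = 3         # wrong codes tolerated before the transaction is locked


def _bind(txn):
    """Canonical bytes for the details the cardholder is asked to confirm."""
    return f"{txn['txn_id']}|{txn['card']}|{txn['merchant']}|{txn['amount_cents']}".encode()


def _derive_code(key, txn):
    """Code = truncated HMAC over the transaction, keyed with a per-transaction secret.
    Changing the merchant or amount after the SMS was sent changes the expected code."""
    digest = hmac.new(key, _bind(txn), hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class OutOfBandConfirmer:
    """Issuer side: generates a code bound to one transaction, sends it over a
    second channel, and approves only a matching, unexpired, single-use confirmation."""

    def __init__(self, phone_by_card, clock=time.time):
        self.phone_by_card = phone_by_card   # enrolled card number -> registered mobile
        self.pending = {}                    # txn_id -> {key, issued, attempts}
        self.sent_sms = []                   # (phone, text) pairs; stands in for an SMS gateway
        self.clock = clock

    def start(self, txn):
        """Merchant presents a transaction; issuer sends the confirmation SMS."""
        phone = self.phone_by_card.get(txn["card"])
        if phone is None:
            return False                     # card not enrolled; fall back to existing rules
        key = secrets.token_bytes(32)        # secret stays at the issuer, never in the SMS
        self.pending[txn["txn_id"]] = {"key": key, "issued": self.clock(), "attempts": 0}
        text = (f"Confirm EUR {txn['amount_cents'] / 100:.2f} at {txn['merchant']} "
                f"with code {_derive_code(key, txn)}")
        self.sent_sms.append((phone, text))
        return True

    def confirm(self, txn, code):
        """Verify the code against the transaction exactly as presented for settlement."""
        rec = self.pending.get(txn["txn_id"])
        if rec is None:
            return "unknown"                 # never started, already used, or locked
        if self.clock() - rec["issued"] > CODE_TTL_SECONDS:
            del self.pending[txn["txn_id"]]
            return "expired"
        rec["attempts"] += 1
        if hmac.compare_digest(_derive_code(rec["key"], txn), code):
            del self.pending[txn["txn_id"]]  # single use: a captured code cannot be replayed
            return "approved"
        if rec["attempts"] >= MAX_ATTEMPTS:
            del self.pending[txn["txn_id"]]
            return "locked"
        return "rejected"


def demo():
    """Walk through the cases a defender cares about; returns outcomes by name."""
    clock = [1_000.0]                        # controllable clock so expiry is testable
    issuer = OutOfBandConfirmer({"4111111111111111": "+353-87-000-0000"},  # constructed
                                clock=lambda: clock[0])
    results = {}

    # 1. Genuine purchase: cardholder reads the code from the SMS and confirms.
    txn = {"txn_id": "T1", "card": "4111111111111111", "merchant": "Grocer", "amount_cents": 4999}
    results["started"] = issuer.start(txn)
    code = issuer.sent_sms[-1][1].rsplit(" ", 1)[1]
    results["genuine"] = issuer.confirm(txn, code)
    results["replay"] = issuer.confirm(txn, code)          # code already consumed

    # 2. Skimmed card data used elsewhere: card details alone produce no valid code.
    #    (The demo peeks at the SMS only to construct a guaranteed-wrong code.)
    txn2 = {"txn_id": "T2", "card": "4111111111111111", "merchant": "Electronics", "amount_cents": 89900}
    issuer.start(txn2)
    real = issuer.sent_sms[-1][1].rsplit(" ", 1)[1]
    wrong = real[:-1] + str((int(real[-1]) + 1) % 10)
    results["wrong_code"] = issuer.confirm(txn2, wrong)
    # 3. Tampering: right code, but the amount was changed after the SMS went out.
    results["tampered"] = issuer.confirm({**txn2, "amount_cents": 189900}, real)
    results["locked"] = issuer.confirm(txn2, wrong)        # third failure locks T2

    # 4. Expiry: an unconfirmed transaction times out.
    txn3 = {**txn, "txn_id": "T3"}
    issuer.start(txn3)
    real3 = issuer.sent_sms[-1][1].rsplit(" ", 1)[1]
    clock[0] += CODE_TTL_SECONDS + 1
    results["expired"] = issuer.confirm(txn3, real3)

    # 5. Card not enrolled for SMS confirmation.
    results["unenrolled"] = issuer.start({**txn, "txn_id": "T4", "card": "5555555555554444"})
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:>10}: {outcome}")
```

Run it directly to see each outcome printed. The design choice worth noting is that the code is derived from the transaction details rather than stored as a bare random number: the issuer approves only the merchant and amount the cardholder actually saw in the SMS, so a terminal or intermediary that alters the amount afterwards fails the check even with the right code.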

An investigation is underway in this case and further information will be available here and just about everywhere else in the coming days.