Financial Services in Turmoil: Who Can We Trust?

Posted by Steve Gilde on December 4, 2018

It was another bad week for in the press for the financial services industry, which means it was also another bad week for consumers (i.e. you and me). We have entrusted our banks, retailers, e-tailers, and other organizations with whom we do business to protect us and our data — and they have failed yet again.

First, there was a new report issued by the UK Financial Conduct Authority. I have talked about the problems within the UK banking community before, but the FCA has recently completed a detailed survey and analysis of the industry. They surveyed nearly 300 companies during 2017 and 2018 “to assess their technology and cyber capabilities.”

Among the key findings:

  • Firms reported significantly more outages and cyber-attacks over the last year
  • Nearly half of firms do not upgrade or retire old IT systems in time
  • Only 56% of firms say they can measure the effectiveness of their information asset controls
  • Cyber security is not just a technology risk, it is a human risk

It seems clear that an industry that cannot regulate itself will get even more regulation and oversight. The FCA will use the data gathering in the survey to make additional recommendations in 2019.

No Reservations

Next, we heard from Marriott about the massive data breach at their Starwood guest reservation database. This database holds records containing personal and payment information on some 500 million guests and according to the Marriott press release: “For approximately 327 million of these guests, the information includes some combination of name, mailing address, phone number, email address, passport number, Starwood Preferred Guest (“SPG”) account information, date of birth, gender, arrival and departure information, reservation date, and communication preferences." In other words, just about everything about an individual guest.

Marriott also pointed out: “For some, the information also includes payment card numbers and payment card expiration dates, but the payment card numbers were encrypted using Advanced Encryption Standard encryption (AES-128).” Not sure why all the data was not encrypted, but it may not matter anyway. Marriott also included this caveat:  “There are two components needed to decrypt the payment card numbers,” but “Marriott has not been able to rule out the possibility that both were taken.”   

If you find it mind-boggling that encryption keys were apparently stored in the same manner and location as the data they were supposed to be protecting, I share your concern. Perhaps even more disturbing was the amount of time the data was accessible, by Marriott’s own account, more than 4 years. Wouldn’t you expect that even an annual security review would have revealed the problem long before now?

Unfortunately, this is now the world we live – i.e. you can’t actually trust anybody.

After the Marriott breach announcement, Brian Krebbs covered the event in detail on his KrebbsOnSecurity Blog: What the Marriott Breach Says About Security.

The overall assessment from Krebbs is chilling:

“..for individuals, it pays to accept two unfortunate and harsh realities:

Reality #1:

Bad guys already have access to personal data points that you may believe should be secret but which nevertheless aren’t, including your credit card information, Social Security number, mother’s maiden name, date of birth, address, previous addresses, phone number, and yes — even your credit file.

Reality #2:

Any data point you share with a company will in all likelihood eventually be hacked, lost, leaked, stolen or sold — usually through no fault of your own. And if you’re an American, it means (at least for the time being) your recourse to do anything about that when it does happen is limited or nil.”

It Gets Worse

Finally, if you want to have some real fun, have a look at this video put together by The Guardian:

For those of you not keeping a scorecard, the Australian Banking industry has been in turmoil for some time now, with the Aussie government just finishing up Royal Banking Commission hearings investigating misconduct within the banking industry which “was driven by greed and short-term profits."

Of course, the US market is not immune to this sort of problem. While perhaps, not as pervasive as the current troubles in Australia, it seems that Wells Fargo, one of our largest financial institutions, has been in continual turmoil for the past 4 or 5 years.

So how did we actually get to this point? Not so long ago, we really could and did trust our banks to protect our money and our personal information. I know that this was back in the days before mega-bank mergers and financial services conglomerates, but this decline did not happen by accident.

The banks had all the cards (no pun intended), they had all the money, they had all the trust. And they let it slip away.

In her speech to announce its report on Cyber and Technology Resilience, Megan Butler, executive director of supervision, FCA, says: “there is a clear problem at the moment in recruiting the right skills at the top level; to steer, set strategy and oversee the armies of semi-permanent contractors, and unregulated third parties running bank IT platforms." I am sure that this is a very valid point, but I believe that there are deeper, more fundamental issues at play here.

So in their quest for short-term profits, banks have actually opened the door, to not only competition, but to further government regulation and oversight. This will make it even harder to for them to make investments in new technology necessary so that they can innovate to stay relevant for the future.

I am not sure where the story will end, but I sure don’t like where the plot has taken us so far. There are a lot more losers than winners and the reputation of an entire industry has been tarnished, perhaps to the point that it will never fully recover.

Let me know if you agree/disagree, have additional thoughts to add or would like to set-up a time to talk.

What are your thoughts? (Email Me)

Topics: Risk, Payments Testing