GonzoBanker mothership Cornerstone Advisors holds a few company-wide meetings at the Scottsdale, Ariz., headquarters during the year. The most recent meeting was our educational event known as Gonzopalooza, in which we … well, the first rule of Gonzopalooza is “don’t talk about Gonzopalooza.”
Given that this is an event about understanding gritty industry trends and I am Cornerstone’s resident cyber-geek, I decided to give my colleagues a first-hand lesson on white-hat hacking.
It was my first time visiting the corporate office since it was renovated. While my colleagues were taking advantage of the new corporate spa facilities (just kidding), I couldn’t wait to check out the new network infrastructure upgrades (not kidding).
I planned to treat Gonzopalooza like any hacker would treat the typical coffee shop scene. I would go to the meeting, blend in, and no one would have a clue what I was doing. As people peck-peck-pecked away at their laptop keyboards, I confidently thought, “piece of cake.” What I didn’t count on, however, was el presidente kicking off the proceedings by saying, “Laptops off, everyone! Shut ’em down!” Can you say buzzkill?
Sure enough, everyone stopped using their laptops (we’re an obedient group) … and started using their mobile devices (OK, maybe not).
This just got a bit more difficult, right? Not really. Mobile devices like to chat it up on the network. Ever notice your data usage when the bill comes due? Me neither. As I sat through the meeting, every now and then I’d take a look at my iPad. I had set it up to control some wireless “sniffing” software on my laptop. Various pieces of information started rolling in: Some folks were watching YouTube videos, some were researching Quicken Rocket Mortgage, and one person was trying to find analogies for the word pimple (he or she is paying $50 to keep his/her name out of this post).
After a few minutes, a scan of my iPad revealed that I had obtained private information from a number of people without their knowledge. My unsuspecting colleagues are like many bank customers. They don’t understand how these things work, and they don’t fully realize the potential – and very real – “e-dangers” out there. What they want is to feel a certain level of privacy, and they generally trust their banks to do everything they can to protect their information, protect them from a real hacker.
After the meeting, I came clean to those who were affected. Secrets are harmful in the security practice. It’s important as a white-hat to be ethical and trusted. Yes, I was able to collect credentials on a modern wireless network, but I didn’t use them for malicious intent. Instead, I used them to help my colleagues understand and address weaknesses in their own personal technology usage in order to strengthen the company’s wireless network and strengthen their mobile devices’ security settings.
Cornerstone’s wireless network was among the best I’ve seen. Yet, my exploits took half a day to pull off. This wireless network, like many others, would have easily passed an FFIEC or general assessment with flying colors. Everything is new, name brand, with no current end-of-support issues.
Here’s the rub Gonzobankers: if a mobile device’s communications security is weak, it doesn’t matter how modern the wireless network is that it’s connecting to. In a wireless network, application security becomes more critical than ever. And I don’t mean simply verifying that a teller account can be audited for unauthorized account viewing. I’m talking about application security from the standpoint of secure communications to and from a server (e-mail, banking, etc.); in other words, using proper security to communicate over a wireless network.
Most assessments are one-sided and only question the network, not the vulnerability at the edges. They don’t look at the mobile and PC data that’s passing through it, or the applications communicating on it. As a result, those assessments don’t find the weaknesses that may exist. This is where hackers will start, but sadly, it’s the point where most assessments end.
The FFIEC’s guidelines include recommendations that address secure telecommunications protocols, encryption to minimize the interception of traffic, and encryption of personal information stored on mobile devices.
This is all well and fine, but once these recommendations are implemented, who is going to verify that everything is functioning as it should?
Can your mobile banking application be fooled into communicating at a lower level of security (easier to “hack”) if the higher security levels are not available? How do you find the answer to that question? These are the things you need to think about – otherwise you’re just diagnosing a problem by looking at the surface.
-ts
Cornerstone Advisors offers mobile application security and other in-depth security assessments.
Contact us today to learn more.
