The Financial Institution Website: Where Community Meets Cyber Crime?

 Author: Jenny Roland-Vlach, JRoland-Vlach@jackhenry.com

I have developed a bit of a habit over the years in my role as a Compliance Analyst: I like to regularly check out my FI client’s website.  I have found that it gives me a great visual representation of what that institution is all about. This helps me understand the FI’s products/services, business culture, and face to the community. I also like to check for staff pictures on the chance that I can put a face with a name for the particular employee that I am working with on IT regulatory compliance and risk management efforts.

During my reviews of financial institution websites, I have noticed a certain propensity that does give me reason for concern, though. With the increase in spear phishing attacks and concern in accessing systems and data, I have often observed biographical information that could potentially be used to stage spear phishing attacks to access systems and data for harm against the institution. Information that I believe is being shared in an effort to better establish connections with the FI’s customer base. Detailed biographical information is a veritable gold mine for cyber criminals. By visiting a financial institution’s website they can begin to glean the information they need to build a phishing attack, perhaps as an email from the President’s college alumni association or the favorite charity of the Chief Technology Officer. The more detailed information that an institution provides about their staff, the more ammunition cyber criminals have to use against the FI. Often times FI management educates employees about sharing too much on social media sites, such as Facebook, but forgets about the FI’s website as a source of personal information.

Now may be a good time to step back and re-evaluate the level of detail provided. Be cognizant of how the detail could be utilized in a spear phishing attack. For example, an FI President has a Master’s degree in Finance, but do not list the college; or, the Chief Technology Officer is active in numerous community charities, but do not include specific names. Another idea is to introduce common spear phishing scenarios in your employee information security training. Providing specific examples of how a cyber attacker may use biographical information in an email will help employees identify potential red flags in a spear phishing email, and to understand the need to qualify all emails before opening and clicking on links. Hosting a formal Social Engineering Assessment may also provide a good indication of your employees’ awareness of these types of schemes.

Metadata from MS Word and PDF documents and forms are another source of information on your website that could provide details that are ideal for launching a social engineering attack. Metadata is the supporting detail for these types of documents. Financial institutions often post rate sheets or forms to their website in either a Word or PDF format that reveals the user who created it and what version of the program it was created in. If this information is not removed (scrubbed) from the document prior to being posted on the website, it has the potential to be used against the financial institution. While visiting the website of a community FI, a cyber criminal that discovers a document that has not been scrubbed of metadata will now have at least two critical pieces of information to assist in their schemes. Just by knowing the version of the program the document was created in, a criminal can then determine the vulnerabilities known for that particular program. The criminal can then create an attack based on those vulnerabilities and target this attack toward the employee who created the document. One simple step to scrub metadata from these types of documents will go a long way in preventing this scenario.

Websites continue to be a vital part of every community FI’s online presence. We only need to look to the news reports of the past couple of years to see the multitude of spear phishing and DDoS attacks targeting FIs to realize that cyber criminals understand this criticality all too well. In your efforts to prepare for potential attacks against your website and against your online banking systems, be sure not to overlook the type of information illustrated above. Detail gleaned from biographies and metadata from documents may provide cyber criminals with enough information to help them create an attack that could have impact on your institution. Use this as an opportunity to further address your risk and compliance efforts for online services. A review of your website today could save your FI a lot trouble down the road.