http://www.mlive.com/business/index.ssf/2008/01/local_banks_beef_up_security.html By Tina Reed The Ann Arbor News January 09, 2008 University Bank's new computer security hardware is only the size of a typical DVD player. But the bank announced last month that it's betting the Promia Raven 1100 security system will help improve its defense against potential hackers with technology previously used only by the U.S. Navy. Within the system's first day of use, the bank was alerted that hackers were trying to enter the system from North Korea, China and Oman, said Stephen Ranzini, company president and chairman. The bank and its parent company, University Bancorp Inc. (Nasdaq: UNIB), are housed at the renovated Hoover Mansion on Washtenaw Avenue in Ann Arbor. The company employs about 30 people and reported earnings for the first nine months of 2007 of $1 million. "You hear about this stuff all the time, how people overseas are trying to break into networks, but where's the proof?'' Ranzini said. "If they're going to come after us, they'll go after everyone.'' Other local banks say they are constantly investing in new products as hacker threats continue to increase, with many of the banks upgrading their systems within the last year. And when it comes to network security, smaller banks are using more sophisticated technology - and sharing more information with other banks about combating threats - than ever before, said Larry Ponemon, founder of the Ponemon Institute, a Traverse City-based data protection research group. "Banks are seeing security not just as a cost of compliance, but also as a reputation issue,'' Ponemon said. "If they can have better security over data they are protecting, customers might actually flock to those institutions.'' Some of the most common threats to bank security are phishing and pharming schemes, which involve the use of fake bank e-mails or Web sites, and social engineering, which involves digging for information about the bank culture online to trick information out of bank employees, said Jay Patterson, vice president of information technology for United Bancorp Inc., in an e-mail. Ann Arbor's United Bank and Trust is part of United Bancorp's organization of banks. United Bank and Trust has many different layers of security that are regularly tested using simulated electronic and social engineering attacks. Last year, the bank upgraded its Web content filtering and phishing prevention service. In 2007, it made major investments in security to respond to direct attacks and was able to minimize the damage from those attacks, Patterson said. "Bank security is a 24 x 7 x 365 initiative,'' Patterson said. Chelsea State Bank also has invested in a new security system, which blacklists IP addresses that try to maliciously break in, said Scott Tanner, chief operations officer. He declined to reveal what brands of systems are in place at the bank, but said it's a full-time job monitoring all the layers of security and keeping up with new threats. One of the most reliable and credible ways to keep up is by remaining active in a national banking user group that Chelsea State Bank joined back in 1985, he said. "We found out early on we had a lot in common that we had to work on,'' including security, Tanner said. "Because banks were from around the country, we weren't sitting down with competitors from across the street, so we could really lay our cards down.'' For University Bank, investing in the Raven system seemed to be the best choice, Ranzini said, because it links the bank to other Raven users. That creates a much broader malicious IP address blacklist that keeps those addresses from ever being able to guess any of the networks' passwords again. It also tracks attacker activity for possible prosecution and can alert network administrators to unauthorized internal use and computer malfunctions. "Time is the issue for the bad guys,'' Ranzini said. "All cryptography is based on the amount of time it would take to break in. Why give them all that time?'' Despite all the efforts that banks are making, Tanner said, it's the customers' responsibility to monitor their own banking statements - especially since they are available to check almost immediately online. "No technology in the world can alert us to a problem as effectively as the consumer actually looking for it themselves.'' __________________________________________________________________ Visit InfoSec News http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Wed Jan 09 2008 - 22:36:20 PST