I SMiShed a girl (and I liked it)

Aug 27, 2014 | Random

Banks and bankers have a reputation for being stodgy, stiff and bland. That’s probably a well-deserved and duly earned descriptor for most of them. Those of you who bank with us, however, know that global perception does not apply here. We’re regular folks with regular lives, just like you. Our kids play city league sports, participate in dance and Taekwondo; we see you in the grocery store and at high school football games. We are Community Bankers, your friends and neighbors. A lot of JPSCB employees even listen to popular music, which of course inspired the title of this post.

If you’ve been following us on Facebook, Twitter or reading this blog, you know that our bank has been hard at work to roll out Mobile Banking. I’ve gotta tell you, we’re PUMPED about this new product! Our world is becoming much more of a mobile one. The days of sitting at a computer to do computer stuff are…well not over by any means…let’s just say they’re facing some serious competition. Just like most of you don’t need to go home or back to the office to make a phone call, you won’t have to be in front of a computer to do your banking business. Your computer travels with you and easily fits into your purse or pocket. Even the most rudimentary cell phones contain more powerful computers than the ones I used at the beginning of my career…the ones that took up a large, windowless room (Of Mice and Men).

We know that not everyone is into gizmos and gadgets, so our Mobile Banking service works in four ways, to accommodate the entire spectrum: Tele-Banking, Text Banking, Mobile Web Banking and (my personal favorite) the Mobile App for Android, iPhone/iPad, and BlackBerry (Yes, we know, poor beleaguered BlackBerry users, that RIM is going out of business any day now, but until it does…).

First, Tele-Banking. You can use your cell phone the way it was originally intended! Call a local number and enter your account information and PIN. You can get your balance, recent transactions, and move money around your existing accounts with us. This tried and true method is one of our most popular ones due to its stability, reliability and longevity. We’ve had this for a long time, and it works just fine.

Next, and new, the Mobile Banking Suite!

Now, before I go into details, I want to talk security. Studies show that most bank customers across the nation are very concerned about using smart phones and mobile devices to do banking business.

In short, they’re scared. Good. They should be, and I hope you are, too. I’ll be frank with you: I’m scared. But fear, the right kind of fear, is a good thing…a healthy thing that leads to a wise course of action. Just as panicked, uncontrolled or irrational fear can lead to stupid decisions, the right kind of fear keeps us from doing stupid things. In the Information Security business, a person who isn’t afraid all the time will not be in business very long. Sooner, rather than later, familiarity with danger will lead that person into creating what we in IT call an RGE: Résumé Generating Event. This is a dangerous business that does not suffer the incautious to survive.

Mobile banking has been around for several years, and the first time I heard about it, my immediate answer was, “NO WAY!” And I was right. (Just ask me, and I’ll tell you!) The first mobile applications were rushed into production by the big banks (the same ones that caused much of the financial mess our nation is in today), and they were filled with security holes. Personal information, including transaction history, usernames, passwords, etc. was actually stored on the mobile devices themselves. If the phone was stolen or hacked remotely, the attacker had access to all kinds of sensitive information.

I am proud to say that the applications we are rolling out do not contain those design flaws. We followed mobile banking for years before deciding it was ready for consideration. After eighteen months of study, looking at the mistakes that were made and evaluating security vulnerabilities and their mitigation, after conducting a thorough risk assessment, my department presented it to our Board of Directors for approval. That was in May, 2011. Five months later, we began testing, and during the many months since, we continued to evaluate and study, making sure everything was in order before we rolled it out to you, our customers.

That process of continuous evaluation continues today, and will continue as long as we offer ANY electronic product. As proud, card-carrying members of PETS (the Perpetually Exceptionally Terrified Society), we NEVER stop looking for security vulnerabilities in ANY of our products. As long as our adversaries remain, we shall remain ever-vigilant.

Despite the very best efforts, any electronic product has vulnerabilities and is susceptible to compromise. Your computer, your phone, your car (yes, your car), and even the power grid (the mythical Ice-Nine and the very real Stuxnet) are at risk of being hacked. Knowing this, and taking the right kinds of preventative measures, makes you safer.

And to that end, after a long hiatus (one much longer than I ever hope to again endure), I sit to pen this post.

As I put these words to virtual parchment, sitting outside on a beautiful New Mexico evening, kicking it old school by using my laptop (the iPad, unused today, comfortably resting), I ponder the actions of our adversaries, those who will attempt to use our new products to steal from you. Undoubtedly, they are out there tonight (or for them in the early morning hours) diligently honing their craft.

What many people fail to realize is that most successful hackers are professionals. Generally speaking, our intelligence sources tell us they are not drug-addicted college dropouts. Many of them are Eastern European, working in the ruins of the failed Soviet Empire: highly educated, highly skilled and highly paid. They do not see you as hard-working, diligent members of the greatest nation on earth. To them, you are just another mark. And they watch you with detached indifference, much as a cobra might regard a field mouse.

But we are not required to be as they suppose: piteous and helpless beings, scurrying about in our menial lives, oblivious to the gaze of their watchful eye. We are not fated to succumb to their wares or fall prey to their schemes…unless we so choose by embracing ignorance, proverbially burying our heads in the sand. Dear Readers, this need not be.

Even the cobra has enemies.

We IT people are not especially creative when it comes to naming things, and we spell words pretty much how we want to. Some of the first attempts to fraudulently gain information from bank customers came in the form of a phishing (pronounced “fishing”) attack. In these attacks, the hackers send out email messages to bank customers. The emails look legitimate; they have the bank logo and even the actual names of bank presidents and personnel. The one that targeted our institution had the name of our Chairman of the Board in the signature line. Phishing emails contain a link that may even look exactly like the actual link to the bank’s website. However, when the unsuspecting individuals click on it, it actually directs them to a rogue site that tries to trick them into putting in confidential information that the hackers use to gain access to their accounts or to steal their identity.

Other methods of doing this are Vishing (short for “voice phishing”: calling customers on the phone, purporting to be from the bank, and having the victims give out information) and SMiShing (pronounced just like it sounds, rhyming with “fishing”: sending fraudulent SMS (text) messages to cell phones). Unbeknownst to most of you, the first hacker attack against our bank customers was a SMiSh, but it failed because the text went to over 40,000 landlines in the Clovis/Portales area. Of course, landlines cannot receive text messages, so our customers never got it.

That, my friends, is going to change. Once we start rolling out mobile products, you WILL become targets once again, and at some point, you WILL get a text claiming to be from the bank and asking you to reply with confidential information. THE BANK WILL NEVER CALL, EMAIL OR TEXT YOU FOR PERSONAL INFORMATION! Remember, we’re the bank and we already have it! Now, if YOU INITIATE the contact, say you call an office, we WILL ask you to confirm certain information to establish that you are who you say you are, but remember: in these cases YOU initiated the contact, so you know it’s the bank and not some hacker! We also may ask you to call the bank or come in to update information, but again, YOU will have to initiate the conversation where information is exchanged!

Almost without fail, communications from hackers will try to pressure you to ACT NOW; they use pressure or the wrong kind of fear to push you into making a quick decision. “If you don’t do this, your debit card will not work!” or “Your account may be deactivated”…folks, don’t fall for this. We are a community bank, and we are going to do all we can to help you and take care of you. We don’t scare you with the wrong kind of fear, and we do not pressure you into making decisions. Remember, “The purpose of our bank is to help our customers grow and prosper.” Randomly disabling your access to your money is not consistent with who we are and what we do.
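To make those red flags concrete, here is an added example (my own illustration, not code from the bank’s systems) of how a mail or text filter could score a message on exactly the signals described above: pressure language, requests for information the bank already has, and a link whose visible text names one domain while the real destination is another. The sample message and the domain names are constructed for the example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Red flags the post describes: pressure to ACT NOW, and requests for data the bank already has.
URGENCY = ("act now", "immediately", "will not work", "deactivated", "suspended")
DATA_REQUESTS = ("pin", "password", "account number", "card number", "social security", "reply with")

class LinkExtractor(HTMLParser):
    """Collect (visible text, href) pairs from every <a> tag in an HTML email body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append(("".join(self._text).strip(), self._href))
            self._href = None

def host_of(s):
    """Hostname (lowercased) of a URL, or of display text that merely looks like one."""
    return (urlparse(s if "://" in s else "http://" + s).hostname or "").lower()

def lookalike_links(html):
    """Links whose visible text names one domain while the href really goes somewhere else."""
    parser = LinkExtractor()
    parser.feed(html)
    mismatches = []
    for text, href in parser.links:
        shown = host_of(text) if re.search(r"\w\.\w", text) else ""  # "click here" has no domain
        if shown and shown != host_of(href):
            mismatches.append((shown, host_of(href)))
    return mismatches

def smish_indicators(message):
    """Whole-word hits on the urgency and data-request phrases, in a fixed order."""
    body = message.lower()
    hit = lambda phrase: re.search(r"\b" + re.escape(phrase) + r"\b", body)
    return ([f"urgency:{p}" for p in URGENCY if hit(p)]
            + [f"asks-for:{p}" for p in DATA_REQUESTS if hit(p)])

# Constructed samples for this example; the wording and the domains are made up.
SAMPLE_SMS = "Alert: your debit card will not work until you reply with your PIN. Act now!"
SAMPLE_HTML = '<p>Log in at <a href="http://login.rogue-host.test/x">www.yourbank.example</a></p>'
```

A message that trips several indicators at once, or carries a mismatched link, is the kind of thing to slow down on rather than reply to.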

So, on the fateful day when you get an unsolicited text or email (or call or whatever the bad guys come up with next), slow down and picture in your mind’s eye your adversary, calm, confident and collected. See her in a nice office, sitting in a comfortable chair in front of a bank of computer screens, as a Katy Perry tune plays somewhere in the background, your enemy humming or keeping time with her fingers. Don’t react. Don’t give her the opportunity to strike.

Be a mongoose, not a mouse.
