2016 Vol. 100 No. 5

SECURITY / FRAUD

Teaching Out-of-Wallet Questions

17 Hoosier Banker May 2016

It’s happening. Possibly right now, somebody in one of your branches could be divulging private customer information, setting up your bank for legal issues, compliance violations and lost customers. With all the recent focus on cybersecurity, let’s not lose sight of the most likely threat vector: pretext calling. This is when social engineers call our branches and breach information merely by asking for it. It may seem benign, but it is the avenue most likely to be used against you.

Banks often find themselves in the middle of domestic disputes, and may even face moral dilemmas, for example in the case of an illegal request for the account information of an ex-spouse in an attempt to force a child support payment. These requests, along with any requests for NPI (non-public information) or PII (personally identifiable information), must be properly authenticated with what the Federal Financial Institutions Examination Council refers to as “out-of-wallet questions.”* Out-of-wallet questions seek information that cannot be found in a lost wallet or purse, or on social media sites, in order to confirm a caller’s identity. But we have to be creative in how we pursue this verification information, and we need to teach our employees how to engage the customer in the process.

How do you teach out-of-wallet questions? From three primary principles:

1. Reduce and isolate those needing to ask the questions;
2. Create an appropriate policy (educate);
3. Motivate and activate awareness.

Reduce and isolate. While policy should be kept in a document that reaches all users (typically your acceptable use policy), the bank should also consider tactics that will reduce the number of people typically needed to ask out-of-wallet questions. For example, banks that funnel all incoming calls through a call center or help desk can focus training and testing on those employees.

Create an appropriate policy. A sample policy title is: “Authenticating Nonpublic Customer Information Requests.” Below is sample policy language:

Confidential client information assets include any information that has any or all of the following:

• Name (any name on an account);
• Address (any or all addresses for any account);
• Phone numbers (any or all, including fax);
• Tax ID numbers;
• Social Security numbers;
• Account numbers (any or all);
• Email addresses;
• Account balances.

When a customer calls asking for any of the above information, you must confirm the identity of the caller prior to giving any of the information listed above. If you do not know the customer, ask the customer to provide “out-of-wallet” authentication information. Out-of-wallet questions seek validation information that cannot be found in a person’s lost wallet or purse, or on social media. Rather than rely on a stock list of out-of-wallet questions, be creative as you authenticate callers. Not every customer will know the answer to every out-of-wallet question, and thus you must seek the customer’s help in finding legitimate questions. To enlist the customer’s help, start by explaining: “For your protection, I need to ask some questions to

Continued on page 18.

About the Author

Dan Hadaway, CRISC, CISA, CISM, has been working with banks on their security awareness programs since he founded Infotex in 2000. He writes for Hoosier Banker, the American Bankers Association’s Compliance Magazine, BankNotes and other industry publications; speaks regularly at conferences and conventions; and facilitates the Indiana Bankers Association’s annual Cybersecurity Conference. The author can be reached at 800-466-9939, email: dhadaway@infotex.com. Infotex is an IBA Preferred Service Provider.
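As an added illustration of the sample policy above (example code written for this edit, not the author’s or Infotex’s), the following Python gate models the control the policy describes: the confidential fields from the policy list are released only after a call session has passed two out-of-wallet challenges, a candidate question whose answer could be read off a lost wallet or a social-media profile is rejected before it is ever asked, a question the customer cannot answer is simply skipped (the policy says to find another one), repeated wrong answers lock the session, and every step is recorded for later review. The field names, the wallet-derivable attribute list, the two-question threshold, the three-failure lockout and the sample customer record are constructed assumptions, not taken from the article.

```python
"""Caller-authentication gate modelled on the sample policy.

Added example, not from the article: field names, thresholds and the
sample customer record are constructed for illustration only.
"""
import hmac
from dataclasses import dataclass, field

# The policy's list of confidential client information assets.
CONFIDENTIAL_FIELDS = frozenset({
    "name", "address", "phone_numbers", "tax_id", "ssn",
    "account_numbers", "email", "account_balance",
})

# Attributes a caller could read off a lost wallet/purse (cards, licence,
# business card) or a social-media profile. Never usable as a challenge.
# Constructed list: the article states the principle, not this enumeration.
WALLET_OR_SOCIAL_ATTRIBUTES = frozenset({
    "name", "address", "date_of_birth", "ssn", "drivers_license",
    "phone_numbers", "email", "employer", "account_numbers",
})

REQUIRED_CHALLENGES = 2      # assumed threshold before disclosure
MAX_FAILED_CHALLENGES = 3    # assumed lockout threshold


@dataclass
class CustomerRecord:
    fields: dict             # confidential fields (policy list above)
    reference_answers: dict  # attribute -> expected out-of-wallet answer


@dataclass
class CallSession:
    customer_id: str
    verified: bool = False
    locked: bool = False
    challenges_passed: int = 0
    challenges_failed: int = 0
    audit: list = field(default_factory=list)  # review trail for this call


def is_out_of_wallet(attribute):
    """A question qualifies only if its answer is not wallet/social-derivable."""
    return attribute not in WALLET_OR_SOCIAL_ATTRIBUTES


def _normalize(answer):
    """Case/whitespace-insensitive comparison form for spoken answers."""
    return " ".join(str(answer).strip().lower().split())


def challenge(session, record, attribute, answer):
    """Ask one out-of-wallet question; returns True if the answer matched."""
    if session.locked:
        raise PermissionError("session locked after repeated failed challenges")
    if not is_out_of_wallet(attribute):
        session.audit.append(("rejected_question", attribute))
        raise ValueError(f"{attribute!r} is wallet/social-derivable, not out-of-wallet")
    expected = record.reference_answers.get(attribute)
    if expected is None:
        # Customer may not know this one; policy says find another question.
        session.audit.append(("no_reference", attribute))
        return False
    ok = hmac.compare_digest(_normalize(expected).encode(), _normalize(answer).encode())
    session.audit.append(("challenge", attribute, ok))
    if ok:
        session.challenges_passed += 1
        session.verified = session.challenges_passed >= REQUIRED_CHALLENGES
    else:
        session.challenges_failed += 1
        if session.challenges_failed >= MAX_FAILED_CHALLENGES:
            session.locked = True
            session.audit.append(("locked", session.challenges_failed))
    return ok


def disclose(session, record, field_name):
    """Release a field only once the caller has been verified."""
    if field_name in CONFIDENTIAL_FIELDS and not session.verified:
        session.audit.append(("denied", field_name))
        raise PermissionError(f"caller not verified; refusing to disclose {field_name!r}")
    session.audit.append(("disclosed", field_name))
    return record.fields[field_name]


def demo():
    """Walk one constructed call through the gate and return what happened."""
    record = CustomerRecord(
        fields={"name": "J. Example", "account_balance": "4,512.07"},
        reference_answers={"last_deposit_amount": "250.00",
                           "branch_opened_at": "Fishers",
                           "date_of_birth": "1980-01-01"},
    )
    session = CallSession(customer_id="demo-001")
    results = {}
    try:
        disclose(session, record, "account_balance")
    except PermissionError:
        results["pre_auth_denied"] = True
    try:
        challenge(session, record, "date_of_birth", "1980-01-01")
    except ValueError:
        results["dob_rejected"] = True
    results["q1"] = challenge(session, record, "last_deposit_amount", "250.00")
    results["q2"] = challenge(session, record, "branch_opened_at", " fishers ")
    results["balance"] = disclose(session, record, "account_balance")
    results["audit"] = list(session.audit)
    return results


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

The point of the gate is that the disclosure decision is taken by code that only sees a verified/unverified flag, so a persuasive caller cannot talk an individual employee past it; the audit trail lets a reviewer see exactly which questions were asked and which were refused as wallet-derivable.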
