IT Security for banks also includes Desktop Phone Security!

Last year, PWC published its global report Retail Banking 2020, a forecast of how retail banks will look in 2020. From an ICT perspective two major trends stand out. First, the use of technology to bring bank transactions literally to the fingertip of the customer. Second, that by using these technological innovations, banks are going to be lean and mean: they will increasingly operate as internet banks without the need for a branch network. Let’s dig a little deeper into that topic. Technology nowadays enables banks to go online, and there is less need for the traditional branch model for daily transactions. Cash usage has dropped dramatically and all basic activities and transactions can be done online. Banks have substantially reduced their staff levels and are experimenting with new branch concepts. Some banks, for example, run flagship-store-type branches, where customers are served with education, financial advice and other full-service capabilities. In a nutshell, transactions will become an online commodity, while specialized services will remain an interactive process, delivered via channels like video chat but also in flagship branches with highly qualified staff.

Increased focus on banking security

The use of IT solutions for the automation of transactions and customer support also means an increased focus on IT security. Research among US bankers clearly illustrates this: nearly 80% of all bank executives planned to invest in more security. As such, it was the top technology investment category, far ahead of topics like online banking and mobile banking. Looking more closely at these security investments, it seems to me that the key focus of many IT security strategies and plans is on the external channels. Banks focus on securing their online transactions, both between their customers and their own systems and between banks and their peers. Many innovations and new techniques are used to raise the security level. This is very understandable, since most attacks come from the outside and from external, anonymous sources. We therefore see many innovations in this domain, for example in the area of authorization, where biometrics like fingerprint and voice recognition may become commonplace in transaction authorization.

banks and financial institutes (credit: Kevin Jarrett)

IT and telephony security are of crucial importance to banks and financial institutes.

At the same time, the new online banking model doesn’t mean that internal security will become less important. If a bank changes from a model with a large number of branches and a large staff for daily operations to a smaller number of branches with fewer, but highly skilled, staff, this creates a risk. In the new situation fewer people are involved in daily banking operations, and in general this means that each of them has more responsibilities and more authority to access systems and information. In a world where external channel security is brought up to Fort Knox level, getting access to and manipulating key staff may become the easiest way to reach the bank and its systems. Getting access to the desktop of staff members and social engineering techniques may become the most effective ways in.

Banks forget enterprise telephony as part of IT security

And there we see something interesting. Everybody sees IT as something that has to be secured, and everybody understands that the internal IT environment, the employee’s workspace, computers, laptops and tablets or smartphones, also has to be secured. But one way or another, we tend to forget the desk phone. Many of today’s desktop phones are not secured, and if they are, the security is often not used. Today’s enterprise telephony provides business users with desktop phones with enormous capabilities. The complete user profile is linked to a specific phone extension, providing the private business contacts, the call history and other data. But most of all, it provides a trusted contact to other employees in your bank. If you receive a phone call from an internal colleague, calling from the financial department and knowing your name, you may be less cautious in providing the information he is looking for, even if he asks for a bit more than you would expect. Trust works with colleagues, and it works with customers.

Let’s give an example of the potential damage. In October 2015, the Evening Standard published the article ‘Nine arrested over ‘£60 million fraud’ targeting bank customers’. It describes a fraud in which criminals targeted business banking customers by purporting to be from their bank in order to dupe them into revealing personal information that allowed the criminals to gain access to their accounts. These criminals used technology to disguise the number they called from, to make it appear as though they were a legitimate bank. This example clearly illustrates the value of having access to phone lines that carry some ‘authority’. For calls to external contacts this could also be done with black-hat-type technology, but for internal calls to other departments the use of an existing desktop phone may be the preferred or only way. Especially since, in the war against these phone fraud attempts, specialized security companies not only check the calling number but also other call characteristics, like noise and frequencies, to verify the real origin of a calling party.

How is your desktop security organized?

It’s an example, and it wasn’t your bank, we hope. But looking at your office, how is your VoIP desk phone secured? What if, at your department, a key account manager leaves the office with an ‘open’ desktop phone? How easy is it for a colleague, a visitor or an employee of the cleaning service to access that phone and download the account manager’s entire customer list? Or worse, to contact a client and provide him with some ‘special advice’? Or to call an escort service on a regular basis and make your account manager vulnerable to blackmail? The number of fraud and abuse scenarios with freely accessible desktop phones is large, and we will elaborate on some of these VoIP security threats in upcoming blogs.

Often the reaction to the question above is as expected. The responsible IT department states that the desktop telephone is secured via a username and password and that it is impossible to access a phone without these account data. This is true, but it is in no way a solution. Where logging in to a laptop or computer has become common practice, logging in to a telephone definitely hasn’t. Entering a username and password on a telephone with a rudimentary keypad isn’t practical, and the reality is that staff often deliberately ‘forget’ to log out. Not just to have a hassle-free start the next morning, but also because most people don’t see any risk in leaving their desktop phone ‘open’. They simply don’t see their desk phone as a security risk. Three roads to your data are closed. The fourth one is open…

Single Sign On for enterprise telephony

Ideally, logging in to a desktop phone should be as common as logging in to a PC or laptop. Even better would be if logging in to the phone and the computer were a single action. And that’s where RSconnect comes in. Our Active Login Manager is a Single Sign-On (SSO) solution which automatically logs in to a Cisco enterprise telephone when the user logs in to his office environment, and automatically logs off when the user leaves his desk or workplace, or even the office. With the Active Login Manager you are 100% sure that whenever your employee is not at his or her desk, the desk phone cannot be used either. Active Login Manager takes the level of security of your office environment and extends it to your desktop telephony. As such, the Login Manager is a must-have for companies using Cisco IP Telephony, Cisco Unified Communications Manager (CUCM) and Cisco CallManager (CCM) technology.

The software is easy to use and improves the internal security policies within your company, optionally on top of your current Active Directory integration. So, the question I would like to ask you, as a banking executive, is this: is the level of attention your bank pays to your external channels and access to computer systems balanced with the level of attention you pay to the security of your desktop phones? If yes, I congratulate you. If not, it is perhaps good to have a chat and discuss our Active Login Manager. It will block the fourth road to sensitive company data and potential cybercrime.
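The gap described above, a desk phone that stays logged in after its user has locked or left the workstation, is something a bank can measure before (or without) deploying a single sign-on product. The script below is an added example, not RSconnect code and not a Cisco CUCM or Active Login Manager log format: it correlates constructed workstation session events (logon, lock, unlock, logoff) with constructed phone extension-mobility login/logout events for the same user and reports every interval in which a phone was logged in while the user had no active workstation session for longer than a grace period. The event format and the five-minute grace period are assumptions chosen for the illustration.

```python
"""Find desk phones left 'open' while their user's workstation session is locked or ended.

Added example with a constructed log format; it is not a Cisco CUCM or
Active Login Manager format. Adapt parse_log() to real exports.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Tolerated gap between a workstation lock/logoff and the phone logout (assumption).
GRACE = timedelta(minutes=5)

# Constructed sample events: "<ISO timestamp> <source> <user> <action> <device>"
SAMPLE_LOG = """\
2015-11-02T08:01:10 workstation alice LOGON WS-101
2015-11-02T08:01:15 phone alice EM_LOGIN SEP0000000001
2015-11-02T12:02:00 workstation alice LOCK WS-101
2015-11-02T13:05:30 workstation alice UNLOCK WS-101
2015-11-02T17:30:00 workstation alice LOGOFF WS-101
2015-11-02T08:10:00 workstation bob LOGON WS-102
2015-11-02T08:10:04 phone bob EM_LOGIN SEP0000000002
2015-11-02T17:45:00 workstation bob LOGOFF WS-102
2015-11-02T17:45:02 phone bob EM_LOGOUT SEP0000000002
2015-11-02T09:00:00 phone carol EM_LOGIN SEP0000000003
"""


@dataclass
class Event:
    ts: datetime
    source: str   # "workstation" or "phone"
    user: str
    action: str   # LOGON/LOCK/UNLOCK/LOGOFF or EM_LOGIN/EM_LOGOUT
    device: str


@dataclass
class Finding:
    user: str
    device: str
    start: datetime
    end: Optional[datetime]  # None: phone still open when the log ends
    reason: str


@dataclass
class UserState:
    ws_active: bool = False          # user has an unlocked workstation session
    phone: Optional[str] = None      # device the user is logged in to, if any
    exposed_since: Optional[datetime] = None  # phone open without active session
    reason: str = ""


def parse_log(text: str) -> List[Event]:
    """Parse the constructed line format and return events in time order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, source, user, action, device = line.split()
        events.append(Event(datetime.fromisoformat(ts), source, user, action, device))
    events.sort(key=lambda e: e.ts)
    return events


def find_open_phones(events: List[Event], grace: timedelta = GRACE) -> List[Finding]:
    """Report intervals where a phone was logged in but its user had no active session."""
    states: Dict[str, UserState] = {}
    findings: List[Finding] = []

    def close_exposure(user: str, st: UserState, end: Optional[datetime]) -> None:
        # Record the exposure if it outlasted the grace period (or never ended).
        if st.exposed_since is not None:
            if end is None or end - st.exposed_since > grace:
                findings.append(Finding(user, st.phone, st.exposed_since, end, st.reason))
            st.exposed_since = None
            st.reason = ""

    for ev in events:
        st = states.setdefault(ev.user, UserState())
        if ev.source == "workstation":
            if ev.action in ("LOGON", "UNLOCK"):
                st.ws_active = True
                close_exposure(ev.user, st, ev.ts)  # user is back at the desk
            elif ev.action in ("LOCK", "LOGOFF"):
                st.ws_active = False
                if st.phone is not None and st.exposed_since is None:
                    st.exposed_since = ev.ts
                    st.reason = f"workstation {ev.action.lower()} while phone logged in"
        elif ev.source == "phone":
            if ev.action == "EM_LOGIN":
                st.phone = ev.device
                if not st.ws_active and st.exposed_since is None:
                    st.exposed_since = ev.ts
                    st.reason = "phone login without active workstation session"
            elif ev.action == "EM_LOGOUT":
                close_exposure(ev.user, st, ev.ts)
                st.phone = None

    # Phones still logged in with no active session when the log ends.
    for user, st in states.items():
        if st.phone is not None:
            close_exposure(user, st, None)
    return findings


if __name__ == "__main__":
    for f in find_open_phones(parse_log(SAMPLE_LOG)):
        end = f.end.isoformat() if f.end else "still open at end of log"
        print(f"{f.user:6} {f.device} {f.start.isoformat()} -> {end}: {f.reason}")
```

On the constructed log, bob's phone logs out two seconds after his workstation and produces no finding; alice's phone is flagged for the lunch-hour lock and again after her evening logoff; carol's phone is flagged because it was logged in with no workstation session at all. Run against real session and extension-mobility exports, the same correlation gives a per-user measure of how long the "fourth road" stays open each day.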
