Financial institutions today spend hundreds of millions of dollars and dedicate hundreds of employees to combatting cybercrime. The ultimate insult to these defenses would be to have security breached by a simple picture taken on a smartphone.
The idea that this technique could topple banks’ massive cybersecurity regimes may sound absurd. But as banks tighten security, attackers are seeking new ways to gain access to sensitive information. One such approach is visual hacking.
A visual hack could involve someone inside a bank branch or back office, such as a customer or delivery person, taking a picture of an employee’s computer screen. It could also involve capturing information from documents left in open view on a desk or printer tray. It could even involve someone outside a bank using a high-powered camera to record drive-up teller and ATM transactions.
Technological advancements have made visual hacking easy to carry out. Nearly everyone has a smartphone, and cameras are increasingly powerful and sophisticated. Wearable technology continues to proliferate. We even have drones that can be mounted with cameras and glide by windows unnoticed—once the stuff of science fiction.
Rethinking the Scope of Security Priorities
Visual hacking can be a powerful technique. An experiment recently conducted by the Ponemon Institute found that a white-hat visual hacker was able to obtain sensitive information 88% of the time. The experiment involved an actor playing the role of a temporary office worker or contract worker with a temporary security badge. The actor went into 43 different office facilities to see what kind of information could be obtained through visual hacking.
The hackers were able to collect confidential information in less than 15 minutes in half of the attempts, and an average of five pieces of private information were hacked per trial.
Although this experiment was not conducted solely at financial institutions, such results should lead banks to bolster administrative security. Organizations need to consider human behavior, workspace organization and new security technologies in order to thwart visual hackers.
A good first step in addressing administrative security is to identify your bank’s risks. Consider every opportunity unauthorized individuals have to view sensitive information, whether it’s at an employee workstation, at a teller’s desk, through an office window or on a device that mobile employees or executives might use in public places.
If possible, information security officers should also consider doing “walkabouts” at different branches and back-office locations. This initial assessment can help officers to identify existing risks and make continuous improvements as part of an ongoing security program. Think through possible scenarios in which mobile employees might work out of coffee shops, commuter trains or planes.
Industry guidance and standards largely focus on physical and digital security, but they do include some guidance in the administrative realm. For example, the Federal Communications Commission’s “Cyber Security Planning Guide” advises that computer monitors with sensitive information should not be oriented toward publicly accessible spaces and recommends minimizing and safeguarding printed materials that contain sensitive information.