- Details
- Category: Security News
Cambridge Savings Bank, a $3.2 billion community institution in Massachusetts, is incorporating biometrics into its online and mobile banking platforms as a way to limit, and in some cases remove, the need for username and password authentication. Dan Mercurio and Mark Tracy, executives at this community bank, say customers are embracing this enhanced security feature.
Eight months ago, the bank launched the use of Apple Touch ID for authentication, and it recently deployed Android Fingerprint ID, says Mercurio, the bank's senior vice president of consumer banking, in an interview with Information Security Media Group.
The bank's biometrics authentication leveraging both mobile platforms is provided by Digital Insight, an NCR company.
Security risks posed by the potential of a biometric fingerprint being compromised are not a worry for customers and are not overly concerning for the bank, says Tracy, the bank's senior vice president and chief technology officer.
"We also use device ID, and, obviously, what the biometrics does is add another layer," Tracy says. "It uses the 'who you are' aspect of multifactor authentication. ... And as our customers, again, are familiar with using the fingerprint to log into their phones, this is kind of a natural extension. And those people who are comfortable with that type of authentication are the ones who are more drawn to incorporate it into their app use."
Mercurio adds that customer feedback related to Touch ID has focused more on the ease of use than any worry about security risks. "That is something that allows us to feel comfortable about exploring other biometric solutions as we look out across the next few years," he says.
Not a Cure-All
But Tracy stresses that biometrics is not a cure-all; it must be used as one of many layers to authenticate users.
"We try to take a layered approach, try to present options to the customers to consider," he says. "And from that perspective, biometrics makes it a better environment."
In this interview (see audio link below photos), Mercurio and Tracy also discuss:
- Work they are doing with their core processor Fiserv to expand biometrics offerings beyond fingerprints;
- How the number of Touch ID users has grown in the last eight months; and
- Why community banks and credit unions are in some cases leading the pack when it comes to enhanced authentication deployments.
Mercurio manages Cambridge Savings Bank's consumer banking group and oversees all the operations related to the bank's branches, customer contact center and residential, consumer and small business lending groups. Previously, he held management positions at Fleet Bank in Boston and the former Wachovia Bank, now part of Wells Fargo, in Charlotte.
Tracy, who has been with Cambridge Savings Bank for 17 years, oversees information technology management, strategic vendor management/engagement and operational oversight. The bank has been a leader in adopting new technologies, including advanced statement imaging and paperless back-office processing, which have been deployed under Tracy's oversight. Previously, Tracy worked at Salem Five Bank in Massachusetts.
- Details
- Category: Security News
The White House has yet to announce who will be the government's first chief information security officer, a position President Obama announced six weeks ago.
If that person is to be effective, the administration should act swiftly, says Mark Weatherford, a former Department of Homeland Security deputy undersecretary for cybersecurity who also served as CISO for California's state government. That's because the new federal CISO only has until next Jan. 20, when the next president is inaugurated, to make a mark.
"There needs to be a sense of urgency here ... the clock's ticking," Weatherford says in an interview with Information Security Media Group. "They need to get somebody into the role and they need to pick somebody who has experience and somebody who has respect to the community. If you put somebody in this job who is not a recognized security expert, then [the new CISO] probably is never going to have the kind of credibility ... needed to be successful."
The White House has not responded to ISMG's repeated requests for comment on when the federal CISO will be appointed.
In this audio report (click on player beneath image above), you'll hear:
- Weatherford describe what the new federal CISO could do in shaping the federal government's cybersecurity agenda for the years after Obama leaves the White House;
- Former DHS Deputy Undersecretary Philip Reitinger, speaking with the Steptoe Cyberlaw Podcast, question how effective a federal CISO would be; and
- Federal CIO Tony Scott describe the responsibilities of the new federal CISO.
Weatherford is chief cybersecurity strategist at data center security provider vArmour. Besides his roles at DHS and in California state government, Weatherford also served as CISO for the state of Colorado and vice president and chief security officer at the North American Electric Reliability Corp. He also is a former principal at the security consultancy The Chertoff Group.
Reitinger leads the Global Cyber Alliance, a global, not-for-profit organization with a mission of helping to prevent malicious cyber activity.
Scott is the former CIO at Microsoft and The Walt Disney Co. and had been serving as CIO at the cloud and virtualization software and services company VMware when Obama tapped him to be federal CIO in February 2015.
- Details
- Category: Security News

Risks posed by third parties are an ongoing problem for U.S. merchants because some point-of-sale vendors are overlooking basic security measures.
Last week, in the wake of an alert from American Express about the breach of a third-party service provider, I pinged security experts and card issuers to see if I could determine which provider may have been referred to in the AmEx alert. The notice from AmEx, which first appeared on the California Attorney General's website March 10, turned out to be a mistake and was taken down. An AmEx spokesperson told me that the breach referred to in the alert, which affected California card holders, actually involved a merchant and not a third party, but declined to share further details.
Nevertheless, fraud-fighting experts and issuers stress that risks posed by third parties are an ongoing problem for U.S. merchants. That's why POS vendors and service providers need to be held more accountable for merchant-level security.
Tracking Fraud
Some banks tell me that for the last six months, they've seen fraud linked to several Asian restaurant chains on the West Coast that are served by the same third-party point-of-sale integrator based in California.
What's more, numerous fraud-fighting sources report that POS service provider breaches are increasingly targeting smaller restaurant chains throughout the country. And it's becoming increasingly challenging for issuers to trace fraud back to a single point of compromise.
"There have been a ton of breaches for some time, and the trend we are seeing right now is more attacks against restaurant groups," one leading card issuer on the West Coast tells me.
Most of these breaches, the issuer says, are tied back to the breach of POS integrators or other types of service providers - typically those that use remote access tools such as LogMeIn to access POS devices and systems used by numerous merchants.
Third-party breaches generally stem from the compromise of log-in credentials, usually through a phishing attack. In some cases, the log-in credentials to access the POS are easy to guess.
Lessons Not Learned
As one fraud-fighting source told me: "The lessons of IS&S have not been learned by all integrators of the world. Phishing emails still seem to be a vulnerability."
IS&S refers to Vancouver, Wash.-based food-service POS and security systems provider Information Systems & Supplies Inc., which in June 2014 notified restaurant customers of a remote-access compromise that may have exposed card data linked to POS transactions conducted between Feb. 28 and April 18, 2014 (see POS Vendor: Possible Restaurant Breach).
IS&S is an independent reseller of POS products sold by software vendor Future POS Inc.
The breach was linked to the compromise of IS&S's LogMeIn account, likely because of a phishing attack that led to the compromise of administrator credentials, IS&S President Thomas Potter told me shortly after the breach was exposed.
What's Going Wrong?
POS service providers need to ensure that they are not using default passwords for remote access login to POS systems and devices, and that the same login credentials are not used to access POS systems at multiple merchants. Unfortunately, however, these types of basic security measures are too often skipped.
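The two hygiene checks described above (no default passwords on remote-access logins, and no single credential shared across merchants) are straightforward to audit from a provider's own credential inventory. The following is an added example, not code from the article or from any vendor it names; the inventory rows and the default-credential list are constructed for illustration, and a real audit would load both from the provider's vault and hardening baseline.

```python
"""Audit a POS service provider's remote-access credential inventory.

Added example (not from the article or any named vendor). The two checks
mirror the article's advice: no vendor-default passwords on remote-access
logins, and no single credential reused across multiple merchants.
"""
import hashlib
from collections import defaultdict

# Constructed inventory: one row per remote-access login the integrator
# holds for a merchant site. Values are illustrative, not real accounts.
INVENTORY = [
    {"merchant": "Merchant A", "tool": "remote-support", "user": "admin", "password": "admin"},
    {"merchant": "Merchant B", "tool": "remote-support", "user": "svc_pos", "password": "Sh4red!Fleet"},
    {"merchant": "Merchant C", "tool": "remote-support", "user": "svc_pos", "password": "Sh4red!Fleet"},
    {"merchant": "Merchant D", "tool": "remote-support", "user": "svc_pos", "password": "Sh4red!Fleet"},
    {"merchant": "Merchant E", "tool": "remote-support", "user": "tech", "password": "q7#Lm2!pRz9v"},
]

# Constructed, hypothetical list of vendor-default credential pairs; a real
# audit would load this from the provider's own hardening baseline.
DEFAULT_CREDENTIALS = {("admin", "admin"), ("admin", "password"), ("pos", "pos")}


def fingerprint(user, password):
    """Hash the credential pair so findings can be reported without echoing secrets."""
    return hashlib.sha256(f"{user}\x00{password}".encode()).hexdigest()[:16]


def find_default_credentials(inventory, defaults=DEFAULT_CREDENTIALS):
    """Return merchants whose remote-access login still uses a known default pair."""
    return sorted(r["merchant"] for r in inventory if (r["user"], r["password"]) in defaults)


def find_shared_credentials(inventory):
    """Group logins by credential fingerprint; any group spanning 2+ merchants is reuse.

    Returns {fingerprint: sorted merchant list} for reused credentials only.
    """
    by_cred = defaultdict(set)
    for r in inventory:
        by_cred[fingerprint(r["user"], r["password"])].add(r["merchant"])
    return {fp: sorted(m) for fp, m in by_cred.items() if len(m) > 1}


def audit(inventory):
    """Run both checks; one phished shared credential exposes every merchant in its group."""
    shared = find_shared_credentials(inventory)
    return {
        "default_credentials": find_default_credentials(inventory),
        "shared_credentials": shared,
        "merchants_exposed_by_reuse": sorted({m for ms in shared.values() for m in ms}),
    }


if __name__ == "__main__":
    report = audit(INVENTORY)
    for merchant in report["default_credentials"]:
        print(f"DEFAULT  {merchant}: rotate the vendor-default login")
    for fp, merchants in report["shared_credentials"].items():
        print(f"SHARED   credential {fp} used at {len(merchants)} merchants: {', '.join(merchants)}")
```

Reporting a truncated hash of the credential pair rather than the password itself lets the findings go into a ticket or report without spreading the secret further; the blast radius of a single phished login is the size of the merchant group sharing that fingerprint.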
Clearly, both POS vendors and service providers need to be held more accountable for compliance with basic security standards, including the PCI Data Security Standard.
- Details
- Category: Security News
Breach Preparedness , Data Breach , Risk Management
GAO Cites More than 300 Security Incidents Involving Obamacare Marketplace
The Centers for Medicare and Medicaid Services reported more than 300 security incidents involving Obamacare's HealthCare.gov website over an 18-month period, according to a new Government Accountability Office report. But the study notes: "None of the incidents included evidence that an outside attacker had successfully compromised sensitive data, such as personally identifiable information."
The report, which recommends numerous security and privacy control enhancements for the federal health insurance marketplace, says that between October 2013 and March 2015, CMS reported 316 security-related incidents affecting the Obamacare Web portal and its supporting systems. CMS is the unit of the Department of Health and Human Services responsible for overseeing HealthCare.gov.
"The majority of these incidents involved such things as electronic probing of CMS systems by potential attackers, which did not lead to compromise of any systems, or the physical or electronic mailing of sensitive information to an incorrect recipient," the report notes.
Only one incident, the GAO reports, "involved a confirmed instance of an attacker gaining access to a HealthCare.gov-related server. In that incident, the attacker installed malware on a test server that held no PII." (See: HealthCare.gov Hack: How Serious?).
Reacting to the report, eight GOP Senate and House committee chairmen sent a letter on March 23 to HHS Secretary Sylvia Mathews Burwell and CMS Acting Administrator Andy Slavitt seeking more details about each of the 316 HealthCare.gov security incidents reported by CMS.
Dan Berger, CEO of security consulting firm Redspin, says it's not surprising that there have been multiple attempts to break into HealthCare.gov "given this is a website with a large 'bullseye' painted on it. In addition to the amount of [personal information] it stores and processes, many hackers are motivated by the infamy that would result from hacking HealthCare.gov."
This is not the first time that a government watchdog agency has spotlighted HealthCare.gov security weaknesses. Previous reports by the GAO and HHS Office of Inspector General in 2014 and 2015 have also noted a variety of security shortcomings.
HealthCare.gov Security Shortcomings
In its latest report, the GAO says CMS has taken steps to protect the security and privacy of data processed and maintained by the systems and connections supporting Healthcare.gov, including the Federal Data Services Hub, which is a portal for exchanging information between the federal marketplace and other federal agencies.
But the GAO says it identified weaknesses in technical controls protecting the data flowing through the data hub. These included:
- Insufficiently restricted administrator privileges for data hub systems;
- Inconsistent application of security patches; and
- Insecure configuration of an administrative network.
The GAO also says it identified additional weaknesses in technical controls "that could place sensitive information at risk of unauthorized disclosure, modification or loss."
GAO Recommendations
To address the various shortcomings, the GAO recommends that CMS:
- Define procedures for overseeing state-based Obamacare insurance marketplaces, including day-to-day activities of the relevant offices and staff;
- Require continuous monitoring of the privacy and security controls of state-based marketplaces and the environments in which those systems operate to more quickly identify and remediate vulnerabilities;
- Develop and document procedures for reviewing the State Based Marketplace Annual Reporting Tool, or SMART, including specific follow-up timelines and identifying corrective actions to be performed if deficiencies are identified. SMART is intended to collect information to be used as the basis for evaluating a state-based Obamacare marketplace's compliance with regulations and CMS standards.
In a separate report with limited distribution, the GAO says it recommended 27 actions to mitigate the various identified security and privacy weaknesses.
Also, the GAO notes that it separately "identified significant weaknesses in the controls at three selected state-based marketplaces" that were reported to the three states in September 2015. These included insufficient encryption and inadequately configured firewalls, among others. The GAO says the three states "generally agreed [to the agency's recommendations] and have plans in place to address the weaknesses."
HHS concurred with all of the GAO's recommendations, the report notes. "Further, it also provided information regarding specific actions the agency has taken or plans on taking to address these recommendations," the GAO states. "We also received technical comments from HHS, which have been incorporated into the final report as appropriate."
Common Problems
The HealthCare.gov security weaknesses the GAO identified are common problems faced by many private sector organizations, says Mac McMillan, CEO of security consulting firm CynergisTek. And if not addressed, these flaws can put data at risk, he contends.
"These are absolutely consistent with the challenges that other healthcare entities are dealing with, and more importantly creating a high percentage of our risk today," he says. "Studies by several organizations showed that many of the attacks last year took advantage of missing patches, for instance, for vulnerabilities that were well known."
McMillan says the 316 security incidents, which included attempted hacker attacks, highlight the urgency for the assorted weaknesses to be addressed.
"Given that this number represents the incidents that CMS reported officially, likely not the total number of events they experienced, it is significant and demonstrates a concerted interest in these sites by potential cybercriminals," he says. "Most concerning to me is the lack of active oversight and the periodicity of testing. In this environment, testing is a must to identify the very kinds of problems that they discovered - lack of patching, configuration errors - to resolve them before they can be exploited."
Lack of Oversight?
Jay Trinckes, senior practice lead at the security consulting firm Coalfire, says that of the weaknesses identified, the most concerning is the lack of oversight CMS has for the state-based insurance marketplaces. "In the report, GAO indicated that three of these marketplaces were identified with 'significant weaknesses that placed the data they contained at risk of compromise.' As more health information is digitized, it is more important than ever that these systems are maintained in a secure manner," he says.
It is important that Healthcare.gov "stays vigilant in its monitoring efforts and ensure they maintain a multitude of layers of defenses. Ensuring that they are capable of responding to security incidences immediately and mitigate identified issues will go a long way in keeping the site secure," he adds.
HHS did not immediately respond to Information Security Media Group's request for comment.