Spate of blunders raises e-security fears

Are major firms doing enough to guard customers' information?

A number of data security problems made headlines last week, raising the question of whether major companies are doing enough to protect online customers.

Faith in the safety of online banking suffered a blow as new research found keylogging devices could easily crack the login technology used by HSBC and another major high street bank.

Cardiff University researchers discovered the flaw, which could allow hackers to break into accounts within nine attempts. Unlike some other banks, HSBC asks for a numeric-only passcode and does not always change the order of digits it requests, making it easier for hackers to obtain the code.

"They have an anti-keylogging system that doesn't work – they might as well not have it," said Cambridge University net security expert Richard Clayton. "The only reason it's a theoretical [flaw] is that they're fortunate no bad guys have got at it yet."

HSBC said in a statement that attacks of this kind are unlikely as they require "a particular and time-consuming focus on one individual", although it invited feedback from experts on its online banking service.

Meanwhile, the results of a British Computer Society survey released last week showed around a third of consumers had concerns about the security of online banking. But CA security consultant Steven Cox argued that consumers should take responsibility for securing their PCs so no keyloggers could be installed in the first place.

In other high-profile security news last week, the US Department of Veterans Affairs announced that another computer had gone missing, this time from a subcontractor's offices, just a day after two men were charged with stealing a laptop containing sensitive data from a department employee.

The desktop computer reportedly contained information on up to 38,000 veterans, including names, social security numbers, dates of birth and insurance details.

Meanwhile, AOL apologised after it mistakenly released search log data covering the search habits of over 600,000 customers. The information was intended for use on the firm's recently launched AOL Research site, and although the usernames had been replaced with random identification numbers, privacy activists complained that individuals could still be identified from the content of their search requests.

In another incident last week, one IT Week reader called in to say that while using the Betfair online gambling site he discovered that he was able to see confidential user details of other members of the site, including their names and how much they bet. Although he alerted the firm, it took several hours for the problem to be rectified.

To help firms strengthen protection, analyst firm Gartner last week released a list of best practices. It said companies should deploy content monitoring and filtering tools to prevent sensitive data leaving the network, whether accidentally or maliciously, and they should encrypt backup tapes and laptops in case they are lost or stolen.

Gartner also advised firms to ensure that all workstations are kept up to date with anti-spyware software and that information downloaded to portable storage media is controlled and encrypted.

"What is most appropriate for specific organisations depends on their risks – if they have a lot of mobile workers then encryption and lockable USBs is more important," said Gartner analyst Ant Allan. "It's difficult to understand firms' decisions sometimes. [Encryption] seems like the obvious thing to do; the level of awareness to prevent security breaches is less than we'd hope but not as bad as we feared."

Marc Shinbrood, chief executive of web application security vendor Breach Security, said the biggest risk to firms from security breaches is not that they will break the law or lose intellectual property, but that they will suffer bad publicity which may damage brands and undermine customers' trust.

"Compliance with the law is a necessary evil but it isn't the driving force for good security," Shinbrood said. "If you talk to [IT security chiefs] their job is to keep the company off the front page of the Wall Street Journal, or from appearing in front of a government regulatory committee, or having their customers doubting whether they should do business with them."