[BreachExchange] The eyes have it: How to prevent visual hacking in financial institutions

Audrey McNeil audrey at riskbasedsecurity.com
Thu May 25 19:07:44 EDT 2017


High-powered miniature cameras were once the stuff of spy movies. Today,
they’re popular features on devices that millions of people bring into
banks and offices every day.

Smartphone cameras now offer anywhere from 12- to 23-megapixel resolution
for detailed picture taking. Many smartphones can also record 4K-quality
video and have powerful zoom features. Meanwhile, smartwatches often either
include a camera in the device itself or can remotely operate a smartphone

These technologies can be a joy for consumers, but they can be a nightmare
for privacy and security professionals. As banks further fortify their
cyber defenses against remote hackers, these powerful but discreet cameras
can provide a conduit for a new kind of attack: visual hacking.

Setting Sights on Sensitive Data

Visual hacking is the viewing or capturing of private, confidential or
sensitive information for unauthorized use. It can take place in a bank
lobby, back office, headquarters or any public place where an employee
might view sensitive information.

A visual hack could involve someone posing as a customer and taking a
picture of account information displayed on a computer screen. Or it could
be an overnight cleaning person recording video of documents left on a
printer tray. In reality, it can be any individual seeing and remembering
sensitive customer information or network login details left in open view
on a screen, on a desk or in a printer or fax tray. If it can be seen, it
can be stolen.

The 2016 Global Visual Hacking Experiment [1] found that visual hacking is
a woefully under-addressed global threat. The combined 2015 and 2016
studies included 157 trials in 46 participating companies across China,
France, Germany, India, Japan, South Korea, the United Kingdom and the
United States. In each trial, a white hat visual hacker assumed the role of
a temporary office worker and was assigned a security badge worn in plain
sight. The white hat hacker then entered each facility and performed three
overt tasks: view and log sensitive information visible on a computer
screen, desk or printer; grab a stack of business documents labeled as
“confidential” off a desk and put them in a briefcase; and take a picture
of sensitive information displayed on a computer screen with their

On average, the visual hacker was successful in accessing sensitive
corporate information in 91 percent of global trials with 52 percent of the
visual hacks occurring via an unprotected employee computer screen.
Globally, 27 percent of data breaches involved sensitive information, such
as login credentials, attorney-client privileged documents, and financial
information, and happened in less than 15 minutes in nearly half of all

The ease with which a visual hack can be carried out should be alarming to
financial institutions, especially given the consolidation of confidential
customer information that is currently taking place.

A New Era of Data Access

Financial institutions are constantly discovering new ways to use and
access data within the enterprise to protect both customers and the
company, to better serve customers and discover new sources of revenue. In
this new era, bankers have greater access to customer data than ever
before. Growing pressure from regulators regarding anti-money laundering
(AML) is driving financial companies to remove traditional “product”
specific data silos – creating a single pool of data that provides a more
holistic view of each customer. This practice, often originating in support
of “Know Your Customer (KYC)” requirements, creates data-rich environments
used to monitor the overall activity of individual customers and track for
unusual changes in their banking activities that could link to money
laundering or fraud. However, as this data lake widens, critical privacy
issues arise.

The banking employees trained to monitor customer behavior now have access
to these data-rich environments that hold sensitive customer data. This
makes administrative oversight problematic and visual privacy becomes
increasingly difficult to control. Financial organizations must be aware of
each employee’s access level to sensitive customer data and take proper
steps to secure it.

Employee access to big data now requires that a third security pillar be
added beyond digital and physical security. Administrative measures address
security in new ways through human behavior and workspace considerations.

Administrative Security

Administrative security begins with understanding the risks inherent in the
new data-rich environments. Identify areas and opportunities where company
workers or other individuals can see sensitive customer information that
they shouldn’t. These could include workstations, ATMs and mobile devices
used to access sensitive information in the office or in public places.

From there, implement a visual privacy policy that outlines the procedures
and best practices for employees.

Key procedural changes could include only printing sensitive information in
"locked print" mode, keeping sensitive information out of plain view, and
logging out of computers when stepping away from workstations.

Employee behaviors can be difficult to change. That’s why it’s important
that training refreshers be provided at least once per year. Audits can
also help test employee compliance, while rewards and recognition can help
ensure that policies and training are well-received.

Privacy filters are also important. They obstruct the angled view of
onlookers or “shoulder surfers,” and should be considered for use on
workstation and teller screens that are exposed to windows or customers.
They should also be used on laptops or mobile devices that can access
sensitive data outside the organization’s walls.

Finally, privacy and security should be ongoing, collaborative efforts. The
privacy, corporate security, information security and risk management teams
should make a concerted effort to cooperate. Privacy and security threats
will only continue to evolve – it’s important that everyone responsible for
stopping them work together as a cohesive unit and toward the same goals.