Have you ever felt like your data is at risk?
Well, it is, unless you take precautionary steps to prevent it.
The Case:
In November of 2021, Bank of America was hacked by the LockBit ransomware group, and the sensitive data of thousands of accounts was compromised [1]. Although the methods the hackers used are unknown, what is known is that they infiltrated Infosys McCamish's system, and 57,028 accounts were affected [3]. The breach occurred on November 3rd, and Infosys McCamish notified Bank of America of the breach on November 24th, several weeks later.
The worst part of the situation is that the customers were not notified that their data had been leaked until several weeks after it occurred. In fact, they were not notified until February 2nd, which is 90 days after the data breach [3]. Most states (including Maine) require companies to notify customers within 30 days of discovering a breach unless a hold is placed on the case for legal investigatory reasons, so legal implications are still in play.
The Harms Caused:
The information exposed in the data breach included names, addresses, dates of birth, social security numbers, and business email addresses, among other forms of personal information [2]. Having this kind of information released into the open puts people at risk of identity theft and other serious harm.
However, Bank of America did propose a solution for those affected. In response, they offered a free two-year membership to Experian IdentityWorks, an identity theft protection program. This service includes, among other things, daily credit report monitoring from Experian, Equifax, and TransUnion, identity theft resolution, and internet surveillance [2]. To accept the offer, all affected customers had to do was enroll online. The bank now has an award-winning cybersecurity team [1], as well as 24/7 security monitoring, among other protection services.
How to Deal With Them:
While there are several different routes to protecting your personal information, some of the best include two-factor authentication, VPNs, and penetration testing. But what do all these things mean, and how can they help?
Two-Factor Authentication
Two-factor authentication, or 2FA, is a security system that requires two forms of authentication before allowing access to whatever data is being protected [6]. For example, requiring a password or PIN (personal identification number) as well as a code sent to the user's smartphone can be sufficient; even a fingerprint works in some cases. This latter example is a form of verification known as biometric authentication, which uses the user's face, fingerprint, or retina to verify their identity [6].
There are several kinds of authentication factors, and each one should be used if you want your system to be as protected as possible. These kinds are the knowledge factor, possession factor, biometric factor, location factor, and time factor. A knowledge factor is something only the user would know, like a password or PIN. A possession factor is something the user has, like an ID card or cellphone. A biometric factor is something that is part of the user's physical identity, like their face or fingerprint. A location factor is typically where the authentication request is being made from; access can be limited to certain parts of the world in some circumstances. Finally, a time factor restricts access to a specific time window during the day, which can be useful in some cases [7].
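As an added example (not code from the original article or any of its sources), here is a Python authentication check that combines four of the factors described above: a salted password hash for the knowledge factor, an RFC 6238 time-based one-time code for the possession factor (the kind of code a smartphone app generates), an allowed-country list for the location factor, and a login window for the time factor. The user record, salt, password, and country values are constructed for illustration; the TOTP secret is the RFC 6238 test-vector secret.

```python
import hashlib
import hmac
import struct
import time
from dataclasses import dataclass

RFC_SECRET = b"12345678901234567890"  # RFC 6238 test-vector secret, not a real credential

def totp(secret: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second counter, dynamically truncated."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

@dataclass
class UserRecord:
    pw_salt: bytes
    pw_hash: bytes              # knowledge factor
    totp_secret: bytes          # possession factor: secret held by the user's phone
    allowed_countries: set      # location factor
    login_hours: tuple          # time factor: (start_hour, end_hour) in UTC

def make_user(password, totp_secret, countries, hours, salt=b"constructed-salt"):
    # Constructed record for the example; a real system would store this server-side.
    return UserRecord(salt, hash_password(password, salt), totp_secret, set(countries), hours)

def authenticate(user, password, code, country, now):
    """Return (granted, failed_factors). Every factor is evaluated, so a
    failure does not reveal which of the other factors were correct."""
    failed = []
    if not hmac.compare_digest(hash_password(password, user.pw_salt), user.pw_hash):
        failed.append("knowledge")
    # accept the previous, current and next 30-second step to tolerate clock drift
    valid = [totp(user.totp_secret, now + d) for d in (-30, 0, 30)]
    if not any(hmac.compare_digest(code, v) for v in valid):
        failed.append("possession")
    if country not in user.allowed_countries:
        failed.append("location")
    start, end = user.login_hours
    if not start <= time.gmtime(now).tm_hour < end:
        failed.append("time")
    return (not failed, failed)
```

Constant-time comparisons are used for both the password hash and the one-time code so that timing differences do not leak how close a guess was.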
VPNs
VPNs, or virtual private networks, allow you to browse in a way that is anonymous and untraceable, so your activity around sensitive information cannot be traced or tampered with. By connecting you to a remote server, a VPN encrypts your traffic and disguises your IP address [4]. Hackers can gain access to your personal data using your search history, so having it protected while you browse is worth considering.
When it comes to choosing the right VPN, there are many factors to consider. These may be divided into the following categories: price, data allowance, reputation, servers, locations, and privacy policy. Price usually comes in the form of annual or monthly subscriptions, so picking the right one for your payment plan matters. As for data allowance, some VPN companies cap your data usage at a certain point, making you unable to do things like stream movies or listen to music; to do those things, you will need a premium membership. You must also choose based on the company's reputation; since they have access to your data, you want the security of knowing they will not misuse it. In that same respect, always check the privacy policy you are signing up for; you don't want your data sold or worse. Having good servers is also a necessity; without them, the connection will be slow, so choose a provider with a solid technical reputation. And finally, choose a VPN with servers across the globe; location matters [8].
Penetration Testing
"Penetration testing" is another way to protect your system, and it is something that Bank of America should maybe look into. It is when a cybersecurity expert (a.k.a. an "ethical hacker") tests your system's security by quite literally hacking into it and searching for weaknesses that real hackers could and would use to gain access to your information [5]. They use methods such as phishing, or even direct attacks on the system, to identify any gaps in the system's security that they can. Naturally, after all the tests have concluded, they report back to the company what improvements could be made to its defenses.
The best analogy I heard to describe the definition of penetration testing would be a "bank hiring a burglar to rob them" [9].
By testing the system's security with simulated attacks, the system will be better prepared if a real hacker comes along to test its capabilities. As for how the tests are conducted, there are many different forms of pen tests (penetration tests). The first is an open-box pen test. This is when the hacker is provided some basic information about the company's security system beforehand, giving them an advantage. The second is a closed-box pen test, also known as a "single-blind" pen test. This is when the hacker is given nothing but the name of the company. The third is a covert pen test, also known as a "double-blind" pen test. This is where almost no one in the company knows the pen test is occurring, including the security personnel who will be responding to the attack. This is a difficult pen test. The fourth, an external pen test, is when the focus is placed on the publicly available systems, or the company's external-facing technology. In certain situations, the hacker cannot even enter the premises and must work from an undisclosed location nearby. The fifth and final type is the internal pen test, which is similar to an external pen test, except that the hacker is testing the company's internal network, usually from within the building; this is useful for determining what damage an "insider," such as a disgruntled employee, could cause [5].
REFERENCES
[1] https://www.twingate.com/blog/tips/Bank%20of%20America-data-breach (Two-Factor Authentication, ORIGINAL)
[2] https://www.forbes.com/advisor/personal-finance/data-breach-affects-bank-of-america-customers/ (Solution Article)
[3] https://www.americanbanker.com/news/data-breach-affects-57-000-bank-of-america-accounts (Harms Caused, Extra 1)
[4] https://surveillanceguides.com/avoiding-internet-surveillance-the-complete-guide/ (VPN)
[5] https://www.uptech.team/blog/mobile-app-security (Penetration Testing)
[6] https://www.investopedia.com/terms/t/twofactor-authentication-2fa.asp (Two-Factor Authentication, 1st)
[7] https://www.techtarget.com/searchsecurity/definition/two-factor-authentication (Two-Factor Authentication, 2nd)
[8] https://usa.kaspersky.com/resource-center/definitions/what-is-a-vpn?srsltid=AfmBOoo7Sflipde6FG93Z7Tq4NrGdEu_Vr8KXOQEM3egRkYNpo1Rl-H6 (Choosing a VPN)
[9] https://www.cloudflare.com/learning/security/glossary/what-is-penetration-testing/#:~:text=Penetration%20testing%20 (pen test types)