Banking industry giant NCR Corp. [NYSE: NCR] late last month took the unusual step of temporarily blocking third-party financial data aggregators Mint and

Halting business transactions because of cybersecurity concerns should not be considered something new.
In this case, NCR recognized a cybersecurity situation in which a set of consumers were severely impacted, and took action to temporarily block certain companies from accessing an online banking platform.
In principle, some cybersecurity standards and regulations call for similar action. For example, with the Payment Card Industry Data Security Standard (globally recognized as PCI DSS), organizations failing to meet the 12 requirements to protect payment cardholder data may be subject to cease accepting card payments issued by one of the four major credit card brands (Visa, MasterCard, American Express, or Discover).
It would not be surprising if more companies (public or private) took the same approach in the future, as a response to cybersecurity incidents against their customers.
NCR’s temporary blocking of third-party financial data aggregators Mint and QuickBooks Online from accessing Digital Insight is noteworthy for three reasons: It illustrates what can happen if passwords are reused, it underscores the tremendous risk that third parties can potentially pose to banking customers, and it demonstrates how companies such as NCR are taking steps to mitigate that risk. Password reuse is a serious cybersecurity issue, but it can be hindered through a stringent password policy, adding two-factor authentication and requiring longer and more complex passwords. The industry is moving towards a positive trend where NCR took action in relation to third-party security. That said, the third parties themselves need to learn from this incident and recognize that their security controls will have an effect on doing business with their partners. These third parties need to be able to attest to their security controls and provide needed evidence of their cyber resilience as part of doing business.
The complexity of the interconnected financial services industry is difficult for the average consumer to comprehend. This complexity provides avenues for attackers to exploit. A variety of services have grown organically from the more traditional banking system, and while security is often a top concern for each institution, the gaps between them can leave room for risk.
When you have an incident to deal with, you can only take action on the systems where you have control. It will be telling to see if this type of incident-driven access control is a recurring theme for the industry.