Originally published on CUInsight.com
The previous part of our Privacy discussion covered your devices and regular activities on them. Cookies, ads, and what’s changing in this realm. Plus, we looked at how norms are shifting to more data sharing.
With the overnight explosion in work-from-home, many of those practices became commonplace. Services like Zoom got themselves caught on the wrong side of the privacy conversation. And then made the right efforts to get better.
Some of the places your data goes have your best interests in mind. Others…less so. This post will cover some of those technologies for credit unions, while also exposing some risks you may not know about.
Of course, we’ll discuss options to protect your data and self (sadly, some of this is used to control and instill fear in others).
Let’s start with the network you’re using.
When on public wifi networks, consider everything visible. Your banking connection might be encrypted, but some data can still be seen if someone is “watching” network activity.
Surprise, there’s a solution for it! A technology called VPN (Virtual Private Network) encrypts your traffic and “tunnels” it through trusted servers. Now no one can see anything you do online.
Since all your traffic goes through their systems, it’s good to trust the provider. I use Windscribe, a company out of Canada that is well-reviewed by those in the know. Plus, their marketing is stellar.
You can use a VPN on any connected device, so desktop or mobile activities can be private.
Ironically, LTE (and 5G for some) traffic is among the most secure in our country. If you don’t trust the wifi (Name: “FreeWifiConnectNow”), don’t have a VPN, and need to do some banking, just use LTE.
Other Privacy Challenges
The original draft of this post then went into depth on a really scary kind of location tracker: the license plate scanner. It’s really a discussion upon itself. When I have time, I’ll give it the treatment it deserves.
The rest of this post shares challenges as well as opportunities for your credit union, then further expose privacy risks we can mitigate.
Between Open Banking and the general expectation of users, you’re under higher obligation to share data than ever before. And that doesn’t include what your members share on their own!
How are we ever going to keep this stuff locked-down?
To answer the question: Most of the time, you guys do a great job with security! It’s everyone else causing issues. Can I get an, “I know, right?”
So there’s a few forms of data sharing. The first is really blatant. It’s when you provide your card number to a merchant to buy something. If it’s in person, I hope you’re using the chip (EMV) or contactless (NFC, like Apple Pay or the card itself). Why? Go here. Read it.
Security in that form is tough, because you’re depending on the merchant. And that’s where most “breaches” occur, costing your institution time and money (though consumers seem to consider it normal now).
It’s not normal. It doesn’t have to be a regular occurrence. Now that the tech is available, the challenge is in member education.
Chances are, you have at least one connection to some financial service using an API (Application Programming Interface). These are secured links between systems that don’t require sharing passwords.
The handshakes that happen are in the background. It’s like “Log in to this site with Facebook”. You don’t give them your Facebook credentials; you just say “sure, share my data.” (Those have their own privacy implications…)
Your members are used to this type of system. If you present your own solution, they’ll use it (assuming it promises and delivers on a value proposition).
Trusted partners will have strict controls on what they can do with the data you send to them. I’m sure that was decided during the agreement stage.
Having a standardized process for this is at the core of Open Banking. Yes, it will let members connect banking data to other, perhaps cooler, platforms. Yet they’re still with you. And your institution can market this easy integration.
Privacy & Functionality
Data is the new currency. Companies want it. And with the technologies of today (and tomorrow), they can gather more of it than ever before.
Your goal is to help maintain your members’ privacy and security, while also engaging them through interesting personalized experiences.
Risks From Outside
Sometimes, ok, most of the time, the privacy risks to your credit union and members come from outside. There’s not much you can do about them besides being aware, having good security policies, and educating members.
But there is one thing every hacker wants…access to your device. What are the two best tools to prevent this?
- Biometric authentication (TouchID or FaceID)
- Long passcode only you know
Yeah, that means not sharing access. It also means never sharing passwords (I’m referring to those streaming services logins you absolutely never give to family and friends).
Whether directly or remotely, hackers long to access your information (be it financial, personal, or business). Locking down your phone and computer is your best first line of defense.
Sometimes the “hacker” isn’t a hacker, but someone close to a member. They may install software called “stalkerware” that tracks usage and activities, just as much as any other hack. Go here to get tips for detecting and removing these programs.
This is a concern for people escaping abusive relationships. It also can be a disgruntled (possibly) former employee attacking your computers.
Do they have deep access to your systems? Can they plug devices into your computers and add/remove data? Think of every spy movie character plugging the thing into the network to download all those blinking folders.
You don’t want that. Lock down your systems so this kind of data extrication cannot occur. (but don’t get too aggressive, or employees will resort to less secure means of moving files).
Here’s a company which might make you a bit more eager to lock down your social media accounts. Surprise, surprise, they got hacked.
Clearview AI Facial Image Hack
Here’s a scary and timely hack (based on when I wrote this piece) I hope never happens again. Though, given the information is already out, does it even matter? Yes, yes it does.
A company called Clearview AI was just minding their own business, providing quality services to other companies…sorry, none of that is true. Here’s what they were doing:
Stealing all photos of your face visible online. Then keeping them in their own systems permanently. Even when you deleted your copies on Facebook, Twitter, LinkedIn, or elsewhere, they had you saved.
Already, that’s…not great. It gets worse. They sell this image data (with associated AI recognition capabilities) to law enforcement, governments, and, oh, yeah, banks.
Presumably, it’s used to match your identity to photos of unknown people. For what reasons? To find wanted people, sure. To discover those who aren’t paying the loans? Your guess is as good as mine.
The hack? Their entire client list was stolen. So while there’s no way to remove your photos from their system, someone else has access to who they’ve sold them to.
What You Can Do
In this case, your strategy is just empowering members with clear and concise information. Then share pieces of a regularly-updated guide on maximizing safety and security online and in the real world.
Include mention of privacy settings on social media, the potential risks of friending people you don’t know, and the typical “your credit union will never ask for any personal information”.
Keep Dark Web In Mind
For your own institution’s protection, realize some of your member data might be on the Dark Web. Brainstorm the most effective and unobtrusive ways to verify member activity and identity.
PS – Make sure security questions never include maiden names, pets, street/city where you were born, or first car. Embrace 2FA and answers to questions that are less likely to be found in public record searches. Say, favorite movie or breakfast. Again, be creative! (Yes, these are vulnerable to social engineering, but it’s a start.)
Privacy Talks Continue
These two posts may have felt like a lot. And you’d be right. But it’s still just the beginning. I could talk about nothing else on here and stay busy. I won’t, because there’s more to cover.
Just keep these ideas in mind and ensure they are built into your mission, so it’s always considered.
You have your member’s trust. Use it wisely and share your own wisdom to help them live safer, more productively, and happier.
Be sure to Subscribe to the Credit Union Geek to get more posts like this delivered straight to your inbox.