Could Visual Hacking Cripple a Bank’s Data Security?

With the large amount of money that financial institutions pour into cyber security every year, it is unnerving to realize that the simple click of a smartphone’s digital shutter could easily steal sensitive information. Every carefully implemented security measure can be foiled with the click of a button. A recent article in American Banker explored this concept.

The industry considers this type of cyber security risk as visual hacking, and it refers to stealing sensitive or privileged information simply by the use of sight. While low-tech, it is effective: a small, powerful smartphone camera can capture sensitive information in a picture. In doing so, it leaves no trail of the theft and becomes very difficult to impossible for security experts to detect.

Thieves have used visual hacks to steal bank information for a long time. The most prevalent example involves ATM locations where thieves have recorded the actions of ATM users as they enter PIN numbers into the ATM machine. But what if thieves applied similar practices by snapping pictures or recording bank employees?

Imagine that a supposed customer walks into a bank, pretending to need certain bank services. The bank employee assists the customer, but when the employee turns her back or leaves her office for just a moment, the “customer” snaps a picture of the employee’s computer screen with a smartphone. The visual hacking risk could grow exponentially worse if the thief plays the role of a temporary bank employee or a contractor with access to the bank’s computer systems and networks.

What Can Banks Do to Reduce These Kinds of Risks?

Banks may follow a number of simple protocols to help reduce their exposure to the risks of visual hacking. Adopting simple practices can go a long way toward reducing risk and protecting sensitive information. Consider the following protective measures:

• Positioning employee computers in orientations that limit a customer’s ability to view the screen.
• Installing privacy filters on any computer monitor that runs the risk of being easily viewed by customers or other unauthorized viewers.
• Implementing bank policy that automatically locks a computer station after short periods of non use or that requires employees to log out whenever they leave their desk or they are not actively using their computer.
• Limiting the intake of sensitive customer information to the smallest amount needed.
• Educating bank employees about the potential points of exposure where visual hackers could steal information.
• Adopting a “clean desk” policy, meaning documents and computers should be open and exposed only during their active use by an employee; when these documents and computers are not in use, they should be cleaned and stored in a protected manner.
• Implementing bank policy to limit the printing of documents that contain sensitive information and adhering to safeguard policies for any printed documents.
• Conducting periodic checks of employees and their workstations to confirm adherence to the bank’s visual hacking prevention policies.