Banking, FDIC and Instant Messaging
US banks, which are overseen by the Federal Deposit Insurance Corporation (FDIC),
from time to time receive guidance in the form of "Financial Institution Letters".
In 2004 they received FIL-84-2004, "Guidance on Instant Messaging".
It is unclear why banks would need special guidance on this topic more
than other business entities, but they did receive it. Here is the summary
from the document:
"This guidance identifies risks associated with public Internet instant
messaging (IM) and how they can be mitigated through an effective management
program. Public IM may be used by employees both officially and unofficially
in work environments. The use of public IM may expose financial institutions
to security, privacy, and legal liability risks because of the ability
to download copyrighted files. Technology vendors have released IM products
for corporate use that authenticate, encrypt, audit, log and monitor IM
communication. These new corporate enterprise products help financial institutions
use IM technology in a more secure environment and assist in compliance
with applicable laws and regulations."
The very first footnote states that this guidance does not apply to private
instant messaging networks. As such, the guidance is fairly straightforward
and common sense. But it is not without contradiction. The guidance says that
firewalls should be configured to prohibit inbound and outbound IM. At the
same time, in its technical notes, it accepts that firewalls can easily be
bypassed. (An example it does not include relates to Lotus Notes shops:
Trillian can be configured to reach AOL Instant Messenger over port 1352,
which is normally opened for Lotus Notes clients, so a port-based rule that
blocks only the default IM ports does nothing to stop it.)
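The point above is that a firewall which filters only on destination port cannot tell Notes traffic on 1352 from an IM client that has been pointed at 1352. The following is an added example, not code from the FDIC guidance or the original post, showing the check a practitioner would want instead: look at the first bytes the client sends. An AOL Instant Messenger client opens with an OSCAR FLAP "signon" frame (0x2A, a channel byte, a 16-bit sequence number, a 16-bit data length, then the 4-byte FLAP version 0x00000001); that framing comes from public OSCAR documentation, not from the page. The flow records, host names and the stand-in "Notes" payload are constructed for the example and are not real NRPC bytes.

```python
"""
Added example (not from the FDIC guidance or the original post): spot AOL
Instant Messenger (OSCAR) traffic tunnelled through TCP port 1352, the Lotus
Notes port that a firewall has been told to allow.

Assumptions, labelled here and in the comments:
  * The firewall only filters by destination port, so anything on 1352 passes.
  * The first bytes an AIM client sends are an OSCAR FLAP "signon" frame:
    0x2A, channel (1 byte), sequence (2 bytes), data length (2 bytes), then
    the 4-byte FLAP version 0x00000001 (public OSCAR framing, not from the page).
  * Flow records and payloads below are constructed for the example; the
    "Notes" payload is a stand-in, not real NRPC bytes.
"""
import struct
from dataclasses import dataclass

NOTES_PORT = 1352                # Lotus Notes NRPC, commonly allowed through the firewall
FLAP_START = 0x2A                # every OSCAR FLAP frame begins with '*'
FLAP_CHANNELS = {1, 2, 3, 4, 5}  # signon, SNAC data, error, close, keepalive
FLAP_VERSION_1 = b'\x00\x00\x00\x01'


@dataclass
class Flow:
    src: str
    dst: str
    dport: int
    first_payload: bytes   # first client->server bytes after the TCP handshake


def flap_frame(channel: int, seq: int, data: bytes) -> bytes:
    """Build a FLAP frame; used only to construct sample traffic."""
    return bytes([FLAP_START]) + struct.pack('>BHH', channel, seq, len(data)) + data


def parse_flap(payload: bytes):
    """Parse one FLAP frame. Returns (channel, seq, data) or None if the
    bytes do not form a complete, well-formed frame."""
    if len(payload) < 6 or payload[0] != FLAP_START:
        return None
    channel, seq, length = struct.unpack('>BHH', payload[1:6])
    if channel not in FLAP_CHANNELS:
        return None
    data = payload[6:6 + length]
    if len(data) != length:       # truncated frame: do not trust it
        return None
    return channel, seq, data


def looks_like_oscar_signon(payload: bytes) -> bool:
    """True if the payload opens with a channel-1 FLAP carrying version 1,
    which is what an AIM client sends first."""
    parsed = parse_flap(payload)
    if parsed is None:
        return False
    channel, _seq, data = parsed
    return channel == 1 and data[:4] == FLAP_VERSION_1


def classify(flow: Flow) -> str:
    """The port-based rule says 1352 is Notes; the payload may say otherwise."""
    if flow.dport != NOTES_PORT:
        return 'other'
    if looks_like_oscar_signon(flow.first_payload):
        return 'im-tunnel'
    return 'notes-or-unknown'


def find_tunnels(flows) -> list:
    """Source addresses that sent an AIM signon to the Notes port."""
    return [f.src for f in flows if classify(f) == 'im-tunnel']


# Constructed sample flows (hosts and bytes are invented for this example).
SAMPLE_FLOWS = [
    Flow('10.0.0.5', 'aim-login.example', 1352, flap_frame(1, 0x1234, FLAP_VERSION_1)),
    Flow('10.0.0.6', 'notes.example', 1352, b'\x00\x00\x00\x10NRPC-placeholder'),
    Flow('10.0.0.7', 'www.example', 80, b'GET / HTTP/1.0\r\n\r\n'),
]

if __name__ == '__main__':
    for flow in SAMPLE_FLOWS:
        print(flow.src, '->', flow.dst, flow.dport, classify(flow))
    print('IM tunnels:', find_tunnels(SAMPLE_FLOWS))
```

The check only catches a client that speaks OSCAR in the clear on the borrowed port; a client that wraps the session in TLS on 443, or a proxy that re-encodes it, needs the destination host or a TLS inspection point to be identified. That is why the guidance's own admission that firewalls are easily bypassed matters more than its port-blocking advice.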
A key risk the guidance identifies is hijacking:
"Information received by IM is not authenticated. There is no way to verify
that a message really originated from the sender with whom the recipient
believes he or she is communicating during the session. Chat sessions can
be hijacked and users can be impersonated."
Unfortunately, they couch this in information and data integrity jargon
(non-repudiation, identification, and so on). The guidance also falls short
in that the same problem applies to customers who use freeware e-mail clients
or other channels that cannot establish identity or provide for non-repudiation.
In the reverse direction, customers are falling victim to phishers disguised
as real banks or other financial institutions. Unfortunately, there is no easy
fix for this outside of extensive user education and awareness campaigns.