Conducting Secure Transactions On-the-go with VPNs

Wednesday, March 20, 2013

Patrick Oliver Graf


The safeguarding of private customer information has become a top priority for many organizations, thanks in no small part to government regulation and industry oversight, as we move toward an increasingly digital world. The Payment Card Industry Data Security Standard (PCI DSS) for credit and debit card processing and the Health Insurance Portability and Accountability Act (HIPAA) in the healthcare sector are two prominent examples.

Another longstanding privacy compliance standard was set in the banking and finance industry with the passage of the Gramm-Leach-Bliley Financial Services Modernization Act of 1999 (GLBA), which applies to all companies under the purview of the Office of the Comptroller of the Currency (OCC). This act mandates that financial services companies protect the security and confidentiality of customers’ private data from “predictable external and internal threats.”

Under GLBA, these threats include insider fraud committed by employees, as well as network intrusions perpetrated by cyber criminals, to name a few. The types of data that the legislation requires companies to safeguard include names, physical and email addresses, phone numbers, Social Security numbers, bank account and credit card information, and a range of other financial data. Simply put, there is a lot of information collected by these organizations that requires protecting, and a well-matured VPN has proven to be the best solution for doing so.

VPNs vs. Security Challenges of Online Transactions

The core challenge with regards to online financial transactions today is that individuals are using an ever-widening range of devices—from laptops to smartphones to tablet computers, made by different manufacturers running on different versions of Android, iOS, Windows Mobile and other platforms—to access their accounts.

People often conduct these transactions while connected to unsecured Wi-Fi networks in airports, coffee shops, restaurants, etc. Even with a basic out-of-the-box VPN solution, users may be opening themselves and their corporate networks to severe security vulnerabilities.

VPNs that include dynamic firewalls, which automatically adapt the configuration settings to the security level of the current connection, are the safest way to conduct transactions on-the-go, while ensuring both high usability and the security of customers’ private information. Both parties can benefit. The financial institution can be sure that no one intercepts sensitive data and the customer knows he or she is safe and secure when conducting online banking or shopping transactions.

In recent months, news has surfaced of major U.S. banks and financial institutions being targeted by Distributed Denial of Service (DDoS) attacks. Such attacks obstruct access to a company’s public servers through a massive onslaught of concurrent requests.

In order to maintain secure communications with customers and business partners, the FBI has recommended the use of robust VPNs that are immune to such threats. With DDoS cyber assaults on the rise, comprehensive VPN solutions offer protection against yet another tool in the hacker arsenal.

The Cost of Non-Compliance

Non-compliance with GLBA and other recognized standards and practices opens up organizations to significant financial losses, public relations crises, and sanctions from government and other regulatory bodies. Last year, the Ponemon Institute estimated that a U.S. company has to spend roughly $194 to recover a single stolen dataset, and when thousands or even millions of them are compromised in one attack, those numbers start to add up quickly. What’s more, the organization is then held responsible in part for the subsequent damage done to the customers, not to mention the herculean task of repairing those fractured relationships.

GLBA means that financial institutions have to define working processes and implement techniques to rule out abuse of private customer data. This includes the use of access controls and authentication, as well as data encryption and periodic audits. Firewalls, intrusion prevention systems and antivirus solutions are of no use at all if an attacker compromises the connection between the end device and the bank server and thereby reaches the customer's account. In all of the scenarios we have discussed, a well-matured VPN solution protects the interests of everyone involved from both internal and external threats.
