CoMIS 2019 Draft 1-0e (1)

Data Breaches are Headline News
A Multifaceted Approach to Security
The Worst Possible Scenario
Biometrics: The New Security Frontier?
References & Notes
“Businesses are under siege from cybercriminals bent on stealing sensitive data, and there is perhaps no greater target than banks and other financial institutions.” [2]
(Kaitlyn Kiernan, Financial Industry Regulatory Authority, February 28, 2017)

Reports of massive cybersecurity data breaches have become a seemingly regular part of the news cycle. In recent years, a variety of major companies have suffered attacks that resulted in hundreds of millions (and in one case, billions) of accounts being compromised. The breaches have spanned industries—from Internet services to hospitality, and from retail to banking.

With each new revelation of such a breach, consumers are reminded that their personal information is potentially vulnerable to theft at any number of companies and institutions. [2] When sensitive information like names, birthdates, Social Security numbers, and passwords falls into the wrong hands, it poses significant risks for individuals. Victims of identity theft face nightmarish scenarios that often stretch on for years. According to a recent Javelin Strategy & Research study, identity theft resulted in $16.8 billion in losses in 2017. [3]

For the companies involved, data breaches bring a toxic mix of problems. Plunging revenues and stock value, significant brand reputation damage, increased liability exposure, and mass customer attrition are all possible in the wake of such a breach.
Headline-grabbing account breaches since 2013 [1]:
Marriott
Equifax
eBay
Target
JP Morgan
Yahoo!
CoMIS Case Competition 2019
Yet businesses have little choice but to grapple with the risks posed by cybersecurity challenges. Digital is the way of business today. It’s how companies and consumers interact, and it’s powered by data. Customer accounts are created using personal data, and that data is used to verify an individual’s identity. This mechanism facilitates the transactions at the core of the modern customer-company relationship. Trying to avoid this kind of data exchange and still participate in the modern economy is nearly impossible—about as easy as traveling back to a time before credit cards, online shopping, and smartphones.

While consumers change their passwords, check their credit reports, and cross their fingers, cybersecurity professionals like Cynthia Bahr and her team at U.S. Bank tackle the problem at scale. For companies like U.S. Bank, that challenge is complex, rapidly evolving, and mission-critical.
Carlson School of Management
Bahr heads a team of 400 at U.S. Bank, the fifth-largest commercial bank in the United States. Her organization includes Identity and Access Management, Customer Authentication, and Fraud Risk Prevention Services (IAM, CA & FRPS). This multidisciplinary group performs a variety of functions to protect bank and customers alike.

Identity and Access Management handles key control, provisioning, and other traditional identity management functions. The Customer Authentication unit focuses on how customers prove their identity before using the bank’s systems. The third component of Bahr’s organization, Fraud Risk Prevention Services, works to protect U.S. Bank from fraudulent activities, such as account breaches and unauthorized electronic funds transfers.
“Digital identity is the unique representation of a subject engaged in an online transaction.”
(National Institute of Standards and Technology, Special Publication 800-63B: Digital Identity Guidelines, U.S. Department of Commerce, June 2017)

The Minneapolis-based bank depends on Bahr’s combined teams to protect millions of customers across different business lines. In addition to retail banking for individuals, the bank provides business, wealth management, payment, commercial and corporate, and investment services to customers across the country and around the world.
When it comes to cybersecurity, “Account takeovers are the worst possible scenario,” says Bahr. An account takeover refers to instances where someone gains enough information to break into another person’s account and take control. The Javelin study found that takeovers tripled from 2016 to 2017, driving record growth in identity fraud. [4] According to the study’s authors:

“Account takeover continues to be one of the most challenging fraud types for consumers with victims paying an average of $290 in out-of-pocket costs and spending 16 hours on average to resolve. This translates to more than 62.2 million hours of time consumers lost in 2017. That is enough time for more than three million people to binge watch the first and second season of Stranger Things.”
Account takeovers can happen in a number of ways. For example, a couple of pieces of personal information—say an account number and an email address—fall into the wrong hands. That can be enough to begin the con. The perpetrator uses those pieces of information to request a password reset, or perhaps to convince a customer service representative that they are the true account owner. If successful, the perpetrator gains access to a bank customer’s account … and everything in it.

Obviously, funds in a compromised account are easily transferred and lost. In addition, linked accounts may be breached and other personal information stolen. That can lead to a snowball effect of damage for the consumer. Their stolen identity may be used to open new credit cards or for other fraudulent activities, for example.
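The reset-then-cash-out sequence described above is something a fraud operations team can look for in account activity. The Python rule below is an added example; it is not part of the case and is not U.S. Bank’s detection logic. It flags a credential reset that is followed, within a window, by a contact-detail or payee change and then an outbound transfer, which is the chain the text describes. The event names, record fields and the sample records are constructed assumptions.

```python
"""Added example (not from the case): a minimal account-takeover (ATO)
detector run over constructed account-activity events.

Rule: a password reset, followed within `window` by at least one
preparatory change (new email/phone/payee) and then a transfer, raises
one alert for that account. Event names and fields are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real bank data). A100 shows the full chain;
# A200 has a reset but the transfer is days later and nothing was changed;
# A300 never reset at all.
EVENTS = [
    {"ts": "2019-03-01T09:00:00", "account": "A100", "event": "login", "ip": "203.0.113.5"},
    {"ts": "2019-03-01T09:02:00", "account": "A100", "event": "password_reset", "ip": "203.0.113.5"},
    {"ts": "2019-03-01T09:03:30", "account": "A100", "event": "email_changed", "ip": "203.0.113.5"},
    {"ts": "2019-03-01T09:05:00", "account": "A100", "event": "payee_added", "ip": "203.0.113.5"},
    {"ts": "2019-03-01T09:06:10", "account": "A100", "event": "transfer", "ip": "203.0.113.5", "amount": 4800.0},
    {"ts": "2019-03-01T10:00:00", "account": "A200", "event": "password_reset", "ip": "198.51.100.7"},
    {"ts": "2019-03-03T10:00:00", "account": "A200", "event": "transfer", "ip": "198.51.100.7", "amount": 50.0},
    {"ts": "2019-03-01T11:00:00", "account": "A300", "event": "login", "ip": "192.0.2.9"},
    {"ts": "2019-03-01T11:01:00", "account": "A300", "event": "transfer", "ip": "192.0.2.9", "amount": 120.0},
]

RESET = "password_reset"
PREP = {"email_changed", "phone_changed", "payee_added"}
CASHOUT = "transfer"


def parse(ev):
    """Timestamps are ISO-8601 strings in the constructed sample."""
    return datetime.fromisoformat(ev["ts"])


def find_takeover_chains(events, window=timedelta(hours=24), min_amount=0.0):
    """Return one alert dict per account whose activity matches the rule.

    A transfer with no preparatory change before it does not alert; a
    reset with nothing suspicious afterwards does not alert either.
    """
    by_account = defaultdict(list)
    for ev in events:
        by_account[ev["account"]].append(ev)

    alerts = []
    for account, evs in by_account.items():
        evs.sort(key=parse)
        for i, ev in enumerate(evs):
            if ev["event"] != RESET:
                continue
            t0 = parse(ev)
            prep_seen = []
            for later in evs[i + 1:]:
                if parse(later) - t0 > window:
                    break                      # outside the window; stop looking
                if later["event"] in PREP:
                    prep_seen.append(later["event"])
                elif (later["event"] == CASHOUT and prep_seen
                      and later.get("amount", 0.0) >= min_amount):
                    alerts.append({
                        "account": account,
                        "reset_at": ev["ts"],
                        "steps": prep_seen + [CASHOUT],
                        "amount": later["amount"],
                        "minutes": round((parse(later) - t0).total_seconds() / 60, 1),
                    })
                    break                      # one alert per reset is enough
    return alerts


if __name__ == "__main__":
    for alert in find_takeover_chains(EVENTS):
        print(alert)
```

On the constructed sample only A100 alerts (steps email_changed, payee_added, transfer, about four minutes after the reset). In practice the window, the preparatory-event set and the amount threshold are tuning knobs; the example exposes them as parameters so the same rule can be tightened to high-value transfers or widened to slower cash-outs.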
Again, the fraud has negative effects for the business as well. If a fraudster takes over a bank account, that bank likely incurs expenses related to tracking down the fraud and helping the customer recover. Moreover, the ripple effect can be damaging for the company involved.

“After all, people want peace of mind. Especially when it comes to a financial institution,” says Bahr. “That’s really important.”
To make matters even more challenging, the fraudsters keep finding ways to use people’s personal information against them. “What used to be secure just isn’t anymore,” Bahr notes. Answers to traditional security questions such as “mother’s maiden name” or “where you went to high school” are easily sleuthed and found in today’s hyperconnected world, according to the Financial Industry Regulatory Authority (FINRA). [5]

Less obvious methods are also on the rise, often unknowingly assisted by the victims themselves. Bahr points to seemingly harmless quizzes, games, and memes on services like Facebook. Pet names, home towns, birth dates, or other more obscure personal trivia can all be captured, combined with other bits and pieces, and used to break through account security. The information might end up for sale on the dark web in venues set up for nefarious purposes.

“Quizzes that ask things like, ‘what countries have you visited’ are trolling for personal info,” says Bahr. “Companies all have layers of security, but the fraudsters are getting more creative. There’s a social engineering component now.”
In order to combat account takeover attempts, security experts have developed—and continue to refine—authentication guidelines. Traditional two-factor systems, such as receiving a code via SMS, are no longer considered sufficiently secure in many instances (NIST SP 800-63B classifies one-time codes delivered over the public telephone network as a “restricted” authenticator), so authentication guidelines now focus on multi-factor approaches based on the “something you know, something you have, something you are” model. [6]
The “something you are” part of that model, which uses biometrics, is a big category of interest as cybersecurity threats morph and grow more complex. Broadly defined, biometrics refers to the use of physiological characteristics to identify and differentiate one human from another. Bahr and her team believe biometric methods and technologies could help protect U.S. Bank and its customers from attacks.

Fingerprints, facial scans, and voice recognition are all traditional types of biometrics that can be used for identity verification. For example, Walt Disney theme parks have for years used biometrics to deter ticket sharing. Visitors to the parks are likely to encounter finger scanners at various gates and attractions. According to the company’s privacy policy:
“The system, which utilizes the technology of biometrics, takes an image of your finger, converts the image into a unique numerical value and immediately discards the image. The numerical value is recalled when you use Ticket Tag with the same ticket to re-enter or visit another Park. Ticket Tag does not store fingerprints.” [7]
Another example can be seen in major airports, where the company CLEAR has made its presence known in recent years. CLEAR promises to ease airport stress through biometric identification. Fingerprint and iris scans allow travelers who use the service to move more quickly through long security lines. [8] The company also has a presence in sports stadiums and other venues, with plans to expand. As CLEAR CEO Caryn Seidman-Becker explained in an interview, “we started at the security checkpoint, because that’s where identity and security collide in the hardest way. But when you look at what Clear is, Clear is a biometric identity platform to make things safer and easier.” [9]

Indeed, the company’s website promises expansion of the service on the horizon: “We’re always thinking about new applications that can be powered by biometrics, from checking into a doctor’s office to paying at checkout with a tap of your fingers.” [10]
U.S. Bank’s Bahr offers a third example, one based on voice recognition. Bahr says her team has begun piloting a program that uses the technology to verify the identity of people calling into customer support centers. The goal of such a program is to prevent fraudsters from smooth-talking their way past customer service representatives and into user accounts.

“One of our goals,” explains Bahr, “is to take the onus off the customer. Right now, they have to produce things—an identification card, a password, a code. Can we make it easier for them? Especially if they don’t have their ID or cell phone when they need to engage with the bank.”

Biometric identification and authentication seem to offer a solution to Bahr’s question, all while presumably making it harder for identity thieves to gain access. And yet, other factors complicate the matter, including an entire category of issues around consumer acceptance.
Consumers have come to expect easy, fast, and seamless service interactions with companies across industries. Self-service options through digital applications are part of that expectation. But what happens when the demand for convenience collides with the desire for privacy? Bahr suspects at least some portion of the U.S. Bank customer population is likely to resist biometric identification, at least at first.

“There’s some speculation that reactions will vary across generations,” says JoAnn O’Rourke, senior manager of information security and a member of Bahr’s team. Despite the convenience, there’s a risk that customers won’t be comfortable using a biometric-based system. That could be a big problem, “especially if older generations, who have a lot of the country’s wealth, are skeptical or slower to adopt,” says O’Rourke.
Another potentially skeptical population might be technology-savvy customers. Although they may be comfortable using the tech, they may also be more sensitive to the data risks involved. Biometric data is still data, and as O’Rourke says, “Giving away data has risks and dangers.”

Along with that perception comes the potential “creep factor.” In other words, just how accepting are modern consumers when it comes to biometric identification? How far is too far, and when does it become creepy enough to drive customers away?

“For some, looking into an eye scanner in a bank branch might feel odd,” in Bahr’s view. “Whatever we do has to be logical, and to an extent, comfortable to our customers.” Ideally customers will want to increase the security of their accounts, and the argument for using biometrics to do that should be easy to explain and understand.
When it comes to how the bank might implement biometric identification, more issues await. In particular, customers engage with the bank in different ways. What works in one channel may be impractical or unacceptable in another.

According to Bahr, the bank is considering the way biometrics might factor into three primary customer service experiences:

- On web and mobile applications. Many modern computing devices are equipped with technology that supports biometrics, amping up interest in the topic. [11]
- Over the phone in call centers. A call center interaction is fundamentally different from a web app, and includes more of a human element.
- In person at bank branches. As Bahr noted above, what might work in an online interface could prove otherwise in person. In addition, equipment installation and training costs must be justified with a strong business case.

“Like so many of the projects we do, there are multiple components to consider,” says Bahr. “We’re open to all kinds of biometrics, but we have to consider any solution from multiple angles.”
In banking, regulatory compliance is one such angle and a reality of operating in the industry. Anything U.S. Bank implements will have to adhere to the proper guidelines and regulations. The Federal Financial Institutions Examination Council (FFIEC) provides detailed guidance on topics related to information security, customer authentication, and electronic payment systems. [12]

“Europe is taking a slightly different approach on this,” notes Bahr, citing the European Union General Data Protection Regulation (GDPR) that went into effect in May 2018. [13] In general, the GDPR takes an aggressive stance to protect the personal data of individuals in the EU. The measure includes provisions related to consent, breach notification, right to access, right to be forgotten, data portability, and the concept of “privacy by design.” [14] Of particular relevance here, biometric data processed to uniquely identify a person is a “special category” of personal data under the GDPR, which may be processed only under narrow conditions such as the individual’s explicit consent. Such concepts are likely to shape the future of cybersecurity along with data privacy.

“With facial recognition and finger scans, biometrics are gaining ground,” says Bahr. “Any strategy or plans we adopt will have to look at the issue holistically in order to strike the right balance between efficacy and acceptance.”
Here Bahr returns to the question of data security. “We don’t want the responsibility of storing more data, like camera images,” she explains. “A solution that uses customers’ personal phones can get around an issue like that. But then again, not all of our customers have smartphones.”
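Bahr’s remark about using customers’ own phones points to a design in which the bank never receives biometric data at all. The Python simulation below is an added illustration, not from the case and not U.S. Bank’s design, of one common shape of that design: the biometric match happens only on the device, where it unlocks a device-held credential that answers a fresh challenge from the server; the bank stores a per-device key and no image, template or biometric value. For simplicity the device credential is an HMAC shared secret from the standard library; a real deployment would keep an asymmetric key in the phone’s secure hardware, as in FIDO/WebAuthn, so the server would hold only a public key. Class names, message fields and the sample template string are assumptions.

```python
"""Added example (not from the case, not U.S. Bank's design): on-device
biometrics gating a device-bound credential, so the bank holds no
biometric data. HMAC stands in for the asymmetric key a real phone would
keep in secure hardware; everything else is an illustrative assumption."""
import hashlib
import hmac
import os
import secrets
import time


class Phone:
    """Device side. The template never leaves this object. `template` stands
    in for whatever the OS biometric subsystem stores; here it is a
    constructed string, and matching is exact rather than fuzzy."""

    def __init__(self, template):
        self._template = template.encode()   # stays on the device
        self._credential = None              # set at enrollment

    def _biometric_ok(self, presented):
        return hmac.compare_digest(self._template, presented.encode())

    def enroll(self):
        """Create the device credential. Only this value is shared with the
        bank; the biometric template is not."""
        self._credential = secrets.token_bytes(32)
        return self._credential

    def sign_challenge(self, challenge, presented_biometric):
        """Answer a challenge only if the local biometric check passes."""
        if self._credential is None or not self._biometric_ok(presented_biometric):
            return None
        return hmac.new(self._credential, challenge, hashlib.sha256).digest()


class BankServer:
    """Bank side. Note what is absent: no image, template or match score."""

    def __init__(self):
        self._credentials = {}   # customer_id -> device credential
        self._pending = {}       # customer_id -> (challenge, expiry)

    def register_device(self, customer_id, credential):
        self._credentials[customer_id] = credential

    def issue_challenge(self, customer_id, ttl=60):
        challenge = os.urandom(32)
        self._pending[customer_id] = (challenge, time.time() + ttl)
        return challenge

    def verify(self, customer_id, response):
        item = self._pending.pop(customer_id, None)   # single use, replay-safe
        credential = self._credentials.get(customer_id)
        if item is None or response is None or credential is None:
            return False
        challenge, expiry = item
        if time.time() > expiry:
            return False
        expected = hmac.new(credential, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def demo():
    """Enroll one phone, then run a genuine login, a wrong-face attempt and a
    replay of a captured response. Returns (genuine, wrong_face, replay)."""
    phone = Phone("constructed-face-template-of-alice")
    bank = BankServer()
    bank.register_device("alice", phone.enroll())

    c = bank.issue_challenge("alice")
    genuine = bank.verify("alice", phone.sign_challenge(c, "constructed-face-template-of-alice"))

    c = bank.issue_challenge("alice")
    wrong_face = bank.verify("alice", phone.sign_challenge(c, "someone-else"))

    c1 = bank.issue_challenge("alice")
    captured = phone.sign_challenge(c1, "constructed-face-template-of-alice")
    bank.verify("alice", captured)       # legitimate use consumes c1
    bank.issue_challenge("alice")        # a fresh challenge is now pending
    replay = bank.verify("alice", captured)
    return genuine, wrong_face, replay


if __name__ == "__main__":
    print(demo())   # (True, False, False)
```

Only the challenge response crosses the network, so a breach of the bank’s database yields device credentials that can be revoked and reissued rather than biometric characteristics, which cannot. The trade-off Bahr names remains: a customer without a suitable phone has no device to enroll, so this channel cannot be the only one.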
Despite the challenges, Bahr is hopeful about the potential in biometrics. With data breaches on the rise, the cost of waiting on security could prove to be enormous. Tackling the issues head-on and exploring strategic options is how Bahr’s team intends to stay one step ahead of the fraudsters.
Bahr would like you to help advance a biometrics strategy at U.S. Bank. At this point, she is looking for a broad assessment of the biometrics landscape, given the context of how the bank interacts with its customers. Keep in mind:

1. Analysis and recommendations should encompass the breadth of U.S. Bank's product and service offerings, channels, markets, and customer segments.
2. Analysis and recommendations should include detailed action steps within a solid strategic view. Specific vendors are of less interest, unless they offer something unique and industry-leading.
3. Proposals should provide specific evidence to support the security, regulatory compliance, and customer acceptance (among all demographics) of recommended technologies.

Bahr has invited your firm to present ideas and recommendations on this topic. Bahr's colleagues and direct reports will evaluate the work of multiple firms in an initial round of presentations. Based on the outcome of the initial round, top performing teams will be invited to present directly to Bahr.
1. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
2. http://www.finra.org/investors/5-ways-make-your-financial-accounts-more-secure
3. https://www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-million-us-victims-2017-according-new-javelin
4. https://www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-million-us-victims-2017-according-new-javelin
5. http://www.finra.org/investors/7-ways-you-are-accidentally-revealing-your-password
6. https://pages.nist.gov/800-63-3/sp800-63b.html
7. https://disneyworld.disney.go.com/faq/my-disney-experience/my-magic-plus-privacy/
8. https://www.clearme.com/how-it-works
9. https://www.cntraveler.com/story/caryn-seidman-becker-ceo-of-clear-on-never-needing-id-again
10. https://www.clearme.com/about-us
11. http://www.finra.org/investors/no-password-no-problem-banks-bank-biometric-authentication
12. https://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/retail-payment-systems-risk-management/operational-risk/information-security.aspx?prev=1
13. https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
14. https://eugdpr.org/the-regulation/
U.S. Bank
Lee C. Thomas, University of Minnesota
Norman Chervany & Ken Reily, Carlson School of Management
Cynthia Bahr, JoAnn O’Rourke, & Murray Kenyon, U.S. Bank
© 2019 by the University of Minnesota.
All rights reserved.
Created exclusively for the 2019 CoMIS Case Competition.
No part of this material may be copied, shared, or distributed without express permission.
Information & Decision Sciences Department
Carlson School of Management, Suite 3-365
321 Nineteenth Avenue South
Minneapolis, MN 55455
Phone: (612) 624-8030