CoMIS Case Competition 2019
Carlson School of Management

Contents
Data Breaches are Headline News
A Multifaceted Approach to Security
The Worst Possible Scenario
Biometrics: The New Security Frontier?
References & Notes

Data Breaches are Headline News

"Businesses are under siege from cybercriminals bent on stealing sensitive data, and there is perhaps no greater target than banks and other financial institutions." [2]
Kaitlyn Kiernan, Financial Industry Regulatory Authority, February 28, 2017

Reports of massive cybersecurity data breaches have become a seemingly regular part of the news cycle. In recent years, a variety of major companies have suffered attacks that resulted in hundreds of millions (and in one case, billions) of accounts being compromised. The breaches have spanned industries—from Internet services to hospitality, and from retail to banking. With each new revelation of such a breach, consumers are reminded that their personal information is potentially vulnerable to theft at any number of companies and institutions. [2]

Headline-grabbing account breaches since 2013 [1]: Marriott, Equifax, eBay, Target, JP Morgan, Yahoo!

When sensitive information like names, birthdates, social security numbers, and passwords fall into the wrong hands, they pose significant risks for individuals. Victims of identity theft face nightmarish scenarios that often stretch on for years. According to a recent Javelin Strategy & Research study, identity theft resulted in $16.8 billion in losses in 2017. [3]

For the companies involved, data breaches bring a toxic mix of problems. Plunging revenues and stock value, significant brand reputation damage, increased liability exposure, and mass customer attrition are all possible in the wake of such a breach.

Yet businesses have little choice but to grapple with the risks posed by cybersecurity challenges. Digital is the way of business today. It’s how companies and consumers interact, and it’s powered by data. Customer accounts are created using personal data, and that data is used to verify an individual’s identity. This mechanism facilitates the transactions at the core of the modern customer-company relationship. Trying to avoid this kind of data exchange and still participate in the modern economy is nearly impossible—about as easy as traveling back to a time before credit cards, online shopping, and smartphones.

While consumers change their passwords, check their credit reports, and cross their fingers, cybersecurity professionals like Cynthia Bahr and her team at U.S. Bank tackle the problem at scale. For companies like U.S. Bank, that challenge is complex, rapidly evolving, and mission-critical.

A Multifaceted Approach to Security

Bahr heads a team of 400 at U.S. Bank, the fifth-largest commercial bank in the United States. Her organization includes Identity and Access Management, Customer Authentication, and Fraud Risk Prevention Services (IAM, CA & FRPS). This multidisciplinary group performs a variety of functions to protect bank and customers alike. Identity and Access Management handles key control, provisioning, and other traditional identity management functions. The Customer Authentication unit focuses on how customers prove their identity before using the bank’s systems. The third component of Bahr’s organization, Fraud Risk Prevention Services, works to protect U.S. Bank from fraudulent activities, such as account breaches and unauthorized electronic funds transfers.

"Digital identity is the unique representation of a subject engaged in an online transaction."
National Institute of Standards and Technology, Special Publication 800-63B: Digital Identity Guidelines, U.S. Department of Commerce, June 2017

The Minneapolis-based bank depends on Bahr’s combined teams to protect millions of customers across different business lines. In addition to retail banking for individuals, the bank provides business, wealth management, payment, commercial and corporate, and investment services to customers across the country and around the world.

The Worst Possible Scenario

When it comes to cybersecurity, “Account takeovers are the worst possible scenario,” says Bahr. An account takeover refers to instances where someone gains enough information to break into another person’s account and take control. The Javelin study found that takeovers tripled from 2016 to 2017, driving record growth in identity fraud. [4] According to the study’s authors:

    Account takeover continues to be one of the most challenging fraud types for consumers with victims paying an average of $290 in out-of-pocket costs and spending 16 hours on average to resolve. This translates to more than 62.2 million hours of time consumers lost in 2017. That is enough time for more than three million people to binge watch the first and second season of Stranger Things.

Account takeovers can happen in a number of ways. For example, a couple of pieces of personal information—say an account number and an email address—fall into the wrong hands. That can be enough to begin the con. The perpetrator uses those pieces of information to request a password reset, or perhaps convince a customer service representative that they are the true account owner. If successful, the perpetrator gains access to a bank customer’s account … and everything in it.

Obviously, funds in a compromised account are easily transferred and lost. In addition, linked accounts may be breached and other personal information stolen. That can lead to a snowball effect of damage for the consumer. Their stolen identity may be used to open new credit cards or other fraudulent activities, for example.

Again, the fraud has negative effects for the business as well. If a fraudster takes over a bank account, that bank likely incurs expenses related to tracking down the fraud and helping the customer recover. Moreover, the ripple effect can be damaging for the company involved. “After all, people want peace of mind. Especially when it comes to a financial institution,” says Bahr. “That’s really important.”

To make matters even more challenging, the fraudsters keep finding ways to use people’s personal information against them. “What used to be secure just isn’t anymore,” Bahr notes. Answers to traditional security questions such as “mother’s maiden name” or “where you went to high school” are easily sleuthed and found in today’s hyperconnected world, according to the Financial Industry Regulatory Authority (FINRA). [5]

Less obvious methods are also on the rise, often unknowingly assisted by the victims themselves. Bahr points to seemingly harmless quizzes, games, and memes on services like Facebook. Pet names, home towns, birth dates, or other more obscure personal trivia can all be captured, combined with other bits and pieces, and used to break through account security. The information might end up for sale on the dark web in venues set up for nefarious purposes. “Quizzes that ask things like, ‘what countries have you visited’ are trolling for personal info,” says Bahr. “Companies all have layers of security, but the fraudsters are getting more creative. There’s a social engineering component now.”

Biometrics: The New Security Frontier?

In order to combat account takeover attempts, security experts have developed—and continue to refine—authentication guidelines. Because traditional two-factor systems, such as receiving a code via SMS, are no longer considered sufficiently secure in many instances, authentication guidelines now focus on multi-factor approaches based on the “something you know, something you have, something you are” model. [6] The “something you are” part of that model, which uses biometrics, is a big category of interest as cybersecurity threats morph and grow more complex. Broadly defined, biometrics refers to the use of physiological characteristics to identify and differentiate one human from another.

Bahr and her team believe biometric methods and technologies could help protect U.S. Bank and its customers from attacks. Fingerprints, facial scans, and voice recognition are all traditional types of biometrics that can be used for identity verification. For example, Walt Disney theme parks have for years used biometrics to deter ticket sharing. Visitors to the parks are likely to encounter finger scanners at various gates and attractions. According to the company’s privacy policy:

    The system, which utilizes the technology of biometrics, takes an image of your finger, converts the image into a unique numerical value and immediately discards the image. The numerical value is recalled when you use Ticket Tag with the same ticket to re-enter or visit another Park. Ticket Tag does not store fingerprints. [7]

Another example can be seen in major airports, where the company CLEAR has made its presence known in recent years. CLEAR promises to ease airport stress through biometric identification. Fingerprint and iris scans allow travelers who use the service to move more quickly through long security lines. [8] The company also has a presence in sports stadiums and other venues, with plans to expand. As CLEAR CEO Caryn Seidman-Becker explained in an interview, “we started at the security checkpoint, because that’s where identity and security collide in the hardest way. But when you look at what Clear is, Clear is a biometric identity platform to make things safer and easier.” [9] Indeed, the company’s website promises expansion of the service on the horizon: “We’re always thinking about new applications that can be powered by biometrics, from checking into a doctor’s office to paying at checkout with a tap of your fingers.” [10]

U.S. Bank’s Bahr offers a third example, one based on voice recognition. Bahr says her team has begun piloting a program that uses the technology to verify the identity of people calling into customer support centers. The goal of such a program is to prevent fraudsters from smooth-talking their way past customer service representatives and into user accounts. “One of our goals,” explains Bahr, “is to take the onus off the customer. Right now, they have to produce things—an identification card, a password, a code. Can we make it easier for them? Especially if they don’t have their ID or cell phone when they need to engage with the bank.”

Biometric identification and authentication seem to offer a solution to Bahr’s question, all while presumably making it harder for identity thieves to gain access. And yet, other factors complicate the matter, including an entire category of issues around consumer acceptance.

Consumers have come to expect easy, fast, and seamless service interactions with companies across industries. Self-service options through digital applications are part of that expectation. But what happens when the demand for convenience collides with the desire for privacy?

Bahr suspects at least some portion of the U.S. Bank customer population is likely to resist biometric identification, at least at first. “There’s some speculation that reactions will vary across generations,” says JoAnn O’Rourke, senior manager of information security and a member of Bahr’s team. Despite the convenience, there’s a risk that customers won’t be comfortable using a biometric-based system. That could be a big problem, “especially if older generations, who have a lot of the country’s wealth, are skeptical or slower to adopt,” says O’Rourke.

Another potentially skeptical population might be technology-savvy customers. Although they may be comfortable using the tech, they may also be more sensitive to the data risks involved. Biometric data is still data, and as O’Rourke says, “Giving away data has risks and dangers.”

Along with that perception comes the potential “creep factor.” In other words, just how accepting are modern consumers when it comes to biometric identification? How far is too far, and when does it become creepy enough to drive customers away? “For some, looking into an eye scanner in a bank branch might feel odd,” in Bahr’s view. “Whatever we do has to be logical, and to an extent, comfortable to our customers.” Ideally, customers will want to increase the security of their accounts, and the argument for using biometrics to do that should be easy to explain and understand.

When it comes to how the bank might implement biometric identification, more issues await. In particular, customers engage with the bank in different ways. What works in one channel may be impractical or unacceptable in another. According to Bahr, the bank is considering the way biometrics might factor into three primary customer service experiences:

- On web and mobile applications. Many modern computing devices are equipped with technology that supports biometrics, amping up interest in the topic. [11]
- Over the phone in call centers. A call center interaction is fundamentally different from a web app, and includes more of a human element.
- In person at bank branches. As Bahr noted above, what might work in an online interface could prove otherwise in person. In addition, equipment installation and training costs must be justified with a strong business case.

“Like so many of the projects we do, there are multiple components to consider,” says Bahr. “We’re open to all kinds of biometrics, but we have to consider any solution from multiple angles.”

In banking, regulatory compliance is one such angle and a reality of operating in the industry. Anything U.S. Bank implements will have to adhere to the proper guidelines and regulations. The Federal Financial Institutions Examination Council (FFIEC) provides detailed guidance on topics related to information security, customer authentication, and electronic payment systems. [12]

“Europe is taking a slightly different approach on this,” notes Bahr, citing the European Union General Data Protection Regulation (GDPR) that went into effect in May 2018. [13] In general, the GDPR takes an aggressive stance to protect the individual privacy of EU citizens. The measure includes provisions related to consent, breach notification, right to access, right to be forgotten, data portability, and the concept of “privacy by design.” [14] Such concepts are likely to shape the future of cybersecurity along with data privacy.

“With facial recognition and finger scans, biometrics are gaining ground,” says Bahr. “Any strategy or plans we adopt will have to look at the issue holistically in order to strike the right balance between efficacy and acceptance.”

Here Bahr returns to the question of data security. “We don’t want the responsibility of storing more data, like camera images,” she explains. “A solution that uses customers’ personal phones can get around an issue like that. But then again, not all of our customers have smartphones.”

Despite the challenges, Bahr is hopeful about the potential in biometrics. With data breaches on the rise, the cost of waiting on security could prove to be enormous. Tackling the issues head-on and exploring strategic options is how Bahr’s team intends to stay one step ahead of the fraudsters.

Bahr would like you to help advance a biometrics strategy at U.S. Bank. At this point, she is looking for a broad assessment of the biometrics landscape, given the context of how the bank interacts with its customers. Keep in mind:

1. Analysis and recommendations should encompass the breadth of U.S. Bank's product and service offerings, channels, markets, and customer segments.
2. Analysis and recommendations should include detailed action steps within a solid strategic view. Specific vendors are of less interest, unless they offer something unique and industry-leading.
3. Proposals should provide specific evidence to support the security, regulatory compliance, and customer acceptance (among all demographics) of recommended technologies.

Bahr has invited your firm to present ideas and recommendations on this topic. Bahr's colleagues and direct reports will evaluate the work of multiple firms in an initial round of presentations. Based on the outcome of the initial round, top performing teams will be invited to present directly to Bahr.

References & Notes

1. https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html
2. http://www.finra.org/investors/5-ways-make-your-financial-accounts-more-secure
3. https://www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-million-us-victims-2017-according-new-javelin
4. https://www.javelinstrategy.com/press-release/identity-fraud-hits-all-time-high-167-million-us-victims-2017-according-new-javelin
5. http://www.finra.org/investors/7-ways-you-are-accidentally-revealing-your-password
6. https://pages.nist.gov/800-63-3/sp800-63b.html
7. https://disneyworld.disney.go.com/faq/my-disney-experience/my-magic-plus-privacy/
8. https://www.clearme.com/how-it-works
9. https://www.cntraveler.com/story/caryn-seidman-becker-ceo-of-clear-on-never-needing-id-again
10. https://www.clearme.com/about-us
11. http://www.finra.org/investors/no-password-no-problem-banks-bank-biometric-authentication
12. https://ithandbook.ffiec.gov/it-booklets/retail-payment-systems/retail-payment-systems-risk-management/operational-risk/information-security.aspx?prev=1
13. https://ec.europa.eu/commission/priorities/justice-and-fundamental-rights/data-protection/2018-reform-eu-data-protection-rules_en
14. https://eugdpr.org/the-regulation/

U.S. Bank
Lee C. Thomas, University of Minnesota
Norman Chervany & Ken Reily, Carlson School of Management
Cynthia Bahr, JoAnn O’Rourke, & Murray Kenyon, U.S. Bank

© 2019 by the University of Minnesota. All rights reserved. Created exclusively for the 2019 CoMIS Case Competition. No part of this material may be copied, shared, or distributed without express permission.

Information & Decision Sciences Department
Carlson School of Management, Suite 3-365
321 Nineteenth Avenue South
Minneapolis, MN 55455
Phone: (612) 624-8030