Over the last several years, financial institutions have spent billions of dollars and resources securing a perimeter defense system consisting of intrusion detection, intrusion prevention, firewalls, user authentication, and other layers of security all built to secure their financial systems. Due to the exponential increase in internal and external information security incidents, these investments are necessary to protect an institution’s reputation and revenue. In addition, the federal government is using regulatory means to ensure the banks take responsibility for potential losses. Of equal or even greater threat, however, are the social aspects of the Internet that cannot be controlled. For example, financial institutions need to be aware of the reputational risk that is inherent on the Internet. Each institution needs to do more than reactively protect its data; it must also proactively safeguard its reputation online, where references to its corporate name alone can number in the millions. An institution must also guard against infringements against its logo, its trademarks or other graphic representations. This risk, outside the firewall, is the other side of the coin.

1. WHITEPAPER
Internet - Threats, Risk Mitigation and Reputation Strategies
“The other side of the Coin”
Authored by:
Michael M. Kiefer, Senior Vice President
BD-BrandProtect
With insights from Susan Orr (www.susanorrconsulting.com), a leading financial services
expert with vast regulatory, risk management, and security best practice knowledge and
expertise.

2. Table of Contents
Introduction .............................................................................................................. 3
Types of Threats ........................................................................................................ 3
Is Regulatory Compliance Enough? ............................................................................... 5
Applying Best Practices ............................................................................................... 6
About the Author: ...................................................................................................... 7
Appendix: Examples of Online Threats .......................................................................... 8
2

3. It’s more than just reactively preventing unauthorized access to your data and meeting
regulatory requirements, it’s also about taking proactive steps to preserve your online
reputation.
Introduction
Over the last several years, financial institutions have spent billions of dollars and resources
securing a perimeter defense system consisting of intrusion detection, intrusion prevention,
firewalls, user authentication, and other layers of security all built to secure their financial
systems. Due to the exponential increase in internal and external information security
incidents, these investments are necessary to protect an institution’s reputation and
revenue. In addition, the federal government is using regulatory means to ensure the banks
take responsibility for potential losses.
Of equal or even greater threat, however, are the social aspects of the Internet that cannot
be controlled. For example, financial institutions need to be aware of the reputational risk
that is inherent on the Internet. Each institution needs to do more than reactively protect its
data; it must also proactively safeguard its reputation online, where references to its
corporate name alone can number in the millions. An institution must also guard against
infringements against its logo, its trademarks or other graphic representations. This risk,
outside the firewall, is the other side of the coin.
Given that criminals always go after the weakest link, layered security should be required –
for both internal and external threats. Online customers with multi-use home systems are
easily compromised and are now used to either attack institutions or as harvesters of
personal identity and/or online accounts. Years ago, it was easy for an organization to see
its brand being used locally in the yellow pages, on community signage or in an
advertisement. To address the issue, the organization simply called the company and asked
them to stop using their brand. Compliance was typically immediate. Today however, it’s
not easy for an organization to find a Web site in China or Eastern Europe that is
fraudulently using its logo, sending out e-mail messages and purportedly offering services
that unsuspecting consumers believe are being offered by their trusted institution.
Over the last several years, the number of ‘phishing’ attacks on smaller financial institutions
has escalated as the big institutions get better at fighting back. Still, they both have their
customers and their access devices located outside the multi-billion dollar security
perimeter. Yet, 90 per cent of security budgets are dedicated to building and maintaining
this perimeter while only 10 per cent is allocated to external threats, including the
protection of an institution’s online reputation. Would it not make sense to rethink this
balance of spend in preventing both types of threats to security, given that criminals have
moved to social engineering means?
Types of Threats
Most attacks to a financial institution’s Web site are referred to as phishing, which describes
any attempt to criminally and fraudulently acquire sensitive information such as user
names, passwords and credit card details. This typically happens by masquerading as a
trustworthy electronic entity such as a Web site. Two things have to transpire. One, an
alternate Web site has to be created, and second, an e-mail has to be sent with a link to
that site. Newspapers are full of stories where this tactic has led to stolen account
3

4. passwords and credit card numbers, and ultimately, unrecoverable financial loss. This risk
is an example of a social engineering nature that tricks customers into giving up their
confidential data. It is much easier to trick customers than break into an institution, given
all the money spent on its perimeter.
At the worst extreme, phishing schemes can become identity theft, a catch-all term for
crimes involving the illegal use of another individual’s information. Culprits can take over all
the personal information related to an individual, including social security number, accounts
and passwords, and credit card information; and in doing so, gain access to electronic
funds. Both Javelin Research and the most recent FTC report estimate that identify theft has
become a $45 billion-a-year problem in the U.S. alone.
Financial loss from criminal activity is only part of the equation. Increasingly, the
government and financial institutions are becoming worried about the more insidious forms
of attack to corporate names and reputations. Hence, newfound importance is being
attached to an institution’s reputation and how potential risks can be mitigated.
For example, if a customer logs on to an unauthorized Web site that falsely uses the name,
logo, trademark or online brand belonging to that institution, it can result in a range of
unintended consequences, mislead consumers and expose an organization to new forms of
liability. Possible scenarios include the following:
• Financial information. Someone uploads false financial data to an electronic
information service provider such as Google, MSN or Yahoo, and then puts a hedge
play against their stock, or publishes damaging information that may divert
investment from that stock.
• Job listings. Employment advertisements on job boards use recognized institutional
names to capture identity data from prospective job applicants including names,
addresses, e-mail accounts, social security numbers and drivers licenses.
• Online surveys. Fake e-mails sent from a Web site imitating a consumer research
organization lures recipients to a location which triggers malware. The malware turns
the user’s machine into a “zombie” or “robot” (where it surrenders control to another
computer) and is forced to send out spam e-mails that may further propagate the
malware.
• Financial services. An investment vehicle from a consumer’s favorite financial
institution may have nothing to do with that institution; it could be a link to a third-
party Web site that is targeting the institution’s customer base.
The threats are varied and often escape detection. In each case, a major institution’s
reputation is compromised and a customer is misled or defrauded. Please keep in mind that
these threats can also occur to both non-online customers and non-customers such as
investors. While threats come in a variety of forms, most represent some form of
“unauthorized linking”, the practice of trying to look legitimate or benefit from an
association with an institution through improper use of a corporate logo or trademark. In
many cases, the unauthorized use of a logo or trademark is innocuous - it could be a charity
wishing to thank its corporate sponsor.
This false link, however, could also transport a customer to a link devoted to a competitor’s
Web site, and that customer would never know it. Even worse, consumer traffic can be
4

5. diverted from its intended destination and be falsely connected to illegal or offensive
activities, such as pornography and gambling.
Last summer, the U.S. Federal Deposit Insurance Corp., issued Financial Institution Letter
(FIL 72-2007) titled “Best Practices for Preventing and Detecting Child Pornography from
the Financial Coalition against Child Pornography”. The letter warns of what could happen in
the extreme. Referring to the activity of “remote merchant capture”, essentially advising
institutions to get to know their online customers, to practice due diligence of that merchant
(defined as any business entity that has an online retail operation) and then review all
online Web sites and links before engaging that merchant’s business.
Adding new customers online carries its own risks, and increasingly, financial institutions will
be called on to not only verify the legitimacy of each customer’s business but to potentially
detect undesirable customers. The implication is clear: If financial institutions take on the
wrong customer, not only could they be propagating a crime, they could do irreparable
harm to their business.
Is Regulatory Compliance Enough?
Constantly, the U.S. federal government is seeking ways to ensure the financial institutions
are better protected against online abuse, and in some cases, make them responsible for
those losses. Increasingly though, regulatory bodies are attempting to address not only real
but perceived or so-called “foreseeable” threats. For example, Section 501 (b) of the
Gramm Leach Bliley Act mandates federal regulators to not only implement guidelines that
financial institutions must safeguard the security and confidentiality of all customer records,
but also protect against foreseeable threats to the security of customer records.
In other words, a financial institution may have to do more than protect its own data and
records. Its concerns may also extend to the Internet, where for example, the potential
exists for its images and logos to be abused. Over the last few years, the number of
phishing attacks on community institutions has continued to escalate in both intensity with
pharming and severity with malware.
Generally, the larger financial institutions are aware of the threats to their names and their
brands. They have tens of billions of dollars invested in their brands and don’t want to be
known as unsafe partners. But smaller institutions are less aware. It’s unlikely online
reputation damage alone could put any institution out of business but negative publicity
could cost in the form of lost customers, reduced market share or stock devaluation. It was
too expensive years back to reproduce an annual report with adjusted numbers or issue a
press release on earnings windfalls or shortfalls. Today, criminals use the Internet to sway
opinion one way or the other, hedging markets with false information for personal gain.
But one thing is clear, when identity theft or fraud occurs, the consequences become
apparent rather quickly and must be dealt with. And rest assured, there are hard costs
involved. If infractions occur, all parties must be notified, a cease and desist order may
need to be issued and possibly legal fees that must be taken into consideration. However, if
the damage is to a reputation, these consequences become less clear and more difficult to
measure. Further, if a customer or business partner is involved, there may be some
expectation that the institution make good even though it is not at exact fault.
5

6. The costs that are not known are the soft ones: damage to reputation, loss of new or
potential customers or declining market share. Institutions do a lot of things because they
must, whether it’s for liability or regulatory reasons. But while there may not be a law or
legal requirement to protect your brand, it could cost you business today and in the future.
Applying Best Practices
By some estimates, 90 per cent or more of financial institutions in the U.S. do not manage
their online reputations. This may be due to the difficulty of protecting a brand in the
electronic world. If an “imitation institution” is built somewhere in a downtown area
complete with a sign with a well-known brand name, it would be shut down in a matter of
days if not hours. However, if an “imitation institution” consists only of a Web site hosted in
a foreign country, it could take much longer to shut down, or even worse, it could go
completely undetected. One could decide to Google the name of the false institution but that
could generate a list of millions of links that change each week.
There is no way of managing all of this without brand protection, an emerging category of
software that helps organizations gain control over how they are represented online, both
by uncovering threats and mitigating the risks to their reputation.
Brand protection is a technique that uses advanced technology, round-the-clock monitoring,
proven best practices and exhaustive human analysis to scour millions of domains, Web
pages and Internet links to uncover potential infractions, and categorize and rank these
infractions according to severity.
Several best practices can be implemented by financial institutions in conjunction with brand
protection techniques. These include the following:
• Understanding all the competing URLs (Uniform Resource Locators, more commonly
known as Web addresses, also a means of locating that address) that exist, as well
as when similar domain names come into play. (For example, First Bank of America
could be falsely represented as First Banc of America.);
• Engaging the Internet Service Provider. It is also in their best interest to participate
in risk mitigation activities and general enforcement of safe Internet practices.
Service providers and registration firms don’t want the negative publicity, so work
with global law enforcement agencies to block unauthorized links or Web sites;
• Establishing priorities. Risks vary greatly, so the key is discerning which are critical,
which are moderate or which can be deferred to a later time;
• Creating an “abuse box” or implementing some other formal method for reporting
infractions that is accessible to customers, business partners and associates;
• Understanding that the threat is global, which means enlisting a service that
operates 24 x 7. The bad guys are everywhere and tend to locate in countries with
no extradition policies should a case proceed to trial;
• Enlisting a third party. One can deal with the problem by Googling every name, or
sound-alike name, but that can be labor-intensive. Or one can use a third-party that
already has a comprehensive process in place and is able to do a broader sweep
more quickly and cost-effectively, also eliminating the reporting of “false positives”;
• Security is obviously an IT function but mitigating reputational risk is everybody’s
business. The IT security manager will likely be kept busy just trying to log
6

7. infractions or incidents, while senior management needs to understand the big-
picture issues while providing adequate resources and ongoing support;
• Please see examples in the Appendix
The bottom line is that smaller financial institutions need to socialize reputational risk at all
levels (and departments) across the organization. Risk mitigation is at least initially a
management issue, which means management needs to be aware of it first, then
incorporate it into IT, and then ask how this can be implemented from a systems and
process point of view.
Online brand protection is an emerging technology, and as such, will continue to evolve.
New forms of misrepresentation on a Web site can and will occur. Even the act of blogging,
where critics may have negative comments, can be perceived as a threat to an organization
and could be looked as another area for potential risk mitigation.
Regardless of the threats – from reputations that are being tarnished, to damage to a firm’s
brand, to loss of confidence among customers, business partners and investors – an
institution’s brand image is one of the most valuable assets it can have and now tools are
available to mitigate the risks posed by the Internet. As a banker once told me, “I can lose
capital and people, but if I lose my reputation…I am done.”
About the Author:
Michael M. Kiefer, Senior Vice President, BD-BrandProtect
A recognized network and security expert and IT and risk visionary, Mr. Kiefer brings more
than 25 years of network, telephony, Internet and disaster recovery experience to his role
at BD-BrandProtect, where he is responsible for revenue growth and building out a world-
class team.
Prior to joining BrandProtect, Mr. Kiefer had been involved in the development of four
successful network and security technology startups. One of these ventures, SecurePipe,
was acquired in 2006 by ATW Corp after he led the delivery of the institution’s outsourced
network security solutions to over 1200 community institutions.
Previously, he was President of AVAYA North America and directed over twenty five percent
of Cisco Systems Global Business. He regularly speaks about IS and related regulatory
issues for the financial and technology industries, among others.
7

8. Appendix: Examples of Online Threats
Weblinking Issues:
In this example, clicking on Bank of forwards to the Web site Wellsfargo.com, which is a
competing banking company.
8

9. Traffic Diversion Schemes - Appears in Same Color as Background:
The first screen shows what this web page normally looks like when first viewed. However,
highlighting the page reveals text written in the same color as the background which is
invisible to the naked eye, as shown below.
9

10. Traffic Diversion Schemes - Framed Web site:
This example shows the corporate Web site for Bank of but within a frame on a third party
Web site, Onechurchsource.com.
10

11. URL Infraction - Trademark appears in third party URL
In this example, the insurance company name is in the URL, but there is no mention of it on
the page, which contains some very explicit sexual references.
11

12. Example: Phishing
Participants in a Harvard University study failed to notice that the URL given for a Bank of
the West site was: www.bankofthevvest.com
12