Security of Secondary Financial Service Systems

In the US several “secondary financial services” exist. They range from check cashing/money transfer to short-term lenders and various other financial services. Many of these organizations also offer additional services like payroll check loans, check “floats”, tax preparation and a variety of services. In many cases these organizations aim their marketing for immigrant workers, people sending money to foreign countries and the economically challenged.

Unlike traditional banks and credit unions, these organizations are loosely regulated, if at all. In many states few rules for their operation exist and certainly they do not face the security and regulatory requirements of traditional financial services organizations. Several cases have been made about the predatory, aggressive and border-line criminal activities that seem to abound in this industry.

Recently, Panda, an anti-virus vendor, completed a study of the check cashing centric businesses associated with this tier of financial services. Their study found that thousands of machines in these businesses were running out of date security software, including anti-virus trial versions. They observed more than 1500 machines running these out of date basic security tools. Of those, they found more than 60 percent to be actively infected by some form of malware. 80 percent of the machines studied were actively being used to process financial transactions.

Basically, this demonstrates a true lack of concern for information security in this sector. By not providing for even the most basic of security functions, anti-virus, they leave the identity and financial data of their clients vulnerable to theft and tampering.

To make matters worse, in many locations in our state, Ohio, the check cashing organizations require a lot of information about you to obtain their services. Normal contact information, plus social security number, driver’s license and other identity details are often maintained in their databases. In more than one case of calling around various locales near us, several of the companies asked for a “client number” and when pressed, we were told this was the same as our social security number and could be found on our “membership card”. Needless to say, this very fact that SSN is being used so carelessly, gave us more than a chill. We truly hope that those consumers choosing to use these organizations for financial services take note of the insecurity and risks to which they may be exposing themselves.

Ohio has just passed new laws to regulate the practices of these organizations and to prevent some of their more abusive tactics. Let’s hope that additional regulatory oversight and attention to information security is also coming for these businesses. Until then, they and the consumers who choose them, remain in the low hanging fruit category for cyber-criminals and identity thieves.

This entry was posted in End-user Focused, General InfoSec by Brent Huston. Bookmark the permalink.

About Brent Huston

I am the CEO of MicroSolved, Inc. and a security evangelist. I have spent the last 20+ years working to make the Internet safer for everyone on a global scale. I believe the Internet has the capability to contribute to the next great leap for mankind, and I want to help make that happen!

Leave a Reply