Posts Tagged ‘Lloyds TSB’

Wall of Shame: new at the kBlog (Lloyds TSB new scandal)

Friday, January 16th, 2009

At Kinamik we firmly believe that guaranteeing the trustworthiness (read: integrity) of any set of data used in a GRC implementation will very soon become a key requirement. There are many signs that this is true (you can read about it here and here). All of them could be seen as “positive” proof that reinforces our view. But not all of the signs out there are positive… quite the opposite.

We are already seeing an increasing number of data manipulation scandals on the front pages, and it is fair to assume that many more are to come. So we have decided to take part in this public debate by commenting on each of these cases as we hear about it.

The first post of this Wall of Shame series goes to the $350 million (265 million euro) that Lloyds TSB recently agreed to pay to the US authorities after being charged with tampering with and falsifying records so that Lloyds TSB clients from Iran, Sudan and Libya could do business within the US banking system. By making these modifications to the records, Lloyds violated the International Emergency Economic Powers Act, which allows commerce to be blocked with countries deemed a threat to the United States.

According to US prosecutors, the bank’s misconduct went on for over 12 years, between 1995 and 2007. Lloyds’ actions -known as stripping- consisted of faking or completely erasing information such as customer names, bank names and addresses so that wire transfers could pass undetected through the filters at the US banks.

Lloyds TSB declared that they had fully cooperated in the investigation, and said that they were “committed to running our business with the highest levels of integrity and regulatory compliance across all of our operations, and have undertaken a range of significant steps to further enhance our compliance programs”.

Indeed, an enhancement of their compliance program could have prevented the tampering of these electronic records by Lloyds’ employees. In fact, one of the best ways of actually improving a compliance program is to make electronic records tamper-evident, so that they can be unquestionably trusted, as the Kinamik Secure Audit Vault does. With this kind of system in place, a simple check-up on the audit data may have revealed that something was wrong, and these kinds of actions would not have gone undetected for over 12 years.

You can read more about this case here.

So you think only your wife knows your bank password, right?

Thursday, September 4th, 2008

It is common nowadays for banks to offer different value-added services to their customers. Doing banking operations by phone or over the Internet is an everyday practice that obviously requires some kind of authentication; this is commonly addressed by using -at the minimum- some kind of password.

So if you go through life certain that your bank passwords are safe, and that nobody can access that delicate piece of information… think again. As Bruce Schneier reports in his blog, this funny story has a rather worrying side to it.

To summarize the story, Steve Jetley -a Lloyds TSB bank customer- decided to set his bank password to “Lloyd’s is pants”, only to find later that his password had been changed to “no it’s not” by a bank employee without Mr. Jetley knowing about it. The story gets worse: after noticing the change, he tried to change it back to his original password, or to a similar one such as “Barclays is better”, and was refused on the grounds that it was “too long” (Barclays is a competitor of Lloyds). Even the password “censorship” wasn’t allowed.

Mr. Jetley received a full apology from the bank, and the employee (I don’t know whether it was the one who changed the password in the first place or the one who refused to accept the new ones) was dismissed.

Leaving aside the comical side of this story, what is worrying about this case is that banks are keeping their customers’ passwords in flat, unencrypted form in their databases. Why would an employee be able to see any client’s password? Or, going further, why would an employee need to see any client’s password? So for me there are two important issues here:

1) confidentiality: it makes me wonder how many of the important passwords I have (banking, payment platforms, etc.) are still stored unencrypted, and

2) accountability: why would an employee see a client’s password?
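The confidentiality issue has a standard answer: a bank never needs to store the password at all, only a salted one-way hash of it, so nobody with read access to the customer table (an employee included) can see what the customer typed. The following is an added example, not code from Lloyds TSB, Kinamik or the original post; the in-memory table, the customer id, the iteration count and the use of PBKDF2-HMAC-SHA256 are all assumptions made for illustration. It also shows that a hash is the same fixed length whatever the password length, so “too long” is never a reason to reject a password on the storage side.

```python
import hashlib
import hmac
import os
from typing import Dict, Tuple

# Constructed, in-memory stand-in for the bank's customer table. Only the salt
# and the derived hash are stored; the password itself is never written anywhere.
PasswordDB = Dict[str, Tuple[bytes, bytes]]

# Assumption: PBKDF2-HMAC-SHA256 with this iteration count. A real deployment
# tunes the count to its login-latency budget (or uses a memory-hard KDF).
PBKDF2_ITERATIONS = 100_000


def derive(password: str, salt: bytes) -> bytes:
    """Derive a fixed-length (32-byte) key from the password; input length is irrelevant."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def store_password(db: PasswordDB, customer: str, password: str) -> None:
    """Set (or reset) a customer's password, using a fresh 16-byte random salt."""
    salt = os.urandom(16)
    db[customer] = (salt, derive(password, salt))


def verify_password(db: PasswordDB, customer: str, attempt: str) -> bool:
    """Check an attempt with a constant-time comparison; unknown customers always fail."""
    if customer not in db:
        return False
    salt, expected = db[customer]
    return hmac.compare_digest(expected, derive(attempt, salt))


def staff_view(db: PasswordDB, customer: str) -> str:
    """Everything an employee with read access to the table can actually see."""
    salt, digest = db[customer]
    return f"salt={salt.hex()} hash={digest.hex()}"


def demo() -> dict:
    """Walk through the story's passwords (constructed customer id)."""
    db: PasswordDB = {}
    store_password(db, "jetley", "Lloyd's is pants")
    results = {
        "correct": verify_password(db, "jetley", "Lloyd's is pants"),
        "wrong": verify_password(db, "jetley", "no it's not"),
        # The stored row reveals nothing about the password text.
        "visible": "pants" in staff_view(db, "jetley"),
    }
    # A much longer passphrase costs nothing extra to store: the hash is 32 bytes either way.
    long_pw = "Barclays is better, and so is a long passphrase"
    store_password(db, "jetley", long_pw)
    results["long_ok"] = verify_password(db, "jetley", long_pw)
    results["hash_len"] = len(db["jetley"][1])
    return results


if __name__ == "__main__":
    print(demo())
```

Resetting a password with this scheme means writing a new salt and hash, not reading the old one; an employee who changes a password can never learn what it was, and the change itself is the kind of action the audit trail discussed below should record.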

I guess that the reason is that people (i.e. IT managers, system administrators, or even ordinary employees) access data for a plain and simple reason: because they can. If proper audit trail systems were put in place, if there were any kind of system that could serve as a “surveillance camera” and prove irrefutably every access to and modification of the data, there would be an automatic deterrent to this kind of behavior. People would not be sniffing around information they shouldn’t be looking at if they knew that all their actions were being audited, that these audit trails could not be tampered with, and consequently that they could -and probably would- be held accountable for their actions.
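Both posts on this page rest on the same mechanism: an audit trail that cannot be altered without the alteration being detectable, whether the records are wire-transfer details (the Lloyds stripping case above) or employee access to customer data. The following added example shows the basic technique in working code; it is not the Kinamik Secure Audit Vault or any of its code, and the key, the actor names, the wire ids and the entries are all constructed. Each entry is sealed with an HMAC over its own canonical content and the previous entry's tag, so editing, reordering or deleting an entry breaks the chain from that point on; a “witness” tag published to a separate store catches the one thing the chain alone cannot, silently dropping the newest entries.

```python
import copy
import hashlib
import hmac
import json
from typing import List, Optional

# Assumption: the MAC key lives outside the database and application hosts
# (an HSM or a separate sealing service), so whoever can edit rows cannot re-seal them.
KEY = b"constructed-demo-key-not-for-production"
GENESIS = "0" * 64  # "previous tag" of the very first entry


def seal(key: bytes, prev_tag: str, entry: dict) -> str:
    """HMAC-SHA256 over the previous entry's tag plus this entry's canonical JSON."""
    payload = json.dumps(entry, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hmac.new(key, prev_tag.encode("ascii") + b"\n" + payload, hashlib.sha256).hexdigest()


def append_entry(log: List[dict], key: bytes, actor: str, action: str, record: dict) -> dict:
    """Append one audit entry, chained to the entry before it."""
    prev_tag = log[-1]["tag"] if log else GENESIS
    body = {"seq": len(log), "actor": actor, "action": action, "record": record}
    stored = dict(body, prev=prev_tag, tag=seal(key, prev_tag, body))
    log.append(stored)
    return stored


def verify_log(log: List[dict], key: bytes, witness_tag: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the position of the first bad entry.

    witness_tag is the latest tag published to a separate store (constructed here);
    without it, removal of the newest entries leaves a perfectly valid shorter chain.
    """
    prev_tag = GENESIS
    for i, stored in enumerate(log):
        body = {k: stored[k] for k in ("seq", "actor", "action", "record")}
        if stored["seq"] != i or stored["prev"] != prev_tag:
            return i  # reordered or deleted entry
        if not hmac.compare_digest(stored["tag"], seal(key, prev_tag, body)):
            return i  # content edited after sealing
        prev_tag = stored["tag"]
    if witness_tag is not None and not hmac.compare_digest(prev_tag, witness_tag):
        return len(log)  # chain is shorter than the last witnessed state
    return None


def build_sample_log() -> List[dict]:
    """Constructed wire-transfer audit trail; ids, names and actors are made up."""
    log: List[dict] = []
    append_entry(log, KEY, "ops-user-17", "wire.create",
                 {"id": "W-1001", "originator": "Example Trading Co", "amount": 12000})
    append_entry(log, KEY, "ops-user-17", "wire.update",
                 {"id": "W-1001", "field": "originator", "old": "Example Trading Co", "new": ""})
    append_entry(log, KEY, "screening", "wire.release", {"id": "W-1001", "filter": "pass"})
    return log


def run_scenarios() -> dict:
    """Run the check-up over an intact log and three tampered copies."""
    log = build_sample_log()
    witness = log[-1]["tag"]                           # published out of band after the last append
    edited = copy.deepcopy(log)
    edited[1]["record"]["new"] = "Example Trading Co"  # make the update look like a no-op
    deleted = copy.deepcopy(log)
    del deleted[1]                                     # remove the update entry entirely
    truncated = copy.deepcopy(log)
    del truncated[-1]                                  # drop the newest entry
    return {
        "intact": verify_log(log, KEY),
        "edited": verify_log(edited, KEY),
        "deleted": verify_log(deleted, KEY),
        "truncated_no_witness": verify_log(truncated, KEY),
        "truncated_with_witness": verify_log(truncated, KEY, witness_tag=witness),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: {'intact' if result is None else f'broken at entry {result}'}")
```

The check-up is exactly the “simple check-up on the audit data” the first post describes: it reads the whole chain and reports the first entry that no longer matches. The deterrent effect depends on two things the code makes explicit: the key must be unreachable from the systems whose operators are being audited, and the latest tag must be copied somewhere those operators cannot write, or a whole tail of the log can be cut off unnoticed.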