Two years ago, a man with a handgun walked into a branch of Happy State Bank and Trust Co. in the dusty cowtown of Amarillo, Texas, and demanded cash. "This is no joke," he told the teller. He stuffed the money in a backpack and fled. But bank employees spotted the robber's getaway car -- a blue four-door sedan -- and police picked him up a few weeks later.
There aren't many places to hide in a small city surrounded by prairie.
Earlier this summer, a young man set up a phishing scheme to steal the identities of Happy State Bank's customers and hijack their accounts. Working off a tip from a friendly stranger in San Antonio, Texas, IT employees uncovered the ruse before it reached the bank's 4,500 online customers. They shut down the false front within four hours. The feds tracked down the culprit, who was holed up somewhere in the Bronx.
Whether a thief plies his trade on foot or online, the point is clear: Don't mess with Texas. "Banks have been around a long time, since Jesse James and his gang were robbing them," says Jason James, senior vice president of technology at Happy State Bank (and no relation to the infamous outlaw). "Security is nothing new to this industry."
But what is unusual in banking is the high-touch approach to online customer service that sets Happy State apart from its bigger competitors. The advent of Web banking has pulled James and his four IT staffers into a trailblazing position with the bank's most critical business ambition. This IT department handles all security in-house and even conducts one or two site visits a week, traveling to customers' homes to clean their computers of viruses, spam and spyware.
"High customer touch is what really brought us to the dance," says bank President Gary Wells. "In the Texas panhandle, relationships are key. People out here still want to sit down face to face and talk, go have coffee, play golf, hunt."
Taming the Security Frontier
Happy State Bank's three-story brick fortress stands tall in the outskirts of Amarillo. High ceilings, wooden staircases and walls adorned with cowboy art all nod to the Old West. There's a circular steel vault door on display that a half-dozen sticks of dynamite couldn't blow a hole through. In many ways, Happy State Bank and other midsized banks are struggling to tame a frontier of their own. Instead of iron safes and double-barreled shotguns, banks today rely upon an arsenal of technology tools -- everything from firewalls to vulnerability assessments to fraud detection and customer authentication -- to protect themselves from Internet outlaws.
It's a high-stakes poker game, for sure. Customers will desert a bank in droves if they think it can't keep their money safe. Meanwhile, regulators can and will shut down a bank that fails to meet tough Internet security requirements. By the end of this year, the Federal Financial Institutions Examination Council (FFIEC) -- a group that defines standards for financial services providers in the U.S. and is backed by the Federal Reserve System as well as other notable bodies -- will require banks to use more than one form of online customer authentication. Research firm Gartner Inc. foresees cease-and-desist orders for noncompliant banks arriving on the first banking day of 2007.
Yet for CIOs at midsized banks, there is a silver lining. The rise of Web banking and related security regulations have given IT executives a more prominent role in their companies. This is especially true at Happy State Bank, where the brass pinned the proverbial tin star on James and his four-man crew earlier this year. The 33-year-old James was promoted to senior VP, making him the youngest bank officer with the lofty title. "They do a great job," the bank president says of his IT group. "I sleep better at night knowing they're in control."
Happy State Bank isn't just a façade of the Old West. The bank opened its wooden doors nearly a century ago in 1908. J. Pat Hickman led a group of investors to purchase the single-branch bank, then called First State Bank, in 1990. Chairman and CEO Hickman grew the bank throughout the tristate region of New Mexico, Oklahoma and the Texas panhandle by guiding it through a series of acquisitions.
Some newly competing banks carried the First State name, which led to the renaming of Happy State Bank a few years ago. (The bank takes its name from a nearby town called Happy, made famous in 1999 by the eponymous film Happy, Texas.) Today, Happy State claims 18,000 customers, a dozen branches, $470 million in assets and $40 million in annual revenue. That's still small potatoes compared with its biggest competitor, Amarillo National Bank. The latter holds more than half the market share in Amarillo, whereas Happy State Bank has a mere 3%. Throughout the panhandle, Happy State Bank can claim around 8% market share.
Despite high transaction fees and a large employee-to-asset-dollar ratio, good ole customer service helps Happy State hold its own. It caters to the country crowd, as is evident one day recently when a customer sporting a droopy mustache, blue jeans, leather boots with spurs, a bandana, and a cowboy hat stepped out of history and toward a teller to make a deposit. "Now, that's a real cowboy," James says. "These are our type of customers."
In 1999, old-fashioned banking executives begrudgingly poured resources into launching a Web banking service. "We had to do it," says Wells, adding that his two college-age children prefer banking online over traditional paper checks and printed statements. Even Wells is making the move to the Web. "My wife and I decided to start paying bills online at the first of the year," he says.
With the advent of its Web banking service, Happy State finally rode into the technology era. The bank expanded its IT department from one employee to five, which included hiring Duane Hall, a network coordinator and security sharpshooter, and promoting James, a local boy who started at the bank in 1993. Over the past few years, the bank has spent roughly $500,000 annually on technology equipment alone.
In its first year, some 500 customers enrolled in Happy State's Web banking service; today that number has grown to more than 4,500. The IT department constantly jockeys with online thieves who try to punch holes in the system with everything from pharming, phishing and spoofing schemes to malware and domain name server poisoning. "As we get bigger, security is going to become a primary function of the IT department," says Hall.
In response the bank has deployed a number of security measures to keep its online customers safe. Customers are mailed a logon ID and password, and banking sessions employ Netscape Secure Sockets Layer to secure transactions between a customer's browser and the bank's firewall-protected Web server. Cookies are used as an additional layer of authentication and identification.
But cookies are just one way of authenticating a customer. Other methods range from costly biometric devices to smart tokens to public-key infrastructure credentials. Banks often choose authentication methods that best fit their customer profile. Technology Credit Union, a midsized financial cooperative in Silicon Valley, deployed biometric fingerprint readers to customers a couple of years ago, citing its technology-savvy members as being agreeable to such devices. Cookies, on the other hand, run behind the scenes often without the user's knowledge.
Meanwhile, software vendors continue to circle the wagons with new offerings and outsourcing partnerships for financial institutions. Leading players include RSA Security Inc., which was recently acquired by EMC Corp.; it offers a transaction anomaly detection application that flags transactions that don't match a customer's historical behavior. An authentication platform from PassMark Software supports 14 million online banking customers. Many banking IT vendors have also partnered with outsourcers such as Certegy Inc., which provides Web banking services to midsized banks.
The Del Rio Incident
Back in Texas, Happy State Bank was fighting on another front: internal fraud detection. In 2002, regulators required third-party assessments of a bank's internal security measures, so James scanned the horizon for options. He found that an auditor would charge $9,000 to conduct a basic assessment of the bank's single Internet server, while inexpensive Linux software could reveal the number of open ports. Both would satisfy regulators, but James wanted more. "This is my career on the line," he notes.
The IT executive chose "a more invasive" testing product from Core Security Technologies, at a cost of $3,000 for a year's worth of testing. The product identifies problems through massive simulated attacks, assigns a level of risk to each vulnerability and provides remediation advice. "We try to take a proactive approach to security rather than a reactive one," says James. "After the horse is out of the barn, there's not a whole lot you can do."
So far nary a horse has gotten loose; that is, Happy State Bank claims it hasn't had a single incident of identity theft yet. That's impressive considering that the bank doesn't use an outsourcer to serve up its Web banking capabilities. Most midmarket banks rely on third parties that can bring greater resources and skills to bear. But as part of its lone-star tradition, Happy State Bank keeps practically everything in-house.
Outsourcers are usually a better bet for midmarket banks, contends Gartner Inc. analyst Avivah Litan. When a suspicious transaction comes over the wires, an outsourcer can assign one of its fraud analysts to weed out fraudulent transactions. "A small bank really doesn't have a fraud analyst," Litan says, adding, "If they come under attack and their outsourcer isn't dealing with it, then the bank is at a severe disadvantage because they don't have the resources to deal with it."
James disagrees. With an outsourcer, he says, "you're putting your reputation in someone else's hands. It would take me a year to prove it, but I think outsourcing is more expensive if you take into account customer service loss and reputation risk."
In fact, James was glad he wasn't beholden to an outsourcer earlier this year. A confused customer and his wife called the bank, wondering why they'd received a letter providing a logon and password for the Web banking service even though they'd never signed up. "They were one of our older customers, real technophobes who were freaking out about it," recalls network security pro Hall.
James believes an outsourcer serving many midmarket banks wouldn't have given this incident a second thought. But Hall cared enough to spend a few hours checking logs and dates. The address listed on the online enrollment form wasn't the same as that on the original account, which surprised the heck out of Hall. After a few telephone calls, Hall tracked the address to a library in Del Rio.
Hall relayed the news to the customers on the account, and they immediately saw the connection. Their daughter had just moved to Del Rio, where she was apparently up to no good. "We assumed the daughter was trying to transfer money from their account" via the Web banking service, Hall says. It was a family affair, so the bank ended its investigation without filing charges. The man and wife remain loyal Happy State Bank customers.
Prior to launching the Web banking service, the IT department had little direct customer contact. But that has changed dramatically. The group regularly posts pages of security-related definitions and best practices on the bank's Web site to educate online customers and also conducts customer satisfaction surveys. CEO Hickman is on board with the program. Today he's well known for emailing customers directly and answering their questions quickly, even on a Sunday night.
"If a customer calls up with a problem, like they can't get to our page or a pop-up keeps coming up, I'll go out there and clean the machine myself," James says. The IT department handles an average of eight telephone calls a day from Web banking customers. Happy State is a regional bank with customers who are geographically close, so James and his team can travel to customers' homes when necessary. "This is unusual and doesn't sound scalable at all," notes Gartner's Litan.
But James and Wells defend the labor-intensive practice because it goes hand in hand with the bank's customer service credo. "My fear initially was that everyone would be calling, but we've been doing this for five or six years now even though online enrollments have grown," James says. "I also think on-site visits will be less down the road, as the next generation who's more educated about computers comes up. For example, we were catching 10,000 viruses a month but are now reporting 300. Why the drop-off? Because people are getting educated about virus scans and spyware removals."
Wells is a bit more straightforward. "We know it costs us money and that we may have to get some help as we grow," he says. "But we'll continue to do it; we have to for our customers."
How to Hook a Phish
Wells admits that ramping up his spending on technology was tough to stomach at first. Before Web banking, the bank used only a handful of computers for wire transfers, word processing and limited networking. James had to fight for every IT security-related dollar he got. The battle reminded him of the Y2K spending of yesteryear. "The execs complained, 'You spent all that dad-gum money and nothin' happened,'" he recalls. "I told them, 'Maybe nothing happened because you spent all that money.'"
It also helps that James is part of an association of noncompeting midsized banks. The group gets together a couple of times a year and shares best security practices. That insider exchange ensures that Happy State Bank isn't on the bleeding edge of certain technologies and practices. But it wasn't until recently that business leaders like Wells really saw the value of the IT department's security prowess.
This summer, James received a call from a stranger in San Antonio who pointed him to a Web site that looked like Happy State Bank's own. "The guy told me that he was tired of all this and that he hopes we nail them," James says. Hall telephoned the service provider and got the fake site shut down within four hours. The next call went out to federal authorities. Then the bank's customer service department got into the act and called every one of the bank's 4,500 Web banking customers, warning them about the threat even though the fake Web site hadn't been "phished" to them yet.
The real reward came when James showed the fake site to Wells and other executives. "It was unbelievable how authentic it looked," Wells marvels. "I darn-near logged in myself. It was scary."
James has had a harder time explaining Web banking security to Happy State Bank's board of directors, many of whom are farmers. The board wanted a promise from James that there would never be a security breach. That's unrealistic, of course. In addition to fighting off a wild world full of Internet bandits (not to mention internal thieves), James and his crew might someday encounter a zero-day exploit whereby a tech vendor's patch lags behind a new attack. "There's nothing you can do about it," James says.
Such is life on the Web banking frontier.
"I told the board that a security exploit is like a dog that digs a hole in the backyard and that it's dang-near impossible to prevent him," says the IT chief. "That dog is going to dig somewhere -- but we'll do all we can."
Tom Kaneshige was a senior features editor at CIO Decisions. To comment on this story, email [email protected].