The story you are about to read regarding a cybersecurity threat is real; only the names and places have been changed to respect the privacy of those involved. When this happened, I had spent a good part of my 30-year career dealing with large-scale, complex global operations and technology and thought that I had seen and heard most, if not all, that there was to see and hear.
I was on the job as CIO of the Global Consumer Group at the BigWorldBank for about two weeks. There I was, responsible for the operations and technology health and well-being in support of about 200,000 staff and 150 million customers distributed throughout 54 countries. I was administratively responsible for an annual budget of approximately $2.5 billion. For those first couple of weeks, I actually had moments of feeling like I was in control, almost.
Whoever said that in a new executive role you have 100 days to find your legs and establish yourself was clearly never a CIO.
It was late on Friday afternoon of my second week and the phone rang. Sonali Kumar, the manager of our flagship branch in Kafiristan, was calling with a question. I glanced at my watch and noticed that it was 5:45 p.m. in New York, which meant that it was 4:45 a.m. Saturday morning in Kafiristan. I had a feeling my first 100 days had just ended.
"A customer called and said that he had found a security flaw in our online banking system," Kumar said. "He made a video of the technique that he used, he is willing to turn it over to us, and he would like to be paid a consulting fee for his efforts. What should we do?"
I could feel my heart race and my mouth go dry. A cybersecurity threat. I asked him if he had met with the customer or seen the video. He indicated that he had not. Serendipitously, I looked up and saw Fred Simon, the business head of our Middle Eastern business region, passing by my door. I put Sonali on hold, called out to Fred and quickly explained the situation. He advised me to instruct Sonali to call the local police and inform them that the integrity of our branch had been breached. He assured me that the perpetrator would be in jail within two hours, turned and left my office as quickly as he appeared.
I thought about Fred's advice for a moment and pondered two additional considerations: First, jailing a customer did not seem like a good service for a bank to provide, especially in Kafiristan where caning was still commonly practiced by their criminal justice system; and, second, if we went commando on this guy out of the gate we might never find out what, if any, security vulnerabilities he may have actually found in our online system. I returned to my call with Sonali and instructed him to request a meeting with the customer and see what he could find out through friendly conversation. I additionally made it clear that payment of a consulting fee (or any form of payment) was not to be discussed. We agreed to speak again following Sonali's conversation with the customer.
Per procedure, any cybersecurity threat needed to be escalated, so my next call was to my boss, the CEO. I quickly briefed her on the situation and we agreed that I would follow up with our team in Kafiristan over the weekend, coordinate with our cybersecurity and risk management teams, and inform her of the latest status on Monday morning. I wished her a good weekend.
I then coordinated a conference call with my CISO, the head of Global Risk Management and with the head of BigWorldBanking online technology. I briefed them on the little that I knew about the cybersecurity threat and we discussed the scope of currently known online banking issues (there is always something) to see if there was a possibility that we could be dealing with a known vulnerability. We all agreed that, based upon known facts, we did not have enough information to reach any conclusions. I assured the team I would keep them in the loop, glanced at my watch and realized that I was late for dinner, again. Fortunately (or unfortunately), my family was already accustomed to my rather unpredictable office hours, but I still felt bad.
15 hours later
My phone rang at 3:00 a.m. Saturday morning, 2:00 p.m. in Kafiristan. It was Sonali calling with the latest update, roughly 15 hours after the cybersecurity incident began.
Sonali apologized for waking me and then told me that he had just spoken to the customer who had agreed to an in-person meeting where he would be willing to reveal the vulnerability that he had discovered. There was no further mention of a consulting fee.
I thanked Sonali for the update and asked him to call me with outcomes from the meeting. Feeling somewhat encouraged that the situation seemed to be heading in the right direction, I was able to get some additional much-needed sleep.
At about 10:00 p.m. Saturday evening, 9:00 a.m. Sunday morning in Kafiristan, Sonali called to inform me that he had met with the customer, seen the video and that the customer had actually given him a copy. Thankfully, there was again no discussion of a consulting fee or any other form of remuneration. I commended Sonali on his skillful handling of the situation and asked him to send me a copy of the video. Half an hour later I was watching the video with great interest. What I was seeing was a fairly typical BigWorldBanking online session and everything looked normal.
Then I saw it -- the customer finished his transaction and instead of logging out of the session, he simply closed the online banking window (not the browser) by pressing the "X" in the upper right corner. He then opened the browser history window, found the address of the last page of the online banking session that he was viewing and when he clicked on the address of the page, "as if by magic," it reopened to the exact place where he had left off.
Was this the vulnerability for whose discovery the customer had originally requested payment of a consulting fee? To be absolutely sure, I called Sonali back to review and confirm my understanding of what I was watching. My understanding was correct. What the customer had discovered was not a vulnerability, but rather how his browser worked: Close a window and it disappears, open the same window and it reappears.
I sent a copy of the video to my CISO, the head of Global Risk Management and the head of BigWorldBanking online technology for their review and evaluation. Cybersecurity threat scare, closed.
During a follow-up call with my team later Sunday morning, we reconfirmed that no vulnerability actually existed since no personally identifiable information could be displayed, no financial transactions could be executed without the customer re-entering his password, and if the window was left closed for more than 30 seconds the customer's online session would automatically time out. I thanked my team and ended the call determined to relax and enjoy what remained of a beautiful summer day.
The next morning I met with my boss, as planned, to brief her on the situation. We were both relieved, me especially for not putting our customer in jail. Instead, we agreed to send him a 46-inch flat-screen television as a gift for being so highly engaged and for taking the initiative in helping us to improve our products and services.
Dealing with this potential cyberthreat incident taught me a couple of very valuable lessons: When you need to make an important decision, especially when customers and jail are involved, precede important acts with actual facts; and: When you think that you have seen and heard it all, think again.
Let me know what you think. Post a comment or drop me a note at firstname.lastname@example.org. Discuss, debate or even argue -- let's continue the conversation.
About the author:
Harvey R. Koeppel is the president of Pictographics Inc., a management and technology advisory and consulting services firm. He is also vice chairman of the World BPO/ITO Forum. From May 2004 through June 2007, Koeppel served as the CIO and senior vice president of Citigroup's Global Consumer Group.