March 2, 2003
FYI - How to get an ATM PIN in 15 guesses - Cambridge researchers have documented a worrying PIN cracking technique against the hardware security modules commonly used by bank ATMs. http://www.theregister.co.uk/content/55/29425.html
FYI - Introduction to Information Security and Risk Management - http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=543
FYI - A former network administrator for a Los Angeles airport transportation company was arrested on charges that he hacked into his ex-employer's computers and wiped out critical data -- allegedly as revenge for his termination from the company. http://www.securityfocus.com/news/2567
FYI - A series of recent court battles has highlighted the importance of clear policies governing the use of an organization's information systems. While the majority of media coverage has focused on the use of email to send lurid or offensive messages, the ramifications go far beyond the need for 'acceptable use' policies and show a weakness in an organization's information security and workplace monitoring efforts. http://www.infosecnews.com/opinion/2003/02/26_01.htm
FYI - FBI Called in as Credit Card Hack Escalates - The Visa/Mastercard hack reported by CNN last week appears to be a lot bigger than first thought and is possibly the largest credit card systems hack in history. Media reports from around the world suggest that significant numbers of American Express and Discover card account details were accessed, with at least 100,000 card accounts in Canada and several hundred in Korea affected. http://www.infosecnews.com/sgold/news/2003/02/24_01.htm
FYI - Credit card hack traced to outsider - Break-in at Nebraska company exposes millions of accounts. A hacker who gained access to millions of credit card numbers apparently did it by breaking into a computer system at a company that handles transactions for catalog companies and other direct marketers. http://www.msnbc.com/news/874907.asp?0si=-&cp1=1
FYI - Treasury's Office of Foreign Assets Control has amended its list of Specially Designated Nationals and Blocked Persons - On February 12, 2003, the Department of the Treasury's Office of Foreign Assets Control (OFAC) amended its list of Specially Designated Nationals and Blocked Persons by adding OBURSATILES S.A. www.fdic.gov/news/news/financial/2003/fil0314.html
FYI - PNC cancels 16,000 cards after hacking theft incident - PNC Bank was forced to deactivate some 16,000 ATM/debit/check cards that carry the Visa logo after being notified by Visa that the cards were compromised by a computer hacker. http://www.post-gazette.com/businessnews/20030220pnc0220p4.asp
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the delivery requirement by sending any of these disclosures and other information required by the act and regulations by electronic communication, as long as the consumer agrees to that method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.
INTERNET SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Part II. Risks Associated with Wireless Internet Devices
As wireless Internet devices become more prevalent in the marketplace, financial institutions are adopting wireless application technologies as a channel for reaching their customers. Wireless Internet services are becoming available in major cities across the United States. Through wireless banking applications, a financial institution customer could access account information and perform routine non-cash transactions without having to visit a branch or ATM.
The wireless Internet devices available today present attractive methods for offering and using financial services. Customers have access to financial information from anywhere they can receive wireless Internet access. Many of the wireless devices have built-in encryption through industry-standard encryption methods. This encryption has its limits based on the processing capabilities of the device and the underlying network architecture.
A popular standard for offering wireless applications is the Wireless Application Protocol (WAP). WAP is designed to bring Internet application capabilities to some of the simplest user interfaces. Unlike the Web browser that is available on most personal computer workstations, the browser in a wireless device (such as a cell phone) has a limited display that in many cases can provide little, if any, graphical capability. The interface is also limited in the amount of information that can be displayed easily on the screen. Further, the user is limited by the keying capabilities of the device and often must resort to many key presses for simple words.
The limited processing capabilities of these devices restrict the robustness of the encryption applied to network transmissions. Effective encryption is, by nature, processing-intensive and often requires complex calculations. The time required to complete the encryption calculations on a device with limited processing capabilities may result in unreasonable delays for the device's user. Therefore, simpler encryption algorithms and smaller keys may be used to speed the process of obtaining access.
WAP is an evolving protocol. The most recent specification of WAP (WAP 2.0 - July 2001) offers the capability of encrypting network conversations all the way from the WAP server (at the financial institution) to the WAP client (the financial institution customer). Unfortunately, WAP 2.0 has not yet been fully adopted by vendors that provide the building blocks for WAP applications. Previous versions of WAP provide encryption only between the WAP client and a WAP gateway (owned by the wireless provider). The WAP gateway must then decrypt the information and re-encrypt it before it is sent across the Internet to the financial institution. Therefore, sensitive information is available at the wireless provider in an unencrypted form. This limits the financial institution's ability to provide appropriate security over customer information.
PRIVACY - We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.
Consumer and Customer:
A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory services for a fee.
Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution.
There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.
Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer, of that institution.
IN CLOSING - Would you like an affordable means of advertising to your Internet customers? Then Savvy Thoughts is what you are looking for. We do all the work, such as writing the e-newsletter, emailing the e-newsletter, collecting the subscribers, etc. Visit http://www.savvythoughts.com/ for more information.