FYI
- A reminder for good IT security from CSIS - Twenty Critical
Security Controls for Effective Cyber Defense: Consensus Audit
Guidelines.
http://www.sans.org/critical-security-controls/
FYI
- Algerian 'bank hacker' wanted by FBI held in Thailand - An alleged
Algerian computer hacker wanted by the FBI on suspicion of stealing
millions of dollars from US banks to fund a life of luxury has been
arrested in Bangkok, Thai police say.
http://www.bbc.co.uk/news/world-asia-20937024
FYI
- Global Payments now expects to pay $94M for breach costs -
Atlanta-based payment processor Global Payments will pay more than
anticipated for a 2012 breach in which hackers accessed 1.5 million
credit and debit card numbers.
http://www.scmagazine.com/global-payments-now-expects-to-pay-94m-for-breach-costs/article/275832/?DCMP=EMC-SCUS_Newswire
FYI
- Banks seek NSA help amid attacks on their computer systems - Major
U.S. banks have turned to the National Security Agency for help
protecting their computer systems after a barrage of assaults that
have disrupted their Web sites, according to industry officials.
http://www.washingtonpost.com/world/national-security/banks-seek-nsa-help-amid-attacks-on-their-computer-systems/2013/01/10/4aebc1e2-5b31-11e2-beee-6e38f5215402_story.html
FYI
- Monitoring Bank DDoS Attacks Tough Task For Third Parties - While
data is not readily available on the attacks hitting financial
institutions, defenders dealing with the incidents say that the
attacks are effective and costly.
http://www.darkreading.com/security-monitoring/167901086/security/attacks-breaches/240146155/monitoring-bank-ddos-attacks-tough-task-for-third-parties.html.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Drake International the latest victim of hacking, extortion scheme
against companies - Drake International, the Canadian-based job
placement firm, confirmed Wednesday that it has been the victim of a
hacking scheme by a group seeking to extort payment in exchange for
not releasing the personal information of people who have used
Drake’s services.
http://business.financialpost.com/2013/01/09/drake-international-confirms-database-with-user-information-hacked/
FYI
- Hackers Steal 3,000 Classified Japanese Government Documents -
Several of the confidential documents were related to negotiations
over the TPP free trade agreement. A recent cyber attack on Japan's
Ministry of Agriculture, Forestry and Fisheries apparently resulted
in the theft of more than 3,000 classified documents, including
several related to negotiations over the Trans-Pacific Partnership (TPP)
free trade agreement.
http://www.esecurityplanet.com/hackers/hackers-steal-3000-classified-japanese-government-documents.html
FYI
- Cybersleuths Uncover 5-Year Spy Operation Targeting Governments,
Others - An advanced and well-orchestrated computer spy operation
that targeted diplomats, governments and research institutions for
at least five years has been uncovered by security researchers in
Russia.
http://www.wired.com/threatlevel/2013/01/red-october-spy-campaign/
FYI
- Canada student loan record breach affects 583k - A federal agency
in Canada lost an unencrypted external hard drive containing the
personal information of half a million student loan recipients.
http://www.scmagazine.com/canada-student-loan-record-breach-affects-583k/article/276083/?DCMP=EMC-SCUS_Newswire
FYI
- Hackers raid systems at 100 fast-food restaurants - A chain of
Southern fast-food restaurants is warning customers that their
credit card information may have been stolen by hackers who
seeded computer systems with malware.
http://www.scmagazine.com/hackers-raid-systems-at-100-fast-food-restaurants/article/276534/?DCMP=EMC-SCUS_Newswire
FYI
- Florida juvenile agency loses device containing data of 100k - An
unencrypted mobile device was stolen from the Florida agency
responsible for handling juvenile delinquency cases. It contained
the personal information of tens of thousands of employees and
minors.
http://www.scmagazine.com/florida-juvenile-agency-loses-device-containing-data-of-100k/article/276547/?DCMP=EMC-SCUS_Newswire
FYI
- Patient data revealed in medical device hack - Researchers have
exploited critical vulnerabilities in two popular medical management
platforms used in a host of services, including assisting surgeries
and generating patient reports.
http://www.scmagazine.com/patient-data-revealed-in-medical-device-hack/article/276568/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites -
Risk Mitigation and Response Guidance for Web Site Spoofing Incidents
(Part 4 of 5)
PROCEDURES TO ADDRESS SPOOFING - Spoofing Incident Response
To respond to spoofing incidents effectively, bank management should
establish structured and consistent procedures. These procedures
should be designed to close fraudulent Web sites, obtain identifying
information from the spoofed Web site to protect customers, and
preserve evidence that may be helpful in connection with any
subsequent law enforcement investigations.
Banks can take the following steps to disable a spoofed Web site and
recover customer information. Some of these steps will require the
assistance of legal counsel.
* Communicate promptly, including through written communications,
with the Internet service provider (ISP) responsible for hosting the
fraudulent Web site and demand that the suspect Web site be
shut down;
* Contact the domain name registrars promptly, for any domain name
involved in the scheme, and demand the disablement of the domain
names;
* Obtain a subpoena from the clerk of a U.S. District Court
directing the ISP to identify the owners of the spoofed Web site and
to recover customer information in accordance with the Digital
Millennium Copyright Act;
* Work with law enforcement; and
* Use other existing mechanisms to report suspected spoofing
activity.
The following are other actions and types of legal documents that
banks can use to respond to a spoofing incident:
* Banks can write letters to domain name registrars demanding that
the incorrect use of their names or trademarks cease immediately;
* If these demand letters are not effective, companies with
registered Internet names can use the Uniform Domain Name Dispute
Resolution Process (UDRP) to resolve disputes in which they suspect
that their names or trademarks have been illegally infringed upon.
This process allows banks to take action against domain name
registrars to stop a spoofing incident. However, banks must bear in
mind that the UDRP can be relatively time-consuming. For more
details on this process see
http://www.icann.org/udrp/udrp-policy-24oct99.htm; and
* Additional remedies may be available under the federal Anti-Cybersquatting
Consumer Protection Act (ACCPA) allowing the bank to initiate
immediate action in federal district court under section 43(d) of
the Lanham Act, 15 USC 1125(d). Specifically, the ACCPA can provide
for rapid injunctive relief without the need to demonstrate a
similarity or likelihood of confusion between the goods or services
of the parties.
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
SECURITY MEASURES
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non-repudiation, data
privacy, and cryptographic key management. A certificate authority
(CA) is a trusted third party that verifies the identity of a party
to a transaction. To do this, the CA vouches for the identity of a
party by attaching the CA's digital signature to any messages,
public keys, etc., which are transmitted. Obviously, the CA must be
trusted by the parties involved, and identities must have been
proven to the CA beforehand. Digital certificates are messages that
are signed with the CA's private key. They identify the CA, the
represented party, and could even include the represented party's
public key.
The responsibilities of CAs and their position among emerging
technologies continue to develop. They are likely to play an
important role in key management by issuing, retaining, or
distributing public/private key pairs.
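As an added example, not part of the FDIC text or of this newsletter, the Go program below shows the mechanics the passage describes using only the standard library (crypto/x509 and crypto/ed25519): a CA signs a certificate that names itself and the represented party and carries that party's public key, and a relying party uses that public key only after checking the CA's signature against a CA it already trusts and checking that the certificate names the host it expected. Every name in it (Example Bank Root CA, Unrelated CA, online.bank.example, other.example) and the signed message are constructed values with no counterpart on the page.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// check aborts the demo on an error; with constructed inputs an error here is a bug, not a runtime condition.
func check(err error) {
	if err != nil {
		panic(err)
	}
}

// CA is a certificate authority: its self-signed certificate plus the private key it signs with.
type CA struct {
	Cert *x509.Certificate
	key  ed25519.PrivateKey
}

// signCert signs tmpl with signer on behalf of parent and parses the result (for a root, parent is tmpl).
func signCert(tmpl, parent *x509.Certificate, pub ed25519.PublicKey, signer ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// NewCA creates a self-signed CA. The name is a constructed example value.
func NewCA(name string) *CA {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign,
	}
	return &CA{Cert: signCert(tmpl, tmpl, pub, priv), key: priv}
}

// Issue builds a digital certificate: a message naming the CA and the represented party and carrying
// that party's public key, signed with the CA's private key. Proving the party's identity is assumed done.
func (ca *CA) Issue(host string, subjectPub ed25519.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	return signCert(tmpl, ca.Cert, subjectPub, ca.key)
}

// Verify is the relying party's check: the certificate must chain to a CA it already trusts
// and must name the expected host; only then is the public key it carries worth using.
func Verify(cert, trustedRoot *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// Result records the outcome of each check made in Demo.
type Result struct {
	TrustedOK   bool // checked against the CA that issued it
	UntrustedOK bool // checked against a CA that did not issue it
	WrongHostOK bool // checked against a host the certificate does not name
	SigOK       bool // subject's signature verified with the key taken from the certificate
}

// Demo runs the whole flow with constructed names and a constructed message.
func Demo() (r Result) {
	bankCA := NewCA("Example Bank Root CA")
	otherCA := NewCA("Unrelated CA")
	subjectPub, subjectPriv, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	cert := bankCA.Issue("online.bank.example", subjectPub)
	r.TrustedOK = Verify(cert, bankCA.Cert, "online.bank.example") == nil
	r.UntrustedOK = Verify(cert, otherCA.Cert, "online.bank.example") == nil
	r.WrongHostOK = Verify(cert, bankCA.Cert, "other.example") == nil
	// Once the certificate is trusted, the key it carries checks a message the party signed (constructed).
	msg := []byte("transfer request 42")
	sig := ed25519.Sign(subjectPriv, msg)
	r.SigOK = ed25519.Verify(cert.PublicKey.(ed25519.PublicKey), msg, sig)
	return r
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

The two negative checks are the practical meaning of "the CA must be trusted by the parties involved": the very same certificate is rejected when the relying party's trust store holds a different CA, and again when it is presented for a host it does not name, which is the check that defeats a look-alike site holding a certificate for some other name. A production deployment adds what this demo leaves out, chiefly revocation checking and management of key and certificate validity periods.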
Implementation
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies and methods can be used individually, or in
combination with one another. Some techniques may merely encrypt
data in transit from one location to another. While this keeps the
data confidential during transmission, it offers little in regard to
authentication and non-repudiation. Other techniques may utilize
digital signatures, but still require the encrypted submission of
sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to
ensure the sensitive information remains protected once received and
stored.
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized. Care should be taken
to ensure the techniques utilized are sufficient to meet the
required needs of the institution. All of the technical and
implementation differences should be explored when determining the
most appropriate package.
INTERNET PRIVACY - We
continue our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
agencies.
Opt Out Right and Exceptions:
The Right
Consumers must be given the right to "opt out" of, or prevent, a
financial institution from disclosing nonpublic personal information
about them to a nonaffiliated third party, unless an exception to
that right applies. The exceptions are detailed in sections 13, 14,
and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a
reasonable opportunity to opt out depends on the circumstances
surrounding the consumer's transaction, but a consumer must be
provided a reasonable amount of time to exercise the opt out right.
For example, it would be reasonable if the financial institution
allows 30 days from the date of mailing a notice or 30 days after
customer acknowledgement of an electronic notice for an opt out
direction to be returned. What constitutes a reasonable means to
opt out may include check-off boxes, a reply form, or a
toll-free telephone number, again depending on the circumstances
surrounding the consumer's transaction. It is not reasonable to
require a consumer to write his or her own letter as the only means
to opt out.