Tech experts look to establish facial recognition software
guidelines - A group of technology industry experts will meet this
Thursday to discuss facial recognition technologies and take the
first steps toward establishing guidelines for future technology. An
agency within the U.S. government's Commerce Department invited the
group of privacy advocates, technical experts and industry
professionals to come together.
Visa pushes credit card industry to enhance security measures - Visa
is urging card issuers to adopt chip cards instead of cards relying
on magnetic stripes after a slew of retail stores' data breaches,
including Target and Neiman Marcus.
Watch a four-minute video interview that my friend John Moynihan
gave regarding the Target breach, saying that the breach was
"completely undetectable" for major security products.
The need for a national cyber breach notification standard - It is a
well-known fact that cyber attacks pose a significant risk to
businesses. Most recently, we have seen how the cyber attack on
Target resulted in lower sales, higher costs, and a loss of customer
SEC examiners to review how asset managers fend off cyber attacks -
U.S. regulators said Thursday they plan to scrutinize whether asset
managers have policies to prevent and detect cyber attacks and are
properly safeguarding against security risks that could arise from
vendors having access to their systems.
Strict Hacking Definition Doesn't Touch IT Misuse - Accessing a
firm's proprietary information with customer login credentials does
not qualify as hacking under state and federal computer fraud laws,
a federal magistrate ruled.
Yet Another Data Breach Bill Introduced - Latest Proposal to Create
National Requirement for Notification - Yet another bill to create a
federal requirement for data breach notification has been
introduced, this time by Democratic leaders of the Senate Commerce,
Science and Transportation Committee.
PCI Council Responds to Critics - Council's GM Says No Standards
Changes Needed - The PCI Security Standards Council has no plans to
modify its standards for payment card data security in response to
high-profile payment card breaches at Target and Neiman Marcus.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Target traces security breach to stolen vendor credentials - The
hackers who stole millions of credit card numbers from Target have
been tracked back to electronic credentials stolen from a vendor.
Target's investigation of the massive security breach which allowed
hackers to take millions of credit and debit card numbers has
revealed a stolen vendor's credentials as a source of access.
Yahoo! Mail! users! change! your! passwords! NOW! - Web giant blames
'third-party database compromise' - Yahoo! is urging users of its
Mail service to change their passwords to something secure and
unique to the web giant – after a security breach exposed account
login details to theft.
Calif. high schoolers expelled after using keylogger, doctoring
grades - Eleven students at a California high school have been
expelled for bugging teachers' computers with a keylogger and later
doctoring online grades.
Canada's largest telecom firm Bell Canada hit with 22k password
breach - Bell Canada, the country's largest communications firm, is
alerting its small business customers that 22,421 usernames and
passwords were posted online.
Wisconsin health insurer loses hard drive, 41K members impacted -
About 41,000 members of Wisconsin-based Unity Health Insurance are
being notified that their personal information may be at risk after
a portable hard drive was reported missing from the University of
Wisconsin-School of Pharmacy.
Coding error on hundreds of NHS sites redirects users to dodgy pages
- Hundreds of NHS websites have been redirecting web users to pages
hosting advertising or malware, due to a "coding error".
Hackers access 800,000 Orange customers' data - Orange reveals an
attack on its website exposed details for three percent of its
French customer base. Orange customers in France could see a spike
in phishing attempts after hackers nabbed hundreds of thousands of
customers' unencrypted personal data in an attack on the operator's
US hotels look into data security breach - It is
not yet clear how payment card data went astray from computers at
White Lodging - Thousands of guests at US hotels may have had their
credit and debit data stolen, suggests a security researcher.
French mobile provider breach affects 800,000 - A French mobile
provider, Orange, admitted that the personal information of 800,000
customers was breached in mid-January.
Social Security numbers of 14K Texas students on stolen devices -
Roughly 14,000 current and former Midland Independent School
District students in Texas may have had personal information –
including Social Security numbers – compromised after a laptop and
unsecured external hard drive were stolen from a district
Texas health system attacked, data on more than 400K compromised -
More than 400,000 patients and employees of St. Joseph Health System
in Texas are being notified that their personal information –
including Social Security numbers and, in some cases, bank account
information – may have been accessed following an attack on the
health system's computer system.
Health workers' personal info compromised after breach - More than
1,000 Minnesota-based healthcare workers' personal information might
have been compromised after an attack on a medical center's employee
Home Depot staffers arrested, stole employee info and opened
fraudulent credit cards - Three former human resources associates
with Home Depot have been arrested for accessing the personal
information – including Social Security numbers – of employees and
attempting to use that data to open fraudulent credit cards.
WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
INFORMATION TECHNOLOGY SECURITY -
We continue our
series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION -
TCP/IP is a packet-based communications system. A packet consists
of a header and a data payload. A header is analogous to a mail
envelope, containing the information necessary for delivery of the
envelope, and the return address. The data payload is the content of
the envelope. The IP packet header contains the address of the
sender (source address) and the intended recipient (destination
address) and other information useful in handling the packet. Under
IP, the addresses are unique numbers known as IP addresses. Each
machine on an IP network is identified by a unique IP address. The
vast majority of IP addresses are publicly accessible. Some IP
addresses, however, are reserved for use in internal networks. Those
addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0 -
172.31.255.255, and 192.168.0.0 - 192.168.255.255. Since those
internal addresses are not accessible from outside the internal
network, a gateway device is used to translate the external IP
address to the internal address. The device that translates external
and internal IP addresses is called a network address translation
(NAT) device. Other IP packet header fields include the protocol
field (e.g., 1=ICMP, 6=TCP, 7=UDP), flags that indicate whether
routers are allowed to fragment the packet, and other information.
If the IP packet indicates the protocol is TCP, a TCP header will
immediately follow the IP header. The TCP header contains the source
and destination ports, the sequence number, and other information.
The sequence number is used to order packets upon receipt and to
verify that all packets in the transmission were received.
Information in headers can be spoofed, or specially constructed to
contain misleading information. For instance, the source address can
be altered to reflect an IP address different from the true source
address, and the protocol field can indicate a different protocol
than actually carried. In the former case, an attacker can hide
their attacking IP, and cause the financial institution to believe
the attack came from a different IP and take action against that
erroneous IP. In the latter case, the attacker can craft an attack
to pass through a firewall and attack with an otherwise disallowed
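As an added example (not code from the newsletter or the FFIEC booklet), a small Python decoder of the IP and TCP header fields described above, plus the ingress check a border firewall applies to the two spoofing cases: an internal (RFC 1918) source address arriving from outside, and a protocol field claiming TCP for a payload too small to hold a TCP header. Sample packets are constructed inline; protocol numbers follow the IANA table, where UDP is 17.

```python
import ipaddress
import struct

# IANA protocol numbers (the booklet's "7=UDP" is the IANA value 17).
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
# The three reserved internal ranges the text lists (RFC 1918).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def parse_ipv4(packet: bytes) -> dict:
    """Decode the IP 'envelope'; if the protocol field says TCP, decode the TCP header too."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, _ttl, proto,
     _csum, src, dst) = struct.unpack("!BBHHHBBH4s4s", packet[:20])
    ihl = (ver_ihl & 0x0F) * 4                      # header length in bytes
    hdr = {
        "src": str(ipaddress.ip_address(src)),
        "dst": str(ipaddress.ip_address(dst)),
        "protocol": PROTOCOLS.get(proto, str(proto)),
        "dont_fragment": bool(flags_frag & 0x4000),  # DF bit: routers may not fragment
        "payload": packet[ihl:total_len],
    }
    if proto == 6 and len(hdr["payload"]) >= 20:    # a full TCP header is 20 bytes
        sport, dport, seq = struct.unpack("!HHI", hdr["payload"][:8])
        hdr["tcp"] = {"src_port": sport, "dst_port": dport, "seq": seq}
    return hdr

def is_internal(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in INTERNAL_NETS)

def ingress_check(packet: bytes, from_external: bool) -> list:
    """The checks a border firewall applies against the two spoofing cases in the text."""
    hdr = parse_ipv4(packet)
    findings = []
    if from_external and is_internal(hdr["src"]):
        findings.append("internal source address arriving from outside: spoofed source")
    if hdr["protocol"] == "TCP" and "tcp" not in hdr:
        findings.append("protocol field claims TCP but payload cannot hold a TCP header")
    return findings

# Constructed sample packets (checksums left zero; test input only, never sent).
def build_tcp_header(sport: int, dport: int, seq: int) -> bytes:
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, 0x02, 8192, 0, 0)

def build_packet(src: str, dst: str, proto: int, payload: bytes = b"") -> bytes:
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 1, 0x4000, 64,
                         proto, 0, ipaddress.ip_address(src).packed,
                         ipaddress.ip_address(dst).packed)
    return ip_hdr + payload
```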
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
35. Does the institution deliver
the privacy and opt out notices, including the short-form notice, so
that the consumer can reasonably be expected to receive actual
notice in writing or, if the consumer agrees, electronically?