Swedish Bank Stops Digital Theft - A gang of Swedish criminals was
seconds away from completing a digital bank heist when an alert
employee literally pulled the plug on their brazen scam,
Increasing security breaches worry Energy IG - Inspector General
Gregory Friedman hopes to lock down security on the Energy
Department's interconnected computer networks, after auditors called
132 security breaches serious enough to report to law enforcement in
fiscal 2006 - 22 percent more than in the prior year.
French Bank Rocked by Rogue Trader - $7.2 Billion in Losses - On a
Quiet 31-Year-Old - The rogues' gallery of banking has a new
candidate for membership: 31-year-old trader Jérôme Kerviel.
French bank could stopped $7 billion insider fraud - Societe
Generale might have been able to prevent a year-long binge of
fraudulent transactions by one of its mid-level traders - which the
French banking giant confirmed this week has cost it more than $7
billion in losses - simply by instituting stricter password controls
and applying available software that tracks transactions to
individual workstations, analysts told SCMagazineUS.com.
Societe Generale's 'Hacker' Trader Had Only Limited Computer Skills
- The French banker accused of operating a multibillion-dollar
fraudulent trading scheme apparently knew Microsoft Office, Visual
Basic, and little else. The Societe Generale banker accused of
operating a multibillion-dollar fraudulent trading scheme had only
basic computing and programming skills -- a fact that deepens the
mystery of how he managed to circumvent layers of highly
sophisticated security software designed to prevent unauthorized
NIST to release SCAP FDCC scanner list - On Feb. 1 the National
Institute of Standards and Technology will release a list of
validated scanners that check for Federal Desktop Core Configuration
compliance. The scanners all use the Security Content Automation
Protocol (SCAP) to automatically scan desktop computers and return
the results, said Peter Mell, NIST's SCAP validation program
manager, at an FDCC workshop held yesterday in Gaithersburg, Md.
Bush Order Expands Network Monitoring - President Bush signed a
directive this month that expands the intelligence community's role
in monitoring Internet traffic to protect against a rising number of
attacks on federal agencies' computer systems.
ChoicePoint Settles Data Breach Lawsuit - Will pay $10 million to
settle class action - Data broker ChoicePoint has agreed to pay $10
million to settle a class-action lawsuit brought against it over the
2004 theft of 163,000 personal information records by a ring of
Nigerian identity thieves.
US government workers fired for visiting adult sites - Sackings
follow month-long investigation - Nine employees in the US District
of Columbia have been given their marching orders for watching adult
websites on government PCs during work hours.
Storm makes house calls: New messages lead to bogus medical sites,
evade filters - The notorious Storm worm botnet, which has mounted
phishing attacks on major banks and spawned several waves of
holiday-themed messages in recent weeks, has now changed tactics and
is generating spam that directs recipients to bogus medical sites.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
T. Rowe Price contractor loses hard drives with data - Global
investment management firm T. Rowe Price has admitted to thieves
stealing two laptops containing the sensitive information of
thousands of 401(k) participants from the St. Louis office of a
Hackers steal OmniAmerican account data - An international gang of
cyber criminals hacked into OmniAmerican Bank's records, the bank's
president disclosed. They stole scores of account numbers, created
new PINs, fabricated debit cards, then withdrew cash from ATMs in
Eastern Europe, including Russia and Ukraine, as well as in Britain,
Canada and New York.
Florida woman accused of deleting $2.5 million in data - A Florida
woman, fearing she was about to be fired from her job, was arrested
this week for allegedly deleting seven year's worth of her
employer's architectural data.
Now victims of crime have details lost in post in latest Government
data bungle - Sensitive details about victims of crime may have
fallen into the wrong hands in yet another lost data bungle by
Government officials. Four computer discs containing confidential
details of magistrates court cases are missing after being posted
through the Royal Mail.
Federal officials probe HMO data breach - Medicare officials said
yesterday they are conducting their own investigation into a Fallon
Community Health Plan data breach, examining the circumstances
around a stolen laptop and how the health plan responded to the
Stolen M&S laptop contains 26,000 pension details - ICO demands
overhaul of data security - Retailer Marks & Spencer (M&S) could
face prosecution if it does not comply within two months to the
overhaul of its data security after losing 26,000 employees' pension
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction
involving stored value products is covered by Regulation E when the
transaction accesses a consumer's account (such as when value is
"loaded" onto the card from the consumer's deposit account
at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule
was issued on March 20, 1998 that allows depository institutions to
satisfy the requirement to deliver by electronic communication any
of these disclosures and other information required by the act and
regulations, as long as the consumer agrees to such method of
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not specifically mentioned in the commentary, this
applies to all new banking services including electronic financial
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, OSC regulations provides that,
because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
Common elements of risk assessment approaches involve three phases:
information gathering, analysis, and prioritizing responses. Vendor
concerns add additional elements to the process.
Identifying and understanding risk requires the analysis of a
wide range of information relevant to the particular institution's
risk environment. Once gathered, the information can be catalogued
to facilitate later analysis. Information gathering generally
includes the following actions:
1) Obtaining listings
of information system assets (e.g., data, software, and hardware).
Inventories on a device - by - device basis can be helpful in risk
assessment as well as risk mitigation. Inventories should consider
whether data resides in house or at a TSP.
2) Determining threats
to those assets, resulting from people with malicious intent,
employees and others who accidentally cause damage, and
environmental problems that are outside the control of the
organization (e.g., natural disasters, failures of interdependent
infrastructures such as power, telecommunications, etc.).
organizational vulnerabilities (e.g., weak senior management
support, ineffective training, inadequate expertise or resource
allocation, and inadequate policies, standards, or procedures).
technical vulnerabilities (e.g., vulnerabilities in hardware and
software, configurations of hosts, networks, workstations, and
5) Documenting current
controls and security processes, including both information
technology and physical security.
6) Identifying security
requirements and considerations (e.g., GLBA).
7) Maintaining the risk
assessment process requires institutions to review and update their
risk assessment at least once a year, or more frequently in response
to material changes in any of the six actions above.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
1. Determine whether the financial institution
has removed or reset default profiles and passwords from new systems
2. Determine whether access to system administrator level is
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
14. Does the institution describe the following about its policies
and practices with respect to protecting the confidentiality and
security of nonpublic personal information:
a. who is authorized to have access to the information; and
b. whether security practices and policies are in place to ensure
the confidentiality of the information in accordance with the
institution's policy? [§6(c)(6)(ii)]
institution is not required to describe technical information about
the safeguards used in this respect.)