Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
PBX FRAUD - A banker called this week and asked us to inform our readers that PBX fraud is real. Someone hacked into their VoIP system and forwarded calls overseas. The fraudulent calls will cost the bank $30,000 because the bank is responsible to the telephone company for the fraudulent calls. The banker stated that the FBI told them that this was the third report regarding PBX fraud they had taken this morning.
Suggested reading:
http://www.teledesignsecurity.com/faq.asp and
http://www.fdic.gov/news/news/financial/2005/fil6905a.html.
FYI - Deposit Insurance
Coverage New Electronic Deposit Insurance Estimator - The Federal
Deposit Insurance Corporation has released a new expanded version of
its Electronic Deposit Insurance Estimator, also known as "Online
EDIE," for use by bank customers. With this new version, users can
estimate insurance coverage for a wider range of account types.
www.fdic.gov/news/news/financial/2006/fil06011.html
FYI - ChoicePoint to pay
$15 million to settle charges - In the largest civil fine levied by
the Federal Trade Commission, data broker ChoicePoint has agreed to
pay $15 million to settle charges it did not properly protect
consumers' personal financial information, the FTC said Thursday.
http://www.usatoday.com/tech/news/computersecurity/2006-01-26-ftc-choicepoint_x.htm
FYI - Providence
Launches Outreach to Home Services Patients After Data Theft -
Providence Home Services has begun contacting current and former
patients following the theft of tapes and disks that hold
confidential data. The theft involves the records of some 365,000
patients who received health care through Providence Home Services.
http://www.providence.org/oregon/hcs/newsrelease.htm
FYI - Computer security
breach in urban affairs, agriculture - Two recent computer security
breaches at the University of Delaware have resulted in the possible
exposure of names and Social Security Numbers that were stored on
the machines. A computer in the University's School of Urban Affairs
and Public Policy was hacked, and a back-up hard drive in the UD
Department of Entomology and Wildlife Ecology was stolen.
http://www.udel.edu/PR/UDaily/2006/jan/breach012506.html
FYI - Enterprises
ignorant of outsourcing security risks - Organizations that
outsource their IT systems are increasing their vulnerability to
security breaches, causing possible long-term damage to their
businesses, insurers have warned.
http://www.scmagazine.com/us/news/article/538228/?n=us
FYI - Dial 'D' for DoS; VoIP's hidden security threat - Communication technology experts have released a report highlighting inherent security issues with VoIP applications such as Skype and Vonage that could give online criminals an opportunity to operate undetected.
http://www.scmagazine.com/us/news/article/538427/?n=us
FYI - Credit card
numbers stolen off state Web site - Thousands stolen from Rhode
Island site run by contractor - Thousands of credit card numbers
were stolen from a state government Web site that allows residents
to register their cars and buy state permits, authorities said.
http://www.msnbc.msn.com/id/11064775/
FYI - Mobile devices are IT managers' security headache - Two-thirds of IT managers are still experiencing security breaches because of poor practices on mobile devices, according to new findings.
http://www.scmagazine.com/us/news/article/538706/?n=us
FYI - Mass. newspapers
expose credit card data - The Boston Globe and Worcester Telegram &
Gazette have mistakenly sent out slips of paper with the credit card
data of up to nearly a quarter million subscribers.
http://news.com.com/2102-1029_3-6033703.html?tag=st.util.print
WEB SITE COMPLIANCE -
Disclosures/Notices
(Part 1 of 2)
Several regulations require disclosures and notices to be given at
specified times during a financial transaction. For example, some
regulations require that disclosures be given at the time an
application form is provided to the consumer. In this situation,
institutions will want to ensure that disclosures are given to the
consumer along with any application form. Institutions may
accomplish this through various means, one of which may be through
the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered
electronically and require institutions to deliver disclosures in a
form the customer can keep have been the subject of questions
regarding how institutions can ensure that the consumer can "keep"
the disclosure. A consumer using certain electronic devices, such as
Web TV, may not be able to print or download the disclosure. If
feasible, a financial institution may wish to include in its on-line
program the ability for consumers to give the financial institution
a non-electronic address to which the disclosures can be mailed.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 3 of 3)
When utilizing PKI policies and controls, financial institutions
need to consider the following:
! Defining within the certificate issuance policy the methods of
initial verification that are appropriate for different types of
certificate applicants and the controls for issuing digital
certificates and key pairs;
! Selecting an appropriate certificate validity period to minimize
transactional and reputation risk exposure - expiration provides an
opportunity to evaluate the continuing adequacy of key lengths and
encryption algorithms, which can be changed as needed before issuing
a new certificate;
! Ensuring that the digital certificate is valid by such means as
checking a certificate revocation list before accepting transactions
accompanied by a certificate;
! Defining the circumstances for authorizing a certificate's
revocation, such as the compromise of a user's private key or the
closure of user accounts;
! Updating the database of revoked certificates frequently, ideally
in real-time mode;
! Employing stringent measures to protect the root key including
limited physical access to CA facilities, tamper-resistant
security modules, dual control over private keys and the process of
signing certificates, as well as the storage of original and backup
keys on computers that do not connect with outside networks;
! Requiring regular independent audits to ensure controls are in
place, public and private key lengths remain appropriate,
cryptographic modules conform to industry standards, and procedures
are followed to safeguard the CA system;
! Recording in a secure audit log all significant events performed
by the CA system, including the use of the root key, where each
entry is time/date stamped and signed;
! Regularly reviewing exception reports and system activity by the
CA's employees to detect malfunctions and unauthorized activities;
and
! Ensuring the institution's certificates and authentication
systems comply with widely accepted PKI standards to retain the
flexibility to participate in ventures that require the acceptance
of the financial institution's certificates by other CAs.
The encryption components of PKI are addressed more fully under "Encryption."
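As an added example (not part of the newsletter or of the FFIEC booklet), the following Python model shows how several of the controls listed above fit together in code: a policy cap on the certificate validity period, a revocation list consulted before a certificate is accepted, a fixed set of recognised revocation reasons, dual control over every use of the signing key, and an audit log whose entries are timestamped and signed. It assumes an HMAC with a key held inside the CA object as a stand-in for the CA's asymmetric signature so that it runs on the standard library alone; the class, the approver names, the clock values and the subjects are all constructed for illustration.

```python
"""Added example: a toy CA enforcing several of the PKI controls listed above.
HMAC stands in for a real CA signature (an assumption made so the script needs
only the standard library); all names, dates and subjects are constructed."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Policy: accepted revocation reasons and a cap on certificate lifetime.
REVOCATION_REASONS = {"key_compromise", "account_closed", "ca_compromise"}
MAX_VALIDITY_DAYS = 365


class ToyCA:
    def __init__(self, root_key: bytes, required_approvers: int = 2):
        self._root_key = root_key                     # never leaves this object
        self.required_approvers = required_approvers  # dual control threshold
        self.crl = {}                                 # serial -> (reason, revoked_at)
        self.audit_log = []                           # signed, timestamped entries
        self._next_serial = 1

    def _sign(self, payload: dict) -> str:
        # Canonical JSON so the signature is reproducible at verification time.
        msg = json.dumps(payload, sort_keys=True).encode()
        return hmac.new(self._root_key, msg, hashlib.sha256).hexdigest()

    def _log(self, event: str, now: datetime, **details):
        entry = {"time": now.isoformat(), "event": event, **details}
        entry["sig"] = self._sign(entry)  # signed before the sig field exists
        self.audit_log.append(entry)

    def issue(self, subject: str, approvers, validity_days: int, now: datetime) -> dict:
        """Sign a certificate only under dual control and within the validity cap."""
        if len(set(approvers)) < self.required_approvers:
            raise PermissionError(
                f"dual control: need {self.required_approvers} distinct approvers")
        if not 0 < validity_days <= MAX_VALIDITY_DAYS:
            raise ValueError("validity period outside policy")
        cert = {
            "serial": self._next_serial,
            "subject": subject,
            "not_before": now.isoformat(),
            "not_after": (now + timedelta(days=validity_days)).isoformat(),
        }
        cert["sig"] = self._sign(cert)
        self._next_serial += 1
        # Every use of the root key is recorded, with who approved it.
        self._log("issue", now, serial=cert["serial"], approvers=sorted(set(approvers)))
        return cert

    def revoke(self, serial: int, reason: str, now: datetime):
        if reason not in REVOCATION_REASONS:
            raise ValueError("unrecognised revocation reason")
        self.crl[serial] = (reason, now.isoformat())  # CRL updated immediately
        self._log("revoke", now, serial=serial, reason=reason)

    def verify(self, cert: dict, now: datetime):
        """Return (accepted, reason): signature, then validity window, then CRL."""
        body = {k: v for k, v in cert.items() if k != "sig"}
        if not hmac.compare_digest(self._sign(body), cert.get("sig", "")):
            return False, "bad signature"
        not_before = datetime.fromisoformat(cert["not_before"])
        not_after = datetime.fromisoformat(cert["not_after"])
        if not not_before <= now < not_after:
            return False, "outside validity period"
        if cert["serial"] in self.crl:
            return False, "revoked: " + self.crl[cert["serial"]][0]
        return True, "valid"

    def audit_log_intact(self) -> bool:
        """Re-check every log entry's signature; detects tampering with the log."""
        for entry in self.audit_log:
            body = {k: v for k, v in entry.items() if k != "sig"}
            if not hmac.compare_digest(self._sign(body), entry["sig"]):
                return False
        return True


def run_scenario() -> dict:
    """Exercise the controls on constructed data and return the outcomes."""
    ca = ToyCA(b"constructed-root-key-not-for-real-use")
    t0 = datetime(2006, 2, 1, tzinfo=timezone.utc)  # constructed clock
    cert = ca.issue("CN=online-banking-customer", ["alice", "bob"], 90, t0)
    out = {"fresh": ca.verify(cert, t0 + timedelta(days=1))}
    out["tampered"] = ca.verify(dict(cert, subject="CN=someone-else"), t0 + timedelta(days=1))
    ca.revoke(cert["serial"], "key_compromise", t0 + timedelta(days=2))
    out["after_revocation"] = ca.verify(cert, t0 + timedelta(days=3))
    out["expired"] = ca.verify(cert, t0 + timedelta(days=91))
    try:
        ca.issue("CN=single-approver", ["alice", "alice"], 30, t0)
        out["single_approver_refused"] = False
    except PermissionError:
        out["single_approver_refused"] = True
    out["log_intact"] = ca.audit_log_intact()
    ca.audit_log[0]["serial"] = 99  # simulate someone editing the log
    out["log_intact_after_tamper"] = ca.audit_log_intact()
    return out


if __name__ == "__main__":
    for name, result in run_scenario().items():
        print(f"{name}: {result}")
```

The order of checks in `verify` matters: a signature failure is reported before the validity window, and the CRL is consulted last, so a forged certificate is never looked up in the revocation database at all. Real deployments replace the HMAC with the CA's private-key signature held in a hardware security module and publish the CRL (or an OCSP responder) rather than keeping it in memory.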
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
11. Determine if network-based IDSs (Intrusion Detection Systems) are properly coordinated with firewalls (see "Intrusion Detection" procedures).
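As an added example (not part of the newsletter or of the FFIEC procedures), one concrete way to answer this question is to compare the firewall's deny policy with what a network IDS sensor placed on the inside of that firewall actually alerts on: any alert on traffic the policy says should never have reached the sensor is a coordination gap worth investigating. The rule list, the alert line format and every address below are constructed for the illustration.

```python
"""Added example: flag IDS alerts on traffic the firewall policy should have
blocked. Rules, alert lines, addresses and the alert format are constructed."""
import ipaddress

# Constructed firewall policy: (source network, destination port) pairs denied
# at the perimeter. The IDS sensor sits behind this firewall.
FIREWALL_DENY = [
    ("0.0.0.0/0", 23),      # telnet denied from anywhere
    ("10.0.0.0/8", 3389),   # RDP denied from the internal LAN range
]

# Constructed IDS alert lines in a simple space-separated format.
IDS_ALERTS = """\
2006-01-30T10:01:02 alert tcp 203.0.113.5:40112 -> 192.0.2.10:23 msg="TELNET login attempt"
2006-01-30T10:02:15 alert tcp 10.1.4.7:51000 -> 192.0.2.20:3389 msg="RDP password guessing"
2006-01-30T10:03:40 alert tcp 198.51.100.9:3321 -> 192.0.2.10:443 msg="TLS handshake anomaly"
"""


def parse_alert(line: str) -> dict:
    """Parse one alert line into timestamp, endpoints, destination port and message."""
    ts, _action, _proto, src, _arrow, dst, msg = line.split(maxsplit=6)
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return {"time": ts, "src": src_ip, "dst": dst_ip, "dport": int(dst_port), "msg": msg}


def should_have_been_blocked(alert: dict, deny_rules=FIREWALL_DENY) -> bool:
    """True when some deny rule covers the alert's source address and destination port."""
    src = ipaddress.ip_address(alert["src"])
    return any(src in ipaddress.ip_network(net) and alert["dport"] == port
               for net, port in deny_rules)


def find_coordination_gaps(alert_text: str, deny_rules=FIREWALL_DENY) -> list:
    """Alerts the inside sensor saw that the firewall policy says it never should have."""
    alerts = [parse_alert(line) for line in alert_text.splitlines() if line.strip()]
    return [a for a in alerts if should_have_been_blocked(a, deny_rules)]


if __name__ == "__main__":
    for gap in find_coordination_gaps(IDS_ALERTS):
        print(f'{gap["time"]} {gap["src"]} -> {gap["dst"]}:{gap["dport"]} reached the '
              f'sensor despite a deny rule ({gap["msg"]})')
```

A non-empty result points either at a firewall rule that is not enforcing what the written policy says, or at a sensor placed somewhere other than behind the boundary the policy describes; both are the kind of mismatch the examination question is asking the reviewer to find.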
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
the consumer.
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.