HTC settles with FTC over software security vulnerabilities -
Mobile handset maker HTC has agreed to settle a complaint filed
against it by the Federal Trade Commission accusing the company of
failing to take "reasonable steps" to patch a security flaw in
software running on its smartphones.
Malware once used exclusively for bank fraud is finding a new
mission - Attackers who once relied on malware exclusively to
initiate financial fraud are finding that it also can be used to
pillage intellectual property, researchers have found.
China blames U.S. for most cyberattacks against military Web sites -
China's Defense Ministry claims that almost two-thirds of the
cyberattacks against its military sites have come from the United
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Add Microsoft to list of hacked companies - Undisclosed number of
computers are found with malware, but the company says no customer
data has been compromised.
DDoS Attack on Bank Hid $900,000 Cyberheist - A Christmas Eve
cyberattack against the Web site of a regional California financial
institution helped to distract bank officials from an online account
takeover against one of its clients, netting thieves more than
Many companies likely affected by iOS developer forum compromise -
The administrators of a popular iOS developer Web forum called
iPhoneDevSDK confirmed Wednesday that it had been compromised by
hackers who used it to launch attacks against its users.
Microsoft joins list of recently hacked companies - The software
giant said it was hit with a similar hack to that used against -
Microsoft has disclosed that it recently fell victim to the same
type of cyberattack that targeted Apple and Facebook.
NBC.com hacked to serve up banking malware - NBC said it was working
to clear up the issues, which also affected some of its other
websites - Websites affiliated with U.S. broadcaster NBC were hacked
for several hours on Thursday, serving up malicious software
intended to steal bank account details.
Server hack prompts call for cPanel customers to take “immediate
action” - Change root and account passwords and rotate SSH keys,
company advises. The providers of the cPanel website management
application are warning some users to immediately change their
systems' root or administrative passwords after discovering one of
its servers has been hacked.
Overseas hackers nab more than 1TB of data daily - A new report
shows that the recent wave of cyberattacks on the U.S. are coming
from a highly sophisticated group of hackers that are most likely
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 2 of 4)
The board of directors and senior management are responsible for
understanding the risks associated with outsourcing arrangements for
technology services and ensuring that effective risk management
practices are in place. As part of this responsibility, the board
and management should assess how the outsourcing arrangement will
support the institution’s objectives and strategic plans and how the
service provider’s relationship will be managed. Without an
effective risk assessment phase, outsourcing technology services may
be inconsistent with the institution’s strategic plans, too costly,
or introduce unforeseen risks.
Outsourcing of information and transaction processing and settlement
activities involves risks that are similar to the risks that arise
when these functions are performed internally. Risks include threats
to security, availability and integrity of systems and resources,
confidentiality of information, and regulatory compliance. In
addition, the nature of the service provided, such as bill payment,
funds transfer, or emerging electronic services, may result in
entities performing transactions on behalf of the institution, such
as collection or disbursement of funds, that can increase the levels
of credit, liquidity, transaction, and reputation risks.
Management should consider additional risk management controls when
services involve the use of the Internet. The broad geographic
reach, ease of access, and anonymity of the Internet require close
attention to maintaining secure systems, intrusion detection and
reporting systems, and customer authentication, verification, and
authorization. Institutions should also understand that the
potential risks introduced are a function of a system’s structure,
design and controls and not necessarily the volume of activity.
An outsourcing risk assessment should consider the following:
• Strategic goals, objectives, and business needs of the
• Ability to evaluate and oversee outsourcing relationships.
• Importance and criticality of the services to the financial
• Defined requirements for the outsourced activity.
• Necessary controls and reporting processes.
• Contractual obligations and requirements for the service
• Contingency plans, including availability of alternative service providers, costs and resources required to switch service providers.
• Ongoing assessment of outsourcing arrangements to evaluate consistency with strategic objectives and service provider performance.
• Regulatory requirements and guidance for the business lines affected and technologies used.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 2 of 2)
Token technology relies on a separate physical device, retained by an
individual, to verify the user's identity. The token resembles a
small hand-held card or calculator and is used to generate passwords.
The device is usually synchronized with security software on the host
computer, for example through an internal clock or an identical
time-based mathematical algorithm, so that token and host compute the
same value independently. Tokens are well suited for one-time
password generation and access control. A separate PIN is typically
required to activate the token.
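The following Python is an added illustration, not part of the newsletter or of the FDIC text it quotes. It shows the mechanism behind a time-synchronized token: both the token and the host hold the same secret and derive the same one-time password from the current clock value, so no password ever travels between them in advance. The standard HOTP/TOTP construction (RFC 4226 and RFC 6238) is assumed here as one concrete instance of the "time-based mathematical algorithm" the text describes; the secret and the fixed clock value are constructed test values, not anything from the page.

```python
import hashlib
import hmac
import struct

# Constructed shared secret for illustration only (the RFC 4226 test key,
# not a value from the newsletter). A real token and host each hold a
# unique secret provisioned at enrollment.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per token "tick"; token and host must agree on it
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for a given counter value."""
    msg = struct.pack(">Q", counter)                       # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """Time-based OTP (RFC 6238): the token turns its clock into the counter."""
    return hotp(secret, unix_time // step, digits)


def host_verify(secret: bytes, candidate: str, unix_time: int,
                step: int = TIME_STEP, digits: int = DIGITS,
                window: int = 1) -> bool:
    """Host-side check: recompute the expected code for the current time step
    and for `window` steps either side to tolerate small clock drift between
    token and host, and compare in constant time so response timing does not
    reveal how many digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * step, step, digits)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    now = 59  # constructed, fixed clock value so the run is reproducible
    code = totp(SHARED_SECRET, now)
    print("token displays:", code)
    print("host accepts current code:", host_verify(SHARED_SECRET, code, now))
    print("host rejects the same code five steps later:",
          host_verify(SHARED_SECRET, code, now + 5 * TIME_STEP))
```

The drift window is what keeps a slightly fast or slow token usable; a production host would additionally record the last accepted time step so that a code already used cannot be accepted a second time inside that window.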
Smart cards resemble credit cards or other traditional magnetic
stripe cards, but contain an embedded computer chip. The chip
includes a processor, operating system, and both read only memory
(ROM) and random access memory (RAM). They can be used to generate
one-time passwords when prompted by a host computer, or to carry
cryptographic keys. A smart card reader is required for their use.
Biometrics involves identification and verification of an individual
based on some physical characteristic, such as fingerprint analysis,
hand geometry, or retina scanning. This technology is advancing
rapidly, and offers an alternative means to authenticate a user.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Financial Institution Duties (Part 3 of 6)
Requirements for Notices
Clear and Conspicuous. Privacy notices must be clear and
conspicuous, meaning they must be reasonably understandable and
designed to call attention to the nature and significance of the
information contained in the notice. The regulations do not
prescribe specific methods for making a notice clear and
conspicuous, but do provide examples of ways in which to achieve the
standard, such as the use of short explanatory sentences or bullet
lists, and the use of plain-language headings and easily readable
typeface and type size. Privacy notices also must accurately reflect
the institution's privacy practices.
Delivery Rules. Privacy notices must be provided so that each
recipient can reasonably be expected to receive actual notice in
writing, or if the consumer agrees, electronically. To meet this
standard, a financial institution could, for example, (1)
hand-deliver a printed copy of the notice to its consumers, (2) mail
a printed copy of the notice to a consumer's last known address, or
(3) for the consumer who conducts transactions electronically, post
the notice on the institution's web site and require the consumer to
acknowledge receipt of the notice as a necessary step to completing
For customers only, a financial institution must provide the initial
notice (as well as the annual notice and any revised notice) so that
a customer may be able to retain or subsequently access the notice.
A written notice satisfies this requirement. For customers who
obtain financial products or services electronically, and agree to
receive their notices on the institution's web site, the institution
may provide the current version of its privacy notice on its web