REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.FYI
- "Human error" contributes to nearly all cyber incidents, study
finds - Even though organizations may have all of the bells and
whistles needed in their data security arsenal, it's the human
element that continues to fuel cyber incidents occurring, according
to one recent study.
- Corporate Boards Race to Shore Up Cybersecurity - Directors
Grapple With Issues Once Consigned to Tech Experts - After a series
of high-profile data breaches and warnings, corporate boards are
waking to cyberthreats, grappling with security issues they once
relegated to technology experts.
- Germany dumps Verizon for Deutsche Telekom over NSA spying - Nein,
danke, we need 'a very high level of security' - The German
government has said it will cancel its contract with US telecoms
provider Verizon, citing spying fears.
Massachusetts man forced to decrypt files after court ruling - Law
enforcement officials were granted legal permission to force an
attorney accused of mortgage fraud to decrypt his computers seized
in an investigation of his alleged crime without violating his
constitutional right against self-incrimination.
- P.F. Chang's hit with class-action lawsuit following breach - A
proposed class-action lawsuit has been filed against P.F. Chang's
China Bistro Inc. by consumers claiming that the restaurant chain
failed to protect their personal financial data.
- DDoS attacks down, gov't increasingly a target - Distributed
denial-of-service (DDoS) attack traffic declined in the first
quarter of 2014 and China held on to the top spot as the country
from which the most attack traffic originated, according to
observations disclosed by Akamai in its "State of the Internet
Report" for the first quarter of 2014.
- File sharing programs cause data leaks, security headaches - It
probably comes as no surprise to most security specialists that 84
percent of the 308 senior IT professionals in a recent Harris Poll
survey said that unmanaged file sharing programs like Dropbox posed
a security challenge for their organizations.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Hospital Networks Are Leaking Data, Leaving Critical Devices
Vulnerable - Two researchers examining the security of hospital
networks have found many of them leak valuable information to the
internet, leaving critical systems and equipment vulnerable to
Thousands impacted so far in Splash Car Wash payment card breach -
On Thursday, three days after technology writer Brian Krebs reported
that Splash Car Wash may have experienced a payment card breach, the
Connecticut-based automobile cleaning company announced that its
payment card systems were compromised by malware.
Salina Family Healthcare Center email gaffe impacts about 10K
patients - Nearly 10,000 patients of Kansas-based Salina Family
Healthcare Center (SFHC) are being notified that their personal
information was inadvertently left in a database submitted to the
National Commission for Quality Assurance (NCQA).
'Luuuk' banking malware may have stolen $682K in a week - Kaspersky
Lab says the professional criminal group behind the operation is
very active - A European bank may have lost as much as $682,000 in a
week earlier this year, according to Kaspersky Lab, which analyzed
data on a server used in attacks against online banking users in
Italy and Turkey.
- Hackers access data on more than 160K Butler University students
and staffers - Around 163,000 Butler University students, alumni,
faculty, staff and prospective students are being notified that
their personal information - including Social Security numbers and
bank account information - may have been compromised in a hacking
incident dating back to 2013.
- Houston Astros hacked, trade conversations posted online - The
incident affects more than just the Texas baseball squad because
information pilfered in the breach – and posted publicly online –
relates to private conversations the team had with several other
major league ball clubs.
- POS vendor notifies restaurants of possible payment card breach -
Information Systems & Supplies Inc. (ISS), a point-of-sale (POS) and
security systems vendor for restaurants such as Taco Bell and Dairy
Queen, may have experienced a payment card breach, according to a
- Benjamin F. Edwards alerts customers to May breach - In a letter
to customers on June 27, brokerage house Benjamin F. Edwards & Co.
disclosed that it had been the target of a data breach in late May,
according to a Forbes blog post.
- New malware program targets banking data - There is yet another
reason to be wary of spam email about bank transfers or invoices --
it could be carrying a new, cleverly designed malware program that
steals financial information.
- Hackers commandeer businessman's phone lines, rack up $23K in
charges - A New Zealand businessman was shocked to find $23,000 in
phone bill charges after an international phone hacking scam
targeted his business lines.
- Laptop stolen from billing vendor contained unencrypted data on
3,500 students - About 3,500 students in Massachusetts and Vermont
who receive Medicaid reimbursements are being notified that their
unencrypted personal information – including Social Security numbers
– was on a password protected laptop stolen from the vehicle of a
Multi-State Billing Services employee.
- Alabama Department of Public Health warns of possible data breach
- Alabama's Department of Public Health (ADPH) has sent letters to
individuals whose personal information may have been compromised and
used in a tax fraud scheme.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Banking organizations have been delivering electronic services to
consumers and businesses remotely for years. Electronic funds
transfer, including small payments and corporate cash management
systems, as well as publicly accessible automated machines for
currency withdrawal and retail account management, are global
fixtures. However, the increased world-wide acceptance of the
Internet as a delivery channel for banking products and services
provides new business opportunities for banks as well as service
benefits for their customers.
Continuing technological innovation and competition among existing
banking organizations and new market entrants has allowed for a much
wider array of electronic banking products and services for retail
and wholesale banking customers. These include traditional
activities such as accessing financial information, obtaining loans
and opening deposit accounts, as well as relatively new products and
services such as electronic bill payment services, personalized
financial "portals," account aggregation and business-to-business
market places and exchanges.
Notwithstanding the significant benefits of technological
innovation, the rapid development of e-banking capabilities carries
risks as well as benefits and it is important that these risks are
recognized and managed by banking institutions in a prudent manner.
These developments led the Basel Committee on Banking Supervision to
conduct a preliminary study of the risk management implications of
e-banking and e-money in 1998. This early study demonstrated a clear
need for more work in the area of e-banking risk management and that
mission was entrusted to a working group comprised of bank
supervisors and central banks, the Electronic Banking Group (EBG),
which was formed in November 1999.
The Basel Committee released the EBG's Report on risk management and
supervisory issues arising from e-banking developments in October
2000. This Report inventoried and assessed the major risks
associated with e-banking, namely strategic risk, reputational risk,
operational risk (including security and legal risks), and credit,
market, and liquidity risks. The EBG concluded that e-banking
activities did not raise risks that were not already identified by
the previous work of the Basel Committee. However, it noted that
e-banking increase and modifies some of these traditional risks,
thereby influencing the overall risk profile of banking. In
particular, strategic risk, operational risk, and reputational risk
are certainly heightened by the rapid introduction and underlying
technological complexity of e-banking activities.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ENCRYPTION - HOW ENCRYPTION
In general, encryption functions by taking data and a variable,
called a "key," and processing those items through a fixed algorithm
to create the encrypted text. The strength of the encrypted text is
determined by the entropy, or degree of uncertainty, in the key and
the algorithm. Key length and key selection criteria are important
determinants of entropy. Greater key lengths generally indicate more
possible keys. More important than key length, however, is the
potential limitation of possible keys posed by the key selection
criteria. For instance, a 128-bit key has much less than 128 bits of
entropy if it is selected from only certain letters or numbers. The
full 128 bits of entropy will only be realized if the key is
randomly selected across the entire 128-bit range.
The encryption algorithm is also important. Creating a mathematical
algorithm that does not limit the entropy of the key and testing the
algorithm to ensure its integrity are difficult. Since the strength
of an algorithm is related to its ability to maximize entropy
instead of its secrecy, algorithms are generally made public and
subject to peer review. The more that the algorithm is tested by
knowledgeable worldwide experts, the more the algorithm can be
trusted to perform as expected. Examples of public algorithms are
AES, DES and Triple DES, HSA - 1, and RSA.
Return to the top of
INTERNET PRIVACY -
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a financial
institution's evaluation or brokerage of information that the
institution collects in connection with a request or an application
from a consumer for a financial product or service. For example, a
financial service includes a lender's evaluation of an application
for a consumer loan or for opening a deposit account even if the
application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer relationship" with a
financial institution. A "customer relationship" is a continuing
relationship between a consumer and a financial institution under
which the institution provides one or more financial products or
services to the consumer that are to be used primarily for personal,
family, or household purposes.