R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 6, 2014

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with the Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for Android smartphones and tablets.  Go to the Market Store and search for yennik.

FYI - "Human error" contributes to nearly all cyber incidents, study finds - Even though organizations may have all of the bells and whistles needed in their data security arsenal, it is the human element that continues to fuel cyber incidents, according to one recent study. http://www.scmagazine.com/human-error-contributes-to-nearly-all-cyber-incidents-study-finds/article/356015/

FYI - Corporate Boards Race to Shore Up Cybersecurity - Directors Grapple With Issues Once Consigned to Tech Experts - After a series of high-profile data breaches and warnings, corporate boards are waking to cyberthreats, grappling with security issues they once relegated to technology experts. http://online.wsj.com/articles/boards-race-to-bolster-cybersecurity-1404086146

FYI - Germany dumps Verizon for Deutsche Telekom over NSA spying - Nein, danke, we need 'a very high level of security' - The German government has said it will cancel its contract with US telecoms provider Verizon, citing spying fears. http://www.theregister.co.uk/2014/06/26/germany_boots_verizon/

FYI - Massachusetts man forced to decrypt files after court ruling - Law enforcement officials were granted legal permission to force an attorney accused of mortgage fraud to decrypt his computers seized in an investigation of his alleged crime without violating his constitutional right against self-incrimination. http://www.scmagazine.com/massachusetts-man-forced-to-decrypt-files-after-court-ruling/article/358278/

FYI - P.F. Chang's hit with class-action lawsuit following breach - A proposed class-action lawsuit has been filed against P.F. Chang's China Bistro Inc. by consumers claiming that the restaurant chain failed to protect their personal financial data. http://www.scmagazine.com/pf-changs-hit-with-class-action-lawsuit-following-breach/article/358909/

FYI - DDoS attacks down, gov't increasingly a target - Distributed denial-of-service (DDoS) attack traffic declined in the first quarter of 2014 and China held on to the top spot as the country from which the most attack traffic originated, according to observations disclosed by Akamai in its "State of the Internet Report" for the first quarter of 2014. http://www.scmagazine.com/report-ddos-attacks-down-govt-increasingly-a-target/article/359198/

FYI - File sharing programs cause data leaks, security headaches - It probably comes as no surprise to most security specialists that 84 percent of the 308 senior IT professionals in a recent Harris Poll survey said that unmanaged file sharing programs like Dropbox posed a security challenge for their organizations. http://www.scmagazine.com/file-sharing-programs-cause-data-leaks-security-headaches/article/358954/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hospital Networks Are Leaking Data, Leaving Critical Devices Vulnerable - Two researchers examining the security of hospital networks have found many of them leak valuable information to the internet, leaving critical systems and equipment vulnerable to hacking. http://www.wired.com/2014/06/hospital-networks-leaking-data/

FYI - Thousands impacted so far in Splash Car Wash payment card breach - On Thursday, three days after technology writer Brian Krebs reported that Splash Car Wash may have experienced a payment card breach, the Connecticut-based automobile cleaning company announced that its payment card systems were compromised by malware. http://www.scmagazine.com/thousands-impacted-so-far-in-splash-car-wash-payment-card-breach/article/358279/

FYI - Salina Family Healthcare Center email gaffe impacts about 10K patients - Nearly 10,000 patients of Kansas-based Salina Family Healthcare Center (SFHC) are being notified that their personal information was inadvertently left in a database submitted to the National Commission for Quality Assurance (NCQA). http://www.scmagazine.com/salina-family-healthcare-center-email-gaffe-impacts-about-10k-patients/article/358186/

FYI - 'Luuuk' banking malware may have stolen $682K in a week - Kaspersky Lab says the professional criminal group behind the operation is very active - A European bank may have lost as much as $682,000 in a week earlier this year, according to Kaspersky Lab, which analyzed data on a server used in attacks against online banking users in Italy and Turkey. http://www.computerworld.com/s/article/9249390/_39_Luuuk_39_banking_malware_may_have_stolen_682K_in_a_week?taxonomyId=17

FYI - Hackers access data on more than 160K Butler University students and staffers - Around 163,000 Butler University students, alumni, faculty, staff and prospective students are being notified that their personal information - including Social Security numbers and bank account information - may have been compromised in a hacking incident dating back to 2013. http://www.scmagazine.com/hackers-access-data-on-more-than-160k-butler-university-students-and-staffers/article/358527/

FYI - Houston Astros hacked, trade conversations posted online - The incident affects more than just the Texas baseball squad because information pilfered in the breach – and posted publicly online – relates to private conversations the team had with several other major league ball clubs. http://www.scmagazine.com/houston-astros-hacked-trade-conversations-posted-online/article/358952/

FYI - POS vendor notifies restaurants of possible payment card breach - Information Systems & Supplies Inc. (ISS), a point-of-sale (POS) and security systems vendor for restaurants such as Taco Bell and Dairy Queen, may have experienced a payment card breach, according to a BankInfoSecurity report. http://www.scmagazine.com/pos-vendor-notifies-restaurants-of-possible-payment-card-breach/article/358966/

FYI - Benjamin F. Edwards alerts customers to May breach - In a letter to customers on June 27, brokerage house Benjamin F. Edwards & Co. disclosed that it had been the target of a data breach in late May, according to a Forbes blog post. http://www.scmagazine.com/benjamin-f-edwards-alerts-customers-to-may-breach/article/358928/

FYI - New malware program targets banking data - There is yet another reason to be wary of spam email about bank transfers or invoices -- it could be carrying a new, cleverly designed malware program that steals financial information. http://www.computerworld.com/s/article/9249458/New_malware_program_targets_banking_data?taxonomyId=17

FYI - Hackers commandeer businessman's phone lines, rack up $23K in charges - A New Zealand businessman was shocked to find $23,000 in phone bill charges after an international phone hacking scam targeted his business lines. http://www.scmagazine.com/hackers-commandeer-businessmans-phone-lines-rack-up-23k-in-charges/article/359073/

FYI - Laptop stolen from billing vendor contained unencrypted data on 3,500 students - About 3,500 students in Massachusetts and Vermont who receive Medicaid reimbursements are being notified that their unencrypted personal information – including Social Security numbers – was on a password-protected laptop stolen from the vehicle of a Multi-State Billing Services employee. (A login password does not protect data at rest; only full-disk encryption does.) http://www.scmagazine.com/laptop-stolen-from-billing-vendor-contained-unencrypted-data-on-3500-students/article/359064/

FYI - Alabama Department of Public Health warns of possible data breach - Alabama's Department of Public Health (ADPH) has sent letters to individuals whose personal information may have been compromised and used in a tax fraud scheme. http://www.scmagazine.com/alabama-department-of-public-health-warns-of-possible-data-breach/article/359014/


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Introduction 

Banking organizations have been delivering electronic services to consumers and businesses remotely for years. Electronic funds transfer, including small payments and corporate cash management systems, as well as publicly accessible automated machines for currency withdrawal and retail account management, are global fixtures. However, the increased world-wide acceptance of the Internet as a delivery channel for banking products and services provides new business opportunities for banks as well as service benefits for their customers. 

Continuing technological innovation and competition among existing banking organizations and new market entrants has allowed for a much wider array of electronic banking products and services for retail and wholesale banking customers. These include traditional activities such as accessing financial information, obtaining loans and opening deposit accounts, as well as relatively new products and services such as electronic bill payment services, personalized financial "portals," account aggregation and business-to-business market places and exchanges. 

Notwithstanding the significant benefits of technological innovation, the rapid development of e-banking capabilities carries risks as well as benefits and it is important that these risks are recognized and managed by banking institutions in a prudent manner. These developments led the Basel Committee on Banking Supervision to conduct a preliminary study of the risk management implications of e-banking and e-money in 1998. This early study demonstrated a clear need for more work in the area of e-banking risk management and that mission was entrusted to a working group comprised of bank supervisors and central banks, the Electronic Banking Group (EBG), which was formed in November 1999.

The Basel Committee released the EBG's Report on risk management and supervisory issues arising from e-banking developments in October 2000. This Report inventoried and assessed the major risks associated with e-banking, namely strategic risk, reputational risk, operational risk (including security and legal risks), and credit, market, and liquidity risks. The EBG concluded that e-banking activities did not raise risks that were not already identified by the previous work of the Basel Committee. However, it noted that e-banking increases and modifies some of these traditional risks, thereby influencing the overall risk profile of banking. In particular, strategic risk, operational risk, and reputational risk are certainly heightened by the rapid introduction and underlying technological complexity of e-banking activities.



INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

ENCRYPTION - HOW ENCRYPTION WORKS

In general, encryption functions by taking data and a variable, called a "key," and processing those items through a fixed algorithm to create the encrypted text. The strength of the encryption is determined by the entropy, or degree of uncertainty, in the key and the algorithm. Key length and key selection criteria are important determinants of entropy. Greater key lengths generally mean more possible keys. More important than key length, however, is the potential limitation of possible keys posed by the key selection criteria. For instance, a 128-bit key has much less than 128 bits of entropy if it is selected from only certain letters or numbers: a 16-character key made up of decimal digits alone, while 128 bits long, has only about 53 bits of entropy. The full 128 bits of entropy will only be realized if the key is chosen uniformly at random across the entire 128-bit range, which in practice means generating it with a cryptographically secure random number generator rather than deriving it from a password or a predictable seed.


The encryption algorithm is also important. Designing an algorithm that does not itself reduce the effective entropy of the key, and testing it to confirm it has no exploitable weaknesses, are difficult tasks. Since the strength of an algorithm depends on its mathematical design rather than on its secrecy, algorithms are generally made public and subject to peer review. The more an algorithm is tested by knowledgeable experts worldwide, the more it can be trusted to perform as expected. Examples of public algorithms are AES, DES and Triple DES, SHA-1 (a hash function rather than a cipher), and RSA. Being public is not the same as being strong, however: DES's 56-bit key is far too short to resist brute-force search on modern hardware, and SHA-1 is no longer considered collision-resistant.
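To make the key-entropy point above concrete, here is an added example (not from the FFIEC booklet or this newsletter) that computes the entropy of a 16-byte key under several key-selection rules and compares it with a key drawn from the operating system's cryptographically secure generator. Every scheme produces a key that is nominally 128 bits long, but the entropy ranges from about 53 bits to the full 128. The guessing rate of 10^12 keys per second used for the brute-force estimate is an assumed figure for illustration only.

```python
"""Effective entropy of a 'key' under different key-selection criteria.

Added example: not code from the FFIEC booklet or the newsletter.
Uses only the Python standard library.
"""
import math
import secrets
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def key_entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy (bits) of a key of `length` symbols, each chosen uniformly at
    random from an alphabet of `alphabet_size` symbols: length * log2(N)."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def brute_force_years(entropy_bits: float, guesses_per_second: float = 1e12) -> float:
    """Time to exhaust a key space of 2**entropy_bits keys at the given rate.
    The default rate (1e12 guesses/s) is an assumption for illustration."""
    return 2 ** entropy_bits / guesses_per_second / SECONDS_PER_YEAR


def random_key(n_bytes: int = 16) -> bytes:
    """A key drawn uniformly over the full 8*n_bytes range from the OS CSPRNG.
    This is the only scheme here that realizes all 128 bits for 16 bytes."""
    return secrets.token_bytes(n_bytes)


def weak_key(alphabet: str = string.digits, length: int = 16) -> bytes:
    """A 'key' that is 16 bytes long (it looks like a 128-bit key) but whose
    symbols come only from `alphabet`, so its entropy is length*log2(len(alphabet)).
    The symbols themselves are still chosen with a CSPRNG; the weakness is
    entirely in the selection criteria, which is the booklet's point."""
    return "".join(secrets.choice(alphabet) for _ in range(length)).encode()


# Key-selection schemes that all yield a 16-byte (nominally 128-bit) key,
# mapped to the size of the alphabet each symbol is drawn from.
SCHEMES = {
    "16 decimal digits": 10,
    "16 lowercase letters": 26,
    "16 alphanumeric characters": 62,
    "16 printable ASCII characters": 95,
    "16 random bytes (full 128-bit range)": 256,
}


def entropy_table(length: int = 16) -> dict:
    """Entropy in bits for each scheme, for a key of `length` symbols."""
    return {name: key_entropy_bits(size, length) for name, size in SCHEMES.items()}


if __name__ == "__main__":
    for name, bits in entropy_table().items():
        years = brute_force_years(bits)
        print(f"{name:40s} {bits:6.1f} bits  ~{years:.3g} years at 1e12 guesses/s")
    # Both keys are 16 bytes; only one of them has 128 bits of entropy.
    print("digit-only key:", weak_key(), " random key:", random_key().hex())
```

Running the script prints the table: 16 digits give about 53 bits (exhausted in hours at the assumed rate), 16 alphanumerics about 95 bits, and only the 16 CSPRNG bytes reach 128 bits. Note that deriving a key by encoding a password, as `weak_key` does, is exactly the pattern the booklet warns about; real systems should either use the CSPRNG output directly or run the password through a purpose-built key-derivation function, which stretches but never increases its entropy.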



INTERNET PRIVACY
We continue our series listing the regulatory privacy examination questions.  Answering each week's question will help ensure compliance with the privacy regulations.

Consumer and Customer:

The distinction between consumers and customers is significant because financial institutions have additional disclosure duties with respect to customers. All customers covered under the regulation are consumers, but not all consumers are customers.

A "consumer" is an individual, or that individual's legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes.

A "financial service" includes, among other things, a financial institution's evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service. For example, a financial service includes a lender's evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn.

Consumers who are not customers are entitled to an initial privacy and opt out notice only if their financial institution wants to share their nonpublic personal information with nonaffiliated third parties outside of the exceptions.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated