REMINDER - This newsletter is
available for Android smartphones and tablets. Go to the
Market Store and search for yennik.FYI
- "Human error" contributes to nearly all cyber incidents, study
finds - Even though organizations may have all of the bells and
whistles needed in their data security arsenal, it is the human
element that continues to fuel cyber incidents, according to one
recent study.
- Former NSA chief pitches consulting work for $1 million per month
- The National Security Agency's (NSA) former chief hasn't retired
Hacked Companies Face SEC Scrutiny Over Disclosure - The U.S.
Securities and Exchange Commission has opened investigations of
multiple companies in recent months examining whether they properly
handled and disclosed a growing number of cyberattacks.
Sneaky Android RAT disables required anti-virus apps to steal
banking info - Researchers with FireEye have identified HijackRAT, a
crafty remote access trojan (RAT) for mobile devices running the
Android operating system that can steal banking information by
disabling anti-virus applications, among other things.
NCL calls on gov't, business to better protect consumer data - A
consumer group is pushing business and government to adopt
comprehensive reforms to better protect consumer data.
Russian MPs back law on internet data storage - The Kremlin says the
move is for data protection but critics fear it is aimed at muzzling
social networks like Twitter and Facebook.
Australian teen accepts police caution to avoid hacking charge - An
Australian teenager has accepted a caution from police rather than
face charges for discovering a vulnerability in the website of one
of the country’s public transport authorities late last year.
Pics, other data, recovered from 'wiped' Android phones purchased on
eBay - Restoring Android smartphones to default, or erasing the
memory, will not stop attackers from recovering personal information
and possibly using it for nefarious purposes, AVAST researchers
found after purchasing 20 "wiped" devices on eBay and digging up,
altogether, more than 40,000 individual bits of data.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Brazilian 'bolware' gang targeted $3.75B in transactions, RSA finds
- While the financial sector in Brazil continues to wrestle with “bolware”
attacks – malware targeting a popular payment method in the country
called “Boleto,” new findings on a fraud ring furthering the schemes
HotelHippo shuts down permanently after security flaws discovered -
After a security consultant turned customer found and reported a
number of potentially serious security vulnerabilities on its travel
booking site, HotelHippo has shuttered the site for good.
St. Vincent BC mails 63K letters to wrong people - A clerical error
resulted in Indianapolis-based St. Vincent BC mailing more than
63,000 letters containing personal information to the wrong people.
Former employee posts data online, 10K impacted in Missouri school
district - At Park Hill School District in Missouri, more than
10,000 current and former staffers and students are being notified
that their personal information - including Social Security numbers
- was accessed after a former employee made the data accessible from
notified of six-month payment card breach at The Houstonian Hotel -
It is unclear how many transactions have been impacted, but The
Houstonian Hotel, Club & Spa in Texas has already notified more than
10,000 customers that their payment card data was exposed in a
roughly six-month-long attack on the hotel's payment processing
WEB SITE COMPLIANCE -
We continue covering some of the
issues discussed in the "Risk Management Principles for Electronic
Banking" published by the Basel Committee on Bank Supervision.
Risk management challenges
The Electronic Banking Group (EBG) noted that the fundamental
characteristics of e-banking (and e-commerce more generally) posed a
number of risk management challenges:
1) The speed of change
relating to technological and customer service innovation in
e-banking is unprecedented. Historically, new banking applications
were implemented over relatively long periods of time and only after
in-depth testing. Today, however, banks are experiencing competitive
pressure to roll out new business applications in very compressed
time frames - often only a few months from concept to production.
This competition intensifies the management challenge to ensure that
adequate strategic assessment, risk analysis and security reviews
are conducted prior to implementing new e-banking applications.
2) web sites and associated retail and wholesale business applications
are typically integrated as much as possible with legacy computer
systems to allow more straight-through processing of electronic
transactions. Such straight-through automated processing reduces
opportunities for human error and fraud inherent in manual
processes, but it also increases dependence on sound systems design
and architecture as well as system interoperability and operational
3) E-banking increases banks'
dependence on information technology, thereby increasing the
technical complexity of many operational and security issues and
furthering a trend towards more partnerships, alliances and
outsourcing arrangements with third parties, many of whom are
unregulated. This development has been leading to the creation of
new business models involving banks and non-bank entities, such as
Internet service providers, telecommunication companies and other
4) The Internet is ubiquitous and global by nature. It is an open
network accessible from anywhere in the world by unknown parties,
with routing of messages through unknown locations and via fast
evolving wireless devices. Therefore, it significantly magnifies the
importance of security controls, customer authentication techniques,
data protection, audit trail procedures, and customer privacy
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
ENCRYPTION KEY MANAGEMENT
Since security is primarily based on the encryption keys, effective
key management is crucial. Effective key management systems are
based on an agreed set of standards, procedures, and secure methods
! Generating keys for different cryptographic systems and different
! Generating and obtaining public keys;
! Distributing keys to intended users, including how keys should be
activated when received;
! Storing keys, including how authorized users obtain access to
! Changing or updating keys including rules on when keys should be
changed and how this will be done;
! Dealing with compromised keys;
! Revoking keys and specifying how keys should be withdrawn or
! Recovering keys that are lost or corrupted as part of business
! Archiving keys;
! Destroying keys;
! Logging the auditing of key management-related activities; and
! Instituting defined activation and deactivation dates, limiting
the usage period of keys.
Secure key management systems are characterized by the following
! Key management is fully automated (e.g. personnel do not have the
opportunity to expose a key or influence the key creation).
! No key ever appears unencrypted.
! Keys are randomly chosen from the entire key space, preferably by
! Key-encrypting keys are separate from data keys. No data ever
appears in clear text that was encrypted using a key-encrypting
key. (A key-encrypting key is used to encrypt other keys, securing
them from disclosure.)
! All patterns in clear text are disguised before encrypting.
! Keys with a long life are sparsely used. The more a key is used,
the greater the opportunity for an attacker to discover the key.
! Keys are changed frequently. The cost of changing keys rises
linearly while the cost of attacking the keys rises exponentially.
Therefore, all other factors being equal, changing keys increases
the effective key length of an algorithm.
! Keys that are transmitted are sent securely to well -
! Key generating equipment is physically and logically secure from
construction through receipt, installation, operation, and removal
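To make the lifecycle rules above concrete, here is an added example (not code from the FFIEC booklet or from this newsletter) of a small key store that holds data keys only in wrapped form under a key-encrypting key, draws each key from the OS CSPRNG, enforces activation and deactivation dates and a usage cap, separates rotation from compromise and destruction, and logs every key-management event. The Python standard library has no AES, so the wrapping here uses an HMAC-SHA256 counter-mode keystream with an HMAC tag (encrypt-then-MAC) as a stand-in for AES key wrap; that construction, the class and function names, the 256-bit key size, and the policy values are all assumptions of this example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Optional

# Wrapping primitive. The standard library has no AES, so the key-encrypting
# key (KEK) is applied with an HMAC-SHA256 counter-mode keystream plus an
# HMAC tag (encrypt-then-MAC). This is an assumption of the example and
# stands in for AES-KW or AES-GCM; the booklet does not prescribe it.

def _keystream(kek: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(kek, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def wrap_key(kek: bytes, data_key: bytes) -> bytes:
    """Encrypt a data key under the KEK; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(data_key, _keystream(kek, nonce, len(data_key))))
    tag = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unwrap_key(kek: bytes, blob: bytes) -> bytes:
    """Check the tag in constant time, then decrypt; raises if tampered."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(kek, b"wrap" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrapped key failed its integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(kek, nonce, len(ct))))


@dataclass
class KeyRecord:
    wrapped: bytes         # the data key is held at rest only in wrapped form
    not_before: float      # activation date (seconds since the epoch)
    not_after: float       # deactivation date
    max_uses: int          # usage cap for this key
    uses: int = 0
    state: str = "active"  # active | deactivated | compromised | destroyed


class KeyStore:
    """Lifecycle controls for data keys held under a single KEK."""

    def __init__(self, kek: bytes, lifetime_s: float = 86400.0, max_uses: int = 10000):
        self._kek = kek
        self.lifetime_s = lifetime_s
        self.max_uses = max_uses
        self.records = {}   # key_id -> KeyRecord
        self.audit = []     # (time, event, key_id) for every management action

    def _log(self, event: str, key_id: str, now: float) -> None:
        self.audit.append((now, event, key_id))

    def generate(self, key_id: str, now: Optional[float] = None) -> None:
        """Draw a 256-bit key from the OS CSPRNG and wrap it immediately."""
        now = time.time() if now is None else now
        # The clear key goes straight into wrap_key and is never bound to a
        # name, so the store retains no unencrypted copy of it.
        self.records[key_id] = KeyRecord(
            wrapped=wrap_key(self._kek, secrets.token_bytes(32)),
            not_before=now, not_after=now + self.lifetime_s, max_uses=self.max_uses)
        self._log("generate", key_id, now)

    def use(self, key_id: str, now: Optional[float] = None) -> bytes:
        """Release the clear key for one operation after every policy check."""
        now = time.time() if now is None else now
        rec = self.records[key_id]
        if rec.state != "active":
            self._log("denied:" + rec.state, key_id, now)
            raise PermissionError(f"{key_id} is {rec.state}")
        if not rec.not_before <= now < rec.not_after:
            self._log("denied:window", key_id, now)
            raise PermissionError(f"{key_id} is outside its activation window")
        if rec.uses >= rec.max_uses:
            self._log("denied:usage", key_id, now)
            raise PermissionError(f"{key_id} has reached its usage limit")
        rec.uses += 1
        self._log("use", key_id, now)
        return unwrap_key(self._kek, rec.wrapped)

    def rotate(self, old_id: str, new_id: str, now: Optional[float] = None) -> None:
        """Deactivate the old key (kept so old data stays readable) and issue a new one."""
        now = time.time() if now is None else now
        self.records[old_id].state = "deactivated"
        self._log("deactivate", old_id, now)
        self.generate(new_id, now)

    def compromise(self, key_id: str, now: Optional[float] = None) -> None:
        """Block all further use of a key known or suspected to be exposed."""
        now = time.time() if now is None else now
        self.records[key_id].state = "compromised"
        self._log("compromise", key_id, now)

    def destroy(self, key_id: str, now: Optional[float] = None) -> None:
        """Drop the wrapped material; the record stays so the audit trail holds."""
        now = time.time() if now is None else now
        rec = self.records[key_id]
        rec.wrapped, rec.state = b"", "destroyed"
        self._log("destroy", key_id, now)
```

The one place this example falls short of the "no key ever appears unencrypted" rule is `use`, which hands the clear data key back to the caller; in a production design the key would stay inside an HSM or key-management service that performs the encryption itself and only ever returns ciphertext. Denied requests are logged alongside successful ones so that repeated attempts against a deactivated or compromised key show up in the audit trail.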
INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Consumer and Customer:
A "customer" is a consumer who has a "customer relationship"
with a financial institution. A "customer relationship" is a
continuing relationship between a consumer and a financial
institution under which the institution provides one or more
financial products or services to the consumer that are to be used
primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory services for
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that