R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 14, 2019

Does your financial institution need an affordable cybersecurity Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our cybersecurity audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b); the penetration test also complies with the FFIEC Cybersecurity Assessment Tool regarding resilience testing.  The cybersecurity penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world cybersecurity weaknesses.  For more information, give R. Kinney Williams a call today at Office/Cell 806-535-8300 or visit http://www.internetbankingaudits.com/.

Border-surveillance subcontractor suspended after cyberattack - Border-surveillance subcontractor Perceptics was suspended by the U.S. Customs and Border Protection (CBP) after a cyberattack against the firm revealed sensitive monitoring details. https://www.scmagazine.com/home/government/border-surveillance-subcontractor-perceptics-was-suspended-after-a-cyberattack-against-the-firm-revealed-sensitive-monitoring-details/

The value of passwordless technology: Learning from the American prohibition era - Say “password” today and the word will conjure up visions of a laptop or an application – not secret societies. Still, passwords have played an important role throughout human history to distinguish between who could and couldn’t enter a specific area, club or level of access to information. https://www.scmagazine.com/home/opinion/executive-insight/the-value-of-passwordless-technology-learning-from-the-american-prohibition-era/

Uber pays out $375K in bug bounties during challenge in London - Uber laid out $375,000 to bug bounty hunters during a live hacking event held in London with partner HackerOne. https://www.scmagazine.com/home/security-news/vulnerabilities/uber-pays-out-375k-in-bug-bounties-during-challenge-in-london/

Database management: The security checklist for every data-driven deployment - Security threats have become a ubiquitous problem for American companies, and reports find that damage related to cybercrime is projected to hit $6 trillion annually by 2021. According to Accenture, the most expensive component of a cyber attack is data loss, which represents 43 percent of cybercrime costs. https://www.scmagazine.com/home/opinion/executive-insight/database-management-the-security-checklist-for-every-data-driven-deployment/

British Airways hit with record £183 million GDPR fine for last year’s breach - The Information Commissioner’s Office (ICO) hit British Airways with a record-breaking £183 million fine for last year’s data breach that compromised the personal data of half a million customers. https://www.scmagazine.com/home/security-news/legal-security-news/ico-hits-british-airways-with-a-record-breaking-183-million-fine-for-last-years-data-breach-that-compromised-the-personal-data-of-half-a-million-customers/

Marriott hit with $124 million fine for 2018 data breach - The U.K. Information Commissioner's Office (ICO) intends to levy a £99,200,396, or $124 million, fine against Marriott International in response to the data breach suffered by that company's Starwood reservation database in November 2018. https://www.scmagazine.com/home/security-news/marriott-hit-with-124-million-fine-for-2018-data-breach/

Coast Guard issues cyber recommendations to shipping industry - The U.S. Coast Guard issued a marine safety alert recommending the shipping industry institute basic cybersecurity measures to ensure the safety of their vessels. https://www.scmagazine.com/home/security-news/coast-guard-issues-cyber-recommendations-to-shipping-industry/

Record British Airways fine shows how data protection legislation is beginning to bite - The ICO's proposed £183m fine should act as a wake-up call for other organisations: make sure your cybersecurity and data protection policies are GDPR-compliant - or you could be next. https://www.zdnet.com/article/gdpr-record-british-airways-fine-shows-how-data-protection-legislation-is-beginning-to-bite/

Baltimore restores online payment systems for speeding and parking tickets and property taxes - Baltimore officials said Wednesday that people can once again pay property tax bills and parking tickets online, although the city’s water billing system remains unavailable about eight weeks after a ransomware attack took down the city’s computer systems. http://www.baltimoresun.com/maryland/baltimore-city/bs-md-ci-online-payments-20190703-story.html

UK's largest police forensics lab paid ransom demand to recover locked data - Eurofins Scientific has already recovered from the incident. Didn't say how much it paid hackers. https://www.zdnet.com/article/uks-largest-police-forensics-lab-paid-ransom-demand-to-recover-locked-data/

U.S. mayors resolve to no longer pay ransomware attackers - The United States Conference of Mayors issued a resolution at its 87th annual meeting to stand united against paying ransoms when their municipality is hit with a ransomware attack. https://www.scmagazine.com/home/security-news/ransomware/u-s-mayors-resolve-to-no-longer-pay-ransomware-attackers/

Cybercriminals are increasingly targeting the financial services industry - Universally, consumers and small and large businesses alike are increasingly aware of the well-established fact that cybercrime is on the rise. https://www.scmagazine.com/home/opinion/executive-insight/cybercriminals-are-increasingly-targeting-the-financial-services-industry/


FYI - Florida state worker steals resident’s PII - About 2,000 Florida residents were potentially victimized by an employee of that state’s Department of Children and Family Services (DFCS) who accessed and used their PII to fraudulently make $260,000 in purchases. https://www.scmagazine.com/home/security-news/data-breach/florida-state-worker-steals-residents-pii/

Real estate group ALTA warns members of possible data breach - The American Land Title Association (ALTA) on July 3 informed its members, comprised of title insurance agents, abstracters and underwriters, their usernames and passwords may have been acquired by an unauthorized person. https://www.scmagazine.com/home/security-news/data-breach/real-estate-group-alta-warns-members-of-possible-data-breach/

ICE, FBI using driver’s license photos, without permission, for facial recognition searches - Driver’s license photos have been used, without users’ permission, by agents with the FBI and Immigration and Customs Enforcement (ICE) for facial recognition searches. https://www.scmagazine.com/home/security-news/privacy-compliance/ice-fbi-using-drivers-license-photos-without-permission-for-facial-recognition-searches/

Hackers breach Canonical GitHub account, create repositories, leave source code untouched - Hackers compromised credentials to break into a Canonical Ltd. GitHub account July 6 and created repositories, but apparently did not lift sensitive information or manipulate any source code. https://www.scmagazine.com/home/security-news/hackers-breach-canonical-github-account-create-repositories-leave-source-code-untouched/

Thieves steal $500K from users of 7-Eleven Japan's new payment app - Convenience chain 7-Eleven Japan has suspended a brand new mobile cashless payment service after an unauthorized third party accessed approximately 900 user accounts and made fraudulent charges totaling 55 million yen, or roughly $500,000. https://www.scmagazine.com/home/security-news/inconvenience-stores-thieves-steal-500k-from-users-of-7-eleven-japans-new-payment-app/

Cyberattack shuts down La Porte County (Indiana) government - La Porte County, Ind., was hit with a cyberattack on July 6 that knocked the county government’s systems offline. https://www.scmagazine.com/home/security-news/malware/cyberattack-shuts-down-la-porte-county-indiana-government/

Eurofins Scientific forensics firm pays after hit with ransomware - Eurofins Scientific, the U.K.’s largest provider of forensic services, paid up after a ransomware attack a month ago. https://www.scmagazine.com/home/security-news/ransomware/eurofins-scientific-the-uks-largest-provider-of-forensic-services-paid-the-ransom-after-it-was-hit-with-an-attack-a-month-ago/

Automated Magecart campaign infects 962 online stores - A July 4 Magecart card-skimming attack successfully infiltrated 962 online stores in what researchers are calling the largest 24-hour automated Magecart campaign to date. https://www.scmagazine.com/web-services-security-e-commerce-security/automated-magecart-campaign-infects-962-online-stores/

Canonical Investigating Hack of Its GitHub Page - Canonical Ltd., a British company that offers commercial support and services for the popular Ubuntu Linux open source operating system, is investigating the hacking of its GitHub page over the weekend. http://www.bankinfosecurity.com/canonical-investigating-hack-its-github-page-a-12749

L.A. County Health Services Department contractor breach leaks patient data - A data breach at a Los Angeles County Department of Health Services contractor resulted in the compromise of data from 14,591 patients. https://www.scmagazine.com/home/security-news/data-breach/a-data-breach-at-a-l-a-county-department-of-health-services-contractor-resulted-in-the-compromise-of-data-from-several-thousand-patients/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
Board and Management Oversight - Principle 13: Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.
   To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with customer expectations. To achieve this, the bank must have the ability to deliver e-banking services to end-users from either primary (e.g. internal bank systems and applications) or secondary sources (e.g. systems and applications of service providers). The maintenance of adequate availability is also dependent upon the ability of contingency back-up systems to mitigate denial of service attacks or other events that may potentially cause business disruption.
   The challenge to maintain continued availability of e-banking systems and applications can be considerable given the potential for high transaction demand, especially during peak time periods. In addition, high customer expectations regarding short transaction processing cycle times and constant availability (24 x 7) have also increased the importance of sound capacity, business continuity and contingency planning. To provide customers with the continuity of e-banking services that they expect, banks need to ensure that:
   1)  Current e-banking system capacity and future scalability are analyzed in light of the overall market dynamics for e-commerce and the projected rate of customer acceptance of e-banking products and services.
   2)  E-banking transaction processing capacity estimates are established, stress tested and periodically reviewed.
   3)  Appropriate business continuity and contingency plans for critical e-banking processing and delivery systems are in place and regularly tested.


FFIEC IT SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

  Many financial institutions use modems, remote-access servers (RAS), and VPNs to provide remote access into their systems or to allow remote access out of their systems. Remote access can support mobile users through wireless, Internet, or dial-in capabilities. In some cases, modem access is required periodically by vendors to make emergency program fixes or to support a system.
  Remote access to a financial institution's systems provides an attacker with the opportunity to remotely attack the systems either individually or in groups. Accordingly, management should establish policies restricting remote access and be aware of all remote access devices attached to their systems. These devices should be strictly controlled. Good controls for remote access include the following actions:
  ! Disallow remote access by policy and practice unless a compelling business justification exists.
  ! Disable remote access at the operating system level if a business need for such access does not exist.
  ! Require management approval for remote access.
  ! Require an operator to leave the modems unplugged or disabled by default, to enable modems only for specific, authorized external requests, and disable the modem immediately when the requested purpose is completed.
  ! Configure modems not to answer inbound calls, if modems are for outbound use only.
  ! Use automated callback features so the modems only call one number (although this is subject to call forwarding schemes).
  ! Install a modem bank where the outside number to the modems uses a different prefix than internal numbers and does not respond to incoming calls.
  ! Log and monitor the date, time, user, user location, duration, and purpose for all remote access.
  ! Require a two-factor authentication process for all remote access (e.g., PIN-based token card with a one-time random password generator).
  ! Implement controls consistent with the sensitivity of remote use (e.g., remote system administration requires strict controls and oversight including encrypting the authentication and log-in process).
  ! Appropriately patch and maintain all remote access software.
  ! Use trusted, secure access devices.
  ! Use remote-access servers (RAS) to centralize modem and Internet access, to provide a consistent authentication process, and to subject the inbound and outbound network traffic to firewalls.
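The logging, approval and two-factor controls in the list above are easiest to verify when the remote-access log is reviewed against the approved requests. The following is an added example, not code from the FFIEC booklet: it parses a constructed remote-access log, checks each session for two-factor authentication, a recorded purpose, a matching management approval and an approved time window, and reports the violations per session. The log format, the field names and the sample data are assumptions made for the example.

```python
"""Added example (not from the FFIEC booklet): review a remote-access log
against the controls above. Each session must be logged with date, time,
user, source, duration and purpose, must match a management-approved
request, and must have used two-factor authentication. The log format,
field names and sample data are constructed assumptions."""
import re
from datetime import datetime, timedelta

# Management-approved remote-access requests, keyed by (user, date). Constructed.
APPROVED_REQUESTS = {
    ("vendor_acme", "2019-07-09"): {"purpose": "emergency patch",
                                    "window": ("09:00", "12:00")},
    ("contractor1", "2019-07-10"): {"purpose": "system support",
                                    "window": ("09:00", "17:00")},
}

# Constructed sample remote-access log, one session per line.
REMOTE_ACCESS_LOG = """\
2019-07-09 09:15 user=vendor_acme src=203.0.113.7 dur=45 mfa=yes purpose="emergency patch"
2019-07-09 22:40 user=vendor_acme src=203.0.113.7 dur=30 mfa=yes purpose="emergency patch"
2019-07-10 08:05 user=jsmith src=198.51.100.4 dur=120 mfa=no purpose="remote admin"
2019-07-10 10:00 user=contractor1 src=192.0.2.9 dur=15 mfa=yes purpose=""
"""

LINE_RE = re.compile(
    r'^(?P<date>\d{4}-\d{2}-\d{2}) (?P<time>\d{2}:\d{2}) user=(?P<user>\S+) '
    r'src=(?P<src>\S+) dur=(?P<dur>\d+) mfa=(?P<mfa>yes|no) purpose="(?P<purpose>[^"]*)"$'
)
TIME_FMT = "%Y-%m-%d %H:%M"


def parse_session(line):
    """Parse one log line into a dict; return None if a required field is missing."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    s = m.groupdict()
    s["start"] = datetime.strptime(f"{s['date']} {s['time']}", TIME_FMT)
    s["end"] = s["start"] + timedelta(minutes=int(s["dur"]))
    return s


def review_session(session, approvals=APPROVED_REQUESTS):
    """Return the list of control violations for one session (empty list = clean)."""
    findings = []
    if session["mfa"] != "yes":
        findings.append("no two-factor authentication")
    if not session["purpose"]:
        findings.append("purpose not recorded")
    request = approvals.get((session["user"], session["date"]))
    if request is None:
        findings.append("no management approval on file")
        return findings
    win_start = datetime.strptime(f"{session['date']} {request['window'][0]}", TIME_FMT)
    win_end = datetime.strptime(f"{session['date']} {request['window'][1]}", TIME_FMT)
    if session["start"] < win_start or session["end"] > win_end:
        findings.append("outside approved window")
    if session["purpose"] != request["purpose"]:
        findings.append("purpose differs from approval")
    return findings


def audit_log(text=REMOTE_ACCESS_LOG, approvals=APPROVED_REQUESTS):
    """Map (date, time, user) -> findings for each session; flag unparseable lines."""
    results = {}
    for n, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        session = parse_session(line)
        if session is None:
            results[("line", n)] = ["log line missing required fields"]
            continue
        key = (session["date"], session["time"], session["user"])
        results[key] = review_session(session, approvals)
    return results


if __name__ == "__main__":
    for key, findings in audit_log().items():
        print(key, "OK" if not findings else "; ".join(findings))
```

A session that is merely outside its approved window is a different finding from one with no approval at all; the review keeps them distinct so the follow-up (re-scoping an approval versus investigating an unauthorized connection) can differ.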


NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY - We continue the series on the National Institute of Standards and Technology (NIST) Handbook.

Chapter 20 -

20.4.2 Protection Against Payroll Fraud and Errors: Time and Attendance Application (2 of 2)

Protection Against Payroll Errors

The frequency of data entry errors is reduced by having Time and Attendance clerks enter each time sheet into the time and attendance application twice. If the two copies are identical, both are considered error free, and the record is accepted for subsequent review and approval by a supervisor. If the copies are not identical, the discrepancies are displayed, and for each discrepancy, the clerk determines which copy is correct. The clerk then incorporates the corrections into one of the copies, which is then accepted for further processing. If the clerk makes the same data-entry error twice, then the two copies will match, and one will be accepted as correct, even though it is erroneous. To reduce this risk, the time and attendance application could be configured to require that the two copies be entered by different clerks.

In addition, each department has one or more Time and Attendance Supervisors who are authorized to review these reports for accuracy and to approve them by running another server program that is part of the time and attendance application. The data are then subjected to a collection of "sanity checks" to detect entries whose values are outside expected ranges. Potential anomalies are displayed to the supervisor prior to allowing approval; if errors are identified, the data are returned to a clerk for additional examination and corrections.
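The two mechanisms described above (double entry by clerks, then supervisor sanity checks on value ranges) are layered for a reason: double entry catches random keying mistakes, while the range checks catch the case the text warns about, in which the same wrong value is entered twice and the copies match. The following is an added example, not code from the NIST Handbook: it compares two entered copies, resolves discrepancies through a clerk-supplied decision, enforces the different-clerk requirement, and then runs the supervisor's range checks. Field names and ranges are assumptions made for the example.

```python
"""Added example (not from the NIST Handbook): double-entry verification of
time and attendance records and the supervisor's range sanity checks, modeled
on the process described above. Field names and ranges are assumptions."""

# Expected value ranges for the supervisor's sanity checks (constructed; a real
# deployment would derive these from the agency's pay rules).
SANITY_RANGES = {
    "regular_hours": (0, 80),   # hours per two-week pay period
    "overtime_hours": (0, 40),
    "leave_hours": (0, 80),
}


def compare_copies(copy_a, copy_b):
    """Return {field: (value_a, value_b)} for each field on which the copies differ."""
    fields = sorted(set(copy_a) | set(copy_b))
    return {f: (copy_a.get(f), copy_b.get(f))
            for f in fields if copy_a.get(f) != copy_b.get(f)}


def double_entry(copy_a, clerk_a, copy_b, clerk_b, resolve, require_different_clerks=True):
    """Accept a record only after two independently entered copies agree.

    resolve(field, value_a, value_b) is the clerk's decision for a discrepancy.
    Requiring different clerks addresses the weakness noted in the text: one
    clerk making the same mistake twice produces two identical, wrong copies.
    """
    if require_different_clerks and clerk_a == clerk_b:
        raise ValueError(f"both copies entered by {clerk_a}; independent entry required")
    discrepancies = compare_copies(copy_a, copy_b)
    record = dict(copy_a)
    for field, (a, b) in discrepancies.items():
        record[field] = resolve(field, a, b)
    return record, discrepancies


def sanity_check(record, ranges=SANITY_RANGES):
    """Return [(field, value, low, high)] for values outside the expected range."""
    anomalies = []
    for field, (low, high) in ranges.items():
        value = record.get(field)
        if value is None or not (low <= value <= high):
            anomalies.append((field, value, low, high))
    return anomalies


def supervisor_review(record, ranges=SANITY_RANGES):
    """Supervisor approval step: ('approved', record) or ('returned', anomalies)."""
    anomalies = sanity_check(record, ranges)
    if anomalies:
        return "returned", anomalies
    return "approved", record


if __name__ == "__main__":
    # Constructed sample: clerk2 mistyped overtime; the discrepancy is resolved
    # against the paper time sheet (simulated here by keeping copy A's value).
    copy_a = {"employee_id": "E1001", "regular_hours": 80, "overtime_hours": 4, "leave_hours": 0}
    copy_b = {"employee_id": "E1001", "regular_hours": 80, "overtime_hours": 40, "leave_hours": 0}
    record, diffs = double_entry(copy_a, "clerk1", copy_b, "clerk2", lambda f, a, b: a)
    print("discrepancies:", diffs)
    print("supervisor:", supervisor_review(record))

    # Constructed sample: the same wrong value entered twice passes double entry
    # with no discrepancies; only the supervisor's sanity check catches it.
    bad = {"employee_id": "E1002", "regular_hours": 800, "overtime_hours": 0, "leave_hours": 0}
    record2, diffs2 = double_entry(bad, "clerk1", dict(bad), "clerk2", lambda f, a, b: a)
    print("discrepancies:", diffs2, "supervisor:", supervisor_review(record2))
```

The second sample in the block is the case the text describes: both copies match, so double entry accepts the record, and it is the range check in the supervisor's approval program that returns it to a clerk.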

When a supervisor approves the time and attendance data, this application logs into the interagency mainframe via the WAN and transfers the data to a payroll database on the mainframe. The mainframe later prints paychecks or, using a pool of modems that can send data over phone lines, it may transfer the funds electronically into employee-designated bank accounts. Withheld taxes and contributions are also transferred electronically in this manner.

The Director of Personnel is responsible for ensuring that forms describing significant payroll-related personnel actions are provided to the Payroll Office at least one week before the payroll processing date for the first affected pay period. These actions include hiring, terminations, transfers, leaves of absences and returns from such, and pay raises.

The Manager of the Payroll Office is responsible for establishing and maintaining controls adequate to ensure that the amounts of pay, leave, and other benefits reported on pay stubs and recorded in permanent records and those distributed electronically are accurate and consistent with time and attendance data and with other information provided by the Personnel Department. In particular, paychecks must never be provided to anyone who is not a bona fide, active-status employee of HGA. Moreover, the pay of any employee who terminates employment, who transfers, or who goes on leave without pay must be suspended as of the effective date of such action; that is, extra paychecks or excess pay must not be disbursed.

Protection Against Accidental Corruption or Loss of Payroll Data

The same mechanisms used to protect against fraudulent modification are used to protect against accidental corruption of time and attendance data -- namely, the access-control features of the server and mainframe operating systems.

COG's (Computer Operations Group) nightly backups of the server's disks protect against loss of time and attendance data. To a limited extent, HGA also relies on mainframe administrative personnel to back up time and attendance data stored on the mainframe, even though HGA has no direct control over these individuals. As additional protection against loss of data at the mainframe, HGA retains copies of all time and attendance data on line on the server for at least one year, at which time the data are archived and kept for three years. The server's access controls for the on-line files are automatically set to read-only access by the time and attendance application at the time of submission to the mainframe. The integrity of time and attendance data will be protected by digital signatures as they are implemented.

The WAN's communications protocols also protect against loss of data during transmission from the server to the mainframe (e.g., error checking). In addition, the mainframe payroll application includes a program that is automatically run 24 hours before paychecks and pay stubs are printed. This program produces a report identifying agencies from whom time and attendance data for the current pay period were expected but not received. Payroll department staff are responsible for reviewing the reports and immediately notifying agencies that need to submit or resubmit time and attendance data. If time and attendance input or other related information is not available on a timely basis, pay, leave, and other benefits are temporarily calculated based on information estimated from prior pay periods.

Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.