FYI - Consumer advocates to fight NZ Banking code -
Internet advocacy group InternetNZ and the NZ Consumers' Institute
have both come out swinging over the New Zealand Bankers
Association's decision to allow victims of Internet banking fraud to
be potentially held liable for losses.
FYI - Jared Ilovar's statement -
Text of his e-mail to 'The Dispatch' - I would like to respond to
the recent articles in various newspapers regarding the data tape
theft, data breach, and the decision to terminate my employment as
FYI - Tutor sent to jail over ID
fraud - Eni Oyegoke has been told he faces deportation after prison
release - A university tutor who taught students about computer
security and identity theft has been jailed for two years for
identity fraud offences.
FYI - Software engineer held for
cyber crime - The Cyber Crime Cell of the CID Crime Branch on Friday
arrested a former employee of an information technology (IT) company
on charges of hacking into the server and stealing confidential
FYI - Auditors can't locate VA
computer equipment - More than a quarter of the computer equipment
at the Veterans Affairs Medical Center in Washington could not be
found by investigators, government auditors reported.
FYI - Newcastle council credit
card file lifted - Newcastle City Council has compromised private
details of up to 54,000 people who made payments to it by credit or
debit card between February 2006 and April 2007.
FYI - Fidelity Nat'l widens
scope of theft - Fidelity National Information Services Inc.
believes a former employee stole 8.5 million consumer records from
the check authorizing company, more than 3 times the original
estimate, according to a regulatory filing.
FYI - Yuba County data stolen -
Child-services computer had private info on 70,000 people - Yuba
County scrambled this week to contact 70,000 people whose names and
personal information were on a laptop computer stolen from the new
Child Support Services office in Linda.
FYI - 5,000 student loan
customers' info on stolen laptop - The theft of one laptop computer
has resulted in compromising the personal information of more than
5,000 student loan customers.
FYI - Virginia Beach Employees'
Identities Compromised After Fraud Investigation - Virginia Beach
investigators are urging certain school and city employees to be on
the look out for any sign of identity theft after a police
investigation revealed compromised personal information from a
FYI - Aflac Reports Laptop
Detailing 152,000 Clients Stolen - Aflac Inc., the world's largest
seller of supplemental health insurance, said a laptop containing
information on 152,000 customers in Japan was stolen from an
employee of an insurance agency there.
FYI - City Harvest Says Donor
Information Could Be At Risk After Security Breach - It's a
charitable organization dedicated to reaching out to hungry New
Yorkers, but after a potential breach of the organization's
information system City Harvest is also reaching out to its donors
with a warning that their personal information may have been
FYI - Marines' personal data
exposed on Web - Some Marines' personal information, including names
and Social Security numbers, was inadvertently posted online
recently, exposing more than 10,000 leathernecks to potential
identity theft, the Corps announced.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We begin this week
reviewing the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 1 of
A. RISK DISCUSSION
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
- customer dissatisfaction
with the quality of products or services obtained from a third
- customer confusion as to
whether certain regulatory protections apply to third-party
products or services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We continue our
coverage of the FDIC's "Guidance on Managing Risks Associated With
Wireless Networks and Wireless Customer Access."
Part II. Risks Associated with Wireless Internet Devices
As wireless Internet devices become more prevalent in the
marketplace, financial institutions are adopting wireless
application technologies as a channel for reaching their customers.
Wireless Internet services are becoming available in major cities
across the United States. Through wireless banking applications, a
financial institution customer could access account information and
perform routine non-cash transactions without having to visit a
branch or ATM.
The wireless Internet devices available today present attractive
methods for offering and using financial services. Customers have
access to financial information from anywhere they can receive
wireless Internet access. Many of the wireless devices have built-in
encryption through industry-standard encryption methods. This
encryption has its limits based on the processing capabilities of
the device and the underlying network architecture.
A popular standard for offering wireless applications is through the
use of the Wireless Application Protocol (WAP). WAP is designed to
bring Internet application capabilities to some of the simplest user
interfaces. Unlike the Web browser that is available on most
personal computer workstations, the browser in a wireless device
(such as a cell phone) has a limited display that in many cases can
provide little, if any, graphical capabilities. The interface is
also limited in the amount of information that can be displayed
easily on the screen. Further, the user is limited by the keying
capabilities of the device and often must resort to many key presses
for simple words.
The limited processing capabilities of these devices restrict the
robustness of the encryption network transmissions. Effective
encryption is, by nature, processing-intensive and often requires
complex calculations. The time required to complete the encryption
calculations on a device with limited processing capabilities may
result in unreasonable delays for the device's user. Therefore,
simpler encryption algorithms and smaller keys may be used to speed
the process of obtaining access.
WAP is an evolving protocol. The most recent specification of WAP (WAP
2.0 - July 2001) offers the capability of encrypting network
conversations all the way from the WAP server (at the financial
institution) to the WAP client (the financial institution customer).
Unfortunately, WAP 2.0 has not yet been fully adopted by vendors
that provide the building blocks for WAP applications. Previous
versions of WAP provide encryption between the WAP client and a WAP
gateway (owned by the Wireless Provider). The WAP gateway then must
re-encrypt the information before it is sent across the Internet to
the financial institution. Therefore, sensitive information is
available at the wireless provider in an unencrypted form. This
limits the financial institution's ability to provide appropriate
security over customer information.
the top of the newsletter
IT SECURITY QUESTION:
Internet connection to the network:
a. Is there an Internet use policy?
b. Are employees required to sign that they have read the Internet
c. Is there an Internet security policy?
d. Is Internet access given to all employees?
e. Is a password required to access the Internet?
f. Is Internet access analog?
g. Is Internet access DSL, cable, or secure T1 line?
h. Is there a firewall (hardware or software) between the Internet
and the network?
i. Is there an intrusion detection system?
j. Do all employees have e-mail privileges?
k. Is penetration-vulnerability testing performed?
l. Is there an anti-virus program on the network servers and
is the program current?
m. Is there an Internet activity report that is regularly review?
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 1 of 3)
A. Through discussions with management and review of available
information, identify the institution's information sharing
practices (and changes to those practices) with affiliates and
nonaffiliated third parties; how it treats nonpublic personal
information; and how it administers opt-outs. Consider the following
1) Notices (initial, annual, revised, opt out, short-form, and
2) Institutional privacy policies and procedures, including
a) process requests for nonpublic
personal information, including requests for aggregated data;
b) deliver notices to consumers;
manage consumer opt out directions (e.g., designating files,
allowing a reasonable time to opt out, providing new opt out and
privacy notices when necessary, receiving opt out directions,
handling joint account holders);
c) prevent the unlawful disclosure
and use of the information received from nonaffiliated financial
d) prevent the unlawful disclosure of
3) Information sharing agreements between the institution and
affiliates and service agreements or contracts between the
institution and nonaffiliated third parties either to obtain or
provide information or services;
4) Complaint logs, telemarketing scripts, and any other
information obtained from nonaffiliated third parties (Note: review
telemarketing scripts to determine whether the contractual terms set
forth under section 13 are met and whether the institution is
disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from
or about consumers in obtaining a financial product or service
(e.g., in the application process for deposit, loan, or investment
products; for an over-the-counter purchase of a bank check; from
E-banking products or services, including the data collected
electronically through Internet cookies; or through ATM
6) Categories of nonpublic personal information shared with,
or received from, each nonaffiliated third party; and
7) Consumer complaints regarding the treatment of nonpublic
personal information, including those received electronically.
8) Records that reflect the bank's categorization of its
information sharing practices under Sections 13, 14, 15, and outside
of these exceptions.
9) Results of a 501(b) inspection (used to determine the
accuracy of the institution's privacy disclosures regarding data