- GAO - Federal Deposit Insurance Corporation Has Made Progress, but
Further Actions Are Needed to Protect Financial Data.
- SF Bay Area transit police cut mobile service to thwart protest -
Agency said safety concerns drove decision to shut down services -
The agency that runs the commuter trains that rumble beneath San
Francisco each day hit the panic button Thursday night, cutting off
mobile-phone service to hundreds of thousands of commuters in an
effort to thwart a protest that was expected to snarl up the evening
- AT&T sues two over scheme to steal customer data - AT&T has
accused two Utah men of carrying out a data mining scheme, using
automatic dialing programs to harvest information from its customer
database and costing the company more than $6.5 million.
- Voicemail hacking: Does the current technology make it too easy? -
In the past few weeks, there has been a tremendous amount of news
coverage of alleged voicemail hacking in both England and the United
States by reporters and associates purportedly helping them gather
information for stories.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Hackers steal, sell 92,000 Citigroup accounts - More than 92,000
accounts held by Citigroup's Citi Cards Japan have been stolen and
sold illegally to a third party.
- Hack on Hong Kong Stock Exchange disrupts trading - 'Malicious
attack' keeps traders in dark - Hackers took down a website
belonging to the Hong Kong Stock Exchange, prompting Asia's
third-largest securities exchange to suspend trading in the shares
of London-based HSBC and six other companies.
- UWM computers hacked; data on 75,000 exposed - A computer system
at the University of Wisconsin-Milwaukee was hacked and bugged with
malicious software, potentially exposing the names and Social
Security numbers of about 75,000 students, faculty and staff, the
school announced Wednesday.
- Fraudster jailed for stealing $57,000 by leveraging Facebook - a
33-year-old stole £35,000 ($57,000) over two years from his
neighbors by figuring out the answers to security questions on their
- Software maker fingered in Korean hackocalypse - ESTsoft flub
spawns nation's worst breach - A devastating attack that exposed the
personal information of 35 million South Koreans was perpetrated
after hackers breached the security of popular software provider
ESTsoft and planted malicious code on one of its update servers, it
was widely reported Thursday.
- FTC fines children's app maker $50K for privacy violation - In its
first settlement related to deceptive mobile applications, the
Federal Trade Commission has ordered an app maker to pay $50,000 to
settle claims that its program illegally collected and disclosed the
personal data of tens of thousands of children.
WEB SITE COMPLIANCE -
This week continues our
series on the FDIC's Supervisory Policy on Identity Theft.
(2 of 6)
Characteristics of Identity Theft
At this time, the majority of identity theft is committed using
hard-copy identification or other documents obtained from the victim
without his or her permission. A smaller, but significant, amount of
identity theft is committed electronically via phishing, spyware,
hacking and computer viruses. Financial institutions are among
the most frequent targets of identity thieves since they store
sensitive information about their customers and hold customer funds
in accounts that can be accessed remotely and transferred
Identity theft may harm consumers in several ways. First, an
identity thief may gain access to existing accounts maintained by
consumers and either transfer funds out of deposit accounts or incur
charges to credit card accounts. Identity thieves may also open new
accounts in the consumer's name, incur expenses, and then fail to
pay. This is likely to prompt creditors to attempt to collect
payment from the consumer for debts the consumer did not incur. In
addition, inaccurate adverse information about the consumer's
payment history may prevent the consumer from obtaining legitimate
credit when he or she needs it. An identity theft victim can spend
months or years attempting to correct errors in his or her credit
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
SECURITY CONTROLS -
Stateful Inspection Firewalls
Stateful inspection firewalls are packet filters that monitor the
state of the TCP connection. Each TCP session starts with an
initial handshake communicated through TCP flags in the header
information. When a connection is established the firewall adds the
connection information to a table. The firewall can then compare
future packets to the connection or state table. This essentially
verifies that inbound traffic is in response to requests initiated
from inside the firewall.
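The state-table logic described above, as an added toy example in Python (not code from the FFIEC booklet or any firewall product): inbound packets are admitted only when they match a TCP session that an inside host initiated. Addresses beginning with 10. are assumed to be inside; half-close (FIN) tracking and entry timeouts that a real firewall would implement are omitted.

```python
from dataclasses import dataclass

# Added toy example (not from the booklet); assumes 10.x.x.x addresses are inside.

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset   # subset of {"SYN", "ACK", "FIN", "RST"}

def inside(ip: str) -> bool:
    return ip.startswith("10.")

class StatefulFirewall:
    def __init__(self):
        # state table: (inside ip, inside port, outside ip, outside port) -> state
        self.table = {}

    def check(self, p: Packet) -> bool:
        """Return True if the packet is permitted, updating the state table."""
        if inside(p.src) and not inside(p.dst):           # outbound
            key = (p.src, p.sport, p.dst, p.dport)
            if p.flags == frozenset({"SYN"}):
                self.table[key] = "SYN_SENT"               # handshake begins inside
                return True
            if key in self.table:
                if "RST" in p.flags:
                    del self.table[key]                    # session aborted
                return True
            return False                                   # not part of a tracked session
        if not inside(p.src) and inside(p.dst):           # inbound
            key = (p.dst, p.dport, p.src, p.sport)
            state = self.table.get(key)
            if state is None:
                return False                               # unsolicited: nobody inside asked
            if state == "SYN_SENT" and p.flags == frozenset({"SYN", "ACK"}):
                self.table[key] = "ESTABLISHED"            # reply to our own handshake
                return True
            if state == "ESTABLISHED" and "SYN" not in p.flags:
                if "RST" in p.flags:
                    del self.table[key]
                return True                                # data/ACK/FIN on a known session
            return False
        return False                                       # traffic not crossing the boundary

def filter_trace(packets):
    fw = StatefulFirewall()
    return [fw.check(p) for p in packets]                 # one allow/deny verdict per packet
```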
Proxy Server Firewalls
Proxy servers act as an intermediary between internal and external
IP addresses and block direct access to the internal network.
Essentially, they rewrite packet headers to substitute the IP of the
proxy server for the IP of the internal machine and forward packets
to and from the internal and external machines. Due to that limited
capability, proxy servers are commonly employed behind other
firewall devices. The primary firewall receives all traffic,
determines which application is being targeted, and hands off the
traffic to the appropriate proxy server. Common proxy servers are
the domain name server (DNS), Web server (HTTP), and mail (SMTP)
server. Proxy servers frequently cache requests and responses,
providing potential performance benefits. Additionally, proxy
servers provide another layer of access control by segregating the
flow of Internet traffic to support additional authentication and
logging capability, as well as content filtering. Web and e-mail
proxy servers, for example, are capable of filtering for potential
malicious code and application-specific commands.
INTERNET PRIVACY - We continue our
review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Opt Out Right and Exceptions:
Consumers must be given the right to "opt out" of, or prevent, a
financial institution from disclosing nonpublic personal information
about them to a nonaffiliated third party, unless an exception to
that right applies. The exceptions are detailed in sections 13, 14,
and 15 of the regulations and described below.
As part of the opt out right, consumers must be given a reasonable
opportunity and a reasonable means to opt out. What constitutes a
reasonable opportunity to opt out depends on the circumstances
surrounding the consumer's transaction, but a consumer must be
provided a reasonable amount of time to exercise the opt out right.
For example, it would be reasonable if the financial institution
allows 30 days from the date of mailing a notice or 30 days after
customer acknowledgement of an electronic notice for an opt out
direction to be returned. What constitutes a reasonable means to
opt out may include check-off boxes, a reply form, or a
toll-free telephone number, again depending on the circumstances
surrounding the consumer's transaction. It is not reasonable to
require a consumer to write his or her own letter as the only means
to opt out.