FYI - Banks struggle with online queries - Bank sites are failing to answer even routine questions satisfactorily, according to a new survey by a customer service software company. http://news.com.com/2102-1038_3-6204291.html?tag=st.util.print

FYI - Medical IT Contractor Folds After Breaches - Blamed for privacy breaches at five different hospitals, Verus Inc. silently closes its doors - Verus Inc., the IT contractor that has been implicated in security breaches at at least five different hospitals across the country, has gone out of business. http://www.darkreading.com/document.asp?doc_id=131712&print=true

FYI - Some at IRS still careless with taxpayer data -Published on Aug. 15, 2007 Taxpayers' personal information is put at risk because Internal Revenue Service managers and employees are not adhering to established security policies and procedures. http://www.fcw.com/article103499-08-15-07-Web&printLayout

FYI - VOIP hacker talks: Service provider nets easy pickings - Common attacks worked for duo that stole $1 million worth of voice minutes. A combination of simple dictionary and brute-force attacks in combination with Google hacking enabled a criminal pair to break into VOIP-provider networks and steal US$1 million worth of voice minutes, says one of the duo who has pleaded guilty to his crimes. http://www.computerworld.com.au/index.php/id;1841623469;fp;;fpid;;pf;1

FYI - US curriculum to include online safety - Schools must educate students on cyber-threats - The US National Cyber Security Alliance (NCSA) has called on state leaders to work with schools and colleges to ensure that cyber-security, online safety and ethics lessons are integrated into every classroom. http://www.vnunet.com/vnunet/news/2196759/ncsa-urges-schools-teach-cyber

FYI - How phishers defeat online banking controls - A new financial services requirement calling for two-factor authentication should make online banking secure, but one researcher says it's actually making things worse. http://reviews.cnet.com/4520-3513_7-6762995-1.html?tag=txt&tag=nl.e757

FYI - TJX reports plummeting profits, but sales up - TJX's profits are starting to crumble under the weight of the massive data breach announced in January that placed about 45.7 million customers at risk for identity theft, according to a filing this week with the U.S. Securities and Exchange Commission. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070820/731823/

FYI - Service Problems Mire Wells Fargo - Service problems disabled ATMs and online accounts at Wells Fargo & Co. for at least 24 hours starting Sunday afternoon, leaving some customers of the nation's fifth largest bank unable to get cash or use debit cards to pay for goods. http://www.washingtonpost.com/wp-dyn/content/article/2007/08/20/AR2007082001253.html

FYI - Authorities hope arrest of Ukraine man leads to TJX orchestrator - Authorities believe the recent arrest of a Ukrainian man in Turkey on identity theft charges could lead police to the brains behind the TJX data breach. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070822/732751/

FYI - Phishers scramble to cash in on Wells Fargo computer crash - Vulture-like vocalizing among the online criminal classes - Wells Fargo & Co. may have a new problem following its widespread computer crash earlier this week: online scammers. Over the past 24 hours, there has been a growing amount of chatter in the underground criminal community about ways to take advantage of the outage, according to Joel Helgeson, an independent computer security consultant in St. Paul, Minn. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9031979&intsrc=hm_list

FYI - FBI launches cybersecurity project - The FBI has chosen the National Center for Supercomputing Applications at the University of Illinois at Urbana-Champaign to host a new law enforcement cybersecurity research center. http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=44898

MISSING COMPUTERS/DATA

FYI - Idaho Army National Guard Info Stolen - A small computer drive containing Social Security numbers and other personal information about every Army National Guard soldier in Idaho has been stolen, a National Guard spokeswoman said. http://www.forbes.com/feeds/ap/2007/08/15/ap4020711.html

FYI - Ubuntu Servers Hijacked, Used to Launch Attack - Members of the Ubuntu colocation team suggest the attack could have begun with a Chinese IP address. The Ubuntu community had to yank five of the eight Ubuntu-hosted community servers sponsored by Canonical offline Aug. 6 after discovering that the servers had been hijacked and were attacking other machines. http://www.eweek.com/article2/0,1895,2171318,00.asp

FYI - Pfizer Reports Second Data Breach In Two Months - Two laptops containing identifying information on 950 people were stolen out of a consultant's car in Boston. For the second time in two months, a security breach at pharmaceutical giant Pfizer has put the personally identifying information on current and former employees at risk. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201800113

FYI - Attackers steal Monster.com user information - Was Monster.com hacked, or did someone take advantage of one of the popular website's fundamental business processes to harvest the personal data of hundreds of thousands of job hunters? http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070822/732756/

FYI - Police recover Idaho National Guard data, arrest suspect - Boise Police have made an arrest in a string of car burglaries and recovered a thumb drive containing personal information about thousands of Idaho National Guard members stolen from one of the vehicles. http://www.idahopress.com/news/?id=172

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 4 of 10)

A. RISK DISCUSSION

Reputation Risk

Trade Names

If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.

Website Appearance

The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value.

Compliance Risk

The compliance risk to an institution linking to a third-party's website depends on several factors. These factors include the nature of the products and services provided on the third-party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).

The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have less secure encryption policies, or less stringent policies regarding the use and security of their customer's information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third-party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We begin a new series  from the FDIC "Security Risks Associated with the Internet."  While this Financial Institution Letter was published in December 1997, the issues still are relevant.

This FDIC paper alerts financial institutions to the fundamental technological risks presented by use of the Internet. Regardless of whether systems are maintained in-house or services are outsourced, bank management is responsible for protecting systems and data from compromise.

Security Risks 

The Internet is inherently insecure. By design, it is an open network which facilitates the flow of information between computers. Technologies are being developed so the Internet may be used for secure electronic commerce transactions, but failure to review and address the inherent risk factors increases the likelihood of system or data compromise. Five areas of concern relating to both transactional and system security issues, as discussed below, are: Data Privacy and Confidentiality, Data Integrity, Authentication, Non-repudiation, and Access Control/System Design. 

Data Privacy and Confidentiality 

Unless otherwise protected, all data transfers, including electronic mail, travel openly over the Internet and can be monitored or read by others. Given the volume of transmissions and the numerous paths available for data travel, it is unlikely that a particular transmission would be monitored at random. However, programs, such as "sniffer" programs, can be set up at opportune locations on a network, like Web servers (i.e., computers that provide services to other computers on the Internet), to simply look for and collect certain types of data. Data collected from such programs can include account numbers (e.g., credit cards, deposits, or loans) or passwords. 

Due to the design of the Internet, data privacy and confidentiality issues extend beyond data transfer and include any connected data storage systems, including network drives. Any data stored on a Web server may be susceptible to compromise if proper security precautions are not taken. 

Return to the top of the newsletter

IT SECURITY QUESTION:  IT personnel - to ensure a safe and sound continuous operation:

a. Is there a network administrator?
b. Does the Network Administrator have any conflicting duties?
c. Is there a core application administrator?
d. Does the core application administrator have any conflicting duties?
e. Is there a programming administrator?
f.  Is there an IT Security Officer?
g. Does the IT Security Officer have any conflicting duties?
h.  Are the number of IT personnel satisfactory for the IT operation?
i.  Are the IT personnel performing their respective duties satisfactory?

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 1 of 3)

Note: Financial institutions whose practices fall within this category engage in the most expansive degree of information sharing permissible. Consequently, these institutions are held to the most comprehensive compliance standards imposed by the Privacy regulation.

A. Disclosure of Nonpublic Personal Information 

1)  Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party both inside and outside of the exceptions. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a.  Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers (customers and those who are not customers) in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

b.  Compare the data shared to a sample of opt out directions and verify that only nonpublic personal information covered under the exceptions or from consumers (customers and those who are not customers) who chose not to opt out is shared (§10).

2)  If the financial institution also shares information under Section 13, obtain and review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts (§13(a)).