FYI - Banks struggle
with online queries - Bank sites are failing to answer even routine
questions satisfactorily, according to a new survey by a customer
service software company.
FYI - Medical IT
Contractor Folds After Breaches - Blamed for privacy breaches at
five different hospitals, Verus Inc. silently closes its doors -
Verus Inc., the IT contractor that has been implicated in security
breaches at at least five different hospitals across the country,
has gone out of business.
FYI - Some at IRS still
careless with taxpayer data -Published on Aug. 15, 2007 Taxpayers'
personal information is put at risk because Internal Revenue Service
managers and employees are not adhering to established security
policies and procedures.
FYI - VOIP hacker talks:
Service provider nets easy pickings - Common attacks worked for duo
that stole $1 million worth of voice minutes. A combination of
simple dictionary and brute-force attacks in combination with Google
hacking enabled a criminal pair to break into VOIP-provider networks
and steal US$1 million worth of voice minutes, says one of the duo
who has pleaded guilty to his crimes.
FYI - US curriculum to
include online safety - Schools must educate students on
cyber-threats - The US National Cyber Security Alliance (NCSA) has
called on state leaders to work with schools and colleges to ensure
that cyber-security, online safety and ethics lessons are integrated
into every classroom.
FYI - How phishers
defeat online banking controls - A new financial services
requirement calling for two-factor authentication should make online
banking secure, but one researcher says it's actually making things
FYI - TJX reports
plummeting profits, but sales up - TJX's profits are starting to
crumble under the weight of the massive data breach announced in
January that placed about 45.7 million customers at risk for
identity theft, according to a filing this week with the U.S.
Securities and Exchange Commission.
FYI - Service Problems
Mire Wells Fargo - Service problems disabled ATMs and online
accounts at Wells Fargo & Co. for at least 24 hours starting Sunday
afternoon, leaving some customers of the nation's fifth largest bank
unable to get cash or use debit cards to pay for goods.
FYI - Authorities hope
arrest of Ukraine man leads to TJX orchestrator - Authorities
believe the recent arrest of a Ukrainian man in Turkey on identity
theft charges could lead police to the brains behind the TJX data
FYI - Phishers scramble
to cash in on Wells Fargo computer crash - Vulture-like vocalizing
among the online criminal classes - Wells Fargo & Co. may have a new
problem following its widespread computer crash earlier this week:
online scammers. Over the past 24 hours, there has been a growing
amount of chatter in the underground criminal community about ways
to take advantage of the outage, according to Joel Helgeson, an
independent computer security consultant in St. Paul, Minn.
FYI - FBI launches
cybersecurity project - The FBI has chosen the National Center for
Supercomputing Applications at the University of Illinois at
Urbana-Champaign to host a new law enforcement cybersecurity
FYI - Idaho Army
National Guard Info Stolen - A small computer drive containing
Social Security numbers and other personal information about every
Army National Guard soldier in Idaho has been stolen, a National
Guard spokeswoman said.
FYI - Ubuntu Servers
Hijacked, Used to Launch Attack - Members of the Ubuntu colocation
team suggest the attack could have begun with a Chinese IP address.
The Ubuntu community had to yank five of the eight Ubuntu-hosted
community servers sponsored by Canonical offline Aug. 6 after
discovering that the servers had been hijacked and were attacking
FYI - Pfizer Reports
Second Data Breach In Two Months - Two laptops containing
identifying information on 950 people were stolen out of a
consultant's car in Boston. For the second time in two months, a
security breach at pharmaceutical giant Pfizer has put the
personally identifying information on current and former employees
FYI - Attackers steal
Monster.com user information - Was Monster.com hacked, or did
someone take advantage of one of the popular website's fundamental
business processes to harvest the personal data of hundreds of
thousands of job hunters?
FYI - Police recover
Idaho National Guard data, arrest suspect - Boise Police have made
an arrest in a string of car burglaries and recovered a thumb drive
containing personal information about thousands of Idaho National
Guard members stolen from one of the vehicles.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 4 of 10)
A. RISK DISCUSSION
If the third party has a name similar to that of the financial
institution, there is an increased likelihood of confusion for the
customer and increased exposure to reputation risk for the financial
institution. For example, if customers access a similarly named
broker from the financial institution's website, they may believe
that the financial institution is providing the brokerage service or
that the broker's products are federally insured.
The use of frame technology and other similar technologies may
confuse customers about which products and services the financial
institution provides and which products and services third parties,
including affiliates, provide. If frames are used, when customers
link to a third-party website through the institution-provided link,
the third-party webpages open within the institution's master
webpage frame. For example, if a financial institution provides
links to a discount broker and the discount broker's webpage opens
within the institution's frame, the appearance of the financial
institution's logo on the frame may give the impression that the
financial institution is providing the brokerage service or that the
two entities are affiliated. Customers may believe that their funds
are federally insured, creating potential reputation risk to the
financial institution in the event the brokerage service should fail
or the product loses value.
The compliance risk to an institution linking to a third-party's
website depends on several factors. These factors include the nature
of the products and services provided on the third-party's website,
and the nature of the institution's business relationship with the
third party. This is particularly true with respect to compensation
arrangements for links. For example, a financial institution that
receives payment for offering advertisement-related weblinks to a
settlement service provider's website should carefully consider the
prohibition against kickbacks, unearned fees, and compensated
referrals under the Real Estate Settlement Procedures Act (RESPA).
The financial institution has compliance risk as well as reputation
risk if linked third parties offer less security and privacy
protection than the financial institution. Third-party sites may
have less secure encryption policies, or less stringent policies
regarding the use and security of their customer's information. The
customer may be comfortable with the financial institution's
policies for privacy and security, but not with those of the linked
third party. If the third-party's policies and procedures create
security weaknesses or apply privacy standards that permit the third
party to release confidential customer information, customers may
blame the financial institution.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
begin a new series
from the FDIC "Security Risks Associated with the Internet." While this
Financial Institution Letter was published in December 1997, the
issues still are relevant.
This FDIC paper alerts financial institutions to the fundamental
technological risks presented by use of the Internet. Regardless of
whether systems are maintained in-house or services are outsourced,
bank management is responsible for protecting systems and data from
The Internet is inherently insecure. By design, it is an open
network which facilitates the flow of information between computers.
Technologies are being developed so the Internet may be used for
secure electronic commerce transactions, but failure to review and
address the inherent risk factors increases the likelihood of system
or data compromise. Five areas of concern relating to both
transactional and system security issues, as discussed below, are:
Data Privacy and Confidentiality, Data Integrity, Authentication,
Non-repudiation, and Access Control/System Design.
Data Privacy and Confidentiality
Unless otherwise protected, all data transfers, including electronic
mail, travel openly over the Internet and can be monitored or read
by others. Given the volume of transmissions and the numerous paths
available for data travel, it is unlikely that a particular
transmission would be monitored at random. However, programs, such
as "sniffer" programs, can be set up at opportune locations on a
network, like Web servers (i.e., computers that provide services to
other computers on the Internet), to simply look for and collect
certain types of data. Data collected from such programs can include
account numbers (e.g., credit cards, deposits, or loans) or
Due to the design of the Internet, data privacy and confidentiality
issues extend beyond data transfer and include any connected data
storage systems, including network drives. Any data stored on a Web
server may be susceptible to compromise if proper security
precautions are not taken.
the top of the newsletter
IT SECURITY QUESTION:
IT personnel - to
ensure a safe and sound continuous operation:
a. Is there a network administrator?
b. Does the Network Administrator have any conflicting duties?
c. Is there a core application administrator?
d. Does the core application administrator have any conflicting
e. Is there a programming administrator?
f. Is there an IT Security Officer?
g. Does the IT Security Officer have any conflicting duties?
h. Are the number of IT personnel satisfactory for the IT
i. Are the IT personnel performing their respective duties
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
A. Disclosure of Nonpublic Personal Information
1) Select a
sample of third party relationships with nonaffiliated third parties
and obtain a sample of data shared between the institution and the
third party both inside and outside of the exceptions. The sample
should include a cross-section of relationships but should emphasize
those that are higher risk in nature as determined by the initial
procedures. Perform the following comparisons to evaluate the
financial institution's compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers (customers and those who
are not customers) in its notices about its policies and practices
in this regard and what the institution actually does are consistent
b. Compare the data shared to a sample of opt out directions
and verify that only nonpublic personal information covered under
the exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather"
provisions of Section 18 apply to certain of these contracts (§13(a)).