REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
- FDIC: Improve Vendor Management - Monitoring Service Providers Is
Banks' Responsibility - Federal regulators are urging banking
institutions to pay more attention to vendor management in light of
recent breaches, such as one that compromised core processor
Fidelity National Information Services, better known as FIS.
New guidelines aid organizations in beefing up security teams - In
light of evolving cyber crime, hacktivism and insider threats, the
Security for Business Innovation Council (SBIC) – an independent
group of security experts from Global 1000 enterprises – has
released a report on what it takes for an organization to create an
elite security team (PDF).
Four charged over alleged plot to plant device, drain millions from
London bank - Four men in London were charged with allegedly
plotting a sophisticated cyber heist against Santander bank.
Cyberspies attack key South Korean institutions, North Korean
hackers suspected - South Korean organizations that conduct research
on international affairs, national security and Korean unification
are under siege from cyberspies whose attack may have its origins in
Hacker sentenced to three years for breaching police sites - A man
said to be affiliated with the hacking collective Anonymous gets
prison time for breaking into police and municipal Web sites in
Utah, New York, Missouri, and California.
In Barnes & Noble skimming case, federal judge dismisses plaintiffs'
class-action suit - A federal judge in Illinois has tossed a
class-action lawsuit against Barnes & Noble, after plaintiffs failed
to demonstrate loss or injury as a result of a PIN pad tampering
incident last year.
- Secret Spy Court Demands Surveillance Transparency From Feds - The
secret spy court at the center of NSA whistleblower Edward Snowden’s
leaks today ordered the government to begin declassifying its
opinions involving the Patriot Act.
- Cyber security: The new arms race for a new front line - The
Pentagon - and a growing cyber industrial complex - gears up for the
new front line: cyberspace. Cyber defense is necessary. But it could
- Health Agency Watchdog Doesn’t Have Time to Vet Obamacare Cyber
Designs - Inspectors have declined to review draft and final
security plans for health insurance online marketplaces set to
launch Oct. 1.
- AT&T shakes its banhammer at would-be pirates - If you appear to
pirate on an AT&T connection, your service may be terminated. AT&T
is alerting would-be pirates that their illegal activity could
result in termination of their Internet access, according to a
letter obtained by TorrentFreak.
- "Hackers for hire" group Hidden Lynx on mission to collect
corporate data - Researchers believe that a group of “hackers for
hire” based out of China are linked to numerous high-profile attacks
on U.S. companies, including those against Google and security firm
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
No warrant, no problem: US gov't uses travel alerts for warrantless
electronics search - The ACLU has released documents showing how the
US government uses border searches to take citizens' electronics and
rifle through private data to its heart's content.
Vodafone Germany hack hits two million customers - Personal details
of more than two million customers of Vodafone Germany have been
stolen by a hacker. Vodafone said the attacker got access to
customer names, addresses, bank account numbers and birth dates.
Email contains personal data on thousands of insurance agents -
Thousands of agents with state online health insurance exchange
MNsure in Minnesota may have had personal data compromised when an
employee inadvertently sent out an email attachment that contained
- Kaiser Permanente employee sends out email containing patient data
- An employee of health care provider Kaiser Permanente affected
hundreds of patients by inadvertently sending out an email
containing personal information related to a pilot Wellness
- Teenager busted for running botnet that stole $50,000 a month - A
19-year-old Argentinean man, whose identity has not been revealed,
could face up to 10 years behind bars after being arrested and
charged with intercepting $50,000 a month from gaming and money
transfer sites and dumping it into his bank account.
- Website programming error compromises personal information - A
programming error on the website belonging to PLS Financial Services
- a Chicago-based consumer financial services retailer - allowed
some visitors to access personal information of an undisclosed
number of customers.
WEB SITE COMPLIANCE -
This week continues our series on
the FDIC's Supervisory Policy on Identity Theft.
(4 of 6)
As a result of guidelines issued by the FDIC, together with other
federal agencies, financial institutions are required to develop and
implement a written program to safeguard customer information,
including the proper disposal of consumer information (Security
Guidelines). The FDIC considers this programmatic requirement to be
one of the foundations of identity theft prevention. In guidance
that became effective on January 1, 2007, the federal banking
agencies made it clear that they expect institutions to use stronger
and more reliable methods to authenticate the identity of customers
using electronic banking systems. Moreover, the FDIC has also issued
guidance stating that financial institutions are expected to notify
customers of unauthorized access to sensitive customer information
under certain circumstances. The FDIC has issued a number of other
supervisory guidance documents articulating its position and
expectations concerning identity theft. Industry compliance with
these expectations will help to prevent and mitigate the effects of
Risk management examiners trained in information technology (IT) and
the requirements of the Bank Secrecy Act (BSA) evaluate a number of
aspects of a bank's operations that raise identity theft issues. IT
examiners are well-qualified to evaluate whether banks are
incorporating emerging IT guidance into their Identity Theft
Programs and GLBA 501(b) Information Security Programs; responsibly
overseeing service provider arrangements; and taking action when a
security breach occurs. In addition, IT examiners will consult with
BSA examiners during the course of an examination to ensure that the
procedures institutions employ to verify the identity of new
customers are consistent with existing laws and regulations to
prevent financial fraud, including identity theft.
The FDIC has also issued revised examination procedures for the Fair
Credit Reporting Act (FCRA), through the auspices of the Federal
Financial Institutions Examination Council's (FFIEC) Consumer
Compliance Task Force. These procedures are used during consumer
compliance examinations and include steps to ensure that
institutions comply with the FCRA's fraud and active duty alert
provisions. These provisions enable consumers to place alerts on
their consumer reports that require users, such as banks, to take
additional steps to identify the consumer before new credit is
extended. The procedures also include reviews of institutions'
compliance with requirements governing the accuracy of data provided
to consumer reporting agencies. These requirements include the
blocking of data that may be the result of an identity theft.
Compliance examiners are trained in the various requirements of the
FCRA and ensure that institutions have effective programs to comply
with the identity theft provisions. Consumers are protected from
identity theft through the vigilant enforcement of all the
examination programs, including Risk Management, Compliance, IT and
The Fair and Accurate Credit Transactions Act directed the FDIC and
other federal agencies to jointly promulgate regulations and
guidelines that focus on identity theft "red flags" and customer
address discrepancies. As proposed, the guidelines would require
financial institutions and creditors to establish a program to
identify patterns, practices, and specific forms of activity that
indicate the possible existence of identity theft. The proposed
joint regulation would require financial institutions and creditors
to establish reasonable policies to implement the guidelines,
including a provision requiring debit and credit card issuers to
assess the validity of a request for a change of address. In
addition, the agencies proposed joint regulations that provide
guidance regarding reasonable policies and procedures that a user of
consumer reports must employ when the user receives a notice of
address discrepancy. When promulgated in final form, these joint
regulations and guidelines will comprise another element of the
FDIC's program to prevent and mitigate identity theft.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the system to allow
the users only the access rights they were granted. Since access
rights do not automatically expire or update, periodic updating and
review of access rights on the system is necessary. Updating should
occur when an individual's business needs for system use changes.
Many job changes can result in an expansion or reduction of access
rights. Job events that would trigger a removal of access rights
include transfers, resignations, and terminations. Institutions
should take particular care to remove promptly the access rights for
users who have remote access privileges, and those who administer
the institution's systems.
Because updating may not always be accurate, periodic review of user
accounts is a good control to test whether the access right removal
processes are functioning, and whether users exist who should have
their rights rescinded or reduced. Financial institutions should
review access rights on a schedule commensurate with risk.
Access rights to new software and hardware present a unique problem.
Typically, hardware and software are installed with default users,
with at least one default user having full access rights. Easily
obtainable lists of popular software exist that identify the default
users and passwords, enabling anyone with access to the system to
obtain the default user's access. Default user accounts should
either be disabled, or the authentication to the account should be
changed. Additionally, access to these default accounts should be
monitored more closely than other accounts.
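The periodic review described above (orphaned accounts, users who have transferred or left, prompt removal for remote and administrative users, and still-enabled vendor default accounts) is easiest to run as a reconciliation of the system's account list against the HR roster. The script below is an added example, not text or code from the FFIEC booklet; the default-account list, the review intervals, and all account and roster records are constructed for illustration and would be replaced by the institution's own data.

```python
"""Periodic access-rights review (added example; not from the FFIEC booklet).

Reconciles a system's account list against the HR roster and flags the
cases the booklet calls out: owners who transferred, resigned or were
terminated; accounts with no known owner; and vendor default accounts
that are still enabled.  All data below is constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date
from typing import List, Optional, Tuple

# Assumed list of vendor default usernames (in practice, built per product).
KNOWN_DEFAULT_ACCOUNTS = {"admin", "guest", "sa", "root"}

# Assumed review schedule in days, commensurate with the account's risk.
REVIEW_DAYS_ADMIN, REVIEW_DAYS_REMOTE, REVIEW_DAYS_STANDARD = 30, 60, 180


@dataclass
class Account:
    username: str
    owner_id: Optional[str]           # HR employee id; None for shared/default accounts
    enabled: bool
    remote_access: bool
    admin: bool
    password_changed: Optional[date]  # None = still the password set at install


@dataclass
class Employee:
    emp_id: str
    status: str                       # active | transferred | resigned | terminated


Finding = Tuple[str, str, str]       # (username, severity, reason)


def review_interval_days(acct: Account) -> int:
    """Administrators and remote users are reviewed more often than standard users."""
    if acct.admin:
        return REVIEW_DAYS_ADMIN
    if acct.remote_access:
        return REVIEW_DAYS_REMOTE
    return REVIEW_DAYS_STANDARD


def review_accounts(accounts: List[Account], roster: List[Employee]) -> List[Finding]:
    """Return findings ordered high -> medium -> low; clean accounts produce none."""
    by_id = {e.emp_id: e for e in roster}
    findings: List[Finding] = []
    for a in accounts:
        if not a.enabled:
            continue                   # a disabled account carries no live access
        privileged = a.admin or a.remote_access
        if a.username in KNOWN_DEFAULT_ACCOUNTS:
            if a.password_changed is None:
                findings.append((a.username, "high",
                                 "vendor default account enabled with install-time password"))
            else:
                findings.append((a.username, "medium",
                                 "vendor default account enabled; monitor logons closely"))
            continue
        owner = by_id.get(a.owner_id) if a.owner_id else None
        if owner is None:
            findings.append((a.username, "high" if privileged else "medium",
                             "no owner on HR roster; orphaned account"))
        elif owner.status in ("resigned", "terminated"):
            findings.append((a.username, "high" if privileged else "medium",
                             f"owner {owner.status}; access rights not removed"))
        elif owner.status == "transferred":
            findings.append((a.username, "low",
                             "owner transferred; re-validate rights against new duties"))
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted(findings, key=lambda f: order[f[1]])


# Constructed sample data: an HR roster and the accounts found on one system.
SAMPLE_ROSTER = [
    Employee("E100", "active"),
    Employee("E101", "terminated"),
    Employee("E102", "transferred"),
    Employee("E103", "active"),
]
SAMPLE_ACCOUNTS = [
    Account("jdoe",   "E100", True,  False, False, date(2013, 8, 1)),   # clean
    Account("bsmith", "E101", True,  True,  True,  date(2013, 5, 3)),   # terminated admin with remote access
    Account("kwong",  "E102", True,  False, False, date(2013, 1, 9)),   # transferred; rights need re-validation
    Account("mlee",   "E103", True,  True,  True,  date(2012, 2, 1)),   # active admin
    Account("admin",  None,   True,  False, True,  None),               # vendor default, never changed
    Account("guest",  None,   False, False, False, None),               # vendor default but disabled
    Account("ghost",  "E999", True,  True,  False, date(2013, 3, 3)),   # owner unknown to HR
]

if __name__ == "__main__":
    for user, sev, why in review_accounts(SAMPLE_ACCOUNTS, SAMPLE_ROSTER):
        print(f"{sev:6} {user:8} review every {review_interval_days(next(a for a in SAMPLE_ACCOUNTS if a.username == user))}d: {why}")
```

On the sample data the review reports bsmith, admin and ghost as high findings and kwong as low, and stays silent on jdoe, mlee and the disabled guest account. In practice the account list would be pulled from the directory or application and the roster from HR on the schedule the interval function suggests, and the high findings would feed the removal process the booklet says must be prompt for remote and administrative users.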
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories of
affiliates and nonaffiliated third parties to whom it discloses
information, as applicable, and a few examples to illustrate the
types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]