REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
Technology Alert: GNU Bourne-Again Shell Vulnerability - The
FDIC, as a member of the Federal Financial Institutions Examination
Council, is issuing the attached alert advising financial
institutions of a material security vulnerability with Linux and
Unix operating systems that could allow an attacker to gain control
of a bank's servers remotely. The vulnerability is commonly known as
the GNU Bourne-Again Shell or "Shellshock" vulnerability.
- U.S. Bank ordered to refund $48M to customers - The Consumer
Financial Protection Bureau's continued efforts to curb illegal or
deceptive banking activities – including promising credit monitoring
but not delivering – has resulted in U.S. Bank being ordered to
refund $48 million to customers.
- UK banks hook themselves up to real-time cop data feed - UK banks
will receive real-time warnings about threats to their customers'
accounts as well as the overall integrity of their banking systems
from a new financial crime alert system.
- The FDA wants to talk about medical device cybersecurity - The
Food and Drug Administration is asking the public to weigh in on the
cybersecurity of medical devices and holding a conference on the
subject, organized in collaboration with the Department of Homeland
- State IT suppliers face cyber security requirement - All
businesses must from next month meet a cyber security standard if
they want to bid for government contracts involving handling
information and providing IT services.
- FDA finalizes guidelines on medical device, patient data security
- In a move to bolster the health care sector's security regarding
patient data and medical devices, the U.S. Food and Drug
Administration (FDA) has finanlized guidance meant to better protect
patient health and personal information.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 75 million records compromised so far in 2014 - More than 75
million records have been compromised this year in approximately 568
breaches, according to the most recent breach report by the Identity
Theft Resource Center.
- Tripadvisor site coughs to card data breach for a potential 800k
users - TripAdvisor has suffered a data breach at its Viator
tour-booking and review website.
- Internet Crime Complaint Center warns that scam uses IC3 email as
way to con victims - Fraudsters say email sender is a representative
of the IC3. Not that it needed the reminder that scams suck, but the
Internet Crime Complaint Center (IC3) warned today that a new email
scam is making the rounds that uses the IC3 as the fraud
- Jimmy John’s Confirms Breach at 216 Stores - More than seven weeks
after this publication broke the news of a possible credit card
breach at nationwide sandwich chain Jimmy John’s, the company now
confirms that a break-in at one of its payment vendors jeopardized
customer credit and debit card information at 216 stores.
- Cyber attack on Japan Airlines impacts up to 750,000 - A phishing
attack may have resulted in the theft of personal information
belonging to customers of Japan Airlines's frequent flier club.
- Two laptops containing patient data stolen from American Family
Care - American Family Care is notifying patients that their
personal information – including Social Security numbers – may have
been stored on two unencrypted, password protected laptops that were
stolen from an employee's vehicle in July.
- Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT - Gets
back up again after half an hour though - Ello, the social network
site intended to serve as something of an antidote to ad-stuffed
Facebook, was hit by a suspected Distributed-Denial-of-Service
- Fraud reports from a 'few dozen' customers in Sheplers payment
card breach - Western wear retailer Sheplers is notifying an
undisclosed number of customers that their payment card information
may have been exposed after hackers gained access to its payment
- JPMorgan Chase security issues ongoing - Oops, Chase did it again.
Or did they? In a refrain that's becoming more commonplace, JPMorgan
Chase may have joined the ranks of companies that have been hit by
two data breaches, or more, in fairly short order.
- Flinn Scientific notifies customers of payment card breach - An
undisclosed number of customers who made purchases on the Flinn
Scientific website are being notified that their personal
information – including payment card data – may have been
compromised in a malware attack on the company's server that hosts
its internet store.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Principle 3: Banks should ensure that appropriate
measures are in place to promote adequate segregation of duties
within e-banking systems, databases and applications.
Segregation of duties is a basic internal control measure
designed to reduce the risk of fraud in operational processes and
systems and ensure that transactions and company assets are properly
authorized, recorded and safeguarded. Segregation of duties is
critical to ensuring the accuracy and integrity of data and is used
to prevent the perpetration of fraud by an individual. If duties are
adequately separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties are established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to
ensure that no single employee/outsourced service provider could
enter, authorize and complete a transaction.
2) Segregation should be maintained between those initiating
static data (including web page content) and those responsible for
verifying its integrity.
3) E-banking systems should be tested to ensure that
segregation of duties cannot be bypassed.
4) Segregation should be maintained between those developing
and those administrating e-banking systems.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
Security personnel allow legitimate users to have system
access necessary to perform their duties. Because of their internal
access levels and intimate knowledge of financial institution
processes, authorized users pose a potential threat to systems and
data. Employees, contractors, or third - party employees can exploit
their legitimate computer access for malicious, fraudulent, or
economic reasons. Additionally, the degree of internal access
granted to some users increases the risk of accidental damage or
loss of information and systems. Risk exposures from internal users
! Altering data,
! Deleting production and back up data,
! Crashing systems,
! Destroying systems,
! Misusing systems for personal gain or to damage the institution,
! Holding data hostage, and
! Stealing strategic or customer data for corporate espionage or
BACKGROUND CHECKS AND SCREENING
Financial institutions should verify job application information on
all new employees. The sensitivity of a particular job or access
level may warrant additional criminal background and credit checks.
Institutions should verify that contractors are subject to similar
screening procedures. Typically, the minimum verification
! Character references;
! Confirmation of prior experience, academic record, and
professional qualifications; and
! Confirmation of identity from government issued identification.
After employment, managers should remain alert to changes in
employees' personal circumstances that could increase incentives for
system misuse or fraud.
Return to the top of
INTERNET PRIVACY -
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party both inside and outside
of the exceptions. The sample should include a cross-section of
relationships but should emphasize those that are higher risk in
nature as determined by the initial procedures. Perform the
following comparisons to evaluate the financial institution's
compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers (customers and those who
are not customers) in its notices about its policies and practices
in this regard and what the institution actually does are consistent
b. Compare the data shared to a sample of opt out directions
and verify that only nonpublic personal information covered under
the exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather" provisions of
Section 18 apply to certain of these contracts (§13(a)).