FYI
- Technology Alert: GNU Bourne-Again Shell Vulnerability - The
FDIC, as a member of the Federal Financial Institutions Examination
Council, is issuing the attached alert advising financial
institutions of a material security vulnerability with Linux and
Unix operating systems that could allow an attacker to gain control
of a bank's servers remotely. The vulnerability is commonly known as
the GNU Bourne-Again Shell or "Shellshock" vulnerability.
www.fdic.gov/news/news/financial/2014/fil14049.html
FYI
- U.S. Bank ordered to refund $48M to customers - The Consumer
Financial Protection Bureau's continued efforts to curb illegal or
deceptive banking activities – including promising credit monitoring
but not delivering – have resulted in U.S. Bank being ordered to
refund $48 million to customers.
http://www.scmagazine.com/us-bank-pays-customers-back-for-services-they-didnt-receive/article/373940/
FYI
- UK banks hook themselves up to real-time cop data feed - UK banks
will receive real-time warnings about threats to their customers'
accounts as well as the overall integrity of their banking systems
from a new financial crime alert system.
http://www.theregister.co.uk/2014/09/23/uk_bank_fraud_alert_system/
FYI
- The FDA wants to talk about medical device cybersecurity - The
Food and Drug Administration is asking the public to weigh in on the
cybersecurity of medical devices and holding a conference on the
subject, organized in collaboration with the Department of Homeland
Security.
http://www.washingtonpost.com/blogs/the-switch/wp/2014/09/23/the-fda-wants-to-talk-about-medical-device-cybersecurity/
FYI
- State IT suppliers face cyber security requirement - All
businesses must from next month meet a cyber security standard if
they want to bid for government contracts involving handling
information and providing IT services.
http://www.contractoruk.com/news/0011739state_it_suppliers_face_cyber_security_requirement.html
FYI
- FDA finalizes guidelines on medical device, patient data security
- In a move to bolster the health care sector's security regarding
patient data and medical devices, the U.S. Food and Drug
Administration (FDA) has finalized guidance meant to better protect
patient health and personal information.
http://www.scmagazine.com/food-and-drug-administration-finalize-guidelines-on-medical-device-security/article/374882/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- 75 million records compromised so far in 2014 - More than 75
million records have been compromised this year in approximately 568
breaches, according to the most recent breach report by the Identity
Theft Resource Center.
http://www.scmagazine.com/568-breaches-compromiseed-75-million-records/article/374282/
FYI
- Tripadvisor site coughs to card data breach for a potential 800k
users - TripAdvisor has suffered a data breach at its Viator
tour-booking and review website.
http://www.theregister.co.uk/2014/09/23/tripadvisor_subsidiary_viator_breach_card_fraud_link/
FYI
- Internet Crime Complaint Center warns that scam uses IC3 email as
way to con victims - Fraudsters say email sender is a representative
of the IC3. Not that it needed the reminder that scams suck, but the
Internet Crime Complaint Center (IC3) warned today that a new email
scam is making the rounds that uses the IC3 as the fraud
contrivance.
http://www.computerworld.com/article/2687877/security0/internet-crime-complaint-center-warns-that-scam-uses-ic3-email-as-way-to-con-victims.html
FYI
- Jimmy John’s Confirms Breach at 216 Stores - More than seven weeks
after this publication broke the news of a possible credit card
breach at nationwide sandwich chain Jimmy John’s, the company now
confirms that a break-in at one of its payment vendors jeopardized
customer credit and debit card information at 216 stores.
http://krebsonsecurity.com/2014/09/jimmy-johns-confirms-breach-at-216-stores/
FYI
- Cyber attack on Japan Airlines impacts up to 750,000 - A phishing
attack may have resulted in the theft of personal information
belonging to customers of Japan Airlines's frequent flier club.
http://www.scmagazine.com/japan-airlines-experiences-data-breach/article/373722/
FYI
- Two laptops containing patient data stolen from American Family
Care - American Family Care is notifying patients that their
personal information – including Social Security numbers – may have
been stored on two unencrypted, password protected laptops that were
stolen from an employee's vehicle in July.
http://www.scmagazine.com/american-family-care-data-breach-impacts-patient-data/article/374245/
FYI
- Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT - Gets
back up again after half an hour though - Ello, the social network
site intended to serve as something of an antidote to ad-stuffed
Facebook, was hit by a suspected Distributed-Denial-of-Service
attack today.
http://www.theregister.co.uk/2014/09/28/ello_hit_by_massive_ddos_attack/
FYI
- Fraud reports from a 'few dozen' customers in Sheplers payment
card breach - Western wear retailer Sheplers is notifying an
undisclosed number of customers that their payment card information
may have been exposed after hackers gained access to its payment
systems.
http://www.scmagazine.com/fraud-reports-from-a-few-dozen-customers-in-sheplers-payment-card-breach/article/374874/
FYI
- JPMorgan Chase security issues ongoing - Oops, Chase did it again.
Or did they? In a refrain that's becoming more commonplace, JPMorgan
Chase may have joined the ranks of companies that have been hit by
two data breaches, or more, in fairly short order.
http://www.scmagazine.com/jpmorgan-chase-security-issues-ongoing/article/375128/
FYI
- Flinn Scientific notifies customers of payment card breach - An
undisclosed number of customers who made purchases on the Flinn
Scientific website are being notified that their personal
information – including payment card data – may have been
compromised in a malware attack on the company's server that hosts
its internet store.
http://www.scmagazine.com/flinn-scientific-notifies-customers-of-payment-card-breach/article/375119/
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Bank
Supervision.
Principle 3: Banks should ensure that appropriate
measures are in place to promote adequate segregation of duties
within e-banking systems, databases and applications.
Segregation of duties is a basic internal control measure
designed to reduce the risk of fraud in operational processes and
systems and ensure that transactions and company assets are properly
authorized, recorded and safeguarded. Segregation of duties is
critical to ensuring the accuracy and integrity of data and is used
to prevent the perpetration of fraud by an individual. If duties are
adequately separated, fraud can only be committed through collusion.
E-banking services may necessitate modifying the ways in which
segregation of duties is established and maintained because
transactions take place over electronic systems where identities can
be more readily masked or faked. In addition, operational and
transaction-based functions have in many cases become more
compressed and integrated in e-banking applications. Therefore, the
controls traditionally required to maintain segregation of duties
need to be reviewed and adapted to ensure an appropriate level of
control is maintained. Because access to poorly secured databases
can be more easily gained through internal or external networks,
strict authorization and identification procedures, safe and sound
architecture of the straight-through processes, and adequate audit
trails should be emphasized.
Common practices used to establish and maintain segregation of
duties within an e-banking environment include the following:
1) Transaction processes and systems should be designed to
ensure that no single employee/outsourced service provider could
enter, authorize and complete a transaction.
2) Segregation should be maintained between those initiating
static data (including web page content) and those responsible for
verifying its integrity.
3) E-banking systems should be tested to ensure that
segregation of duties cannot be bypassed.
4) Segregation should be maintained between those developing
and those administrating e-banking systems.
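Practices 1, 3 and 4 above can be enforced and checked in code. The maker-checker model below is an added example, not the Basel Committee's or any bank's code; the role names, users and amounts are assumptions.

```python
# Maker-checker enforcement for an e-banking transaction flow: an added
# illustration of Basel Principle 3, not any bank's code; names are assumed.
from dataclasses import dataclass
class SegregationViolation(Exception):
    """One identity would hold or exercise conflicting duties."""
# Role pairs no single identity may hold together (assumed policy; the
# second pair is practice 4, developers versus administrators).
CONFLICTING_ROLES = (frozenset({"initiator", "approver"}),
                     frozenset({"developer", "administrator"}))
@dataclass
class Transaction:
    amount: int
    initiated_by: str
    approved_by: str = ""   # empty until an independent approver signs off
    completed: bool = False

class EBankingSystem:
    def __init__(self, roles):  # roles: {user: set of role names}
        for user, held in roles.items():  # reject conflicting grants up front
            for pair in CONFLICTING_ROLES:
                if pair <= held:
                    raise SegregationViolation(f"{user} holds {sorted(pair)}")
        self.roles = roles
    def _require(self, user, role):
        if role not in self.roles.get(user, set()):
            raise PermissionError(f"{user} lacks role {role}")
    def initiate(self, user, amount):
        self._require(user, "initiator")
        return Transaction(amount, initiated_by=user)
    def approve(self, user, tx):
        self._require(user, "approver")
        if user == tx.initiated_by:  # enforced on the record, not only on roles
            raise SegregationViolation("initiator may not approve own transaction")
        tx.approved_by = user
        return tx
    def complete(self, tx):
        # Completion re-verifies that a distinct approver was recorded.
        if not tx.approved_by or tx.approved_by == tx.initiated_by:
            raise SegregationViolation("no independent approval recorded")
        tx.completed = True
        return tx

def segregation_holds(system, user):
    """Practice 3: try to self-approve as `user`; True if the system blocks it."""
    tx = system.initiate(user, 100)
    try:
        system.approve(user, tx)
        system.complete(tx)
    except (SegregationViolation, PermissionError):
        return True
    return False
```

`segregation_holds` is the kind of bypass test practice 3 asks for; running it for every user with the initiator role is a cheap regression check on the control.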
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
PERSONNEL SECURITY
Security personnel allow legitimate users to have system
access necessary to perform their duties. Because of their internal
access levels and intimate knowledge of financial institution
processes, authorized users pose a potential threat to systems and
data. Employees, contractors, or third-party employees can exploit
their legitimate computer access for malicious, fraudulent, or
economic reasons. Additionally, the degree of internal access
granted to some users increases the risk of accidental damage or
loss of information and systems. Risk exposures from internal users
include:
- Altering data,
- Deleting production and backup data,
- Crashing systems,
- Destroying systems,
- Misusing systems for personal gain or to damage the institution,
- Holding data hostage, and
- Stealing strategic or customer data for corporate espionage or
fraud schemes.
BACKGROUND CHECKS AND SCREENING
Financial institutions should verify job application information on
all new employees. The sensitivity of a particular job or access
level may warrant additional criminal background and credit checks.
Institutions should verify that contractors are subject to similar
screening procedures. Typically, the minimum verification
considerations include:
- Character references;
- Confirmation of prior experience, academic record, and
professional qualifications; and
- Confirmation of identity from government issued identification.
After employment, managers should remain alert to changes in
employees' personal circumstances that could increase incentives for
system misuse or fraud.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will
help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties under Sections 14 and/or 15 and outside of exceptions (with
or without also sharing under Section 13). (Part 1 of 3)
Note: Financial institutions whose practices fall within this
category engage in the most expansive degree of information sharing
permissible. Consequently, these institutions are held to the most
comprehensive compliance standards imposed by the Privacy
regulation.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party both inside and outside
of the exceptions. The sample should include a cross-section of
relationships but should emphasize those that are higher risk in
nature as determined by the initial procedures. Perform the
following comparisons to evaluate the financial institution's
compliance with disclosure limitations.
a. Compare the categories of data shared and with whom the
data were shared to those stated in the privacy notice and verify
that what the institution tells consumers (customers and those who
are not customers) in its notices about its policies and practices
in this regard and what the institution actually does are consistent
(§§10, 6).
b. Compare the data shared to a sample of opt out directions
and verify that only nonpublic personal information covered under
the exceptions or from consumers (customers and those who are not
customers) who chose not to opt out is shared (§10).
2) If the financial institution also shares information under
Section 13, obtain and review contracts with nonaffiliated third
parties that perform services for the financial institution not
covered by the exceptions in section 14 or 15. Determine whether the
contracts prohibit the third party from disclosing or using the
information other than to carry out the purposes for which the
information was disclosed. Note that the "grandfather" provisions of
Section 18 apply to certain of these contracts (§13(a)).