REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
- The Federal Financial Institutions Examination Council today
issued a Press Release concerning Microsoft's discontinuation of
support for its Windows XP operating system as of April 8, 2014.
- Developing a Talent That Becomes A Career - In coming years,
conflicts with serious real world consequences will be fought
online. The risk of your private information falling into the wrong
hands is also rapidly rising.
- German Teen Arrested for DDoS Attack on Government Web Site - RP
Online reports that an 18-year-old student from Hamburg, Germany has
been arrested for launching a cyber attack on the official Web site
for the German state of Saxony-Anhalt.
- US demanded access to encryption keys of email provider Lavabit -
Lavabit said in August it was shutting down its service rather than
be complicit in crimes against Americans - The U.S. government
demanded from email service provider Lavabit that it hand over
access to all user communications and a copy of the encryption keys
used to secure web, instant message and email traffic for its
investigation into several Lavabit user accounts.
- DHS will expand cybersecurity intern program - A U.S. Department of
Homeland Security (DHS) summer internship program for community
college students focusing on cybersecurity was so successful, the
department plans to ramp it up.
- Supreme Court Declines to Decide When Online Speech Becomes an
Illegal Threat - The Supreme Court declined Monday to weigh into the
legal thicket of when an online threat becomes worthy of
prosecution, a decision leaving conflicting federal appellate court
views on the topic.
- Banks put to the test over cyber security - Simulated online
attack will test UK’s banking, payments and markets systems - Banks
will next month launch the most extensive cyber threat exercise in
two years as the authorities test the preparedness of the financial
system to survive a sustained online attack.
- MasterCard joins FIDO Alliance march to standardize biometric
auth, other password alternatives - MasterCard has joined forces
with an organization that aims to eliminate consumers' dependency on
passwords and PINs for authentication.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Adobe hacked, 3 million accounts compromised - Adobe announced on
Thursday that it has been the target of a major security breach in
which sensitive and personal data about millions of its customers
have been put at risk.
- Burglary compromises info of thousands at Calif. medical center -
More than 3,500 patients of University of California San Francisco
Medical Center (UCSF) may have had data compromised after a hospital
laptop was stolen from an employee's vehicle.
- Insecure email puts more than a thousand NC patients at risk - An
employee with North Carolina-based CaroMont Health sent out an
insecure email containing personal information on more than 1,300
- Not in Kansas anymore, thousands affected by Wichita website hack
- The city of Wichita had its website hacked over the weekend,
consequently compromising sensitive information for tens of
thousands of current and former vendors who have done business with
the city and employees who have been reimbursed for expenses since
- Compromised websites possibly the result of DNS redirection attack
- A hacktivist group calling itself Kdms Team, known on Twitter as @KdmsTeam
and claiming to hail from Palestine, took credit on Twitter for
several recent attacks against websites, including those belonging
to cross-platform instant messaging service WhatsApp, computer
security company AVG Technologies, and anti-virus software company
- Peel Health Program hit with data breach - Ontarian regional
municipality Peel admitted this week to losing the personal
information of more than 18,000 people in a security breach.
- Nearly 50k patient credit cards compromised by insider - As many
as 46,000 patients of Arizona-based Scottsdale Dermatology may have
had personal information compromised, but two suspects - one of them
an employee of the medical practice's billing firm - have been
WEB SITE COMPLIANCE -
This week begins our series on the
Federal Financial Institutions Examination Council Guidance on
Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Shared Secret Systems (Part 1 of 2)
Shared secret systems uniquely identify the user by matching
knowledge on the system to knowledge that only the system and user
are expected to share. Examples are passwords, pass phrases, or
current transaction knowledge. A password is one string of
characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string
of words or characters (e.g., "My car is a shepherd") that the
system may shorten to a smaller password by means of an algorithm.
Current transaction knowledge could be the account balance on the
last statement mailed to the user/customer. The strength of shared
secret systems is related to the lack of disclosure of and about the
secret, the difficulty in guessing or discovering the secret, and
the length of time that the secret exists before it is changed.
A strong shared secret system only involves the user and the system
in the generation of the shared secret. In the case of passwords and
pass phrases, the user should select them without any assistance
from any other user, such as the help desk. One exception is in the
creation of new accounts, where a temporary shared secret could be
given to the user for the first login, after which the system
prompts the user to create a different password. Controls should
prevent any user from re-using shared secrets that may have been
compromised or were recently used by them.
Passwords are the most common authentication mechanism. Passwords
are generally made difficult to guess when they are composed from a
large character set, contain a large number of characters, and are
frequently changed. However, since hard-to-guess passwords may
be difficult to remember, users may take actions that weaken
security, such as writing the passwords down. Any password system
must balance the password strength with the user's ability to
maintain the password as a shared secret. When the balancing
produces a password that is not sufficiently strong for the
application, a different authentication mechanism should be
considered. Pass phrases are one alternative to consider. Due to
their length, pass phrases are generally more resistant to attack
than passwords. The length, character set, and time before enforced
change are important controls for pass phrases as well as passwords.
Shared secret strength is typically assured through the use of
automated tools that enforce the password selection policy.
Authentication systems should force changes to shared secrets on a
schedule commensurate with risk.
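The controls the booklet lists for static shared secrets (a minimum length and character set, a forced change on a schedule, no re-use of recent or compromised secrets, and a help-desk-issued temporary secret that must be replaced at first login) can all be enforced by one small policy module. The following Python sketch is an added example, not code from the FFIEC booklet or from this newsletter; the thresholds (12 characters, 3 character classes, 90-day age, 5-deep history) and the choice of salted PBKDF2-HMAC-SHA256 for the stored history are assumptions made for the illustration, and the sample secrets "t0Ol@Tyme" and "My car is a shepherd" are the booklet's own examples.

```python
import hashlib
import hmac
import os
import string
from datetime import datetime, timedelta

# Policy thresholds are constructed for this example; an institution sets them
# from its own risk assessment, not from these numbers.
MIN_LENGTH = 12               # characters
MIN_CLASSES = 3               # of: lowercase, uppercase, digit, punctuation/space
MAX_AGE = timedelta(days=90)  # forced change interval
HISTORY_DEPTH = 5             # recent secrets that may not be re-used
PBKDF2_ROUNDS = 100_000


def classes_present(candidate):
    """Count the character classes a candidate draws from (a proxy for character-set size)."""
    return sum((
        any(c.islower() for c in candidate),
        any(c.isupper() for c in candidate),
        any(c.isdigit() for c in candidate),
        any(c in string.punctuation or c == " " for c in candidate),
    ))


def hash_secret(secret, salt=None):
    """Salted PBKDF2-HMAC-SHA256 so the stored history discloses nothing about the secret."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def matches(secret, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    return hmac.compare_digest(hash_secret(secret, salt)[1], digest)


class SharedSecretRecord:
    """Per-user state: current hash, recent history, when it was set, whether it is temporary."""

    def __init__(self):
        self.current = None      # (salt, digest) of the secret in force
        self.history = []        # previous (salt, digest) pairs, most recent first
        self.set_at = None
        self.must_change = False


def check_policy(candidate, record):
    """Return the policy violations for a candidate; an empty list means it is acceptable."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if classes_present(candidate) < MIN_CLASSES:
        problems.append("uses fewer than %d character classes" % MIN_CLASSES)
    recent = ([record.current] if record.current else []) + record.history[:HISTORY_DEPTH]
    if any(matches(candidate, salt, digest) for salt, digest in recent):
        problems.append("reuses a current or recent secret")
    return problems


def set_secret(record, candidate, now, temporary=False):
    """Apply a new secret if it passes policy. temporary=True marks a help-desk
    issued first-login secret that must be replaced at the next login."""
    problems = check_policy(candidate, record)
    if problems:
        return problems
    if record.current is not None:
        record.history.insert(0, record.current)
        del record.history[HISTORY_DEPTH:]
    record.current = hash_secret(candidate)
    record.set_at = now
    record.must_change = temporary
    return []


def login(record, candidate, now):
    """Authenticate a candidate: 'denied', 'change_required' (temporary or expired), or 'ok'."""
    if record.current is None or not matches(candidate, *record.current):
        return "denied"
    if record.must_change or now - record.set_at > MAX_AGE:
        return "change_required"
    return "ok"


if __name__ == "__main__":
    rec = SharedSecretRecord()
    t0 = datetime(2013, 10, 7)
    set_secret(rec, "Temp-Start-2013", t0, temporary=True)  # help desk issues a temporary secret
    print(login(rec, "Temp-Start-2013", t0))                 # change_required
    print(check_policy("t0Ol@Tyme", rec))                    # too short under this policy
    print(set_secret(rec, "My car is a shepherd", t0))       # [] -> pass phrase accepted
```

The re-use check compares the candidate against hashes rather than stored plaintext, so the history itself never becomes a source of disclosure; the trade-off is one key-derivation per history entry at change time, which is acceptable because changes are rare.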
Passwords can also be dynamic. Dynamic passwords typically use
seeds, or starting points, and algorithms to calculate a new shared
secret for each access. Because each password is used for
only one access, dynamic passwords can provide significantly more
authentication strength than static passwords. In most cases,
dynamic passwords are implemented through tokens. A token is a
physical device, such as an ATM card, smart card, or other device
that contains information used in the authentication process.
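The "seed plus algorithm" scheme the booklet describes is what an event-based hardware token computes. As an added example (not part of the newsletter or the FFIEC booklet), the following Python code implements the HOTP algorithm of RFC 4226 together with a server-side verifier that consumes each counter value once, which is what makes each dynamic password good for only one access. The seed is RFC 4226's published test key, not a production secret; the look-ahead window of three counter values is an assumption chosen for the illustration.

```python
import hashlib
import hmac
import struct


def hotp(seed, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


class TokenVerifier:
    """Server-side state for one token: the shared seed and the next counter it will accept."""

    def __init__(self, seed, look_ahead=3):
        self.seed = seed
        self.counter = 0              # next value the server expects
        self.look_ahead = look_ahead  # tolerated button presses that never reached a login

    def verify(self, code):
        """Accept a code only once: success advances the counter past it, so a
        replayed or older code is rejected even though it was once valid."""
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    seed = b"12345678901234567890"  # RFC 4226 test key, not a production secret
    v = TokenVerifier(seed)
    print(hotp(seed, 0))                            # 755224
    print(v.verify("755224"), v.verify("755224"))   # True False (second use is a replay)
```

Two defensive details are worth noting: the comparison uses `hmac.compare_digest` rather than `==`, and a successful match moves the counter past every skipped value, so the look-ahead window never lets an earlier code be accepted later.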
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
14. Does the institution describe the following about its policies
and practices with respect to protecting the confidentiality and
security of nonpublic personal information:
a. who is authorized to have access to the information; and
b. whether security practices and policies are in place to ensure
the confidentiality of the information in accordance with the
institution's policy? [§6(c)(6)(ii)]
(Note: the institution is not required to describe technical
information about the safeguards used in this respect.)