- Cybersecurity Awareness Resources - As part of the FDIC's
Community Banking Initiative, the agency is adding to its
cybersecurity awareness resources for financial institutions. These
include a Cybersecurity Awareness video and three new vignettes for
the Cyber Challenge, which consists of exercises that are intended
to encourage discussions of operational risk issues and the
potential impact of information technology disruptions on common
- Could Hello
Barbie become the plaything of hackers? Turns out toys are
vulnerable, too - Mattel's chatty doll could listen in on your kids,
while a hacker has already swiped children's pictures and personal
info from toymaker VTech. Experts say Internet-connected toys are
rife with security problems.
- Moody's: Cyber risks will impact credit ratings - Moody's will
begin to place more weight on considerations related to cyber risks
when issuing credit ratings. The company released a report, “Cross
Sector – Global: Cyber Risk of Growing Importance to Credit
Analysis,” outlining their plans to assess cyber issues as part of
the credit rating process.
- Americans come in second for cyber banking safety - When it comes
to online banking, Americans are the second most security focused
nation behind Great Britain, according to an ESET survey.
- Former RoadRunner Wireless worker arrested for hacking company - A
Rio Rancho, N.M., man was arrested for allegedly hacking into his
former employer's Roadrunner Wireless‘s servers and posing as a
- Bank of England worried about cyber-threats - Market crashes in
China and Greek political uncertainty loomed over the financial
world this summer. Now as it begins to look more stable, the Bank of
England (BOE) worries about finance risks more than ever with
cyber-security the number two worry for bankers.
- OPM launches site for victims to check if personal information
stolen - The Office of Personnel Management (OPM) launched a website
for potential victims to check whether their personal information
was stolen as part of the massive hack in June. The personal
information of 21.5 million and at least 5.6 million fingerprints
were stolen as a result of the attack.
- Target reaches preliminary $39.4M settlement with banks - Target
Corp. has reached a preliminary settlement with banks affected by
the retailer's 2013 breach, agreeing to pay out $39.4 million to the
- Commercial Bank
Examination Manual, October 2015 update.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- 5M affected in VTech breach; security concerns raised with popular
holiday items - A cybercriminal stole a database on Nov. 14 from the
Hong Kong-based toymaker VTech that contained the information of
nearly five million people including more than 200,000 children even
as security issues with other popular holiday items have raised
- China-based hacks hit Interior Dept. in 2013, inspector says -
Foreign cyber spies and other hackers have infiltrated the
Department of the Interior 19 times in recent years, according to a
recent government watchdog report.
- Hack of toy maker VTech exposes 5 million customers - A hacker got
into a customer database for the Learning Lodge app store, where
parents can download apps, games and e-books for VTech toys. VTech,
a Chinese company that makes popular electronic toys for kids, had
its app store hacked.
- Amazon force-resets some account passwords, citing password leak -
It's not clear how many accounts are affected. Amazon has
force-reset an unknown number of accounts, after passwords may have
- Hilton Data Breach Focuses Attention On Growing POS Malware Threat
- Analysts expect an increase in POS attacks against retailers and
others during this holiday shopping season.
- Breach at IT Automation Firm LANDESK - LANDESK, a company that
sells software to help organizations securely and remotely manage
their fleets of desktop computers, servers and mobile devices,
alerted employees last week that a data breach may have exposed
their personal information. But LANDESK employees contacted by this
author say the breach may go far deeper for the company and its
- 'Hacker Buba' holds UAE bank to ransom - One mysterious hacker has
blackmailed a UAE bank threatening to release the account
information of some of their most important clients over Twitter.
- Aramada Collective demands ransom from Greek banks - A hacking
group dubbing itself the Armada Collective has claimed
responsibility for striking three Greek banks with distributed
denial of service (DDoS) attacks and has threatened to continue to
do so unless paid a ransom.
- It isn't over .... Adele fans' security breached - Some fans
buying tickets for Adele's European tour were shocked to see the
payment details and addresses from other people's shopping baskets
other than their own while attempting to check out.
- Hackers use Dropbox to target Hong Kong media - Hong Kong
activists have been targetted via Dropbox according to FireEye, with
the Chinese government the top suspects. Hong Kong journalists and
activist groups were targeted by Chinese hackers, according to
information from FireEye.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue our review of the
FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when
implementing weblinking relationships should address ways to avoid
customer confusion regarding linked third-party products and
services. This includes disclaimers and disclosures to limit
customer confusion and a customer service plan to address confusion
when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage
disclosures to explain their limited role and responsibility with
respect to products and services offered through linked third-party
websites. The level of detail of the disclosure and its prominence
should be appropriate to the harm that may ensue from customer
confusion inherent in a particular link. The institution might post
a disclosure stating it does not provide, and is not responsible
for, the product, service, or overall website content available at a
third-party site. It might also advise the customer that its privacy
polices do not apply to linked websites and that a viewer should
consult the privacy disclosures on that site for further
information. The conspicuous display of the disclosure, including
its placement on the appropriate webpage, by effective use of size,
color, and graphic treatment, will help ensure that the information
is noticeable to customers. For example, if a financial institution
places an otherwise conspicuous disclosure at the bottom of its
webpage (requiring a customer to scroll down to read it), prominent
visual cues that emphasize the information's importance should point
the viewer to the disclosure.
In addition, the technology used to provide disclosures is
important. While many institutions may simply place a disclaimer
notice on applicable webpages, some institutions use "pop-ups," or
intermediate webpages called "speedbumps," to notify customers they
are leaving the institution's website. For the reasons described
below, financial institutions should use speedbumps rather than
pop-ups if they choose to use this type of technology to deliver
their online disclaimers.
A "pop up" is a screen generated by mobile code, for example Java
or Active X, when the customer clicks on a particular hyperlink.
Mobile code is used to send small programs to the user's browser.
Frequently, those programs cause unsolicited messages to appear
automatically on a user's screen. At times, the programs may be
malicious, enabling harmful viruses or allowing unauthorized access
to a user's personal information. Consequently, customers may
reconfigure their browsers or install software to block disclosures
delivered via mobile codes.
In contrast, an intermediate webpage, or "speedbump," alerts the
customer to the transition to the third-party website. Like a
pop-up, a speedbump is activated when the customer clicks on a
particular weblink. However, use of a speedbump avoids the problems
of pop-up technology, because the speedbump is not generated
externally using mobile code, but is created within the
institution's operating system, and cannot be disabled by the
the top of the newsletter
FFIEC IT SECURITY
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review
Management should ensure that information system networks are
tested regularly. The nature, extent, and frequency of tests should
be proportionate to the risks of intrusions from external and
internal sources. Management should select qualified and reputable
individuals to perform the tests and ensure that tests do not
inadvertently damage information systems or reveal confidential
information to unauthorized individuals. Management should oversee
the tests, review test results, and respond to deficiencies in a
timely manner. In accordance with OCC's "Technology Risk Management:
PC Banking," management should ensure that an objective, qualified
source conducts a penetration test of Internet banking systems at
least once a year or more frequently when appropriate.
Return to the top of
NATIONAL INSTITUTE OF STANDARDS
AND TECHNOLOGY -
We continue the series on the
National Institute of Standards and Technology (NIST) Handbook.
Chapter 4 - COMMON THREATS: A BRIEF OVERVIEW
Computer systems are vulnerable to many threats that can inflict
various types of damage resulting in significant losses. This damage
can range from errors harming database integrity to fires destroying
entire computer centers. Losses can stem, for example, from the
actions of supposedly trusted employees defrauding a system, from
outside hackers, or from careless data entry clerks. Precision in
estimating computer security-related losses is not possible because
many losses are never discovered, and others are "swept under the
carpet" to avoid unfavorable publicity. The effects of various
threats varies considerably: some affect the confidentiality or
integrity of data while others affect the availability of a system.
This chapter presents a broad view of the risky environment in
which systems operate today. The threats and associated losses
presented in this chapter were selected based on their prevalence
and significance in the current computing environment and their
expected growth. This list is not exhaustive, and some threats may
combine elements from more than one area. This overview of many of
today's common threats may prove useful to organizations studying
their own threat environments; however, the perspective of this
chapter is very broad. Thus, threats against particular systems
could be quite different from those discussed here.
To control the risks of operating an information system, managers
and users need to know the vulnerabilities of the system and the
threats that may exploit them. Knowledge of the threat environment
allows the system manager to implement the most cost-effective
security measures. In some cases, managers may find it more
cost-effective to simply tolerate the expected losses. Such
decisions should be based on the results of a risk analysis.