FYI - Why high-level
HMRC staff have lessons to learn - At least nine HMRC people knew of
the full 25 million record extract - Concerning the disastrous
leakage of 25 million people's identity information at least nine
HMRC staff knew of the full (25 million record) data extract and its
transfer to the National Audit Office (NAO) in March.
FYI - Gordon Brown
orders data security spot checks - The government has agreed to data
security spot checks across all departments by the Information
Commissioner following the loss of 25 million records of child
benefit recipients by HM Revenue & Customs (HMRC).
FYI - State hires new
data firm after student records are lost - Just more than a month
after a massive loss of college student records was revealed,
Louisiana's student financial aid office is hiring a new data
security company and considering litigation against the previous
FYI - Bank execs
targeted by fake Department of Justice phishing emails - Corporate
executives again are being targeted in a new round of spear phishing
attacks that attempt to dupe them into downloading a malicious
FYI - N.L. police probe
security breach of patient information - Officials in Newfoundland
and Labrador are investigating a computer security breach involving
sensitive patient information that may have been accessed through
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary
(OSC) also clarifies that terminal receipts are unnecessary for
transfers initiated on-line. Specifically, OSC regulations provides
that, because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization
via a home banking system. To satisfy the regulatory requirements,
the institution must have some means to identify the consumer (such
as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or
other visual display that enables the consumer to read the
communication from the institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue the series
from the FDIC "Security Risks Associated with the
Logical Access Controls (Part 1 of 2)
If passwords are used for access control or authentication measures,
users should be properly educated in password selection. Strong
passwords consist of at least six to eight alpha numeric characters,
with no resemblance to any personal data. PINs should also be
unique, with no resemblance to personal data. Neither passwords nor
PINs should ever be reduced to writing or shared with others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as well.
Password guessing programs can be run against a system. Some can run
through tens of thousands of password variations based on personal
information, such as a user's name or address. It is preferable to
test for such vulnerabilities by running this type of program as a
preventive measure, before an unauthorized party has the opportunity
to do so. Incorporating a brief delay requirement after each
incorrect login attempt can be very effective against these types of
programs. In cases where a potential attacker is monitoring a
network to collect passwords, a system utilizing one-time passwords
would render any data collected useless.
When additional measures are necessary to confirm that passwords or
PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
the top of the newsletter
IT SECURITY QUESTION:
Network user access controls: (Part 1 of
g. Can the same password be used again within 12 months?
h. Is the user locked out after three unsuccessful attempts to enter
the correct password?
i. How long is the user locked out after entering an incorrect
j. Automatic timeout if left unattended? If so, how long?
k. Automatic lockout by time of day and day of week?
l. Is user access restricted by workstation?
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6) Does the institution provide a clear and conspicuous notice
that accurately reflects its privacy policies and practices at least
annually (that is, at least once in any period of 12 consecutive
months) to all customers, throughout the customer relationship? [§5(a)(1)and
(Note: annual notices are not required for former customers. [§5(b)(1)and