FYI -
World Bank takes action on cyber attacks - The World Bank has
commissioned an external review of its information technology
networks following a series of cyber attacks on the international
institution's computer systems.
http://www.ft.com/cms/s/0/f0b4e6ac-bc9e-11dd-9efc-0000779fd18c.html?nclick_check=1
FYI -
Biz travelers howl over US gov RFIDs - A travel industry group has
called on the US government to halt its use of new machinery that
remotely reads government issued identification cards at border
crossings until the safety of the new system can be better
understood.
http://www.theregister.co.uk/2008/12/01/rfid_scanning_under_fire/
FYI -
Iran executes IT expert who spied for Israel - A computer expert has
been executed in Iran after he confessed to working for Mossad, the
Israeli intelligence service. This provides a rare insight into the
intense espionage activity inside the Islamic republic.
http://www.timesonline.co.uk/tol/news/world/middle_east/article5258057.ece
FYI -
Apple advises Mac users to install anti-virus software - Apple,
whose market share is growing among computer users, is now
recommending that consumers consider applying anti-virus protection
to their machines.
http://www.scmagazineus.com/Apple-advises-Mac-users-to-install-anti-virus-software/article/121749/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Sandwich loses nearly $50k to hacker - Scheme may have international
ties - The same type of data security breach that has menaced retail
stores, restaurants, and other businesses has made its way into the
Sandwich treasurer's office, where a hacker with possible
international ties stole tens of thousands of dollars from town
coffers in a complex computer-fraud scheme.
http://www.boston.com/news/local/massachusetts/articles/2008/11/26/sandwich_loses_nearly_50k_to_hacker/
FYI -
Four men busted in home equity ID theft ring - Four men have been
charged for their involvement in an international scheme in which
they stole millions of dollars from home equity credit lines.
http://www.scmagazineus.com/Four-men-busted-in-home-equity-ID-theft-ring/article/121653/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
This week continues our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 5 of 6)
Consumer Education
The FDIC believes that consumers have an important role to play in
protecting themselves from identity theft. As identity thieves
become more sophisticated, consumers can benefit from accurate,
up-to-date information designed to educate them concerning steps
they should take to reduce their vulnerability to this type of
fraud. The financial services industry, the FDIC and other federal
regulators have made significant efforts to raise consumers'
awareness of this type of fraud and what they can do to protect
themselves.
In 2005, the FDIC sponsored four identity theft symposia entitled
Fighting Back Against Phishing and Account-Hijacking. At each
symposium (held in Washington, D.C., Atlanta, Los Angeles and
Chicago), panels of experts from government, the banking industry,
consumer organizations and law enforcement discussed efforts to
combat phishing and account hijacking, and to educate consumers on
avoiding scams that can lead to account hijacking and other forms of
identity theft. In 2006, the FDIC also sponsored a series of symposia
entitled Building Confidence in an E-Commerce World, with sessions
held in San Francisco, Phoenix and Miami. Further consumer education
efforts are planned for 2007.
In 2006, the FDIC released a multi-media educational tool, Don't Be
an On-line Victim, to help online banking customers avoid common
scams. It discusses how consumers can secure their computer, how
they can protect themselves from electronic scams that can lead to
identity theft, and what they can do if they become the victim of
identity theft. The tool is being distributed through the FDIC's web
site and via CD-ROM. Many financial institutions also now display
anti-fraud tips for consumers in a prominent place on their public
web site and send customers informational brochures discussing ways
to avoid identity theft along with their account statements.
Financial institutions are also redistributing excellent educational
materials from the Federal Trade Commission, the federal
government's lead agency for combating identity theft.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS
(Part 1 of 2)
Sensitive or mission-critical applications should incorporate
appropriate access controls that restrict which application
functions are available to users and other applications. The most
commonly referenced applications from an examination perspective
support the information processing needs of the various business
lines. These computer applications allow authorized users or other
applications to interface with the related database. Effective
application access control can enforce both segregation of duties
and dual control. Access rights to sensitive or critical
applications and their database should ensure that employees or
applications have the minimum level of access required to perform
their business functions. Effective application access control
involves a partnership between the security administrators, the
application programmers (including TSPs and vendors), and the
business owners.
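As an added illustration (not text or code from the FFIEC booklet), the following Python sketch shows how an application can enforce the three controls the paragraph names at the function level: least-privilege role permissions (each role sees only the functions its business task needs), segregation of duties (an initiator may never approve their own transaction, even when holding both roles) and dual control (two distinct approvers above a threshold). The role names, user IDs, function names and the 10,000 dual-control threshold are assumptions made for the example.

```python
"""Application-level access control for a wire-transfer function:
least privilege, segregation of duties (SoD) and dual control.

Added illustration; roles, users, function names and the threshold are
assumptions for the example, not from the FFIEC booklet."""
from dataclasses import dataclass, field

# Least privilege: each (assumed) role is granted only the application
# functions that its business task requires.
ROLE_PERMISSIONS = {
    "teller":     {"wire.view", "wire.initiate"},
    "supervisor": {"wire.view", "wire.approve"},
    "auditor":    {"wire.view"},
}

# Assumed user-to-role mapping; in practice this comes from the directory
# or the security software's user database.
USER_ROLES = {
    "alice": {"teller"},
    "bob":   {"supervisor"},
    "carol": {"teller", "supervisor"},   # both roles: SoD still applies per wire
    "dave":  {"auditor"},
}

DUAL_CONTROL_THRESHOLD = 10_000   # assumed: wires at or above this need two approvers


class AccessDenied(Exception):
    pass


@dataclass
class Wire:
    wire_id: str
    amount: int
    initiated_by: str
    approvals: list = field(default_factory=list)
    released: bool = False


def is_permitted(user, function):
    """Function-level check: does any of the user's roles grant this function?"""
    return any(function in ROLE_PERMISSIONS[r] for r in USER_ROLES.get(user, ()))


def require(user, function):
    if not is_permitted(user, function):
        raise AccessDenied(f"{user} may not call {function}")


def initiate_wire(user, wire_id, amount):
    require(user, "wire.initiate")
    return Wire(wire_id, amount, user)


def approve_wire(user, wire):
    """Approve a wire; returns True once enough distinct approvers have signed."""
    require(user, "wire.approve")
    if wire.released:
        raise AccessDenied(f"{wire.wire_id} is already released")
    # Segregation of duties: the initiator can never approve their own wire,
    # even if they also hold the supervisor role.
    if user == wire.initiated_by:
        raise AccessDenied(f"{user} initiated {wire.wire_id} and cannot approve it")
    # Dual control: each approver counts once, so one person cannot
    # satisfy both approvals by approving twice.
    if user in wire.approvals:
        raise AccessDenied(f"{user} already approved {wire.wire_id}")
    wire.approvals.append(user)
    needed = 2 if wire.amount >= DUAL_CONTROL_THRESHOLD else 1
    if len(wire.approvals) >= needed:
        wire.released = True
    return wire.released


def is_denied(fn, *args):
    """True if calling fn(*args) is rejected by the access-control checks."""
    try:
        fn(*args)
    except AccessDenied:
        return True
    return False


def run_scenarios():
    """Exercise the policy on constructed transactions; returns the outcomes."""
    out = {}
    out["auditor_initiates"] = is_denied(initiate_wire, "dave", "W1", 100)
    small = initiate_wire("carol", "W2", 5_000)
    out["initiator_approves_own"] = is_denied(approve_wire, "carol", small)
    out["small_released_by_one"] = approve_wire("bob", small)
    large = initiate_wire("alice", "W3", 20_000)
    out["large_after_first_approval"] = approve_wire("bob", large)
    out["same_approver_twice"] = is_denied(approve_wire, "bob", large)
    out["large_after_second_approval"] = approve_wire("carol", large)
    return out


if __name__ == "__main__":
    for label, result in run_scenarios().items():
        print(f"{label}: {result}")
```

The point of the `carol` case is that role membership alone is not enough: a user who legitimately holds both the initiating and the approving role must still be blocked from approving the specific transaction they started, which is a per-transaction check the application has to make itself rather than something a role assignment can express.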
Some security software programs will integrate access control for
the operating system and some applications. That software is useful
when applications do not have their own access controls, and when
the institution wants to rely on the security software instead of
the application's access controls. Examples of such security
software products for mainframe computers include RACF, CA-ACF2,
and CA-Top Secret. Institutions should understand the functionality
and vulnerabilities of their application access control solutions
and consider those issues in their risk assessment process.
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
2. Determine whether workstations are configured either for secure
remote administration or for no remote administration.
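One way to answer this question on a Unix-type workstation where remote administration means OpenSSH, as an added example that is not part of the original workprogram: parse sshd_config the way sshd does (the first occurrence of a directive wins, and everything after a `Match` line is conditional rather than global) and compare the effective values against a baseline. The baseline (root login off, password authentication off, public-key authentication on) and the sample configurations are assumptions constructed for the example; a workstation whose sshd is not enabled is reported as having no remote administration.

```python
"""Audit check for the remote-administration question: classify a
workstation's OpenSSH server configuration as 'disabled', 'secure' or
'insecure'.

Added illustration. The baseline and the sample configs are assumptions
constructed for the example."""
import re

# Assumed hardening baseline for "secure remote administration".
SECURE_BASELINE = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
}

# Effective value when a directive is absent (OpenSSH defaults, lower-cased).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "pubkeyauthentication": "yes",
}

# sshd_config accepts "Keyword value" or "Keyword=value".
_DIRECTIVE = re.compile(r"^(\w+)\s*(?:=\s*)?(.*)$")


def parse_sshd_config(text):
    """Return the effective global settings as {keyword: value}, lower-cased.

    Mirrors two sshd_config rules that audits often get wrong:
    - the FIRST occurrence of a keyword wins, so a hardening line appended
      at the end of the file does not override an earlier permissive one;
    - everything after the first 'Match' line is conditional and is not
      part of the global configuration, so parsing stops there.
    """
    settings = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        m = _DIRECTIVE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip().lower()
        if key == "match":
            break
        settings.setdefault(key, value)          # first value wins
    return settings


def classify_remote_admin(config_text, sshd_enabled=True):
    """Classify the workstation and return (verdict, findings).

    verdict is 'disabled' (no remote administration), 'secure' or 'insecure';
    findings lists every baseline directive whose effective value is off."""
    if not sshd_enabled:
        return "disabled", []
    cfg = parse_sshd_config(config_text)
    findings = []
    for key, allowed in SECURE_BASELINE.items():
        value = cfg.get(key, DEFAULTS[key])
        if value not in allowed:
            findings.append(f"{key}={value} (expected {' or '.join(sorted(allowed))})")
    return ("secure" if not findings else "insecure"), findings


# Constructed sample configurations, not taken from any real system.
SAMPLE_SECURE = """\
# hardened workstation
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
"""

SAMPLE_INSECURE = """\
PasswordAuthentication yes
PermitRootLogin yes
# an administrator later appended a "fix" that sshd ignores (first value wins)
PasswordAuthentication no
PermitRootLogin no
Match User backup
    PasswordAuthentication no
"""

if __name__ == "__main__":
    for name, text in (("secure", SAMPLE_SECURE), ("insecure", SAMPLE_INSECURE)):
        verdict, findings = classify_remote_admin(text)
        print(f"{name}: {verdict} {findings}")
    print("no sshd:", classify_remote_admin("", sshd_enabled=False))
```

The second sample is the case worth checking for in the field: the hardened directives are present in the file, so a grep for `PasswordAuthentication no` would pass the workstation, but sshd takes the first value of each keyword and the effective configuration is still the permissive one.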
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions. When you answer the question
each week, you will help ensure compliance with the privacy
regulations.
Financial Institution Duties (Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
the consumer.
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.