Does Your Financial Institution need an
affordable Internet security audit? Yennik, Inc.
has clients in 42 states that rely on our penetration testing audits
to ensure proper Internet security settings and to
meet the independent diagnostic test requirements of
FDIC, OCC, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing
is an affordable, sophisticated process that goes far beyond the
simple scanning of ports. The audit
focuses on
a hacker's perspective, which will help
you identify real-world weaknesses.
For more information, give R. Kinney Williams a call today at
806-798-7119 or visit
http://www.internetbankingaudits.com/.
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
MUST READ
- Social Media: Consumer Compliance Risk Management Guidance - The
Federal Financial Institutions Examination Council, on behalf of
its members, released final guidance on the applicability of
consumer protection and compliance laws, regulations, and policies
to activities conducted via social media by banks, savings
associations, and credit unions, as well as nonbank entities
supervised by the Consumer Financial Protection Bureau.
Press Release:
www.fdic.gov/news/news/financial/2013/fil13056.pdf
FDIC attachment:
http://www.fdic.gov/news/news/financial/2013/fil13056a.pdf
Press Release:
www.ncua.gov/News/Pages/NW20131211SocialMedia.aspx
NCUA attachment:
http://www.ncua.gov/News/Press/FFIEC-Social-Media-Guidance20121211.pdf
FYI
- Cyber-security puzzle: Who is sending Internet traffic on long,
strange trips? The Internet traffic of governments and financial
companies is being quietly and momentarily diverted to overseas
locations, cyber-security experts say. Who is hijacking the traffic,
and why, remains a mystery.
http://www.csmonitor.com/World/Security-Watch/2013/1203/Cyber-security-puzzle-Who-is-sending-Internet-traffic-on-long-strange-trips
FYI
- China bans banks from handling Bitcoin trade - China has banned its
banks from handling transactions involving the Bitcoin virtual
currency. The ban came in a notice issued by the People's Bank of
China, financial watchdogs and the nation's IT ministry.
http://www.bbc.co.uk/news/technology-25233224
FYI
- Site identifies accounts compromised in major breaches - Users
looking to identify whether their accounts have been impacted by
recent breaches, including Adobe's, can check through
haveibeenpwned.com. Computer scientist Troy Hunt launched the site
earlier this week.
http://www.scmagazine.com/site-identifies-accounts-compromised-in-major-breaches/article/324578/?DCMP=EMC-SCUS_Newswire&spMailingID=7542160&spUserID=MjI5OTI3MzMyMQS2&spJobID=104271807&spReportId=MTA0MjcxODA3S0
FYI
- PayPal 13 plead guilty to launching DDoS attacks - The US Department
of Justice (DoJ) said the accused had all admitted to carrying out a
Distributed Denial of Service (DDoS) cyber-attack against PayPal in
December 2010 in protest against the payment processing firm's
decision to stop handling donations to WikiLeaks over the Cablegate
affair.
http://www.theregister.co.uk/2013/12/09/paypal_13_guilty_pleas/
FYI
- Sensitive data management in the coming year - As 2013 draws to a
close, it has become clear that every major industry maintains
sensitive data, and has been targeted by hackers.
http://www.scmagazine.com/sensitive-data-management-in-the-coming-year/article/324862/?DCMP=EMC-SCUS_Newswire&spMailingID=7561401&spUserID=MjI5OTI3MzMyMQS2&spJobID=104632726&spReportId=MTA0NjMyNzI2S0
FYI
- For the right price, employees would sell company data, says new
study - Security professionals aren't confident in the access
management tools they have in place, and they believe employees
would sell sensitive company data if given the right price, a recent
study found.
http://www.scmagazine.com/for-the-right-price-employees-would-sell-company-data-says-new-study/article/325435/?DCMP=EMC-SCUS_Newswire&spMailingID=7580250&spUserID=MjI5OTI3MzMyMQS2&spJobID=105052673&spReportId=MTA1MDUyNjczS0
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Researchers discover database with 2M stolen login credentials - The
database contains stolen usernames and passwords associated with
Facebook, Twitter, Google, Yahoo, and more.
http://news.cnet.com/8301-1009_3-57614479-83/researchers-discover-database-with-2m-stolen-login-credentials/
FYI
- Hackers access plain text info on nearly 500K JPMorgan Chase
cardholders - Banking and financial services holding company
JPMorgan Chase is alerting 465,000 prepaid cash cardholders that
their personal information may have been compromised by hackers.
http://www.scmagazine.com/hackers-access-plain-text-info-on-nearly-500k-jpmorgan-chase-cardholders/article/324285/
FYI
- Scottish bank experiences DDoS attack - The Royal Bank of Scotland (RBS)
experienced a distributed denial-of-service (DDoS) attack last week
that shut down its site and prevented customers from accessing their
bank accounts. The attack came less than a week after a separate
system failure yielded similar problems.
http://www.scmagazine.com/scottish-bank-experiences-ddos-attack/article/324792/?DCMP=EMC-SCUS_Newswire&spMailingID=7551761&spUserID=MjI5OTI3MzMyMQS2&spJobID=104452877&spReportId=MTA0NDUyODc3S0
FYI
- Sensitive student data improperly disposed during university
relocation - The personal financial information of students of
National American University (NAU) in Rapid City, S.D., may have
been compromised after thousands of records were found in a dumpster
near the school's old campus.
http://www.scmagazine.com/sensitive-student-data-improperly-disposed-during-university-relocation/article/324778/?DCMP=EMC-SCUS_Newswire&spMailingID=7551761&spUserID=MjI5OTI3MzMyMQS2&spJobID=104452877&spReportId=MTA0NDUyODc3S0
FYI
- Anatomy Of An Electronic Health Record Zero-Day - How a dangerous
security flaw discovered in one of the most pervasive electronic
medical record platforms in the U.S. was found and fixed before it
could do damage.
http://www.darkreading.com/vulnerability/anatomy-of-an-electronic-health-record-z/240164441
FYI
- House legislators request investigation into FDA hack - Lawmakers
have asked the Food and Drug Administration (FDA) to look into an
October hack that involved an unauthorized user gaining access to
the agency's online submission systems.
http://www.scmagazine.com/house-legislators-request-investigation-into-fda-hack/article/324992/?DCMP=EMC-SCUS_Newswire&spMailingID=7561401&spUserID=MjI5OTI3MzMyMQS2&spJobID=104632726&spReportId=MTA0NjMyNzI2S0
FYI
- Data on 20M Chinese hotel guests dumped online by hackers - The
privacy of millions of Chinese hotel guests is at risk after hackers
leaked their personal data online.
http://www.scmagazine.com/data-on-20m-chinese-hotel-guests-dumped-online-by-hackers/article/324961/?DCMP=EMC-SCUS_Newswire&spMailingID=7561401&spUserID=MjI5OTI3MzMyMQS2&spJobID=104632726&spReportId=MTA0NjMyNzI2S0
FYI
- Hackers infiltrate European ministry networks at G20 summit -
Chinese hackers compromised the networks of five European ministries
through a spear phishing campaign during September's G20 Summit,
according to experts.
http://www.scmagazine.com/hackers-infiltrate-european-ministry-networks-at-g20-summit/article/324958/?DCMP=EMC-SCUS_Newswire&spMailingID=7561401&spUserID=MjI5OTI3MzMyMQS2&spJobID=104632726&spReportId=MTA0NjMyNzI2S0
WEB SITE COMPLIANCE -
Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and conspicuous."
Therefore, compliance officers should review the web site to
determine whether the disclosures have been designed to meet this
standard. Institutions may find that the format(s) previously used
for providing paper disclosures may need to be redesigned for an
electronic medium. Institutions may find it helpful to use "pointers"
and "hotlinks" that will automatically present the disclosures to
customers when selected. A financial institution's use solely of
asterisks or other symbols as pointers or hotlinks would not be as
clear as descriptive references that specifically indicate the
content of the linked material.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Single Sign-On
Several single sign-on protocols are in use. Those protocols allow
clients to authenticate themselves once to obtain access to a range
of services. An advantage of single sign-on systems is that users
do not have to remember or possess multiple authentication
mechanisms, potentially allowing for more complex authentication
methods and fewer user-created weaknesses. Disadvantages include
the broad system authorizations potentially tied to any given
successful authentication, the centralization of authenticators in
the single sign-on server, and potential weaknesses in the single
sign-on technologies.
When single sign-on systems allow access for a single login to
multiple instances of sensitive data or systems, financial
institutions should employ robust authentication techniques, such as
multi-factor, PKI, and biometric techniques. Financial
institutions should also employ additional controls to protect the
authentication server and detect attacks against the server and
server communications.
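The single sign-on trade-offs described above, as an added example that is not part of this newsletter or of the FFIEC booklet it quotes: a toy identity provider authenticates a user once and issues a separate signed, audience-scoped, short-lived token for each service, and each service checks signature, audience and expiry and, for a sensitive system, also requires that the original login used a second factor. This limits how much authority one successful authentication carries. The key, the user name, the service names ("intranet", "wire-transfer") and the HMAC-based token format are all hypothetical; a real deployment would use an established protocol such as SAML or OpenID Connect rather than this stand-in.

```python
"""Toy single sign-on token flow (added example, not from the FFIEC booklet).

One login at the identity provider (IdP) yields one token per relying
service. Each service verifies the token independently and refuses tokens
issued for a different service, expired tokens, and, where it is sensitive,
tokens whose login did not include a second factor.
"""
import base64
import hashlib
import hmac
import json
import time

# Hypothetical secret shared by the IdP and the services (constructed for
# this example; a real deployment would use asymmetric signatures).
IDP_KEY = b"example-idp-key-not-for-production"


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def issue_token(user: str, audience: str, amr: list, ttl: int = 300, now=None) -> str:
    """IdP side: mint a token bound to one service (audience) with a short life.

    amr lists the authentication methods used at login, e.g. ["pwd"] or
    ["pwd", "mfa"], so services can demand step-up for sensitive access.
    """
    now = time.time() if now is None else now
    claims = {"sub": user, "aud": audience, "amr": amr, "iat": now, "exp": now + ttl}
    body = _b64(json.dumps(claims, sort_keys=True).encode())
    tag = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def verify_token(token: str, expected_aud: str, require_mfa: bool = False, now=None) -> dict:
    """Service side: return the claims if acceptable, otherwise raise ValueError."""
    now = time.time() if now is None else now
    try:
        body, tag = token.split(".", 1)
    except ValueError:
        raise ValueError("malformed token")
    expected = hmac.new(IDP_KEY, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):      # constant-time comparison
        raise ValueError("bad signature")
    claims = json.loads(_unb64(body))
    if claims.get("aud") != expected_aud:           # a token for service A is useless at B
        raise ValueError("token not issued for this service")
    if now >= claims["exp"]:
        raise ValueError("token expired")
    if require_mfa and "mfa" not in claims.get("amr", []):
        raise ValueError("step-up authentication required")
    return claims


def check(token: str, aud: str, require_mfa: bool = False, now=None) -> str:
    """Convenience wrapper: 'ok' or the reason the service rejected the token."""
    try:
        verify_token(token, aud, require_mfa=require_mfa, now=now)
        return "ok"
    except ValueError as err:
        return str(err)


if __name__ == "__main__":
    t0 = 1_700_000_000                      # fixed clock for a repeatable demo
    pwd_only = issue_token("alice", "intranet", ["pwd"], now=t0)
    with_mfa = issue_token("alice", "wire-transfer", ["pwd", "mfa"], now=t0)
    print("intranet accepts its own token:", check(pwd_only, "intranet", now=t0 + 10))
    print("wire-transfer rejects intranet token:", check(pwd_only, "wire-transfer", now=t0 + 10))
    print("wire-transfer with MFA token:", check(with_mfa, "wire-transfer", require_mfa=True, now=t0 + 10))
    print("expired token:", check(pwd_only, "intranet", now=t0 + 600))
```

The audience check and the short lifetime are what keep one compromised token from becoming the "broad system authorization" the booklet warns about; the `amr` check is one way to express the multi-factor requirement for sensitive systems. Protecting the IdP itself (key custody, monitoring of failed verifications and of the channel between IdP and services) is outside what this snippet shows.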
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
23. If the institution delivers the opt out notice after the initial
notice, does the institution provide the initial notice once again
with the opt out notice? [§7(c)]
24. Does the institution provide an opt out notice, explaining how
the institution will treat opt out directions by the joint
consumers, to at least one party in a joint consumer relationship?
[§7(d)(1)]