DHS seeks to ease privacy fears - Homeland Security Department
officials say they hope their new privacy protection principles for
research projects will address concerns some privacy advocates have
raised about the programs.
Browsers fail password protection tests - A beta version of Google
Chrome has tied with Safari for last place in tests of how the
browsers dealt with password security.
Brazilian hackers blamed for aiding Amazon deforestation - Malicious
hackers have been charged with all manner of misdeeds, from mounting
the biggest military hack ever to sending Viagra to Bill Gates to
crashing sewerage systems. Greenpeace has accused cybercrooks of
conspiring to allow actions that threaten the balance of nature by
helping to destroy the Amazon rainforest.
Google releases browser security handbook - Google posted on
Wednesday a handbook for Web developers that highlights the key
security features and quirks of major Web browsers. The document,
dubbed the Browser Security Handbook, has three parts that tackle
the security features in browsers and browser-specific issues that
could lead to security weaknesses.
The five myths of two-factor authentication - Every day, people find
new reasons to go online to access goods and services. Shopping
online is convenient and offers broad selection that local
businesses often just can't touch.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Credit Card Numbers Stolen From Movie Theater Computer - Merrimack
Police Say Numerous People Report Credit Card Problems - Hackers
broke into a Merrimack movie theater's servers and stole customers'
credit card information.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
week begins our series on the Federal Financial Institutions Examination Council Guidance
on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act,
Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An Interim rule was issued on March 20, 1998 that allows
depository institutions to satisfy the requirement to deliver by
electronic communication any of these disclosures and other
information required by the act and regulations, as long as the
consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign-up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services including electronic financial services.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Many financial institutions use modems, remote - access servers
(RAS), and VPNs to provide remote access into their systems or to
allow remote access out of their systems. Remote access can support
mobile users through wireless, Internet, or dial-in capabilities. In
some cases, modem access is required periodically by vendors to make
emergency program fixes or to support a system.
Remote access to a financial institution's systems provides an
attacker with the opportunity to remotely attack the systems either
individually or in groups. Accordingly, management should establish
policies restricting remote access and be aware of all remote access
devices attached to their systems. These devices should be strictly
controlled. Good controls for remote access include the following
! Disallow remote access by policy and practice unless a compelling
business justification exists.
! Disable remote access at the operating system level if a business
need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by
default, to enable modems only for specific, authorized external
requests, and disable the modem immediately when the requested
purpose is completed.
! Configure modems not to answer inbound calls, if modems are for
outbound use only.
! Use automated callback features so the modems only call one number
(although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses a
different prefix than internal numbers and does not respond to
! Log and monitor the date, time, user, user location, duration, and
purpose for all remote access.
! Require a two-factor authentication process for all remote access
(e.g., PIN-based token card with a one-time random password
! Implement controls consistent with the sensitivity of remote use
(e.g., remote system administration requires strict controls and
oversight including encrypting the authentication and log-in
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet
access, to provide a consistent authentication process, and to
subject the inbound and outbound network traffic to firewalls.
Return to the top of the
D. USER EQUIPMENT SECURITY
(E.G. WORKSTATION, LAPTOP, HANDHELD)
4. Determine whether adequate policies and
procedures exist to address the loss of equipment, including laptops
and other mobile devices. Such plans should encompass the potential
loss of customer data and authentication devices.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
Next week we will start covering the examination objectives.