REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
- Top firewall management blunders - We've all made one in our
career, I'm talking about that blunder for which you thought you
would be fired.
- National banking regulator advises on DDoS deluge - The regulator
for national banks issued an alert Friday about the apparent uptick
in distributed denial-of-service (DDoS) attacks being waged against
- Obama Administration Outlines National Information Sharing
Strategy - The NSISS broadly outlines how the Obama administration
wants to promote the secure sharing of national security
- FCC offers security advice to smartphone users - FCC publishes
10-step plan for securing mobile devices and their data - The U.S.
Federal Communications Commission is advising smartphone users on
how to protect their mobile devices and data from mobile security
- US: We'll drag cyber-spies into COURT from their hideouts - 'And
Iran to prosecute American programmers for Stuxnet?' - The US
Department of Justice has floated a plan to advance criminal
prosecutions against cyber-spies.
- Children's privacy law catches on to apps, social networks - The
FTC updates rules tied to the Children's Online Privacy Protection
Act, or COPPA, but the changes won't really affect companies like
Apple or Facebook. he Federal Trade Commission today moved to make a
key children's online privacy law more up-to-date in a world of
smartphones and social networks.
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
- Wells Fargo's website buckles under flood of traffic - Customers
who can't access the website should go to a branch or bank over the
phone, Wells Fargo said - Well Fargo urged its customers on Thursday
to visit bank branches or use telephone banking due to continuing
problems with its website.
- Costs mount as NASA responds to October data breach - The fallout
from the theft of a NASA laptop bearing personal information on
10,000 current and former agency employees could cost taxpayers
nearly $960,000, according to the space agency’s inspector general.
- Stabuniq trojan found on servers at U.S. banks - An
information-gathering trojan has successfully compromised servers at
a number of U.S. financial institutions, according to researchers at
security firm Symantec.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 1 of 5)
Web-site spoofing is a method of creating fraudulent Web sites that
look similar, if not identical, to an actual site, such as that of a
bank. Customers are typically directed to these spoofed Web sites
through phishing schemes or pharming techniques. Once at the
spoofed Web site, the customers are enticed to enter information
such as their Internet banking username and password, credit card
information, or other information that could enable a criminal to
use the customers' accounts to commit fraud or steal the customers'
identities. Spoofing exposes a bank to strategic, operational, and
reputational risks; jeopardizes the privacy of bank customers; and
exposes banks and their customers to the risk of financial fraud.
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of Web-site spoofing by implementing
the identification and response procedures discussed in this
bulletin. A bank also can help minimize the impact of a spoofing
incident by assigning certain bank employees responsibility for
responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet activities
are outsourced, the bank can address spoofing risks by ensuring that
its contracts with its technology service providers stipulate
appropriate procedures for detecting and reporting spoofing
incidents, and that the service provider's process for responding to
such incidents is integrated with the bank's own internal
Banks can improve the effectiveness of their response procedures by
establishing contacts with the Federal Bureau of Investigation (FBI)
and local law enforcement authorities in advance of any spoofing
incident. These contacts should involve the appropriate departments
and officials responsible for investigating computer security
incidents. Effective procedures should also include appropriate
time frames to seek law enforcement involvement, taking note of the
nature and type of information and resources that may be available
to the bank, as well as the ability of law enforcement authorities
to act rapidly to protect the bank and its customers.
Additionally, banks can use customer education programs to mitigate
some of the risks associated with spoofing attacks. Education
efforts can include statement stuffers and Web-site alerts
explaining various Internet-related scams, including the use of
fraudulent e-mails and Web-sites in phishing attacks. In addition,
because the attacks can exploit vulnerabilities in Web browsers
and/or operating systems, banks should consider reminding their
customers of the importance of safe computing practices.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Encryption, or cryptography, is a method of converting information
to an unintelligible code. The process can then be reversed,
returning the information to an understandable form. The information
is encrypted (encoded) and decrypted (decoded) by what are commonly
referred to as "cryptographic keys." These "keys" are actually
values, used by a mathematical algorithm to transform the data. The
effectiveness of encryption technology is determined by the strength
of the algorithm, the length of the key, and the appropriateness of
the encryption system selected.
Because encryption renders information unreadable to any party
without the ability to decrypt it, the information remains private
and confidential, whether being transmitted or stored on a system.
Unauthorized parties will see nothing but an unorganized assembly of
characters. Furthermore, encryption technology can provide
assurance of data integrity as some algorithms offer protection
against forgery and tampering. The ability of the technology to
protect the information requires that the encryption and decryption
keys be properly managed by authorized parties.
Return to the top of
INTERNET PRIVACY - With
this issue, we begin our review of the issues in the "Privacy of
Consumer Financial Information" published by the financial
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act
governs the treatment of nonpublic personal information about
consumers by financial institutions. Section 502 of the Subtitle,
subject to certain exceptions, prohibits a financial institution
from disclosing nonpublic personal information about a consumer to
nonaffiliated third parties, unless the institution satisfies
various notice and opt-out requirements, and provided that the
consumer has not elected to opt out of the disclosure. Section 503
requires the institution to provide notice of its privacy policies
and practices to its customers. Section 504 authorizes the issuance
of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
1) A financial institution must provide a notice of its privacy
policies, and allow the consumer to opt out of the disclosure of the
consumer's nonpublic personal information, to a nonaffiliated third
party if the disclosure is outside of the exceptions in sections 13,
14 or 15 of the regulations.
2) Regardless of whether a financial institution shares nonpublic
personal information, the institution must provide notices of its
privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
4) A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it receives from a
nonaffiliated financial institution.