Key-logging phishing scam targets
internet banking users - The combination of an exploit of a
serious vulnerability in Internet Explorer (IE) and a phishing email
is posing a serious threat to Internet banking users.
Australians face devious phishing
scam - A sophisticated scam directs
users to a site that installs a key-logging program on their PC then
redirects them to a genuine online banking site.
Security scare for business laptops
Business travelers are unwittingly making company
secrets available to rivals by ignoring the risks of local wireless
networks, known as wi-fi hotspots, security experts warn.
FDIC Issues Warning About Fraudulent E-mails - The FDIC has
received complaints from consumers who received an e-mail that
appears to have been sent by the FDIC. The e-mail is purportedly
from security at fdic.com and the subject is fraud report.
BJ's announces security clampdown after credit card
- BJ's Wholesale Club has
tightened computer security after finding that its customers' credit
card information might have been stolen, forcing banks and financial
institutions to replace thousands of credit and debit cards.
Return to the top
of the newsletter
INTERNET COMPLIANCE - Fair
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in person"
applications. Accordingly, information about these applicants' race
or national origin and sex must be collected. An institution that
accepts applications through electronic media without a video
component, for example, the Internet or facsimile, may treat the
applications as received by mail.
the top of the newsletter
INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information
SECURITY CONTROLS -
IMPLEMENTATION - DATA CENTER SECURITY
When selecting a site for the most important information systems
components, one major objective is to limit the risk of exposure
from internal and external sources. The selection process should
include a review of the surrounding area to determine if it is
relatively safe from exposure to fire, flood, explosion, or similar
environmental hazards. Outside intruders can be deterred through the
use of guards, fences, barriers, surveillance equipment, or other
similar devices. Since access to key information system hardware and
software should be limited, doors and windows must be secure.
Additionally, the location should not be identified or advertised by
signage or other indicators.
Detection devices, where applicable, should be utilized to prevent
theft and safeguard the equipment. They should provide continuous
coverage. Detection devices have two purposes - to alarm when a response is necessary and to support subsequent
forensics. The alarm capability is only useful when a response will
occur. Some intruder detection devices available include:
! Switches that activate an alarm when an electrical circuit is
! Light and laser beams, ultraviolet beams and sound or vibration
detectors that are invisible to the intruder, and ultrasonic and
radar devices that detect movement in a room; and
! Closed-circuit television that allows visual observation and
recording of actions.
Risks from environmental threats can be addressed somewhat through
devices such as halon gas, smoke alarms, raised flooring, heat
sensors, and the like.
Physical security devices frequently need preventive maintenance to
function properly. Maintenance logs are one control the institution
can use to determine whether the devices are appropriately
maintained. Periodic testing of the devices provides assurance that
they are operating correctly.
Security guards should be properly instructed about their duties.
The employees who access secured areas should have proper
identification and authorization to enter the area. All visitors
should sign in and wear proper IDs so that they can be identified
easily. Security guards should be trained to restrict the removal of
assets from the premises and to record the identity of anyone
removing assets. Consideration should be given to implementing a
specific and formal authorization process for the removal of
hardware and software from premises.
The following security zones should have access restricted to a need
! Operations center
! Uninterrupted power supply
! Telecommunications equipment
! Media library
CABINET AND VAULT SECURITY
Protective containers are designed to meet either fire-resistant or
burglar-resistant standards. Labels describing expected tolerance
levels are usually attached to safes and vault doors. An institution
should select the tolerance level based on the sensitivity and
importance of the information being protected.
the top of the newsletter
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY
6. Determine whether appropriate workstations are
deactivated after a period of inactivity through screen saver
passwords, server time-outs, powering down, or other means.
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
40. Does the institution provide at least one initial, annual,
and revised notice, as applicable, to joint consumers? [§9(g)]