R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

January 13, 2013

CONTENT
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smartphones and tablets.  Go to the Market Store and search for yennik.

FYI - Corporate bank account takeovers less successful than ever - Hijacking corporate bank accounts is still prevalent, but miscreants are continuing to find less success in performing fraudulent transactions, according to a new study released Wednesday. http://www.scmagazine.com/corporate-bank-account-takeovers-less-successful-than-ever/article/275667/?DCMP=EMC-SCUS_Newswire

FYI - Hacktivists forecast continued DDoS campaign for banks - The collective of hackers taking claim for the months-long distributed denial-of-service (DDoS) attacks on U.S. banking sites now say the campaign could extend until 2014. http://www.scmagazine.com/hacktivists-forecast-continued-ddos-campaign-for-banks/article/275475/?DCMP=EMC-SCUS_Newswire

FYI - Feds step up HIPAA enforcement with hospice settlement - A Hayden, Idaho-based hospice is the first health care organization to be fined for sustaining a breach that affected fewer than 500 individuals.
http://www.scmagazine.com/feds-step-up-hipaa-enforcement-with-hospice-settlement/article/274916/?DCMP=EMC-SCUS_Newswire
http://www.hhs.gov/news/press/2013pres/01/20130102a.html

FYI - To thwart hackers, firms salting their servers with fake data - A Printing Co., which prints popular magazines and catalogues, knew that it had valuable assets in its computer systems and that those assets - online editions and subscriber databases - were increasingly at risk with the proliferation of cyber-espionage. http://www.washingtonpost.com/world/national-security/to-thwart-hackers-firms-salting-their-servers-with-fake-data/2013/01/02/3ce00712-4afa-11e2-9a42-d1ce6d0ed278_story.html

FYI - Google finds unauthorized certificate for google.com domain, scrambles to protect users - The company updated its Chrome browser and notified other browser makers about the problem - Google has taken steps to close potential security holes created by a fraudulent certificate for its google.com domain, discovered in late December.  http://www.computerworld.com/s/article/9235218/Google_finds_unauthorized_certificate_for_google.com_domain_scrambles_to_protect_users?taxonomyId=17

FYI - States Bar Employers From Demanding Facebook Passwords - California and Illinois on Tuesday joined four others in becoming the union’s only states barring employers from demanding that employees fork over their social-media passwords. http://www.wired.com/threatlevel/2013/01/password-protected-states/

FYI - Nations prepare for cyber war - Security analysts are predicting that 2013 is when nation-sponsored cyberwarfare goes mainstream -- and some think such attacks will lead to actual deaths. http://money.cnn.com/2013/01/07/technology/security/cyber-war/index.html

FYI - Los Alamos replaces Chinese-made computer parts over security fears - US nuclear weapons laboratory found 'isolated cases' of H3C-branded network switches, according to letter sent to government - The US nuclear weapons laboratory that was the birthplace of the atomic bomb has replaced at least two Chinese-made components in its computer systems over fears they might pose a national security risk, according to a letter seen by the Reuters news agency. http://www.guardian.co.uk/world/2013/jan/07/los-alamos-chinese-computer-parts

FYI - UNC cancer center servers attacked to expose info of 3.5K - Attackers compromised the servers of a North Carolina cancer center to expose the sensitive information of thousands of employees, educators and contractors. http://www.scmagazine.com/unc-cancer-center-servers-attacked-to-expose-info-of-35k/article/275487/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - DDoS attacks on banks continue into the New Year - A hacktivist group is claiming responsibility for outages affecting nine U.S. bank websites in recent weeks – part of a distributed denial-of-service (DDoS) operation that began last fall. http://www.scmagazine.com/ddos-attacks-on-banks-continue-into-the-new-year/article/274712/?DCMP=EMC-SCUS_Newswire

FYI - Latest IE attack brought by same gang that hacked Google - Active attacks targeting a critical vulnerability in older versions of Microsoft's Internet Explorer browser have been carried out by an experienced gang of hackers. http://arstechnica.com/security/2013/01/latest-ie-attack-brought-by-same-gang-that-hacked-google/

FYI - Hacked SC agency failed to heed security warnings, ex-worker says - A computer chief at the S.C. Department of Revenue did not heed warnings about cyber-security shortcomings at that state agency before hackers stole personal financial data belonging to 6.4 million consumers and businesses, a former agency employee told lawmakers Thursday. http://www.thestate.com/2013/01/04/2576982/hacked-sc-agency-failed-to-heed.html#.UOshgkKVhmC

FYI - Calif. health vendor laptop stolen; nearly 70K affected - An unencrypted laptop belonging to a California health care vendor was stolen, leaving the sensitive information of thousands of patients at risk. http://www.scmagazine.com/calif-health-vendor-laptop-stolen-nearly-70k-affected/article/275161/?DCMP=EMC-SCUS_Newswire

FYI - Subway restaurant hacker sentenced to 21 months - A Romanian hacker, who pleaded guilty to compromising the credit card processing systems of Subway restaurants in 2011, has been sentenced to 21 months in prison. http://www.scmagazine.com/subway-restaurant-hacker-sentenced-to-21-months/article/275330/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 3 of 5)

PROCEDURES TO ADDRESS SPOOFING - Information Gathering

After a bank has determined that it is the target of a spoofing incident, it should collect available information about the attack to enable an appropriate response.  The information that is collected will help the bank identify and shut down the fraudulent Web site, determine whether customer information has been obtained, and assist law enforcement authorities with any investigation.  Below is a list of useful information that a bank can collect.  In some cases, banks will require the assistance of information technology specialists or their service providers to obtain this information.

*  The means by which the bank became aware that it was the target of a spoofing incident (e.g., report received through Website, fax, telephone, etc.);
*  Copies of any e-mails or documentation regarding other forms of communication (e.g., telephone calls, faxes, etc.) that were used to direct customers to the spoofed Web sites;
*  Internet Protocol (IP) addresses for the spoofed Web sites along with identification of the companies associated with the IP addresses;
*  Web-site addresses (universal resource locator) and the registration of the associated domain names for the spoofed site; and
*  The geographic locations of the IP address (city, state, and country).


 
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES

Digital Signatures
Digital signatures authenticate the identity of a sender through the sender's private cryptographic key.  In addition, every digital signature is different because it is derived from the content of the message itself.  The combination of identity authentication and a signature unique to each message results in a transmission that the sender cannot repudiate, provided the private key has been kept private.


Digital signatures can be applied to any data transmission, including e-mail.  To generate a digital signature, the original, unencrypted message is run through a one-way hash algorithm that produces a message digest: a short, fixed-length value that changes if any bit of the message changes and from which the message cannot practically be reconstructed.  This step is known as hashing.  The message digest is then encrypted (signed) with the sender's private key, and the result is sent along with the message.

The recipient receives both the message and the signed message digest.  The recipient decrypts the digest with the sender's public key, and then runs the received message through the same hash function again.  If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified.  Because the message digest was encrypted with a private key that only the sender holds, the sender can be identified and bound to the specific message.  The digital signature cannot be reused on a different message, because it is unique to the message that was hashed.

In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself; a signature alone proves origin and integrity but does not hide the content.  The strength and security of a digital signature system is determined by its implementation and by the management of the cryptographic keys: the private key must remain under the sender's sole control, and the recipient must obtain the sender's public key through a trusted channel (typically a certificate) so that an attacker cannot substitute a key of his own.



INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Nonpublic Personal Information:

"Nonpublic personal information" generally is any information that is not publicly available and that:

1)  a consumer provides to a financial institution to obtain a financial product or service from the institution;

2)  results from a transaction between the consumer and the institution involving a financial product or service; or

3)  a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or securities filing.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution's depositors would be nonpublic personal information even though the names and addresses might be published in local telephone directories because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers where the mortgages are recorded in public records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about the customers on that list without having to provide notice or opt out.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated