Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - New FDIC Tool Helps Consumers Protect Themselves Against Identity Theft and Suggests Steps They Can Take if Victimized - Don't Be an On-line Victim: How to Guard Against Internet Thieves and Electronic Scams - The Federal Deposit Insurance Corporation today released an on-line multimedia education tool that consumers can use to learn how to better protect their computers and themselves from identity thieves.
www.fdic.gov/news/news/press/2006/pr06008.html

FYI - Gov't Cyber-sleuths Focusing on Linux, iPod, Xbox - Cyber-security and computer experts from the government and law enforcement are increasingly concerned with malicious code that runs on Linux and Apple Computer Inc.'s Mac OS X operating systems and threats posed by devices such as iPods and Xboxes.
http://www.eweek.com/article2/0%2C1895%2C1910371%2C00.asp

FYI - Computer crime costs $67 billion, FBI says - Dealing with viruses, spyware, PC theft and other computer-related crimes costs U.S. businesses a staggering $67.2 billion a year, according to the FBI.
http://news.com.com/2102-7349_3-6028946.html?tag=st.util.print

FYI - Banks 'must tackle online fraud' - Banks must do more to promote security among their online customers, the UK's finance watchdog has said. The Financial Services Authority (FSA) made the call as it revealed half of internet users are either extremely or very concerned about the risk of fraud.
http://news.bbc.co.uk/2/hi/business/4637226.stm

FYI - E*Trade to reimburse online-fraud victims - E*Trade Financial announced Tuesday that it will fully reimburse any customer who is the victim of fraudulent activity, the first online brokerage company to offer the kind of protection that credit- and debit-card users receive.
http://news.com.com/2102-1029_3-6028006.html?tag=st.util.print

FYI - Notre Dame probes hack of computer system - Two computer-forensic companies are helping the University of Notre Dame investigate an electronic break-in that may have exposed the personal and financial information of school donors.
http://news.com.com/2102-1029_3-6030229.html?tag=st.util.print

FYI - Stolen Ameriprise laptop had data on 230,000 people - Ameriprise Financial, the investment advisory unit spun off from American Express last year, said Wednesday that lists containing the personal information of about 230,000 customers and advisers had been compromised.
http://news.com.com/2102-1029_3-6031334.html?tag=st.util.print

FYI - Could your laptop be worth millions? - The average laptop could contain data worth almost $1 million, according to new research. A report released Friday by security-software company Symantec suggests that an ordinary notebook holds content valued at 550,000 pounds ($972,000), and that some could store as much as 5 million pounds, or $8.8 million, in commercially sensitive data and intellectual property.
http://news.com.com/2102-1029_3-6032177.html?tag=st.util.print
WEB SITE COMPLIANCE - Non-Deposit Investment Products

Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 2 of 3)

The certificate authority (CA), which may be the financial institution or its service provider, plays a key role by attesting with a digital certificate that a particular public key and the corresponding private key belong to a specific user or system. It is important when issuing a digital certificate that the registration process for initially verifying the identity of users is adequately controlled. The CA attests to the individual user's identity by signing the digital certificate with its own private key, known as the root key. Each time the user establishes a communication link with the financial institution's systems, a digital signature is transmitted with a digital certificate. These electronic credentials enable the institution to determine that the digital certificate is valid, identify the individual as a user, and confirm that transactions entered into the institution's computer system were performed by that user.

The user's private key exists electronically and is susceptible to being copied over a network as easily as any other electronic file. If it is lost or compromised, the user can no longer be assured that messages will remain private or that fraudulent or erroneous transactions will not be performed. User AUPs and training should emphasize the importance of safeguarding a private key and promptly reporting its compromise.

PKI minimizes many of the vulnerabilities associated with passwords because it does not rely on shared secrets to authenticate customers, its electronic credentials are difficult to compromise, and user credentials cannot be stolen from a central server. The primary drawback of a PKI authentication system is that it is more complicated and costly to implement than user names and passwords. Whether the financial institution acts as its own CA or relies on a third party, the institution should ensure its certificate issuance and revocation policies and other controls discussed below are followed.
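The exchange the booklet describes, as an added example that is not part of the newsletter or of the FFIEC booklet: the CA signs the user's certificate with its root key, the user signs a transaction with the private key and presents the signature together with the certificate, and the institution checks that the certificate chains to the root, has not been revoked, and that the signature verifies under the certified public key. It is written in Go against the standard library only; the CA name, user name, serial numbers, transaction text, one-day certificate lifetime and the in-memory revocation map are constructed stand-ins for a real CA's registration records and its CRL or OCSP service.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must(err error) {
	if err != nil {
		panic(err)
	}
}

// newKey generates an ECDSA P-256 key pair; the private half never leaves its owner.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	must(err)
	return k
}

// CA is a minimal certificate authority: the root key and its self-signed certificate.
type CA struct {
	Key     *ecdsa.PrivateKey
	Root    *x509.Certificate
	Revoked map[int64]bool // serials withdrawn after a reported key compromise; stand-in for a CRL
}

// NewCA creates the root key and signs a root certificate with it (one-day lifetime, constructed).
func NewCA(name string) *CA {
	key := newKey()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA:         true, BasicConstraintsValid: true,
		KeyUsage:     x509.KeyUsageCertSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	must(err)
	root, err := x509.ParseCertificate(der)
	must(err)
	return &CA{Key: key, Root: root, Revoked: map[int64]bool{}}
}

// Issue attests, by signing with the root key, that pub belongs to user (identity vetting happens earlier, at registration).
func (ca *CA) Issue(serial int64, user string, pub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Root, pub, ca.Key)
	must(err)
	cert, err := x509.ParseCertificate(der)
	must(err)
	return cert
}

// Sign is the user's side of the exchange: an ECDSA signature over SHA-256(msg).
func Sign(key *ecdsa.PrivateKey, msg []byte) []byte {
	h := sha256.Sum256(msg)
	sig, err := ecdsa.SignASN1(rand.Reader, key, h[:])
	must(err)
	return sig
}

// Authenticate is the institution's side: the presented certificate must chain to
// the root and not be revoked, and the signature must verify under the certified key.
func Authenticate(ca *CA, cert *x509.Certificate, msg, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	if ca.Revoked[cert.SerialNumber.Int64()] {
		return "", fmt.Errorf("certificate %s revoked", cert.SerialNumber)
	}
	if err := cert.CheckSignature(x509.ECDSAWithSHA256, msg, sig); err != nil {
		return "", fmt.Errorf("signature invalid: %w", err)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, userKey := NewCA("Example Root CA"), newKey() // constructed names and data
	cert := ca.Issue(2, "customer-42", &userKey.PublicKey)
	txn := []byte("transfer 100.00 from 1111 to 2222")
	fmt.Println(Authenticate(ca, cert, txn, Sign(userKey, txn)))
	ca.Revoked[2] = true // the owner reported the private key copied off a workstation
	fmt.Println(Authenticate(ca, cert, txn, Sign(userKey, txn)))
}
```

The three checks in Authenticate map onto the booklet's three outcomes: the chain check establishes that the certificate is valid, the subject name identifies the user, and the signature check ties the specific transaction to that user's private key. The revocation check is what makes the "promptly report compromise" requirement effective: once the serial is in the revoked set, the copied key still produces valid signatures but the institution no longer accepts them.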
INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

10. Determine if firewall and routing controls are in place and updated as needs warrant.
• Identify personnel responsible for defining and setting firewall rulesets and routing controls.
• Review procedures for updating and changing rulesets and routing controls.
• Confirm that the ruleset is based on the premise that all traffic that is not expressly allowed is denied, and that the firewall's capabilities for identifying and blocking traffic are effectively utilized.
• Confirm that network mapping through the firewall is disabled.
• Confirm that NAT and split DNS are used to hide internal names and addresses from external users. (Note: Split DNS is a method of segregating the internal DNS from the external DNS.)
• Confirm that malicious code is effectively filtered.
• Confirm that firewalls are backed up to external media, and not to servers on protected networks.
• Determine that firewalls and routers are subject to appropriate and functioning host controls.
• Determine that firewalls and routers are securely administered.
• Confirm that routing tables are regularly reviewed for appropriateness on a schedule commensurate with risk.
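One way to turn the ruleset points in this checklist into something that can be tested rather than eyeballed, as an added example that is not drawn from the newsletter or the FFIEC booklet: a small Go audit helper that reads a constructed five-field ruleset format (action, protocol, source, destination, port; not any vendor's syntax), evaluates flows with first-match semantics and an implicit deny, and flags allow-all rules, rules shadowed by an earlier broader rule, and a ruleset that lacks an explicit final deny-all. The sample ruleset, host labels and test flows are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Rule is one line of a simplified, constructed ruleset format:
// <allow|deny> <proto|any> <src|any> <dst|any> <port|any>, first match wins.
type Rule struct{ Action, Proto, Src, Dst, Port string }

// Flow is one connection attempt to test against the ruleset.
type Flow struct{ Proto, Src, Dst, Port string }

// SampleRuleset is a constructed export from an Internet-facing firewall.
const SampleRuleset = `
# web tier reachable from anywhere on HTTPS, bastion only from the management network
allow tcp any web 443
allow tcp mgmt bastion 22
deny tcp any web 443
allow udp any resolver 53
deny any any any any
`

// ParseRules reads the format above; blank lines and '#' comments are skipped.
func ParseRules(text string) ([]Rule, error) {
	var rules []Rule
	for n, line := range strings.Split(text, "\n") {
		line = strings.TrimSpace(line)
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		f := strings.Fields(line)
		if len(f) != 5 || (f[0] != "allow" && f[0] != "deny") {
			return nil, fmt.Errorf("line %d: malformed rule %q", n+1, line)
		}
		rules = append(rules, Rule{f[0], f[1], f[2], f[3], f[4]})
	}
	return rules, nil
}

func match(pattern, value string) bool { return pattern == "any" || pattern == value }

func (r Rule) matches(f Flow) bool {
	return match(r.Proto, f.Proto) && match(r.Src, f.Src) && match(r.Dst, f.Dst) && match(r.Port, f.Port)
}

// covers reports whether every flow b would match is also matched by a.
func covers(a, b Rule) bool {
	return match(a.Proto, b.Proto) && match(a.Src, b.Src) && match(a.Dst, b.Dst) && match(a.Port, b.Port)
}

// Decide applies first-match semantics; a flow no rule mentions is denied,
// which is the "not expressly allowed means denied" premise in code.
func Decide(rules []Rule, f Flow) string {
	for _, r := range rules {
		if r.matches(f) {
			return r.Action
		}
	}
	return "deny"
}

// Audit returns the findings an examiner would raise: allow rules with no
// restriction at all, rules shadowed by an earlier broader rule (they can never
// fire, so the written policy and the enforced policy differ), and a ruleset
// that lacks an explicit final deny-all (which keeps the default visible and logged).
func Audit(rules []Rule) []string {
	var findings []string
	allowAll := Rule{"allow", "any", "any", "any", "any"}
	for i, r := range rules {
		if r == allowAll {
			findings = append(findings, fmt.Sprintf("rule %d allows all traffic", i+1))
		}
		for j := 0; j < i; j++ {
			if covers(rules[j], r) {
				findings = append(findings, fmt.Sprintf("rule %d is shadowed by rule %d and never matches", i+1, j+1))
				break
			}
		}
	}
	if n := len(rules); n == 0 || rules[n-1] != (Rule{"deny", "any", "any", "any", "any"}) {
		findings = append(findings, "ruleset does not end with an explicit deny-all rule")
	}
	return findings
}

func main() {
	rules, err := ParseRules(SampleRuleset)
	if err != nil {
		panic(err)
	}
	for _, f := range Audit(rules) {
		fmt.Println("finding:", f)
	}
	for _, f := range []Flow{{"tcp", "internet", "web", "443"}, {"tcp", "internet", "bastion", "22"}, {"tcp", "internet", "web", "8080"}} {
		fmt.Printf("%v -> %s\n", f, Decide(rules, f))
	}
}
```

On the sample ruleset the only finding is the shadowed third rule; the bastion flow from the Internet is denied because no allow rule mentions it, not because a rule denies it, which is exactly the behaviour the checklist asks the examiner to confirm. Running an exported ruleset through a check like this before and after each change supports the "review procedures for updating and changing rulesets" item as well.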
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 4 of 6)

Requirements for Notices (continued)

Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution's privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:
1) categories of information collected;
2) categories of information disclosed;
3) categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;
4) policies with respect to the treatment of former customers' information;
5) information disclosed to service providers and joint marketers (Section 13);
6) an explanation of the opt out right and methods for opting out;
7) any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;
8) policies for protecting the security and confidentiality of information; and
9) a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).