FYI -
Swedish Bank Stops Digital Theft - A gang of Swedish criminals was
seconds away from completing a digital bank heist when an alert
employee literally pulled the plug on their brazen scam,
investigators said.
http://apnews1.iwon.com/article/20080130/D8UG7LIG3.html
FYI -
Increasing security breaches worry Energy IG - Inspector General
Gregory Friedman hopes to lock down security on the Energy
Department's interconnected computer networks, after auditors called
132 security breaches serious enough to report to law enforcement in
fiscal 2006 - 22 percent more than in the prior year.
http://www.fcw.com/online/news/151398-1.html?type=pf
FYI -
French Bank Rocked by Rogue Trader - $7.2 Billion in Losses - On a
Quiet 31-Year-Old - The rogues' gallery of banking has a new
candidate for membership: 31-year-old trader Jérôme Kerviel.
http://online.wsj.com/article/SB120115814649013033.html?mod=djemalertNEWS
http://www.telegraph.co.uk/money/main.jhtml?xml=/money/2008/01/25/bcnkerviel325.xml
FYI -
French bank could have stopped $7 billion insider fraud - Societe
Generale might have been able to prevent a year-long binge of
fraudulent transactions by one of its mid-level traders - which the
French banking giant confirmed this week has cost it more than $7
billion in losses - simply by instituting stricter password controls
and applying available software that tracks transactions to
individual workstations, analysts told SCMagazineUS.com.
http://www.scmagazineus.com/French-bank-could-have-a-thwarted-7-billion-insider-fraud-with-better-password-workstation-controls-analysts/article/104586/
FYI -
Societe Generale's 'Hacker' Trader Had Only Limited Computer Skills
- The French banker accused of operating a multibillion-dollar
fraudulent trading scheme apparently knew Microsoft Office, Visual
Basic, and little else. The Societe Generale banker accused of
operating a multibillion-dollar fraudulent trading scheme had only
basic computing and programming skills -- a fact that deepens the
mystery of how he managed to circumvent layers of highly
sophisticated security software designed to prevent unauthorized
activity.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=205918671
FYI -
NIST to release SCAP FDCC scanner list - On Feb. 1 the National
Institute of Standards and Technology will release a list of
validated scanners that check for Federal Desktop Core Configuration
compliance. The scanners all use the Security Content Automation
Protocol (SCAP) to automatically scan desktop computers and return
the results, said Peter Mell, NIST's SCAP validation program
manager, at an FDCC workshop held yesterday in Gaithersburg, Md.
http://www.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=45735
FYI -
Bush Order Expands Network Monitoring - President Bush signed a
directive this month that expands the intelligence community's role
in monitoring Internet traffic to protect against a rising number of
attacks on federal agencies' computer systems.
http://www.washingtonpost.com/wp-dyn/content/article/2008/01/25/AR2008012503261.html?wpisrc=rss_technology
FYI -
ChoicePoint Settles Data Breach Lawsuit - Will pay $10 million to
settle class action - Data broker ChoicePoint has agreed to pay $10
million to settle a class-action lawsuit brought against it over the
2004 theft of 163,000 personal information records by a ring of
Nigerian identity thieves.
http://www.consumeraffairs.com/news04/2008/01/choicepoint_settle.html
FYI -
US government workers fired for visiting adult sites - Sackings
follow month-long investigation - Nine employees in the US District
of Columbia have been given their marching orders for watching adult
websites on government PCs during work hours.
http://www.vnunet.com/vnunet/news/2208112/government-workers-fired
FYI -
Storm makes house calls: New messages lead to bogus medical sites,
evade filters - The notorious Storm worm botnet, which has mounted
phishing attacks on major banks and spawned several waves of
holiday-themed messages in recent weeks, has now changed tactics and
is generating spam that directs recipients to bogus medical sites.
http://www.scmagazineus.com/Storm-makes-house-calls-New-messages-lead-to-bogus-medical-sites-evade-filters/article/104722/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
T. Rowe Price contractor loses hard drives with data - Global
investment management firm T. Rowe Price has admitted to thieves
stealing two laptops containing the sensitive information of
thousands of 401(k) participants from the St. Louis office of a
third-party contractor.
http://www.scmagazineus.com/T-Rowe-Price-contractor-loses-hard-drives-containing-retirement-information/article/104707/
FYI -
Hackers steal OmniAmerican account data - An international gang of
cyber criminals hacked into OmniAmerican Bank's records, the bank's
president disclosed. They stole scores of account numbers, created
new PINs, fabricated debit cards, then withdrew cash from ATMs in
Eastern Europe, including Russia and Ukraine, as well as in Britain,
Canada and New York.
http://www.star-telegram.com/business/story/429367.html
FYI -
Florida woman accused of deleting $2.5 million in data - A Florida
woman, fearing she was about to be fired from her job, was arrested
this week for allegedly deleting seven years' worth of her
employer's architectural data.
http://www.scmagazineus.com/Florida-woman-accused-of-deleting-25-million-in-data-from-employer/article/104575/
FYI -
Now victims of crime have details lost in post in latest Government
data bungle - Sensitive details about victims of crime may have
fallen into the wrong hands in yet another lost data bungle by
Government officials. Four computer discs containing confidential
details of magistrates court cases are missing after being posted
through the Royal Mail.
http://www.dailymail.co.uk/pages/live/articles/news/news.html?in_article_id=509817&in_page_id=1770
FYI -
Federal officials probe HMO data breach - Medicare officials said
yesterday they are conducting their own investigation into a Fallon
Community Health Plan data breach, examining the circumstances
around a stolen laptop and how the health plan responded to the
incident.
http://www.telegram.com/article/20080126/NEWS/801260320/1002/BUSINESS
http://www.telegram.com/article/20080124/ALERT01/769284629
FYI -
Stolen M&S laptop contains 26,000 pension details - ICO demands
overhaul of data security - Retailer Marks & Spencer (M&S) could
face prosecution if it does not comply within two months to the
overhaul of its data security after losing 26,000 employees' pension
details.
http://software.silicon.com/security/0,39024655,39169821,00.htm
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.
Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY STEPS
Common elements of risk assessment approaches involve three phases: information gathering, analysis, and prioritizing responses. Vendor concerns add further elements to the process.
INFORMATION GATHERING
Identifying and understanding risk requires the analysis of a wide range of information relevant to the particular institution's risk environment. Once gathered, the information can be catalogued to facilitate later analysis. Information gathering generally includes the following actions:
1) Obtaining listings of information system assets (e.g., data, software, and hardware). Inventories on a device-by-device basis can be helpful in risk assessment as well as risk mitigation. Inventories should consider whether data resides in house or at a TSP.
2) Determining threats to those assets, resulting from people with malicious intent, employees and others who accidentally cause damage, and environmental problems that are outside the control of the organization (e.g., natural disasters, failures of interdependent infrastructures such as power, telecommunications, etc.).
3) Identifying organizational vulnerabilities (e.g., weak senior management support, ineffective training, inadequate expertise or resource allocation, and inadequate policies, standards, or procedures).
4) Identifying technical vulnerabilities (e.g., vulnerabilities in hardware and software, configurations of hosts, networks, workstations, and remote access).
5) Documenting current controls and security processes, including both information technology and physical security.
6) Identifying security requirements and considerations (e.g., GLBA).
7) Maintaining the risk assessment process requires institutions to review and update their risk assessment at least once a year, or more frequently in response to material changes in any of the six actions above.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
1. Determine whether the financial institution
has removed or reset default profiles and passwords from new systems
and equipment.
2. Determine whether access to system administrator level is
adequately controlled.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
14. Does the institution describe the following about its policies
and practices with respect to protecting the confidentiality and
security of nonpublic personal information:
a. who is authorized to have access to the information; and
[§6(c)(6)(i)]
b. whether security practices and policies are in place to ensure
the confidentiality of the information in accordance with the
institution's policy? [§6(c)(6)(ii)]
(Note: the institution is not required to describe technical information about the safeguards used in this respect.)