R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

March 23, 2014

CONTENTS
Internet Compliance Web Site Audits
IT Security
Internet Privacy
Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - New EU cybersecurity law avoids making big Internet companies report breaches - Breach rule extends only to companies that own, operate or provide technology for critical infrastructure facilities. Europe on Thursday approved a new cybersecurity law, but held back from requiring Internet giants such as Google, Amazon, Ebay and Skype, to report security incidents.  http://www.networkworld.com/news/2014/031314-new-eu-cybersecurity-law-avoids-279681.html

FYI - MasterCard, Visa to push EMV; NRF calls for use of PINs - A MasterCard and Visa alliance aimed at migrating the U.S. payment system to EMV drew criticism from a major retailer group. Soon after MasterCard and Visa announced a partnership to enhance payment security by accelerating the adoption of EMV chip technology, the National Retail Federation (NRF) took their plans to task. http://www.scmagazine.com/mastercard-visa-to-push-emv-nrf-calls-for-use-of-pins/article/338019/

FYI - Google is encrypting search globally. That’s bad for the NSA and China’s censors. - Google has begun routinely encrypting Web searches conducted in China, posing a bold new challenge to that nation’s powerful system for censoring the Internet and tracking what individual users are viewing online. http://www.washingtonpost.com/blogs/the-switch/wp/2014/03/12/google-is-encrypting-search-worldwide-thats-bad-for-the-nsa-and-china/

FYI - No employees fell for failed Army phishing test - A U.S. Army combat commander seeking to test employee awareness of phishing emails failed badly when he sent one out on his own and caused mass confusion - but no staffers actually fell for the fake scam, making it something of a success. http://www.scmagazine.com/no-employees-fell-for-failed-army-phishing-test/article/338557/

FYI - Morrisons staffer arrested for stealing payroll data on 100K employees - A Morrisons employee was arrested in Leeds and remains in custody, just days after the UK supermarket chain announced it suspected an insider took payroll data on about 100,000 employees and leaked it online and to a local newspaper. http://www.scmagazine.com/morrisons-staffer-arrested-for-stealing-payroll-data-on-100k-employees/article/338548/

FYI - Critical Stuxnet-level vulnerabilities discovered in UK power plants - Security researchers have discovered three critical vulnerabilities in a popular industrial control system used by more than 7,600 power, chemical and petrochemical plants across the globe. http://www.v3.co.uk/v3-uk/news/2334217/critical-stuxnet-level-vulnerabilities-discovered-in-uk-power-plants

FYI - Court approves first-of-its-kind data breach settlement - AvMed agrees to set aside $3 million for breach victims, whether they suffered direct harm or not - Courts have generally tended to dismiss consumer class-action lawsuits filed against companies that suffer data breaches if victims can't show that the breach directly caused a financial hit. http://www.computerworld.com/s/article/9247017/Court_approves_first_of_its_kind_data_breach_settlement?taxonomyId=17

FYI - Men from Ukraine, New York Charged in International Cybercrime Scheme - Federal prosecutors on Monday announced the indictment of three men they accuse of being members of an international cybercrime ring that tried to steal at least $15 million by hacking into U.S. customer accounts at 14 financial institutions and the Department of Defense's payroll service. http://www.nbcnews.com/tech/tech-news/men-ukraine-new-york-charged-international-cybercrime-scheme-n55171

FYI - Miss Teen USA hacker sentenced to 18 months in federal prison - A 20-year-old California college student who hacked into at least 150 online accounts, including those of a former Miss Teen USA, was sentenced to 18 months in federal prison earlier this week. http://www.scmagazine.com/miss-teen-usa-hacker-sentenced-to-18-months-in-federal-prison/article/338670/

FYI - Breaches, malware to cost $491 billion in 2014, study says - The cost of a data breach or malware infection extends well beyond the dollars spent on responding and addressing security issues - productivity takes a big hit as enterprises and consumers spend countless hours dealing with the threats. http://www.scmagazine.com/breaches-malware-to-cost-491-billion-in-2014-study-says/article/339167/ 

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Missed Alarms and 40 Million Stolen Credit Card Numbers: How Target Blew It - The biggest retail hack in U.S. history wasn’t particularly inventive, nor did it appear destined for success. In the days prior to Thanksgiving 2013, someone installed malware in Target’s (TGT) security and payments system designed to steal every credit card used at the company’s 1,797 U.S. stores. http://www.businessweek.com/articles/2014-03-13/target-missed-alarms-in-epic-hack-of-credit-card-data

FYI - Insider suspected of stealing payroll data on 100K Morrisons staffers - An insider is suspected of taking payroll data on about 100,000 employees of UK supermarket chain Morrisons, and leaking it online and to a local newspaper, Mail Online reported on Friday. http://www.scmagazine.com/insider-suspected-of-stealing-payroll-data-on-100k-morrisons-staffers/article/338280/

FYI - CD in refurbished drive contained unencrypted info on 15K NYC transit workers - Roughly 15,000 active, retired, former, and deceased New York City transit workers may have personal information - including Social Security numbers - at risk after the unencrypted data was discovered on a CD inside a refurbished CD drive. http://www.scmagazine.com/cd-in-refurbished-drive-contained-unencrypted-info-on-15k-nyc-transit-workers/article/338265/

FYI - Sally Beauty changes tune, says customer data was accessed in breach - after initially finding “no evidence” that customer card data was taken after a breach, Sally Beauty has now confirmed that fewer than 25,000 records containing card data were illegally accessed by intruders. http://www.scmagazine.com/sally-beauty-changes-tune-says-customer-data-was-accessed-in-breach/article/338498/

FYI - Virus compromises sensitive info on 5,400 Colorado hospital patients - Social Security numbers and payment card data is among the personal information that may have been compromised for about 5,400 patients of Colorado-based Valley View Hospital after a computer virus was identified on some hospital computers. http://www.scmagazine.com/virus-compromises-sensitive-info-on-5400-colorado-hospital-patients/article/338488/

FYI - DDoS attacks against NATO likely DNS amplification or NTP reflection, expert suggests - A distributed denial-of-service (DDoS) attack carried out against various NATO websites on Sunday was likely a Domain Name Server (DNS) amplification attack or a Network Time Protocol (NTP) reflection attack – or possibly some combination of both – according to a DDoS expert. http://www.scmagazine.com/ddos-attacks-against-nato-likely-dns-amplification-or-ntp-reflection-expert-suggests/article/338524/

FYI - Dave & Buster's Waitress Arrested in Alleged Skimming Plot - Police say customers at the restaurant in Westbury on Long Island may have been victims - A waitress at a Dave & Buster's restaurant on Long Island has been arrested along with three alleged accomplices, accused of stealing customers' credit card information with a skimming device. http://www.nbcnewyork.com/news/local/Dave-Busters-Waitress-Arrested-Skimming-Customers-Credit-Card-250705311.html

FYI - Maryland nonprofit breached, nearly 10K impacted, suspect identified - Nearly 10,000 clients of Maryland-based Service Coordination Inc. (SCI) – a nonprofit organization that supports intellectually and developmentally disabled people – may have personal information at risk after an individual gained unauthorized access to SCI computer systems. http://www.scmagazine.com/maryland-nonprofit-breached-nearly-10k-impacted-suspect-identified/article/338656/

FYI - Hacked EA Games server puts Apple IDs and card data at risk - Apple ID accounts, payment card data and other personal information are at risk for victims of a fairly convincing phishing scam being hosted on a compromised EA Games server, according to UK-based internet security company Netcraft. http://www.scmagazine.com/hacked-ea-games-server-puts-apple-ids-and-card-data-at-risk/article/338984/

FYI - Personal info ends up online, nearly 9,000 Ohio patients affected - A file containing personal information – including Social Security numbers and payment card data – on almost 9,000 patients of HealthSource of Ohio (HSO) was viewed 47 times in the roughly five-week span it was made available on the internet. http://www.scmagazine.com/personal-info-ends-up-online-nearly-9000-ohio-patients-affected/article/338732/

FYI - IRS staffer uses drive at home, risks unencrypted data on 20K workers - The personal information - including Social Security numbers - of 20,000 current and former U.S. Internal Revenue Service (IRS) workers may be at risk after an employee took home a thumb drive that contained the unencrypted data and plugged it into an unsecured home network. http://www.scmagazine.com/irs-staffer-uses-drive-at-home-risks-unencrypted-data-on-20k-workers/article/339044/


WEB SITE COMPLIANCE -
We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

RISK ASSESSMENT/MANAGEMENT

A thorough and proactive risk assessment is the first step in establishing a sound security program. This is the ongoing process of evaluating threats and vulnerabilities, and establishing an appropriate risk management program to mitigate potential monetary losses and harm to an institution's reputation. Threats have the potential to harm an institution, while vulnerabilities are weaknesses that can be exploited.

The extent of the information security program should be commensurate with the degree of risk associated with the institution's systems, networks, and information assets. For example, compared to an information-only Web site, institutions offering transactional Internet banking activities are exposed to greater risks. Further, real-time funds transfers generally pose greater risks than delayed or batch-processed transactions because the items are processed immediately. The extent to which an institution contracts with third-party vendors will also affect the nature of the risk assessment program.


 
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Application-Level Firewalls

Application-level firewalls perform application-level screening, typically including the filtering capabilities of packet filter firewalls with additional validation of the packet content based on the application. Application-level firewalls capture and compare packets to state information in the connection tables. Unlike a packet filter firewall, an application-level firewall continues to examine each packet after the initial connection is established for specific applications or services such as telnet, FTP, HTTP, SMTP, etc. The application-level firewall can provide additional screening of the packet payload for commands, protocols, packet length, authorization, content, or invalid headers. Application-level firewalls provide the strongest level of security, but are slower and require greater expertise to administer properly.

The primary disadvantages of application-level firewalls are:

- The time required to read and interpret each packet slows network traffic. Traffic of certain types may have to be split off before the application-level firewall and passed through different access controls.

- Any particular firewall may provide only limited support for new network applications and protocols. It may also simply allow traffic from those applications and protocols to pass through the firewall unscreened.
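The screening the booklet describes, as an added Python illustration that is not part of the FFIEC text: a connection table is kept per session, and every later payload of an established HTTP or FTP session is still checked for command, length and header validity. The port-to-service mapping, the permitted command sets and the 512-byte length limit are assumed policy values chosen for the example.

```python
import re

MAX_PAYLOAD = 512                                   # assumed policy limit
ALLOWED_HTTP_METHODS = {"GET", "HEAD", "POST"}      # assumed policy
ALLOWED_FTP_COMMANDS = {"USER", "PASS", "LIST", "RETR", "QUIT"}
# RFC 7230 token name, a single ": ", then printable ASCII only
HEADER_RE = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+: [\x20-\x7e]*$")


class AppLevelFirewall:
    """Stateful application-level screen for HTTP (80) and FTP (21)."""

    def __init__(self):
        self.connections = {}   # (src, dst, dport) -> service name

    def inspect(self, src, dst, dport, payload):
        """Screen one payload; returns ('allow'|'deny', reason)."""
        key = (src, dst, dport)
        if key not in self.connections:
            service = {80: "http", 21: "ftp"}.get(dport)
            if service is None:
                return "deny", "service not permitted"
            self.connections[key] = service
        # Every packet of the established session is examined, not just the first.
        if len(payload) > MAX_PAYLOAD:
            return "deny", "payload exceeds length limit"
        if self.connections[key] == "http":
            return self._screen_http(payload)
        return self._screen_ftp(payload)

    @staticmethod
    def _screen_http(payload):
        lines = payload.split("\r\n")
        parts = lines[0].split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
            return "deny", "malformed request line"
        if parts[0] not in ALLOWED_HTTP_METHODS:
            return "deny", f"method {parts[0]} not permitted"
        for header in lines[1:]:
            if header == "":
                break               # blank line ends the header block
            if not HEADER_RE.match(header):
                return "deny", "invalid header"
        return "allow", "http request ok"

    @staticmethod
    def _screen_ftp(payload):
        command = payload.strip().split(" ", 1)[0].upper()
        if command not in ALLOWED_FTP_COMMANDS:
            return "deny", f"ftp command {command} not permitted"
        return "allow", "ftp command ok"
```

A packet filter would have admitted every one of the denied payloads below once port 80 or 21 was open; the payload checks are what the booklet means by screening after the connection is established.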



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13-15, unless:

a.  it has provided the consumer with an initial notice; [§10(a)(1)(i)]

b.  it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]

c.  it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and

d.  the consumer has not opted out? [§10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
