REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.FYI - "Human error" contributes to nearly all cyber incidents, study finds - Even though organizations may have all of the bells and whistles needed in their data security arsenal, it's the human element that continues to fuel cyber incidents occurring, according to one recent study. http://www.scmagazine.com/human-error-contributes-to-nearly-all-cyber-incidents-study-finds/article/356015/

FYI - Former NSA chief pitches consulting work for $1 million per month - The National Security Agency's (NSA) former chief hasn't retired just yet. http://www.scmagazine.com/former-nsa-chief-pitches-consulting-work-for-1-million-per-month/article/360158/

FYI - Hacked Companies Face SEC Scrutiny Over Disclosure - The U.S. Securities and Exchange Commission has opened investigations of multiple companies in recent months examining whether they properly handled and disclosed a growing number of cyberattacks. http://www.bloomberg.com/news/2014-07-02/hacked-companies-face-sec-scrutiny-over-disclosure.html

FYI - Sneaky Android RAT disables required anti-virus apps to steal banking info - Researchers with FireEye have identified HijackRAT, a crafty remote access trojan (RAT) for mobile devices running the Android operating system that can steal banking information by disabling anti-virus applications, among other things. http://www.scmagazine.com/sneaky-android-rat-disables-required-anti-virus-apps-to-steal-banking-info/article/359412/

FYI - NCL calls on gov't, business to better protect consumer data - A consumer group is pushing business and government to adopt comprehensive reforms to better protect consumer data. http://www.scmagazine.com/ncl-calls-on-govt-business-to-better-protect-consumer-data/article/359718/

FYI - Russian MPs back law on internet data storage- The Kremlin says the move is for data protection but critics fear it is aimed at muzzling social networks like Twitter and Facebook. http://www.bbc.com/news/world-europe-28173513

FYI - Australian teen accepts police caution to avoid hacking charge - An Australian teenager has accepted a caution from police rather than face charges for discovering a vulnerability in the website of one of the country’s public transport authorities late last year. http://www.networkworld.com/article/2451162/legal/australian-teen-accepts-police-caution-to-avoid-hacking-charge.html

FYI - Pics, other data, recovered from 'wiped' Android phones purchased on eBay - Restoring Android smartphones to default, or erasing the memory, will not stop attackers from recovering personal information and possibly using it for nefarious purposes, AVAST researchers found after purchasing 20 "wiped" devices on eBay and digging up, altogether, more than 40,000 individual bits of data. http://www.scmagazine.com/nude-pics-other-data-recovered-from-wiped-android-phones-purchased-on-ebay/article/359920/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Brazilian 'bolware' gang targeted $3.75B in transactions, RSA finds - While the financial sector in Brazil continues to wrestle with “bolware” attacks – malware targeting a popular payment method in the country called “Boleto,” new findings on a fraud ring furthering the schemes have surfaced. http://www.scmagazine.com/brazilian-bolware-gang-targeted-375b-in-transactions-rsa-finds/article/359083/

FYI - HotelHippo shuts down permanently after security flaws discovered - After a security consultant turned customer found and reported a number of potentially serious security vulnerabilities on its travel booking site, HotelHippo has shuttered the site for good. http://www.scmagazine.com/hotelhippo-shuts-down-permanently-after-security-flaws-discovered/article/359796/

FYI - St. Vincent BC mails 63K letters to wrong people - A clerical error resulted in Indianapolis-based St. Vincent BC mailing more than 63,000 letters containing personal information to the wrong people. http://www.scmagazine.com/st-vincent-breast-center-mails-63k-letters-to-wrong-people/article/359791/

FYI - Former employee posts data online, 10K impacted in Missouri school district - At Park Hill School District in Missouri, more than 10,000 current and former staffers and students are being notified that their personal information - including Social Security numbers - was accessed after a former employee made the data accessible from the internet. http://www.scmagazine.com/former-employee-posts-data-online-10k-impacted-in-missouri-school-district/article/360008/

FYI - Thousands notified of six-month payment card breach at The Houstonian Hotel - It is unclear how many transactions have been impacted, but The Houstonian Hotel, Club & Spa in Texas has already notified more than 10,000 customers that their payment card data was exposed in a roughly six-month-long attack on the hotel's payment processing systems. http://www.scmagazine.com/thousands-notified-of-six-month-payment-card-breach-at-the-houstonian-hotel/article/360317/

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Risk management challenges

The Electronic Banking Group (EBG) noted that the fundamental characteristics of e-banking (and e-commerce more generally) posed a number of risk management challenges:

1.   The speed of change relating to technological and customer service innovation in e-banking is unprecedented. Historically, new banking applications were implemented over relatively long periods of time and only after in-depth testing. Today, however, banks are experiencing competitive pressure to roll out new business applications in very compressed time frames - often only a few months from concept to production. This competition intensifies the management challenge to ensure that adequate strategic assessment, risk analysis and security reviews are conducted prior to implementing new e-banking applications.

2.   Transactional e-banking web sites and associated retail and wholesale business applications are typically integrated as much as possible with legacy computer systems to allow more straight-through processing of electronic transactions. Such straight-through automated processing reduces opportunities for human error and fraud inherent in manual processes, but it also increases dependence on sound systems design and architecture as well as system interoperability and operational scalability.

3.  E-banking increases banks' dependence on information technology, thereby increasing the technical complexity of many operational and security issues and furthering a trend towards more partnerships, alliances and outsourcing arrangements with third parties, many of whom are unregulated. This development has been leading to the creation of new business models involving banks and non-bank entities, such as Internet service providers, telecommunication companies and other technology firms.

4)  The Internet is ubiquitous and global by nature. It is an open network accessible from anywhere in the world by unknown parties, with routing of messages through unknown locations and via fast evolving wireless devices. Therefore, it significantly magnifies the importance of security controls, customer authentication techniques, data protection, audit trail procedures, and customer privacy standards.

Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

ENCRYPTION KEY MANAGEMENT

Since security is primarily based on the encryption keys, effective key management is crucial. Effective key management systems are based on an agreed set of standards, procedures, and secure methods that address

! Generating keys for different cryptographic systems and different applications;
! Generating and obtaining public keys;
! Distributing keys to intended users, including how keys should be activated when received;
! Storing keys, including how authorized users obtain access to keys;
! Changing or updating keys including rules on when keys should be changed and how this will be done;
! Dealing with compromised keys;
! Revoking keys and specifying how keys should be withdrawn or deactivated;
! Recovering keys that are lost or corrupted as part of business continuity management;
! Archiving keys;
! Destroying keys;
! Logging the auditing of key management - related activities; and
! Instituting defined activation and deactivation dates, limiting the usage period of keys.

Secure key management systems are characterized by the following precautions.

! Key management is fully automated (e.g. personnel do not have the opportunity to expose a key or influence the key creation).
! No key ever appears unencrypted.
! Keys are randomly chosen from the entire key space, preferably by hardware.
! Key - encrypting keys are separate from data keys. No data ever appears in clear text that was encrypted using a key - encrypting key. (A key - encrypting key is used to encrypt other keys, securing them from disclosure.)
! All patterns in clear text are disguised before encrypting.
! Keys with a long life are sparsely used. The more a key is used, the greater the opportunity for an attacker to discover the key.
! Keys are changed frequently. The cost of changing keys rises linearly while the cost of attacking the keys rises exponentially. Therefore, all other factors being equal, changing keys increases the effective key length of an algorithm.
! Keys that are transmitted are sent securely to well - authenticated parties.
! Key generating equipment is physically and logically secure from construction through receipt, installation, operation, and removal from service.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Consumer and Customer:

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:

1)  maintains a deposit or investment account; 

2)  obtains a loan; 

3)  enters into a lease of personal property; or 

4)  obtains financial, investment, or economic advisory services for a fee.

Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution.

There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.

Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.