R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 4, 2013

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - MI5 and GCHQ urge FTSE chiefs to carry out cyber security ‘health check’ - The security bodies have asked that the check not be carried out by the CIO - The director general of MI5 and the director of GCHQ have written to all chairmen of FTSE 350 companies asking them to take part in a “cyber governance health check”, in a bid to raise awareness at the top of the corporate food chain and highlight internal vulnerabilities. http://www.computerworlduk.com/news/security/3460812/mi5-gchq-urge-ftse-chiefs-carry-out-cyber-security-health-check/

FYI - Banking trojan KINS resembles architecture of Zeus, targets Windows users - A new banking trojan designed to steal financial information from Windows users is up for sale, and researchers may be mixing it up with other malware. http://www.scmagazine.com/banking-trojan-kins-resembles-architecture-of-zeus-targets-windows-users/article/304236/?DCMP=EMC-SCUS_Newswire

FYI - Hack of Chipotle's Twitter account faked by company - Considering a number of high-profile companies have fallen victim to Twitter account hijacks, prompting the service to install additional protections, a bizarre string of tweets sent by Chipotle Mexican Grill's account on Sunday appeared to fit the pattern of a hack. http://www.scmagazine.com/hack-of-chipotles-twitter-account-faked-by-company/article/304618/?DCMP=EMC-SCUS_Newswire

FYI - High court bans publication of car-hacking paper - Researchers won't publish redacted version because info is already online. A high court judge has ruled that a computer scientist cannot publish an academic paper over fears that it could lead to vehicle theft. http://arstechnica.com/tech-policy/2013/07/high-court-bans-publication-of-car-hacking-paper/

FYI - Five charged in hacking corporate networks to steal 160M card numbers - Federal prosecutors in New Jersey announced Thursday that five men have been charged for their role in one of the country's largest-ever hacking operations to be dismantled.
http://www.scmagazine.com/five-charged-in-hacking-corporate-networks-to-steal-160m-card-numbers/article/304580/?DCMP=EMC-SCUS_Newswire
http://www.computerworld.com/s/article/9241078/Five_indicted_in_massive_hacking_scheme?taxonomyId=17

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - NYC's new Citi Bike program exposes card info of riders - New York City's two-month-old bike-sharing program, Citi Bike, sustained a data breach that exposed the personal and financial information of people who signed up for annual membership.
http://www.scmagazine.com/nycs-new-citi-bike-program-exposes-card-info-of-riders/article/304315/?DCMP=EMC-SCUS_Newswire
http://ct.cnet-ssa.cnet.com/clicks?t=1199140986-183be54620d9785ea1f4b2382fd5f285-bf&brand=CNET-SSA&s=5

FYI - Medical supply company files lawsuit after breach - San Jose Medical Supply Co. in California has filed a lawsuit against former employees for allegedly disclosing customer information to two competitors, which it also is suing. http://www.scmagazine.com/medical-supply-company-files-lawsuit-after-breach/article/304408/?DCMP=EMC-SCUS_Newswire

FYI - Top server host OVH warns of 'multi-stage' hacking attack - 'Higher level of paranoia' suggests EU and US users should change passwords - French-based server host OVH has warned that its systems have been penetrated in a multi-stage attack that leaves US and European customers at risk. http://www.theregister.co.uk/2013/07/23/top_server_host_ovh_warns_of_multistage_hacking_attack/

FYI - Syrian Electronic Army hacks Viber App Store account listing - Apple iOS users who checked out the Israeli start-up's Apple App Store page this weekend may have noticed an updated description reading: “We created this app to spy on you, PLEASE DOWNLOAD IT!” http://www.scmagazine.com/syrian-electronic-army-hacks-viber-app-store-account-listing/article/305026/?DCMP=EMC-SCUS_Newswire

FYI - Patients notified after resident doctors store their data on Google - Portland-based Oregon Health & Science University (OSHU) notified more than 3,000 patients that their information had been stored in an unauthorized cloud service. http://www.scmagazine.com/patients-notified-after-resident-doctors-store-their-data-on-google/article/304960/?DCMP=EMC-SCUS_Newswire

FYI - White House Employees’ Personal Email Hacked - Three White House staffers have had their personal Gmail accounts breached in what appears to be a malicious operation directed at the team responsible for the Obama administration's social media outreach, according to individuals familiar with the incident. http://www.nextgov.com/cybersecurity/2013/07/white-house-employees-personal-email-hacked/67556/?oref=ng-channeltopstory

FYI - Don’t Get Sucker Pumped - Gas pump skimmers are getting craftier. A new scam out of Oklahoma that netted thieves $400,000 before they were caught is a reminder of why it’s usually best to pay with credit versus debit cards when filling up the tank. http://krebsonsecurity.com/2013/07/dont-get-sucker-pumped/

FYI - Professor fools $80M superyacht’s GPS receiver on the high seas - One of the world’s foremost academic experts in GPS spoofing - A University of Texas assistant professor - released a short video on Monday showing how he and his students deceived the GPS equipment aboard an expensive superyacht. http://arstechnica.com/security/2013/07/professor-spoofs-80m-superyachts-gps-receiver-on-the-high-seas/

FYI - Stanford University Network Hacked - Stanford University says it has been hacked and is trying to determine the extent of the breach. http://www.informationweek.com/education/security/stanford-university-network-hacked/240158977

FYI - Oil, gas field sensors vulnerable to attack via radio waves - Researchers with IOActive say they can shut down a plant from up to 40 miles away by attacking industrial sensors - Sensors widely used in the energy industry to monitor industrial processes are vulnerable to attack from 40 miles away using radio transmitters, according to alarming new research. http://www.computerworld.com/s/article/9241109/Oil_gas_field_sensors_vulnerable_to_attack_via_radio_waves?taxonomyId=17

FYI - Seventeen companies, including banks and retailers, named as victims in hacker campaign - Numerous companies have been identified as victims of a nearly seven-year-long hacking operation that resulted Wednesday with the indictment of five more individuals. http://www.scmagazine.com/seventeen-companies-including-banks-and-retailers-named-as-victims-in-hacker-campaign/article/304605/?DCMP=EMC-SCUS_Newswire

FYI - BlackBerry purportedly sending users' email credentials in cleartext - Upset that BlackBerry has yet to address a potentially major security and privacy vulnerability in the email client of its latest version, a security company said Monday that it's fed up with the response and has notified federal authorities. http://www.scmagazine.com/blackberry-purportedly-sending-users-email-credentials-in-cleartext/article/305229/?DCMP=EMC-SCUS_Newswire#

FYI - US Airways employees notified of potential data compromise - Letters have been mailed to US Airways employees after payroll vendor Automatic Data Processing (ADP) inadvertently made personal information visible to fellow airline staffers. http://www.scmagazine.com/us-airways-employees-notified-of-potential-data-compromise/article/305044/?DCMP=EMC-SCUS_Newswire

FYI - Laptop theft leads to compromised student health records - The health records for 2,000 Fairfax County public school students in Virginia were compromised after a laptop containing personal information was stolen out of an employee's vehicle. http://www.scmagazine.com/laptop-theft-leads-to-compromised-student-health-records/article/305143/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 7 of 10)

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships

Agreements

If a financial institution receives compensation from a third party as the result of a weblink to the third-party's website, the financial institution should enter into a written agreement with that third party in order to mitigate certain risks. Financial institutions should consider that certain forms of business arrangements, such as joint ventures, can increase their risk. The financial institution should consider including contract provisions to indemnify itself against claims by:

1)  dissatisfied purchasers of third-party products or services;

2)  patent or trademark holders for infringement by the third party; and

3)  persons alleging the unauthorized release or compromise of their confidential information, as a result of the third-party's conduct.

The agreement should not include any provision obligating the financial institution to engage in activities inconsistent with the scope of its legally permissible activities. In addition, financial institutions should be mindful that various contract provisions, including compensation arrangements, may subject the financial institution to laws and regulations applicable to insurance, securities, or real estate activities, such as RESPA, that establish broad consumer protections.

In addition, the agreement should include conditions for terminating the link. Third parties, whether they provide services directly to customers or are merely intermediaries, may enter into bankruptcy, liquidation, or reorganization during the period of the agreement. The quality of their products or services may decline, as may the effectiveness of their security or privacy policies. Also potentially just as harmful, the public may fear or assume such a decline will occur. The financial institution will limit its risks if it can terminate the agreement in the event the service provider fails to deliver service in a satisfactory manner.

Some weblinking agreements between a financial institution and a third party may involve ancillary or collateral information-sharing arrangements that require compliance with the Privacy Regulations.  For example, this may occur when a financial institution links to the website of an insurance company with which the financial institution shares customer information pursuant to a joint marketing agreement.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT


KEY RISK ASSESSMENT PRACTICES (1 of 2)

A risk assessment is the key driver of the information security process. Its effectiveness is directly related to the following key practices:

1)  Multidisciplinary and Knowledge-based Approach - A consensus evaluation of the risks and risk mitigation practices followed by the institution requires the involvement of a broad range of users, with a range of expertise and business knowledge. Not all users may have the same opinion of the severity of various attacks, the importance of various controls, and the importance of various data elements and information system components. Management should apply a sufficient level of expertise to the assessment.

2)  Systematic and Central Control - Defined procedures and central control and coordination help to ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and performance. Central control and coordination will also facilitate an organizational view of risks and lessons learned from the risk assessment process.

3)  Integrated Process - A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results, in turn, provide evidence to the risk assessment process that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis for accepting risks.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

5)  When the subsequent delivery of a privacy notice is permitted, does the institution provide notice after establishing a customer relationship within a reasonable time? [§4(e)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
