REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - The Federal Financial Institutions Examination Council today issued a Press Release concerning Microsoft’s discontinuation of support for its Windows XP operating system as of April 8, 2014. www.ffiec.gov/press/pr100713.htm

FYI - Developing a Talent That Becomes A Career - In coming years, conflicts with serious real world consequences will be fought online. The risk of your private information falling into the wrong hands is also rapidly rising. http://www.huffingtonpost.com/arlan-jaska-/computer-security-club_b_4029601.html?utm_hp_ref=teen

FYI - German Teen Arrested for DDoS Attack on Government Web Site - RP Online reports that an 18-year-old student from Hamburg, Germany has been arrested for launching a cyber attack on the official Web site for the German state of Saxony-Anhalt. http://www.esecurityplanet.com/hackers/german-teen-arrested-for-ddos-attack-on-government-web-site.html

FYI - US demanded access to encryption keys of email provider Lavabit - Lavabit said in August it was shutting down its service rather than be complicit in crimes against Americans - The U.S. government demanded from email service provider Lavabit that it hand over access to all user communications and a copy of the encryption keys used to secure web, instant message and email traffic for its investigation into several Lavabit user accounts. http://www.computerworld.com/s/article/9242930/US_demanded_access_to_encryption_keys_of_email_provider_Lavabit?taxonomyId=17

FYI - DHS will expand cybersecurity intern program - A U.S. Department of Homeland Security (DHS) summer internship program for community college students focusing on cybersecurity was so successful, the department plans to ramp it up. http://www.communitycollegetimes.com/Pages/Technology/DHS-will-expand-cybersecurity-intern-program.aspx

FYI - Supreme Court Declines to Decide When Online Speech Becomes an Illegal Threat - The Supreme Court declined Monday to weigh into the legal thicket of when an online threat becomes worthy of prosecution, a decision leaving conflicting federal appellate court views on the topic. http://www.wired.com/threatlevel/2013/10/scotus-internet-threats/

FYI - Banks put to the test over cyber security - Simulated online attack will test UK’s banking, payments and markets systems - Banks will next month launch the most extensive cyber threat exercise in two years as the authorities test the preparedness of the financial system to survive a sustained online attack. http://www.telegraph.co.uk/finance/newsbysector/banksandfinance/10359520/Banks-put-to-the-test-over-cyber-security.html

FYI - MasterCard joins FIDO Alliance march to standardize biometric auth, other password alternatives - MasterCard has joined forces with an organization that aims to eliminate consumers' dependency on passwords and PINs for authentication. http://www.scmagazine.com/mastercard-joins-fido-alliance-march-to-standardize-biometric-auth-other-password-alternatives/article/315622/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Adobe hacked, 3 million accounts compromised - Adobe announced on Thursday that it has been the target of a major security breach in which sensitive and personal data about millions of its customers have been put at risk. http://news.cnet.com/8301-1009_3-57605962-83/adobe-hacked-3-million-accounts-compromised/

FYI - Burglary compromises info of thousands at Calif. medical center - More than 3,500 patients of University of California San Francisco Medical Center (UCSF) may have had data compromised after a hospital laptop was stolen from an employee's vehicle. http://www.scmagazine.com/burglary-compromises-info-of-thousands-at-calif-medical-center/article/314912/?DCMP=EMC-SCUS_Newswire

FYI - Insecure email puts more than a thousand NC patients at risk - An employee with North Carolina-based CaroMont Health sent out an insecure email containing personal information on more than 1,300 patients. http://www.scmagazine.com/insecure-email-puts-more-than-a-thousand-nc-patients-at-risk/article/315210/?DCMP=EMC-SCUS_Newswire

FYI - Not in Kansas anymore, thousands affected by Wichita website hack - The city of Wichita had its website hacked over the weekend, consequently compromising sensitive information for tens of thousands of current and former vendors who have done business with the city and employees who have been reimbursed for expenses since 1997. http://www.scmagazine.com/not-in-kansas-anymore-thousands-affected-by-wichita-website-hack/article/315305/?DCMP=EMC-SCUS_Newswire

FYI - Compromised websites possibly the result of DNS redirection attack - A hacktivist group calling itself Kdms Team, known on Twitter as @KdmsTeam and claiming to hail from Palestine, took credit on Twitter for several recent attacks against websites, including those belonging to cross-platform instant messaging service WhatsApp, computer security company AVG Technologies, and anti-virus software company Avira. http://www.scmagazine.com/compromised-websites-possibly-the-result-of-dns-redirection-attack/article/315408/?DCMP=EMC-SCUS_Newswire

FYI - Peel Health Program hit with data breach - Ontarian regional municipality Peel admitted this week to losing the personal information of more than 18,000 people in a security breach. http://www.scmagazine.com/peel-health-program-hit-with-data-breach/article/315612/?DCMP=EMC-SCUS_Newswire

FYI - Nearly 50k patient credit cards compromised by insider - As many as 46,000 patients of Arizona-based Scottsdale Dermatology may have had personal information compromised, but two suspects - one of them an employee of the medical practice's billing firm - have been arrested. http://www.scmagazine.com/nearly-50k-patient-credit-cards-compromised-by-insider/article/315695/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.

Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)

Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign-up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.
 
Return to the top of the newsletter
 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION - Shared Secret Systems (Part 1 of 2)

Shared secret systems uniquely identify the user by matching knowledge on the system to knowledge that only the system and user are expected to share. Examples are passwords, pass phrases, or current transaction knowledge. A password is one string of characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string of words or characters (e.g., "My car is a shepherd") that the system may shorten to a smaller password by means of an algorithm. Current transaction knowledge could be the account balance on the last statement mailed to the user/customer. The strength of shared secret systems is related to the lack of disclosure of and about the secret, the difficulty in guessing or discovering the secret, and the length of time that the secret exists before it is changed.

A strong shared secret system only involves the user and the system in the generation of the shared secret. In the case of passwords and pass phrases, the user should select them without any assistance from any other user, such as the help desk. One exception is in the creation of new accounts, where a temporary shared secret could be given to the user for the first login, after which the system prompts the user to create a different password. Controls should prevent any user from re - using shared secrets that may have been compromised or were recently used by them.

Passwords are the most common authentication mechanism. Passwords are generally made difficult to guess when they are composed from a large character set, contain a large number of characters, and are frequently changed. However, since hard - to - guess passwords may be difficult to remember, users may take actions that weaken security, such as writing the passwords down. Any password system must balance the password strength with the user's ability to maintain the password as a shared secret. When the balancing produces a password that is not sufficiently strong for the application, a different authentication mechanism should be considered. Pass phrases are one alternative to consider. Due to their length, pass phrases are generally more resistant to attack than passwords. The length, character set, and time before enforced change are important controls for pass phrases as well as passwords.

Shared secret strength is typically assured through the use of automated tools that enforce the password selection policy. Authentication systems should force changes to shared secrets on a schedule commensurate with risk.

Passwords can also be dynamic. Dynamic passwords typically use seeds, or starting points, and algorithms to calculate a new - shared secret for each access. Because each password is used for only one access, dynamic passwords can provide significantly more authentication strength than static passwords. In most cases, dynamic passwords are implemented through tokens. A token is a physical device, such as an ATM card, smart card, or other device that contains information used in the authentication process.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; and [§6(c)(6)(i)]

b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution's policy?  [§6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)