Does Your Financial Institution need an affordable Internet security audit?

Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Information Security Forum releases free best practices standard - The Information Security Forum (ISF), a nonprofit IT security group, announced the availability of its updated Standard of Good Practice, a free benchmark that organizations can use to assess and reduce risks related to information systems.
http://www.scmagazineus.com/Information-Security-Forum-releases-free-best-practices-standard/article/58021/

FYI - Freeman online payment system's firewall deactivated - For a period of more than a month this spring, the firewall for protecting data in the patient-payment system for Freeman Health System was deactivated, but no identifiable patient information was released, hospital officials said.
http://www.joplinglobe.com/local/local_story_235220445.html

FYI - ABN Amro customer deets tip up on BearShare - Social security numbers and other sensitive information belonging to more than 5,000 customers of ABN Amro Mortgage Group have been leaked onto the BearShare file-sharing network by a former employee, according to news reports.
http://www.theregister.co.uk/2007/09/21/abn_amro_leak_on_bearshare/print.html

FYI - SWIFT to stop processing EU banking data in the US - Payments processing body SWIFT will stop processing European banking transactions in the US in 2009. It is planning a restructuring of its network and the building of a new operations centre in Switzerland.
http://www.theregister.co.uk/2007/10/15/swift_processing_halt/print.html

FYI - California Bans Forced RFID Implants For Humans - A California state senator criticized the RFID industry for being AWOL on the issue and says it should have supported the legislation. California has enacted a law banning mandatory RFID implants for people.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=202402856

FYI - Local councils don't encrypt - Just one in 10 local authorities in the UK encrypts all its sensitive data, according to new research.
http://www.techworld.com/security/news/index.cfm?newsID=10328
MISSING COMPUTERS/DATA

FYI - US regional bank hacked - Hackers infiltrated the systems of Commerce Bank and accessed the records of 20 customers, the US regional bank said.
http://www.theregister.co.uk/2007/10/11/commerce_bank_hack/print.html

FYI - California state site can't shake problems - Site taken down for second time - The Web site blamed for last week's Internet problems within the state of California has been taken offline after links to unacceptable material reappeared on the site.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9042118&source=rss_topic17

FYI - Two TSA contractor laptops with personal information are missing - Two laptop computers with detailed personal information about commercial drivers across the country who transport hazardous materials are missing and considered stolen. The laptops belong to a contractor working for the Transportation Security Administration and contain the names, addresses, birthdays, commercial driver's license numbers and, in some cases, Social Security numbers of 3,930 people.
http://www.examiner.com/a-990833~2_TSA_contractor_laptops_with_personal_information_are_missing.html

FYI - Prof's Laptops Stolen At Carnegie Mellon - Two laptops were removed from a locked office during the first weekend of September at Carnegie Mellon University; these laptops contained personally identifying information about students.
http://www.securitypronews.com/news/securitynews/spn-45-20071009ProfsLaptopsStolenAtCarnegieMellon.html
http://www.post-gazette.com/pg/07283/824157-298.stm
WEB SITE COMPLIANCE - This week begins our series on the FDIC's Supervisory Policy on Identity Theft. (Part 2 of 6)

Characteristics of Identity Theft

At this time, the majority of identity theft is committed using hard-copy identification or other documents obtained from the victim without his or her permission. A smaller, but significant, amount of identity theft is committed electronically via phishing, spyware, hacking and computer viruses. Financial institutions are among the most frequent targets of identity thieves since they store sensitive information about their customers and hold customer funds in accounts that can be accessed remotely and transferred electronically.

Identity theft may harm consumers in several ways. First, an identity thief may gain access to existing accounts maintained by consumers and either transfer funds out of deposit accounts or incur charges to credit card accounts. Identity thieves may also open new accounts in the consumer's name, incur expenses, and then fail to pay. This is likely to prompt creditors to attempt to collect payment from the consumer for debts the consumer did not incur. In addition, inaccurate adverse information about the consumer's payment history may prevent the consumer from obtaining legitimate credit when he or she needs it. An identity theft victim can spend months or years attempting to correct errors in his or her credit record.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES

Digital Signatures

Digital signatures authenticate the identity of a sender through the sender's private cryptographic key. In addition, every digital signature is different because it is derived from the content of the message itself. The combination of identity authentication and singularly unique signatures results in a transmission that cannot be repudiated.

Digital signatures can be applied to any data transmission, including e-mail. To generate a digital signature, the original, unencrypted message is run through a mathematical algorithm that generates what is known as a message digest (a unique, fixed-length character representation of the data). This process is known as the "hash." The message digest is then encrypted with the sender's private key and sent along with the message. The recipient receives both the message and the encrypted message digest. The recipient decrypts the message digest with the sender's public key, and then runs the message through the hash function again. If the resulting message digest matches the one sent with the message, the message has not been altered and data integrity is verified. Because the message digest was encrypted with a private key, the sender can be identified and bound to the specific message. The digital signature cannot be reused, because it is unique to the message. In the above example, data privacy and confidentiality could also be achieved by encrypting the message itself. The strength and security of a digital signature system is determined by its implementation and the management of the cryptographic keys.
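The hash-then-sign flow described above, written out as an added example in Go using only the standard library; this is not code from the FDIC paper or from this newsletter. SHA-256 is used as the hash function and RSA with PKCS#1 v1.5 padding as the signature scheme, both chosen here because the text names neither. The example goes one step beyond the text by also showing that an altered message and a signature lifted onto a different message both fail verification. The payment messages are constructed samples, not real transactions.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Sign performs the "hash, then apply the private key" step: the message
// is reduced to a fixed-size digest and the digest (not the message) is
// signed. PKCS#1 v1.5 padding is an assumption of this example; the text
// describes the operation simply as encrypting the digest.
func Sign(priv *rsa.PrivateKey, msg []byte) ([]byte, error) {
	digest := sha256.Sum256(msg)
	return rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
}

// Verify re-hashes the received message and checks the signature with the
// sender's public key. It returns true only if the digest recovered from
// the signature matches the freshly computed digest.
func Verify(pub *rsa.PublicKey, msg, sig []byte) bool {
	digest := sha256.Sum256(msg)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Demo exercises the three properties the text claims: an unaltered
// message verifies, an altered message fails (integrity), and a signature
// reused on a different message fails (signatures are message-specific).
func Demo() (intact, altered, reused bool, err error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, false, err
	}

	// Constructed sample message (not a real transaction).
	msg := []byte("PAY 500.00 USD FROM ACCT 1111 TO ACCT 2222")
	sig, err := Sign(priv, msg)
	if err != nil {
		return false, false, false, err
	}
	intact = Verify(&priv.PublicKey, msg, sig)

	// A one-character change to the amount changes the digest, so the
	// signature computed over the original no longer matches.
	tampered := []byte("PAY 5000.00 USD FROM ACCT 1111 TO ACCT 2222")
	altered = Verify(&priv.PublicKey, tampered, sig)

	// Attaching the same signature to an unrelated message also fails.
	other := []byte("PAY 500.00 USD FROM ACCT 1111 TO ACCT 9999")
	reused = Verify(&priv.PublicKey, other, sig)

	return intact, altered, reused, nil
}

func main() {
	intact, altered, reused, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("original message verifies: %v\n", intact)  // true
	fmt.Printf("tampered message verifies: %v\n", altered) // false
	fmt.Printf("reused signature verifies: %v\n", reused)  // false
}
```

Two points the example makes concrete. The non-repudiation claim in the text rests entirely on the private key being under the signer's sole control, which is why the closing sentence puts the strength of the system in its implementation and key management; a verifier can only attribute the message to whoever held that key. And the recipient needs a trustworthy copy of the sender's public key (in this example it is taken straight from the key pair; in practice it comes from a certificate or a pre-established trust store), since verifying against the wrong public key proves nothing about the sender.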
IT SECURITY QUESTION:
Fedline computer and security configuration:
a. Is the Fedline computer located in a secure area?
b. Is the Fedline computer properly configured for security?
c. Does the Fedline computer require a password?
d. Is the Fedline computer regularly backed up?
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Account number sharing

A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution's consumers (§12).

B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution's own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution's own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customers' accounts (§12(b)(1)).

C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (§12(b)(2)).