REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Florida health department employees stole data, committed tax
fraud - Two former Orange County Health Department employees and an
accomplice have been arrested in Florida and charged with using
information from thousands of electronic patient records to commit
tax fraud.
http://www.scmagazine.com/florida-health-department-employees-stole-data-committed-tax-fraud/article/318843/?DCMP=EMC-SCUS_Newswire
FYI
- Chicago Fed Letter - Bitcoin: A Primer - Bitcoin is a digital
currency that was launched in 2009, and it has attracted much
attention recently. This article reviews the mechanics of the
currency and offers some thoughts on its characteristics.
http://www.chicagofed.org/webpages/publications/chicago_fed_letter/index.cfm
FYI
- Los Angeles creates 'Cyber Intrusion Command Center' - Los Angeles
Mayor Eric Garcetti, citing warnings by President Barack Obama and
National Intelligence Director James Clapper about the threat of
attacks on computer networks, on Wednesday announced the creation of
the city's first "Cyber Intrusion Command Center."
http://www.nbcnews.com/technology/los-angeles-creates-cyber-intrusion-command-center-8C11500067
FYI
- ICE Hacked Its Own Employees to Teach Self-Defense in Cyberspace -
One federal agency is replacing workforce security awareness
tutorials with real world hack attempts to test employee reflexes.
So far, 80 percent of the personnel trained have successfully fought
off potential cyberspies.
http://www.nextgov.com/cio-briefing/2013/10/ice-hacks-employees-teach-self-defense-cyberspace/72800/?oref=ng-HPrivers
SANS do-it-yourself:
http://www.securingthehuman.org/
FYI
- Switzerland to set up 'Swiss cloud' free of NSA, GCHQ snooping (it
hopes) - Swisscom, the Swiss telco that's majority owned by its
government, will set up a "Swiss cloud" hosted entirely in the land
of cuckoo clocks and fine chocolate – and try to make the service
impervious to malware and uninvited spooks.
http://www.theregister.co.uk/2013/11/04/switzerland_to_set_up_swiss_cloud_free_of_nsa_snooping/
FYI
- Thanks to a False Sense of Security, Small Businesses Are Skipping
Cyber-Protection - Small and medium-sized businesses (SMB) should be
paying more attention to the growing threat of cybercrime - but they
are not.
http://www.infosecurity-magazine.com/view/35374/thanks-to-a-false-sense-of-security-small-businesses-are-skipping-cyberprotection/
FYI
- The Federal Financial Institutions Examination Council today
issued a Press Release concerning Microsoft’s discontinuation of
support for its Windows XP operating system as of April 8, 2014.
www.ffiec.gov/press/pr100713.htm
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Adobe Breach Impacted At Least 38 Million Users - The recent data
breach at Adobe that exposed user account information and prompted a
flurry of password reset emails impacted at least 38 million users,
the company now says.
http://krebsonsecurity.com/2013/10/adobe-breach-impacted-at-least-38-million-users/
FYI
- Finland’s Foreign Ministry gets pwned by worse-than-Red October
malware - Nordic nation suspects Chinese, Russian intel services
behind attack. Citing unnamed sources, Finnish television channel
MTV3 reports (Google Translate) that the Finnish Ministry of Foreign
Affairs was penetrated by malware over a period of four years.
http://arstechnica.com/tech-policy/2013/10/finlands-foreign-ministry-gets-pwned-by-red-october-malware/
FYI
- Hackers Take Limo Service Firm for a Ride - A hacker break in at a
U.S. company that brokers reservations for limousine and Town Car
services nationwide has exposed the personal and financial
information on more than 850,000 well-heeled customers, including
Fortune 500 CEOs, lawmakers, and A-list celebrities.
http://krebsonsecurity.com/2013/11/hackers-take-limo-service-firm-for-a-ride/
FYI
- Thousands of cards compromised in classic skimming operation -
Four Romanian nationals have been arrested and charged with
targeting MTA Long Island Rail Road ticket vending machines in a
classic skimming operation that netted the suspects thousands of
credit and debit card numbers, along with PIN codes.
http://www.scmagazine.com/thousands-of-cards-compromised-in-classic-skimming-operation/article/319428/?DCMP=EMC-SCUS_Newswire
FYI
- Cleveland hospital's unencrypted hard drive stolen, thousands
affected - More than 7,100 patients who received care at University
Hospitals of Cleveland are being notified that an unencrypted hard
drive containing their data has been stolen.
http://www.scmagazine.com/cleveland-hospitals-unencrypted-hard-drive-stolen-thousands-affected/article/319537/?DCMP=EMC-SCUS_Newswire
FYI
- Unencrypted laptop stolen, 11,000 dialysis patients impacted -
More than 11,000 patients and some employees of Colorado-based
kidney care company DaVita are being alerted after an unencrypted
laptop containing their personal data was stolen from a staffer's
vehicle.
http://www.scmagazine.com/unencrypted-laptop-stolen-11000-dialysis-patients-impacted/article/319921/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day rule,"
requiring mailing or delivery of the statement not later than 14
days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
multiple-page advertisements.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION - Public Key Infrastructure (Part 1 of 3)
Public key infrastructure (PKI), if properly implemented and
maintained, may provide a strong means of authentication. By
combining a variety of hardware components, system software,
policies, practices, and standards, PKI can provide for
authentication, data integrity, defenses against customer
repudiation, and confidentiality. The system is based on public key
cryptography in which each user has a key pair - a unique electronic
value called a public key and a mathematically related private key.
The public key is made available to those who need to verify the
user's identity.
The private key is stored on the user's computer or a separate
device such as a smart card. When the key pair is created with
strong encryption algorithms and input variables, the probability of
deriving the private key from the public key is extremely remote.
The private key must be stored in encrypted text and protected with
a password or PIN to avoid compromise or disclosure. The private key
is used to create an electronic identifier called a digital
signature that uniquely identifies the holder of the private key and
can only be authenticated with the corresponding public key.
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
Content of Privacy Notice
18. If the institution, in its privacy policies, reserves the
right to disclose nonpublic personal information to nonaffiliated
third parties in the future, does the privacy notice include, as
applicable, the:
a. categories of nonpublic personal information that the financial
institution reserves the right to disclose in the future, but does
not currently disclose; [§6(e)(1)] and
b. categories of affiliates or nonaffiliated third parties to whom
the financial institution reserves the right in the future to
disclose, but to whom it does not currently disclose, nonpublic
personal information? [§6(e)(2)]