Happy New Year
REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- AGREEMENT BY AND BETWEEN - Jack Henry & Associates, Inc.,
Monett, Missouri, a technology service provider to depository
institutions and their subsidiaries and affiliates, (“TSP”), and the
Comptroller of the Currency of the United States of America
(“Comptroller” or “OCC”), the Federal Deposit Insurance Corporation
(“FDIC”), and the Federal Reserve Bank of St. Louis (“Reserve Bank”)
(collectively “the Regulators”), wish to protect the interests of
the TSP's depository institution clients, their depositors, and
other customers.
http://www.occ.gov/static/enforcement-actions/ea2013-181.pdf
FYI
- Experts discuss implications of massive Target breach - Retail
giant Target has yet to announce exactly how attackers compromised
its point-of-sale (POS) devices to steal roughly 40 million credit
and debit cards and CVV codes in two and a half weeks, but
researchers and security experts have already begun weighing in on
the implications of such a colossal breach.
http://www.scmagazine.com/experts-discuss-implications-of-massive-target-breach/article/326685/?DCMP=EMC-SCUS_Newswire&spMailingID=7642399&spUserID=MjI5OTI3MzMyMQS2&spJobID=108259663&spReportId=MTA4MjU5NjYzS0
FYI
- Code-busters lift RSA keys simply by listening to the noises a
computer makes - Computer scientists have shown how it might be
possible to capture RSA decryption keys using the sounds emitted by
a computer while it runs decryption routines.
http://www.theregister.co.uk/2013/12/19/acoustic_cryptanalysis/
FYI
- Another Massive Problem With U.S. Democracy: The FEC Is Broken -
As cash floods the political system, the federal watchdog is beset
with Chinese hackers, staff vacancies, feuding among commissioners,
and a huge backlog of cases - to name just a few.
http://www.theatlantic.com/politics/archive/2013/12/another-massive-problem-with-us-democracy-the-fec-is-broken/282404/
FYI
- China's central bank hit in net attack - The attack is thought to
have been in retaliation for government action to restrict trading in
bitcoins.
http://www.bbc.co.uk/news/technology-25447073
FYI
- Senators call on FTC to investigate Target breach - The FTC should
have more authority to sanction victims of data breaches, Senator
Richard Blumenthal says - A U.S. senator has called on the Federal
Trade Commission to investigate Target's security practices after
the large retailer reported a data breach affecting 40 million
customer credit and debit cards.
http://www.computerworld.com/s/article/9244962/Senators_call_on_FTC_to_investigate_Target_breach?taxonomyId=17
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- POS attack enabled hackers to steal 40M card numbers from Target,
researchers say - Retail giant Target announced Thursday that it had
become the victim of a more than two-week-long attack that may have
compromised approximately 40 million credit and debit cards and CVV
codes, as well as customer names.
http://www.scmagazine.com/pos-attack-enabled-hackers-to-steal-40m-card-numbers-from-target-researchers-say/article/326479/?DCMP=EMC-SCUS_Newswire&spMailingID=7624640&spUserID=MjI5OTI3MzMyMQS2&spJobID=106983616&spReportId=MTA2OTgzNjE2S0
http://www.wired.com/threatlevel/2013/12/target-hack-hits-40-million/
FYI
- Washington Post says attackers breached its servers - For the
second time in recent months, The Washington Post has experienced a
breach at the hands of cyber attackers.
http://www.scmagazine.com/washington-post-says-attackers-breached-its-servers/article/326481/?DCMP=EMC-SCUS_Newswire&spMailingID=7624640&spUserID=MjI5OTI3MzMyMQS2&spJobID=106983616&spReportId=MTA2OTgzNjE2S0
FYI
- Unemployment recipients hit hard in JPMorgan Chase breach -
Roughly 20,000 unemployment insurance recipients in Texas are among
the 465,000 individuals who had prepaid cash cards compromised in
the breach of banking and financial services holding company
JPMorgan Chase, disclosed earlier this month, according to a San
Antonio Express report.
http://www.scmagazine.com/unemployment-recipients-hit-hard-in-jpmorgan-chase-breach/article/326494/?DCMP=EMC-SCUS_Newswire&spMailingID=7624640&spUserID=MjI5OTI3MzMyMQS2&spJobID=106983616&spReportId=MTA2OTgzNjE2S0
FYI
- Coding error compromises data for thousands in Washington state -
The state of Washington's Department of Social and Health Services'
Economic Services Administration (ESA) is notifying up to 7,000
clients that their personal information may have been compromised
after a coding error caused ESA letters to be mailed to old
addresses.
http://www.scmagazine.com/coding-error-compromises-data-for-thousands-in-washington-state/article/326668/?DCMP=EMC-SCUS_Newswire&spMailingID=7642399&spUserID=MjI5OTI3MzMyMQS2&spJobID=108259663&spReportId=MTA4MjU5NjYzS0
FYI
- Affinity Casino Company Warns of Data Breaches - A Las Vegas
company that owns casinos in Nevada, Colorado, Iowa and Missouri
fell victim to a cyberattack earlier this year, compromising the
credit and debit card information of patrons at 11 sites, company
officials said Friday.
http://abcnews.go.com/Technology/wireStory/affinity-casino-company-warns-data-breaches-21293510
http://www.scmagazine.com/hundreds-of-thousands-of-card-numbers-stolen-in-casino-company-breach/article/327054/?DCMP=EMC-SCUS_Newswire&spMailingID=7659293&spUserID=MjI5OTI3MzMyMQS2&spJobID=108779273&spReportId=MTA4Nzc5MjczS0
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the Official Staff Commentary (OSC), an example
of a consumer's authorization that is not in the form of a signed
writing but is, instead, "similarly authenticated," is a consumer's
authorization via a home banking system. To satisfy the regulatory
requirements, the institution must have some means to identify the
consumer (such as a security code) and make a paper copy of the
authorization available (automatically or upon request). The text
of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses,
Attacks, and Offsetting Controls (Part 2 of 2)
Social engineering involves an attacker obtaining
authenticators by simply asking for them. For instance, the attacker
may masquerade as a legitimate user who needs a password reset, or a
contractor who must have immediate access to correct a system
performance problem. By using persuasion, being aggressive, or using
other interpersonal skills, the attackers encourage a legitimate
user or other authorized person to give them authentication
credentials. Controls against these attacks involve strong
identification policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be captured
by hardware- or software-based keystroke capture mechanisms. PKI
private keys could be captured or reverse-engineered from their
tokens. Protection against these attacks primarily consists of
physically securing the client systems, and, if a shared secret is
used, changing the secret on a frequency commensurate with risk.
While physically securing the client system is possible within areas
under the financial institution's control, client systems outside
the institution may not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records the
authentication as it is communicated between a client and the
financial institution system, then later uses that recording to
establish a new session with the system and masquerade as the true
user. Protections against replay attacks include changing
cryptographic keys for each session, using dynamic passwords,
expiring sessions through the use of time stamps, expiring PKI
certificates based on dates or number of uses, and implementing
liveness tests for biometric systems.
Hijacking
is an attacker's use of an authenticated user's session to
communicate with system components. Controls against hijacking
include encryption of the user's session and the use of encrypted
cookies or other devices to authenticate each communication between
the client and the server.
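The two paragraphs above on replay and hijacking describe controls in the abstract. The following Python sketch, added here as an illustration and not taken from the FFIEC booklet or this newsletter, puts the main ones together: a per-login random challenge that is consumed on first use and expires on a time stamp (so a recorded login exchange cannot be replayed), a session key derived afresh for each session from a pre-shared secret, and a counter-plus-HMAC tag on every later request (so a captured request cannot be resent and an attacker without the session key cannot forge one). All names (AuthServer, login_response, request_tag, the "alice" secret) and the sample request body are constructed for the example; a real deployment would also run the exchange over an encrypted transport.

```python
import hashlib
import hmac
import secrets

# Constructed demo credential for a single user; not a real secret.
SHARED_SECRETS = {"alice": b"constructed-demo-secret-for-alice"}


def login_response(secret, nonce):
    """Client side of the challenge-response: MAC the server's nonce."""
    return hmac.new(secret, nonce.encode(), hashlib.sha256).hexdigest()


def derive_session_key(secret, nonce):
    """Fresh per-session key that never crosses the wire; both sides derive it."""
    return hmac.new(secret, b"session|" + nonce.encode(), hashlib.sha256).digest()


def request_tag(session_key, counter, body):
    """Per-request MAC binding the session key, a counter and the body."""
    return hmac.new(session_key, counter.to_bytes(8, "big") + body,
                    hashlib.sha256).hexdigest()


class AuthServer:
    """Toy institution server with anti-replay and anti-hijacking controls.

    Replay: each login challenge is a random nonce that is consumed on first
    use and expires after nonce_ttl seconds, so a recorded login exchange
    cannot open a second session.
    Hijacking: each request after login carries a strictly increasing
    counter and an HMAC under the per-session key, so a captured request
    cannot be resent and nobody without the key can forge a new one.
    """

    def __init__(self, shared_secrets, nonce_ttl=30):
        self.shared_secrets = shared_secrets
        self.nonce_ttl = nonce_ttl
        self.pending = {}   # nonce -> (user, issued_at)
        self.sessions = {}  # session_id -> {"user", "key", "last_counter"}

    def issue_challenge(self, user, now):
        nonce = secrets.token_hex(16)
        self.pending[nonce] = (user, now)
        return nonce

    def login(self, user, nonce, response, now):
        """Return a session id on success, else None."""
        entry = self.pending.pop(nonce, None)  # consumed: a replay finds nothing
        if entry is None or entry[0] != user:
            return None
        if now - entry[1] > self.nonce_ttl:
            return None                        # stale challenge
        secret = self.shared_secrets.get(user)
        if secret is None:
            return None
        if not hmac.compare_digest(login_response(secret, nonce), response):
            return None
        session_id = secrets.token_hex(16)
        self.sessions[session_id] = {"user": user,
                                     "key": derive_session_key(secret, nonce),
                                     "last_counter": 0}
        return session_id

    def handle_request(self, session_id, counter, body, tag):
        """Accept a request only if its counter is new and its MAC verifies."""
        session = self.sessions.get(session_id)
        if session is None or counter <= session["last_counter"]:
            return False                       # unknown session or replayed request
        if not hmac.compare_digest(request_tag(session["key"], counter, body), tag):
            return False                       # forged or tampered request
        session["last_counter"] = counter
        return True


def demo():
    """Walk through a legitimate login and the attacks the controls stop."""
    server = AuthServer(SHARED_SECRETS)
    secret = SHARED_SECRETS["alice"]
    nonce = server.issue_challenge("alice", now=1000)
    response = login_response(secret, nonce)
    session_id = server.login("alice", nonce, response, now=1001)
    # An eavesdropper resends the recorded nonce/response pair.
    replayed_login = server.login("alice", nonce, response, now=1002)
    # A challenge answered after the TTL is refused even with the right MAC.
    stale = server.issue_challenge("alice", now=2000)
    stale_login = server.login("alice", stale, login_response(secret, stale), now=2031)
    key = derive_session_key(secret, nonce)    # client derives the same key
    body = b"constructed request body"
    first = server.handle_request(session_id, 1, body, request_tag(key, 1, body))
    replayed_request = server.handle_request(session_id, 1, body, request_tag(key, 1, body))
    forged = server.handle_request(session_id, 2, body, request_tag(b"guess", 2, body))
    second = server.handle_request(session_id, 2, body, request_tag(key, 2, body))
    return {"login_ok": session_id is not None, "replayed_login": replayed_login,
            "stale_login": stale_login, "first_request": first,
            "replayed_request": replayed_request, "forged_request": forged,
            "second_request": second}


if __name__ == "__main__":
    print(demo())
```

Running demo() shows the legitimate login and both genuine requests succeeding while the replayed login, the stale login, the replayed request and the forged request are all refused. The counter check is what makes the session-level control work: encryption alone would hide the request contents, but without a per-message freshness value a captured ciphertext could still be resubmitted.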
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
27. If each joint consumer may
opt out separately, does the institution permit:
a. one joint consumer to opt out on behalf of all of the joint
consumers; [§7(d)(3)]
b. the joint consumers to notify the institution in a single
response; [§7(d)(5)] and
c. each joint consumer to opt out either for himself or herself,
and/or for another joint consumer? [§7(d)(5)]