Contact: Mary Beth Quist
September 3, 2008 FDIC Provides Hurricane Information Via Web
FDIC announced on Sept. 1 that it is working cooperatively with
state and federal banking agencies and other organizations to determine
the status of the financial institutions located in the areas affected
by Hurricane Gustav. Through a Web page, the agency is providing the
best available consumer contact and branch information for all
institutions headquartered in the affected areas. The information will
be updated as it becomes available to FDIC and other state and federal
regulators. FDIC also is making available a housing recovery guide it
developed with NeighborWorks for victims of Hurricanes Katrina, Wilma
and Rita, as well as other resources. More information
August 21, 2008 FTC Hosts Free Workshop on Radio Frequency Technology
The Federal Trade Commission will host a free “Transatlantic RFID
Workshop on Consumer Privacy and Data Security” on Sept. 23 in
Washington, D.C., to explore emerging applications of radio frequency
identification technology and their implications for consumer protection
policy. The workshop will bring together industry representatives,
government officials and consumer advocates from Europe and the United
States to discuss security and privacy concerns associated with RFID
technology. The workshop will explore the increasing prevalence of
contactless payment devices in everyday consumer transactions, including
credit card purchases and public transit, as well as the growing use of
item-level tagging in the retail sector. The workshop will examine
consumer awareness and education initiatives regarding these
developments; security and privacy threats and proposed solutions; and
emerging technologies and practices that may shape the marketplace in
the coming years. FTC will provide a live Web cast of the workshop on
its Web site. More information
July 30, 2008 Mavent Awarded Patent For Mortgage Compliance Software
Mavent Inc. today announced that it has been awarded a U.S. patent for
technology used for compliance with consumer credit regulation. The
patent covers systems, software programs and methods of use for
businesses that originate and close loans secured by real estate in
order to audit such loans for compliance with state and federal laws and
regulations. This is the first time an automated regulatory compliance
vendor to the mortgage industry has received such a patent. Licenses to
utilize the patent are currently available to Mavent clients as a
component of its integrated services. Mavent analyzes electronic loan
data to determine whether a loan complies with more than 300 federal and
state consumer protection laws related to mortgage lending.
Mavent’s compliance rules are maintained by its in-house attorneys
in coordination with, and subject to ultimate approval by, its network
of nationally recognized law firms. More information
July 25, 2008 GENESYS Corrections for the March 2008 Call Report Changes
Certain changes to the Call Report were implemented effective March 31,
2008. Details of these revisions can be found at the link noted at
the end of this message. The eXamination Download System (XDS) and
the General Examination System (GENESYS) have not yet been updated to
reflect these changes. Consequently, some of the figures and
ratios generated in these systems using March 31, 2008 Call Report
information may be inaccurate. Until XDS and GENESYS can be updated,
examiners will need to correct inaccurate data manually.
Instructions for manually correcting figures and ratios in GENESYS are
outlined below. Click here to see more information
July 22, 2008 FinCEN to Replace BSA Magnetic Filing With E-Filing
The Financial Crimes Enforcement Network announced on July 21 that it
will discontinue the Bank Secrecy Act Magnetic Media Filing program by
the end of the year. Current Magnetic Media filers must transition to the
BSA electronic filing system no later than Dec. 31, 2008. FinCEN said the
change will provide a filing system that is more secure, efficient and
effective. The BSA E-Filing is a Web-based system that uses an
identification name and password and does not require storage media. The
system supports the filing of both single and multiple BSA reports and
uses the same file format as the Magnetic Media program. The new system
should reduce reporting costs and speed the filing time for a wide range
of BSA forms. Financial institutions currently using the Magnetic Media
program may register to use the BSA E-Filing system at any time, FinCEN
said. More information
July 18, 2008 Study Finds Encrypted Hard Drives Vulnerable
Researchers at the University of Washington and BT report that
encryption software intended to keep part of a computer's hard drive
private may not be totally secure. Tadayoshi Kohno, an assistant
professor at the University of Washington in Seattle found that popular
programs like Word and Google Desktop store data on unencrypted sections
of a computer's hard drive - even when the programs are working with
encrypted files. "Information is spilling out from the encrypted region
into the unencrypted region," Kohno said. He believes that there are
probably many other applications and operating system components that
leak out information in a similar way. The study found that people who
are using full-disk encryption, where every piece of data on their hard
drive is encrypted, do not have to worry. However the issue pops up when
users create an encrypted partition or virtual disk on their hard
drives, leaving part of the drives unencrypted, or even when they store
data on encrypted USB devices, Kohno said. With Google Desktop, the
researchers were able to read snapshots of encrypted files when the
program's Enhanced Search option was enabled. More information
July 10, 2008 BITS White Paper Offers Subcontractor Guidance
BITS, the technology subsidiary of the Financial Services
Roundtable, recently published a white paper on how to manage vendor
subcontractor relationships. The white paper, “Key Considerations
for Managing Subcontractors,” examines the risks for financial
institutions as their primary vendors increasingly distribute services
to subcontractors. As outsourcing practices mature and develop
throughout the industry, the use of subcontractors has increased.
“Financial institutions must increasingly manage risks associated
with vendors with whom they have no direct relationship,” said
BITS President Leigh Williams. The paper provides guidelines to help
financial institutions evaluate the processes associated with the use of
subcontractors. It discusses regulatory requirements, policy
considerations, due diligence, contracting considerations, subcontractor
approval, and ongoing monitoring. The paper was developed under the
direction and guidance of the BITS Vendor Management Steering Committee
and other BITS member companies. More information
July 9, 2008 Massive Patch To Address DNS Flaw
Vendors of Domain Name System (DNS) servers plan to make an
unprecedented coordinated release of patches for a fundamental flaw in
DNS, a core component of the Internet. Most vendors are releasing
patches today, and others are expected to follow soon, said Dan
Kaminsky, director of penetration testing at IOActive Inc., who
discovered the vulnerability about six months ago. Automatic updates
will handle patching on most servers, but it is critical for all
organizations to identify DNS servers in their networks and make sure
that the proper patches are applied, Kaminsky said. According to a
bulletin from the U.S. Computer Emergency Readiness Team (US-CERT), the
vulnerability (VU#800113) could allow cache poisoning and misdirection
of Web requests, sending users to unknown Web sites. DNS is a
hierarchical system that translates written names, such as URLs and
e-mail addresses, into IP addresses. That function makes DNS essential
to almost all uses of the Internet. Because the vulnerability is in the
basic design of the protocol, it is found in nearly all its
implementations. Kaminsky is scheduled to release details of the
vulnerability next month at the Black Hat Briefings security conference
in Las Vegas. More information
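The fix shipped in the coordinated July 2008 patches was to make a resolver's outbound queries harder to guess by randomizing the UDP source port in addition to the 16-bit transaction ID. The following added example (not code from the news item, US-CERT, or any DNS vendor) shows how a defender can assess a resolver after patching: it assumes the (transaction ID, source port) pairs of a resolver's outbound queries have been pulled from a packet capture, and it reports whether each field varies unpredictably. The sample sets are constructed with a seeded generator and labelled as such; they are not captures from any real resolver.

```python
"""Check whether a recursive resolver's outbound queries look randomized.

Added example, not code from the news item, US-CERT or any DNS vendor. It
assumes a defender has captured the (transaction ID, UDP source port) pairs
of a resolver's outbound queries and wants to confirm that both fields vary
unpredictably, which is the mitigation the July 2008 patches for VU#800113
delivered (source port randomization on top of the already-random 16-bit
transaction ID). The sample sets below are constructed with a seeded
generator, not captured from any real resolver.
"""
import math
import random
from collections import Counter


def entropy_bits(values):
    """Shannon entropy, in bits, of the observed value distribution."""
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in Counter(values).values())


def assess_field(values):
    """Summarize one 16-bit field: uniqueness, entropy, and how often
    consecutive values differ by exactly one (a counter, not a random choice)."""
    n = len(values)
    diffs = [(b - a) % 65536 for a, b in zip(values, values[1:])]
    sequential = sum(1 for d in diffs if d == 1) / len(diffs) if diffs else 0.0
    return {
        "unique_ratio": len(set(values)) / n,
        "entropy_bits": entropy_bits(values),
        "sequential_ratio": sequential,
    }


def assess_resolver(samples, min_unique_ratio=0.9, min_entropy_bits=6.0,
                    max_sequential_ratio=0.1):
    """Return per-field statistics plus a verdict on whether both the
    transaction ID and the source port look randomized. Thresholds are
    chosen for a capture of a few hundred queries."""
    report = {
        "txid": assess_field([txid for txid, _ in samples]),
        "port": assess_field([port for _, port in samples]),
    }
    report["looks_randomized"] = all(
        f["unique_ratio"] >= min_unique_ratio
        and f["entropy_bits"] >= min_entropy_bits
        and f["sequential_ratio"] <= max_sequential_ratio
        for f in (report["txid"], report["port"])
    )
    return report


# Constructed samples (hypothetical captures of 200 queries each).
_rng = random.Random(2008)
# Patched behaviour: random transaction ID and random ephemeral source port.
PATCHED_SAMPLES = [(_rng.randrange(65536), _rng.randrange(1024, 65536))
                   for _ in range(200)]
# Pre-patch behaviour: random transaction ID but one fixed source port.
FIXED_PORT_SAMPLES = [(_rng.randrange(65536), 32768) for _ in range(200)]
# Another weak pattern: random source port, transaction ID a simple counter.
SEQUENTIAL_TXID_SAMPLES = [((1000 + i) % 65536, _rng.randrange(1024, 65536))
                           for i in range(200)]

if __name__ == "__main__":
    for name, samples in [("patched", PATCHED_SAMPLES),
                          ("fixed port", FIXED_PORT_SAMPLES),
                          ("sequential txid", SEQUENTIAL_TXID_SAMPLES)]:
        r = assess_resolver(samples)
        print(f"{name:16s} txid={r['txid']}")
        print(f"{'':16s} port={r['port']}")
        print(f"{'':16s} looks_randomized={r['looks_randomized']}")
```

A resolver that passes this check is not proof against poisoning; randomizing both fields only raises the attacker's cost, and the check also says nothing about a NAT device in front of the resolver that rewrites source ports back into a predictable sequence, so the capture should be taken on the resolver's outside interface.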
July 8, 2008 Security Firm Outlines Common ATM Vulnerabilities
Financial institutions need to do a better job of protecting their
automated teller machines from hackers, according to the TraceSecurity
security compliance company. During the past five years, TraceSecurity
said its personnel have uncovered thousands of unpatched ATM processing
servers while performing routine security compliance inspections.
The company said the ATMs are often not patched because third-party
vendors have not approved the patches to be applied to systems running
their ATM software. “As a result, hackers could easily exploit
known security holes in operating systems such as Microsoft, which are
used by many ATM solutions available today,” said Jim Stickley,
chief technology officer at TraceSecurity. Another problem is the
failure of a financial institution to place their ATM servers into
secured private segments on the financial institution’s network.
“Unfortunately many organizations make the assumption that as long
as the servers are behind a firewall they are safe. That is simply not
the case,” Stickley said. More information
June 30, 2008 Fed Changes Liability Rules for Certain Internet Transactions
The Federal Reserve System’s Retail Payments Office announced a
policy change to its operating rules to hold sending banks liable for
remotely created payment orders that bypass the rules and monitoring of
the National Automated Clearing House Association. The change to
Operating Circular 3 will go into effect on July 15. The rule change
takes aim at a product offered by certain vendors that purports to take
Internet payment instructions for goods or services purchased from an
Internet firm, convert them to an electronic template and then further
convert the electronic template to an imaged check for clearing through
the Fed or other check clearing networks. The Fed said it was concerned
because of some instances of fraud associated with these activities and
because it removes the transactions from monitoring. The Fed said banks
using these services “will be providing warranties and assuming
liability for the legitimacy of the item.” The Fed added,
“in essence, we will look to the sending bank to make us whole if
we suffer any loss because the sending bank sent us an electronic item
that did not actually originate from a paper check.” More information
June 27, 2008 ALERT Modernization
The FDIC hosted an interagency Stakeholders meeting this week in
Virginia. This group is tasked with evaluating the current ALERT
functionality needs and ensuring that it remains a viable and effective
tool for the Agencies. The group continued to work through
“use cases” and discuss business processes. The
following states participated in this meeting: GA, IA and IL.
System development is planned through the end of this year. User
Acceptance Testing and implementation is scheduled for
2009. More information
June 20, 2008 Study Analyzes Source, Cause of Data Breaches
Nearly nine in 10 corporate data breaches could have been
prevented had reasonable security measures been in place, according to a
comprehensive report issued in June by Verizon Business. The “2008
Data Breach Investigations Report” spanned four years and more
than 500 forensic investigations involving 230 million records, and
analyzes hundreds of corporate breaches including three of the five
largest ones ever reported. The study found that 73 percent of breaches
resulted from external sources versus 18 percent from insider threats,
and most breaches resulted from a combination of events rather than a
single hack or intrusion. Financial institutions accounted for 14
percent of the breaches studied, while retail and food beverage
industries accounted for more than half of the cases. Some of the key
findings included: 39 percent of breaches were attributed to business
partners, a number that rose five-fold during the course of the period
studied; 59 percent of the deliberate breaches were the result of
hacking and intrusion; 75 percent of breaches were discovered by a third
party rather than the victimized organization and went undetected for a
lengthy period of time. More information
June 19, 2008 GAO Reports On FDIC Information Security Systems
FDIC is making progress, but still needs to improve the management of
key financial systems, according to a report released by the General
Accountability Office. The report found that FDIC had corrected or
mitigated 16 of the 21 weaknesses that GAO had previously reported as
unresolved at the completion of its 2006 audit. For example, FDIC has
improved physical security controls over access to its Virginia Square
computer processing facility, instructed personnel to use more secure
e-mail methods to protect the integrity of certain accounting data
transferred over an internal communication network, and updated the
security plan and contingency plan of a key financial system. However,
GAO said old and new weaknesses could limit the corporation's ability to
effectively protect the confidentiality, integrity and availability of
its financial systems and information. Some of the problems identified
in the report included failing to: maintain a full and complete baseline
for system requirements; assign unique identifiers to configuration
items; authorize, document and report all configuration changes; and
perform configuration audits. GAO said a key reason for these weaknesses
is that “FDIC did not always fully implement key information
security program activities.” Read more
June 19, 2008 IER User Acceptance Testing
Over the past several months, the FDIC has been working to improve the
Interagency Examination Repository (IER) Project.
A group of FDIC and State examiners will test the IER during the week of
July 7, 2008. For more information on this project and
development details click here.
May 14, 2008 Federal Reserve Working on Electronic Record Requirement
The Federal Reserve is working on rules for banks to supply
information for subpoenas in electronic form, according to the May issue
of the SAR Activity Trends, Tips and Issues published by the Financial
Crimes Enforcement Network. FinCEN said the Justice Department, Federal
Bureau of Investigation and Internal Revenue Service have developed a
standardized attachment for grand jury subpoenas that requires the
production of bank records in their original electronic form. FinCEN
said the scope of the records to be produced has not changed, but the
form of production will be specified to be electronic data. “The
Federal Reserve is in the process of revising Regulation S, including
reimbursement terms for production of electronic records,” the
report said. The instructions will call for the use of encryption when
transmitting data and for data verification, such as hash coding. FinCEN
said the agencies are committed to working with financial institutions
during the transition period. Other issues covered in the publication
included trends in mortgage and real estate fraud, and case studies
highlighting how SARs were used by law enforcements. More information
May 13, 2008 FBI Warns of Direct Deposit Ploy on Tax Rebate Checks
The Federal Bureau of Investigation recently issued a warning about
e-mails claiming to be from the Internal Revenue Service that attempt
to steal consumers’ information by suggesting the use of direct
deposit to obtain their economic stimulus tax rebates. The message
contains a hyperlink to a fraudulent form that requests the recipient's
personal data, including bank account information. To convince consumers
to reply, the e-mails warn the recipients that failure to complete the
form in a timely manner will delay the issuance of their rebate checks.
One example of the message is: “Our records indicate that you are
qualified to receive the 2008 Economic Stimulus Refund. The fastest and
easiest way to receive your refund is by direct deposit to your
checking/savings account. Please follow the link and fill out the form
and submit before May 10th, 2008 to ensure that your refund will be
processed as soon as possible. Submitting your form on May 10th, 2008 or
later means that your refund will be delayed due to the volume of
requests we anticipate for the Economic Stimulus Refund.” The FBI
warned consumers not to click on the links. Read more
May 7, 2008 Data Encryption Paper Outlines Best Practices for Key Management
BITS, the technology arm of the Financial Services Roundtable, published
a paper on May 6 to provide a framework for financial services companies
to consider when developing their key management programs. The paper
provides an opportunity for all financial institutions to
“leverage the best practices around encryption and associated key
management,” said Tom Doughty, who chairs the BITS Security
Steering Committee and is vice president and chief information security
officer at Prudential Financial. The paper discusses critical success
factors for an enterprise-wide program, offers examples of key
management programs, and addresses practical adoption issues for
encryption and key management. The report calls for encryption keys to
be managed with the same care given to the confidential data they
protect for the duration of their use to ensure that they are not easily
guessed, disclosed or lost. More information
May 2, 2008 Federal Reserve to Start Electronic Filing System
The Federal Reserve issued a proposal on April 29 to allow banks, bank
holding companies, foreign bank organizations and others to file
applications, notices and other requests through an electronic system by
the end of the year. The Fed said the electronic system would be
voluntary and would begin in the second quarter as a pilot program with
20 participants. The system would be finalized during the fourth quarter
and could begin operation next year. "The Federal Reserve anticipates
that the electronic submission of filings through E-Apps would reduce
the burden filers experience with current requirements for paper-based
submissions," the agency said. Banks that voluntarily choose to submit
filings through E-Apps would save the time and expense associated with
photocopying and mailing or otherwise filing copies. More information
April 24, 2008 Technology Company Announces Check Processing Settlement
DataTreasury Corp. announced on April 21 it has settled a
patent infringement lawsuit against The PNC Financial Services Group,
Inc. and PNC Bank for check-processing patents. The patents cover image
capture, centralized processing and electronic storage of documents and
check information, and a central check clearing system. The company said
it is actively pursuing lawsuits against 53 other defendants. In the
settlement, DataTreasury granted PNC a worldwide license for its
patents. Other terms of the agreement are confidential. The U.S. Patent
& Trademark Office recently re-examined DataTreasury’s patents
and confirmed the validity of the company’s claims. “We are
now preparing to take the remaining defendants to trial,” said
DataTreasury’s lead trial counsel, Nelson Roach of Nix, Patterson
& Roach, LLP. More information
April 23, 2008 GENESYS 5.3
This update is now available on the CSBS website for state
banking departments to download. Click here for installation instructions and the
install file.
April 17, 2008 SanDisk Warns on USB Drive Threat
SanDisk has warned that IT managers are unaware of the extent
to which unsecured flash drives are being brought into their
organisations, backing this with a new study of corporate end-users and
IT executives.
The study found that 77 percent of corporate end-users surveyed
admitted to using personal flash drives for work-related purposes.
However, when asked to estimate what percentage of the workforce uses
personal flash drives, corporate IT respondents said only 35
percent.
Users meanwhile admitted that the data files most likely to be copied to a
personal flash drive include customer records (25 percent), financial
information (17 percent), business plans (15 percent), employee records
(13 percent), marketing plans (13 percent), intellectual property (6
percent), and source code (6 percent).
The survey highlights that due to the highly portable nature of USB
flash drives, they represent a significant risk of data loss for
enterprises. Approximately one in ten (12 percent) of corporate end
users reported finding a flash drive in a public place. Additionally,
when asked to pick the three most likely actions they would take if they
found a flash drive in a public place, 55 percent indicated they would
view the data.
SanDisk meanwhile hopes to give IT managers a fighting chance of
controlling the usage of flash drives in organisations, and earlier this
week unveiled a new version of its CMC (Central Management &
Control) software used to manage its Cruzer Enterprise USB flash
drives.
The SanDisk Cruzer Enterprise flash drive comes in 1GB, 2GB, 4GB, and
8GB storage capacities.
Version 3.0 of the CMC software is designed to give IT managers an
easier way to manage the lifecycle of Cruzer Enterprise USB flash
drives, including deployment throughout the organisation, password
recovery and renewal through the network, central back-up and restore,
central usage tracking, and remote termination of lost drives.
"CMC is at the centre of SanDisk’s mission to make flash memory
the preferred solution for authentication, workspace virtualisation and
endpoint security," said Etti Berger, product marketing manager for CMC
in SanDisk's Enterprise Division.
Specifically, CMC 3.0 allows IT managers to rapidly introduce new
applications through the network, without users having to initiate an
installation process or having to bring their drives to the IT
department. It also keeps track of application and seat licences on
Cruzer Enterprise drives.
In addition, CMC 3.0 allows for Cruzer Enterprise drives to be remotely
configured from any corporate PC without requiring pre-installation of a
software agent. SanDisk says this reduces the time and effort needed to
add new drives, especially in large organisations with multiple
locations and many remote workers.
IT managers can also create pre-defined reports on user activity, giving
the IT department new tools for uncovering violations of the
organisation’s data security policies, and for providing
confirmation of regulatory compliance through an enhanced audit
trail.
Finally, CMC 3.0 features improved password policy control, and
passwords can now be set to expire after a number of days selected by
the IT department. It can also synchronise with Active Directory
password policies.
SanDisk said that CMC 3.0 is expected to be available in the third
quarter, with pricing provided on request to enterprise clients.
SanDisk also revealed that Cruzer Enterprise drives also now have the
ability to deploy, store and use RSA SecurID software tokens from RSA.
This gives end-users a single device for secure data storage and
two-factor authentication, an alternative to carrying both a flash drive
and a separate hardware authenticator.
April 16, 2008 NACHA Launches E-Bill Service With Verizon Transaction
The National Automated Clearing House Association announced the
launch of an Electronic Billing Information Delivery Service on April 14
to speed the ability of consumers to receive electronic bills at the
online provider of their choice. The first transaction presented and
paid using the system was from Verizon. NACHA said the system expands
the capabilities of the ACH network to include the distribution of
consumer bills to financial institutions. NACHA said some of the
benefits of the system are: increased revenue for banks; reduced cost
and extended reach for businesses; privacy for consumers; and the
advantages of paperless transactions. More information
April 7, 2008 FinCEN Stops New Applications for Filing Via Magnetic Media
The Financial Crimes Enforcement Network announced on April 4
that it is no longer accepting new applications to batch file Bank
Secrecy Act forms using tapes and/or diskettes. FinCEN plans to retire
the magnetic media program and in the future will announce the deadline
for transitioning from magnetic media to the BSA E-filing system.
New users who wish to batch file their BSA forms will have to submit
these files using the BSA E-filing system. More information
April 3, 2008 SBA Seeks Information on E-Portal for Small Business Lending
The Small Business Administration is seeking innovative ideas
from lenders and the business community on ways to establish a new
e-commerce portal to help expand credit availability for businesses and
give lenders access to new potential small-business customers. The
agency put out a request for information from potential vendors on
setting up an online lending portal to connect small-business loan
applicants and commercial lenders. The request is not an official
solicitation for a contract, but instead will be used by the agency to
gather information in such areas as specifications, pricing strategies
and project management. SBA envisions a system where business users
would enter relevant information on financial needs and key financial
performance information that is critical to the underwriting decision.
The portal then would facilitate matching interested lenders with these
prospective borrowers. SBA is looking for input in such areas as user
friendliness and transparency, market coverage, privacy policies,
revenue sharing, timeline and risks. The deadline for submitting
information is April 28. More information
March 24, 2008 Washington State Agency Stops Use of External Thumb Drives
Employees of the Washington State Division of Child Support will now be
required to use state-owned USB flash drives as part of an effort to
eliminate the use of privately-owned thumb drives. External flash drives
used by field workers hold the names, dates of birth and Social Security
numbers of children served by the agency. They may also hold client tax
documents, employer records, criminal histories and passport data. The
state began rolling out 200 SanDisk Cruzer drives late last year after
recalling suspect devices used by workers in the agency's 10 field
offices. Most of those had been purchased independently by employees,
causing myriad problems for the agency, said Brian Main, the division's
data security officer. The Cruzer Enterprise drives provide 256-bit AES
encryption and are password-protected. Main noted that the state does
periodic risk analysis of its systems, identifying a problem with the
proliferation of privately-owned thumb drives. More information
March 19, 2008 Firm Hacks Encrypted Data
LuciData Inc., a Minneapolis-based computer forensic and internal threat
management company, reports that it successfully cracked an encrypted
laptop on behalf of a corporate client. The laptop reportedly was using
Pointsec Full Disk Encryption. LuciData noted that the default
configuration many companies use leaves them vulnerable to a very
simple attack that effectively gives complete administrative control of
the machine to anyone with physical access. This simple
attack takes advantage of the FireWire protocol and its ability to
directly access and modify the RAM of a target machine with a FireWire
port installed. Using a simple and readily available forensics software
tool, it is possible to connect a FireWire cable to a computer, and
within seconds bypass the Windows authentication and log in as a local
administrator. While the long term implications
of this attack have not yet been fully investigated, the most immediate
recommendation is for companies using Pointsec to redeploy its whole
disk encryption solution so that preboot authentication is
enabled. More information
March 19, 2008 Update to FFIEC Business Continuity Planning Booklet
The Federal Financial Institutions Examination Council (FFIEC) today
issued updated guidance for examiners, financial institutions, and
technology service providers to identify business continuity risks and
evaluate controls and risk management practices for effective business
continuity planning. The guidance is an update to the “Business
Continuity Planning Booklet,” which was issued in March
2003. More information
March 18, 2008 FTC Fines ValueClick Over Advertising, Security Issues
Online advertiser ValueClick, Inc., will pay a record $2.9
million to settle Federal Trade Commission charges that its advertising
claims and e-mails were deceptive and violated federal law. The agency
also charged that ValueClick and its subsidiaries, Hi-Speed Media and
E-Babylon, failed to secure consumers’ sensitive financial
information despite their claims to do so. The settlement requires
ValueClick to clearly and conspicuously disclose the costs and
obligations consumers must incur to receive the products it claimed were
free. FTC said ValueClick’s subsidiary Hi-Speed Media used
deceptive e-mails, banner ads and pop-ups to drive consumers to its Web
sites. The e-mails and online ads claimed that consumers were eligible
for free gifts, such as laptops, iPods and high-value gift cards. FTC
alleged that consumers lured to ValueClick’s Web sites by these
promises were led through a maze of expensive and burdensome third-party
offers – including car loans and satellite television
subscriptions – which they were required to participate in at
their own expense to receive the promised free merchandise. On the
security issue, FTC alleged the companies published online privacy
policies claiming they encrypted customer information, but either failed
to encrypt the information at all or used a non-standard and insecure
form of encryption. The agency also charged that several of the
companies’ e-commerce Web sites were vulnerable to hacker
attacks. More information
March 18, 2008 Survey Reports on Mobile Banking Interest, Concerns
A Harris Interactive study found that mobile phone users are
becoming more comfortable about making banking and purchase
transactions, but security remains a major concern. The survey found 16
percent of mobile phone subscribers used mobile banking services.
Thirty-five percent were open to checking bank account balances and
transferring funds via their mobile devices. A third of those surveyed
also said they would like to receive text message alerts from their
financial institutions. The survey also found that mobile purchases were
on the rise. About 25 percent of mobile phone users with mobile access
to the Internet used their phones to buy goods and services online via
credit cards. One in five said they would like to someday use their
phones like a mobile wallet, where charges would be billed directly to
their mobile accounts. However, the biggest barrier affecting consumer
acceptance of mobile banking and commerce was security concerns over
personal data. Two-thirds of those interviewed expressed apprehension
about using their mobile phone to transmit sensitive financial
information. Sixty-three percent reported fears about this medium
exposing them to potential fraud and financial scams. Sixty-one percent
also worried about losing a mobile phone containing personal financial
information. The online survey was conducted in December 2007 with 1,072
U.S. adults aged 18 and older. More information
March 4, 2008 Reserve Banks Plan Change for ACH Postings
The Federal Reserve issued a proposal recently to change its
daylight overdraft posting rules to align the posting times for
automated clearing house credit and debit transfers. Under the current
posting rules, commercial and government ACH credit transfers processed
by the Federal Reserve Banks are posted at 8:30 a.m. ET, while
commercial and government ACH debit transfers are posted at 11 a.m. ET.
Under the Fed proposal, Reserve Banks would change the posting time for
commercial and government ACH debit transfers to 8:30 a.m. ET. The Fed
also said it would consult with the Treasury Department to move the
posting time for Treasury tax and loan investments to 8:30 a.m. ET. The
deadline for comments is June 4. More information
February 27, 2008 Princeton Research Group Finds Security Threat In File Encryption
A new breed of identity thieves may be able to gain access to
encrypted files including those containing bank account information and
credit card numbers, according to a recent study by a Princeton
University research team. The group, led by Princeton Public Affairs
Professor Ed Felten, published a 22-page white paper and additional
information about their findings on the University Center for
Information Technology Policy (CITP) website. The research team
discovered that the encryption key, which is a long series of bits (0s
or 1s), could easily be retrieved from the memory chips of computers.
The research team found that information remains in computer memory
chips for five to 45 seconds after shutting down. Information stored on
the computer can be read directly off the memory chips. Cooling the
chips with liquid nitrogen or compressed air can increase the retention
of information from seconds up to several hours. “The secret key
that can decrypt everything is sitting in the computer’s memory
chip, and because information can be captured from the memory chips,
that means these encrypted files are not nearly as safe as people
thought,” Felten explained. The biggest impact of the lingering
data will be on the data-encryption methods used to protect the files
on laptop computer hard drives, he said. Researcher John Halderman GS
said he was particularly concerned about the vulnerability of the
financial data stored on bank and credit card company computers.
“A laptop with bank account numbers or credit card numbers for
thousands of people is an enormous risk,” he said. “To
better protect this kind of information, companies should store it
exclusively on desktop machines, which are harder to lose or steal than
laptops,” Halderman said, adding, “If the information needs to be kept
on laptops, others should be careful to always shut them off when not in
use.” More information
February 19, 2008 Reserve Banks Publish Survey on Fedwire Message Changes
The Federal Reserve Banks are considering changes to the
Fedwire message format to enhance the transparency of cover payments and
to include structured business remittance information. Before making
these changes, the Reserve Banks are seeking feedback from Fedwire
participants and other interested parties through a survey. Cover
payments are used in correspondent banking, usually to facilitate
international transactions. They are payments made through a chain of
correspondent banks to settle a credit transfer message that travels a
more direct route to the ultimate beneficiary’s bank. The deadline
for responding to the survey is March 14. More information
February 14, 2008 Everify
Employers Using E-Verify
More than 52,000 employers have
voluntarily signed up to use the nation’s employment status
verification system known as E-Verify, said the U.S. Citizen and
Immigration Service on Feb. 12. The service started with a pilot group
of employers in five states and is now adding about 1,000 new employers
each week. E-Verify is a free, Web-based system that allows
participating employers to electronically verify the employment
eligibility of newly hired employees. The E-Verify system compares
employee information against more than 425 million records in the
database of the Social Security Administration and more than 60 million
records stored in the Department of Homeland Security database. A
recently added feature allows employers to compare photos of a new
hire’s employment authorization document or permanent resident
card against nearly 15 million images stored in DHS immigration
databases. Read more
February 13, 2008 Fed Alters Check Processing for Dallas, Kansas City
The Federal Reserve Board on Feb. 12 amended Regulation CC to
reflect the check processing changes in the operations of its 10th and
11th Federal Reserve Districts. Starting on April 19, 2008, the head
office of the Federal Reserve Bank of Kansas City no longer will process
checks, and banks currently served by that office will be reassigned to
the head office of the Federal Reserve Bank of Dallas. As a result of
these changes, some checks deposited in the affected regions that
currently are nonlocal checks will become local checks that are subject
to shorter permissible hold periods. More information
February 7, 2008 Reserve Banks See Acceleration of E-Payments
The Federal Reserve predicted an all-electronic payment system in the
not too distant future. In an article in its FedFocus publication, the
Federal Reserve Banks said this past September more than 50 percent of
the forward items they processed were deposited in a FedForward image
cash letter rather than as traditional paper deposits. "It has taken
us three years to move half of the forward volume to electronics, but we
expect the remaining half to move much more quickly. We’re passing
the tipping point," said Fred Herr, senior vice president in the Federal
Reserve Banks’ Retail Payments Office. Between 2003 and 2006,
the number of checks paid decreased by 6.4 percent per year, while the
use of debit card payments grew from 19 percent to 27 percent and
automated clearing house payments grew from 11 percent to 16
percent. More information
February 1, 2008 FTC Offers Malware Advice
The Federal Trade Commission on Thursday announced a new
publication to help consumers protect their computers against malware
and reclaim their computers and electronic information if malware is
already on their computers. The publication, “Minimizing the
Effects of Malware,” provides tips on spotting malware and urges
consumers to act immediately if they suspect their computers are
affected by malware. The agency noted that criminals use appealing Web
sites, desirable downloads and compelling stories to lure consumers to
links that will download malware. Installed malware is then used to
steal personal information, send spam and commit fraud. The publication
is available on FTC’s Web site. Read more
January 22, 2008 Internet Crime Center Issues Alert on New Bank Scams
The Internet Crime Complaint Center on Jan. 17 reported an
alarming rate of increase in “vishing” attacks against U.S.
financial institutions and their customers. The IC3 center is a joint
partnership of the FBI and the National White Collar Crime Center. In
vishing attacks, consumers receive an e-mail, text message or telephone
call supposedly from their credit/debit card companies directing them to
contact a telephone number to re-activate their cards due to a security
issue. In the schemes, people are persuaded to divulge their personally
identifiable information because they are told their accounts were
suspended, deactivated or terminated. Recipients are directed to contact
their banks via a telephone number. Upon calling the telephone number,
the recipients are greeted with "Welcome to the bank of ……"
and then requested to enter their card numbers to resolve a pending
security issue, IC3 said. To promote authenticity, some of the
fraudulent e-mails claim that the bank would never contact customers to
obtain their personal information by any means, including e-mail, mail
or instant messenger. Another version of the scam involves text messages
to customers’ cell phones claiming the recipients’ online
bank accounts have expired. To avoid the scam, IC3 said customers should
always call their banks using telephone numbers obtained
independently. More information
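The alert above describes a recognisable pattern: an account-status pretext, a phone number supplied in the message itself, a request for card data, and sometimes a reassurance clause. The following triage script is an added example (not IC3's or any bank's code) that scores inbound text or e-mail bodies against those cues; the cue lists, weights and threshold are assumptions chosen for illustration, and the sample messages are constructed.

```python
"""Heuristic triage of inbound messages for the vishing pattern in the IC3 alert.

Added example, not IC3's or any bank's code. The cue lists, weights and
threshold are assumptions chosen for illustration; the sample messages
are constructed.
"""
import re
from dataclasses import dataclass, field

# Cues taken from the alert: an account-status pretext, an instruction to call
# a number supplied in the message, a request for card data, and the
# "we would never contact you" reassurance some of the fraudulent e-mails carry.
PRETEXT_TERMS = ("suspended", "deactivated", "terminated", "expired",
                 "re-activate", "reactivate")
CALLBACK_TERMS = ("call", "contact", "dial", "phone")
DATA_TERMS = ("card number", "pin", "account number", "security issue")
REASSURANCE_TERMS = ("never contact", "will never ask", "would never ask")

# North American number shapes such as 1-800-555-0199 or (555) 010 2345.
PHONE_RE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")


@dataclass
class Verdict:
    score: int = 0
    reasons: list = field(default_factory=list)
    phone_numbers: list = field(default_factory=list)


def score_message(text: str) -> Verdict:
    """Return a score and the cues that produced it; higher means more vishing-like."""
    lowered = text.lower()
    verdict = Verdict(phone_numbers=PHONE_RE.findall(text))

    if any(term in lowered for term in PRETEXT_TERMS):
        verdict.score += 1
        verdict.reasons.append("account-status pretext")
    # The defining cue: the message itself supplies the number to call,
    # which is exactly what IC3 tells customers not to rely on.
    if verdict.phone_numbers and any(term in lowered for term in CALLBACK_TERMS):
        verdict.score += 2
        verdict.reasons.append("directs recipient to call a number in the message")
    if any(term in lowered for term in DATA_TERMS):
        verdict.score += 1
        verdict.reasons.append("mentions card or account credentials")
    if any(term in lowered for term in REASSURANCE_TERMS):
        verdict.score += 1
        verdict.reasons.append("reassurance clause seen in the fraudulent e-mails")
    return verdict


def is_suspected_vishing(text: str, threshold: int = 3) -> bool:
    """Threshold is an assumption; tune it against real traffic."""
    return score_message(text).score >= threshold


# Constructed sample messages (not taken from the alert).
SAMPLES = [
    "Your debit card has been suspended due to a security issue. "
    "Call 1-800-555-0199 now to re-activate your card.",
    "We will never ask for your PIN by e-mail. Your online account was "
    "deactivated. Contact (555) 010 2345 to restore access.",
    "Your March statement is now available. Sign in the way you normally do.",
]


def triage(messages=SAMPLES):
    """Score each message; returns a list of (score, suspected) pairs."""
    return [(score_message(m).score, is_suspected_vishing(m)) for m in messages]


if __name__ == "__main__":
    for text, (score, flagged) in zip(SAMPLES, triage()):
        print(f"{score} {'SUSPECT' if flagged else 'ok     '} {text[:60]}")
```

Substring matching is deliberately simple so the scoring is easy to read; in production the same cues would be fed into a proper classifier, and the extracted phone numbers compared against the institution's published contact numbers, which is the check the alert's advice (call only independently obtained numbers) amounts to.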
January 9, 2008 Security Firm Identifies Top 10 Internet Security Threats
Mass mailer worms accounted for many of the top 10 Internet
security threats in December, according to Fortinet's FortiGuard Global
Security Research Team. The “Netsky!similar” threat
accounted for the highest volume of activity detected by the security
company in December, representing 11.05 percent of the overall reported
activity. Other mass mailer threats on the top 10 list were: MyTob.FR at
3.4 percent, Lovgate.X2 at 2.9 percent and Zafi.D at 2.2 percent. TCent
and Bdsearch adware, which also appeared in the November report,
maintained their positions in the top 10 list. The company also said the
ANI07.A exploit remained very active, claiming a strong position in the
top 10 for the ninth consecutive month. The Istbar.PK trojan, which
installs a search toolbar on the user's Web browser and can download
various adware and trojans, reached the eighth position on the top 10
list -- up from the 25th position in November. More information
January 8, 2008 Identity Theft Challenges
Identity theft will continue to be a persistent and increasingly
complex crime, according to the Identity Theft Assistance Center. On the
positive side, the center noted the growing cooperation between the
public and private sector, the growth of state and regional task forces
devoted to identity theft and more successful prosecutions. Some of the
challenges identified by the center were: the use of new technologies by
criminals to commit identity theft; the increase in importance of
identity theft as a business issue; and the difficulty in profiling
identity thieves. The center is a nonprofit coalition of financial
services companies committed to protecting their customers from identity
theft. Read more
January 7, 2008 Treasury to Deliver Federal Benefits Through Debit Cards
The Treasury Department announced a new initiative to provide
Social Security and other federal benefits to recipients without banking
relationships through prepaid debit cards. Treasury’s Financial
Management Service will introduce the Direct Express Card in the spring
of 2008 through Comerica Bank and plans to provide national distribution
by the end of the summer. Federal benefit recipients who choose the
Direct Express option will have payments automatically deposited on
their Direct Express Card accounts on the federal beneficiary's
designated payment day. Cardholders will be able to access their money
at automated teller machines and financial institutions nationwide. They
also will be able to use their cards to get cash back and make purchases
at retail locations, as well as pay bills and make purchases online.
Treasury estimates that 4 million Social Security and Supplemental
Security Income check recipients do not have bank accounts. "The
explosive growth in the prepaid card industry offers an important
opportunity for Treasury to give unbanked payment recipients secure,
easy access to their funds, at low or no cost to the cardholder. We
ultimately would like to see an all-electronic Treasury -- with all the
security, efficiency and cost savings that would entail," said FMS
Commissioner Judy Tillman. More information
January 3, 2008 Federal Reserve Continues Check Processing Adjustments
The Federal Reserve announced on Jan. 2 changes to Regulation
CC to reflect the restructuring of its check processing operations.
Effective Feb. 23, banks with routing numbers 0220, 2220, 0223 and 2223
will be reassigned to the head office of the Federal Reserve Bank of
Cleveland. Effective March 29, banks with routing numbers 0213 and 2213
will be reassigned to the head office of the Federal Reserve Bank of
Philadelphia. As a result of these changes, some checks deposited in the
affected regions that currently are nonlocal checks will become local
checks that are subject to shorter permissible hold periods, the Fed
said. Between 2008 and early 2011, the Fed will reduce its check
processing operations to four Federal Reserve Banks – Cleveland,
Philadelphia, Atlanta and Dallas. The Fed has set tentative plans to
transfer the processing for Memphis, Tenn., to Atlanta during the third
quarter of 2008 and the check processing for Cincinnati to Cleveland in
the fourth quarter of 2008. Other fourth quarter 2008 transfers expected
are Seattle to Dallas and Windsor Locks, Conn., to Philadelphia. More information
January 2, 2008 FTC Reports on Use of Spam for Financial Crimes
Internet spam has increasingly become a significant global
avenue for the dissemination of malware and financial crime schemes,
according to a Federal Trade Commission staff report on a spam summit
held in July 2007. Panelists at the summit concluded that, in most
instances, the acts of malicious spammers are inherently criminal, and
criminal law enforcement agencies are best suited to shut down their
criminal operations. The report noted that there has been a dramatic
increase in the number of Web sites that either knowingly or unwittingly
host “crimeware code” that collects information about
end-users for the purposes of stealing the user’s personal
information, including their financial data. Summit speakers also
identified collaborative efforts throughout the public and private
sectors that have played, and will continue to play, a significant role
in the fight against malicious spam and phishing. Some of these
solutions include e-mail authentication and e-mail reputation services.
The report noted that BITS, the technology division of the Financial
Services Roundtable, has strongly recommended that its member financial
institutions adopt authentication by the end of 2008. More information
December 14, 2007 FinCEN Reports on E-mail Service
More than 18,000 people have subscribed to the free e-mail
subscription management service offered by the Financial Crimes
Enforcement Network during the past year. FinCEN said of the 25
topics to which users may subscribe, the most popular are Bank Secrecy
Act guidance (12,538 subscriptions), Suspicious Activity Report
information (12,236 subscriptions) and advisories/bulletins/rulings/fact
sheets (12,223 subscriptions). Subscribers may opt to have FinCEN
updates sent immediately, daily, weekly or monthly to their e-mail
accounts or directly to a wireless device. In the past year, FinCEN has
sent 709,577 e-mails alerting users to these various announcements, such
as guidance to financial institutions on the increasing money laundering
threat involving illicit Iranian activity. Read more
December 14, 2007 FBI Fights Botnets
The FBI recently reported success in its program to find and
stop botnets, which are armies of personal computers used by cyber
criminals to commit crimes. Botnets are used for such crimes as identity
theft, denial of service attacks and massive spam campaigns. In the
first phase of its operation in June, the FBI was able to pinpoint more
than a million victimized computers and charged a number of individuals
around the country with various cyber-related crimes. In the second
phase, three more indictments were issued and the agency has uncovered
more than $20 million in economic losses. A pair of men also were
recently sentenced who were involved in a major phishing scheme
targeting a Midwest bank that led to millions of dollars in
losses. Read more
December 11, 2007 Federal Reserve Study Finds Growing E-Payments Replacing Checks
Electronic payments are growing, while the number of check
payments continues to decline, according to a study published on Dec. 10
by the Federal Reserve. Of the 93 billion noncash payments in 2006,
about 63 billion were electronic and around 30 billion were checks, the
Fed said. Among the three main types of electronic payments, the annual
use of debit cards increased between 2003 and 2006 by about 10 billion
payments to 25.3 billion payments in 2006. Debit cards now surpass
credit cards as the most frequently used electronic payment type.
Over the same period, automated clearinghouse payments grew to 14.6
billion, an increase of almost 6 billion payments. Credit cards grew by
almost 3 billion payments to 21.7 billion in 2006. The highest rate of
growth from 2003 to 2006 was in ACH payments, which grew about 19
percent per year, followed closely by debit card payments at almost 18
percent. Meanwhile, checks declined by an average of 6.4 percent per
year since 2003. Another significant finding in the study was the
increasing proportion of checks processed electronically. During 2006,
almost 3 billion consumer checks, including checks sent to billers or
used as source documents to initiate electronic payments at the point of
sale, were converted and cleared as ACH payments rather than as check
payments. This was an eight-fold increase since 2003. More information
December 5, 2007 FDIC Revises Technology Examination Questionnaire
FDIC on Dec. 4 announced an update to its risk-focused
information technology examination procedures. As part of the revision,
the IT officer's questionnaire was enhanced to provide greater coverage
of vendor management and outsourcing topics, credit card and automated
clearing house payment system risks, and an institution's overall
information security program. The update includes a new vendor
management and service provider oversight section to reflect potential
reliance on outside firms for technology-related products and services.
New questions were added for payment system risks, including questions
relating to the originating financial institution, wire transfers,
credit card merchant processing, and remote deposit capture. The IT
officer's questionnaire must be completed and signed by an executive
officer of the financial institution and returned to the FDIC
examiner-in-charge prior to the on-site portion of the examination. FDIC
said its reference document should assist banks in conducting
self-assessments of their information security programs. More information
November 26, 2007 Senate Passes ID Theft Bill
The Senate on Nov. 15 unanimously passed legislation to give
federal prosecutors new tools to fight identity theft and cyber
crime. The Identity Theft Enforcement and Restitution Act (S.
2168) would give victims of identity theft the ability to seek
restitution for the loss of time and money spent restoring credit and
remedying the harm of identity theft. Another provision would ensure
that identity thieves who impersonate businesses to steal sensitive
personal data could be prosecuted under federal identity theft laws.
Currently, the law only provides for prosecution of identity theft
against an individual. Other features of the bill would enable
prosecution of those who steal personal information from a computer even
when the victim’s computer is located in the same state as the
thief’s computer; would eliminate the requirement that damage to a
victim’s computer exceed $5,000 before charges can be brought for
unauthorized access to a computer; would make it a felony to employ
spyware or keyloggers to damage 10 or more computers regardless of the
aggregate amount of damage caused; and would make it a crime to threaten
to steal or release information from a computer. Read more
October 31, 2007 FTC Warns of Fraudulent E-mail
The Federal Trade Commission issued a warning on Tuesday about
a bogus e-mail that refers to a “complaint” filed with
FTC against the e-mail’s recipient. FTC said the e-mail includes
links and an attachment that would download a virus if opened. The
e-mail has a phony sender’s address, making it appear that it is
from frauddep@ftc.gov. It also
spoofs the return-path and reply-to fields to hide the e-mail’s
true origin. While the e-mail includes the FTC seal, it has grammatical
errors, misspellings and incorrect syntax. Recipients should forward the
e-mail to spam@uce.gov and then
delete it, the agency said. While simply opening the e-mail does not
appear to cause harm, people who opened the attachment or clicked on the
links should run an anti-virus program. The virus appears to install a
“key logger” that could potentially grab passwords and
account numbers. Read more
October 30, 2007 Hackers Exploit PDF Vulnerability To Steal Data
SecureWorks reports that Russian hackers have been exploiting a
vulnerability in Adobe Acrobat and Reader on Windows to download a
variant of the Gozi Trojan via a PDF file which can capture data on
secure Web sites to glean personal and account data in financial and
other transactions. The latest version of it, Gozi.F, was detected by
only 26 percent of the 32 largest anti-malware vendors as of Oct. 23,
SecureWorks said. Adobe rated this vulnerability, which affects users on
Windows XP or Windows 2003 with Internet Explorer 7 installed, as
critical. Exploitation requires downloading the malicious file. The
company on Oct. 22 recommended that affected users upgrade to Adobe
Reader 8.1.1 or Acrobat 8.1.1. The PDF is labeled as a bill or invoice.
When opened, it downloads a first-stage downloader EXE file from the
hacker site (Russian Business Network) by