Contact: Mary Beth Quist
June 17, 2009 Technology Consortium Begins Final Phase of Mobile Banking Project
The Financial Services Technology Consortium announced on June
16 plans to move into the third and final phase of a Mobile Payment
Technology Project. The goal of the project is to aid financial
institutions in offering mobile banking and payments services with
appropriate controls. The program builds on two previous
projects that examined various technology models supporting mobile payments,
with a strong emphasis on opportunities to improve transaction security
over more traditional existing payment systems. The program has involved
140 people from more than 50 member institutions. The consortium is a
division of the Financial Services Roundtable, which represents the 100
largest integrated financial services companies. More information
June 10, 2009 Authentication Paper Aims to Halt Phishing E-mails
BITS and eCert on June 9 released a paper to serve as a guide for
financial services companies to adopt sender authentication protocols
for e-mails. BITS is the technology division of the Financial Services
Roundtable, which represents the 100 largest financial services
companies. eCert is an intermediary that accredits domains that send
e-mails and certifies that their traffic defends against e-mail fraud
activities, such as phishing. The paper – E-mail Sender
Authentication Deployment – is designed to help all organizations
concerned with e-mail spoofing by outlining best practices for
standards-based e-mail authentication protocols, said BITS Security
Steering Committee Chairman Ken Schaeffler, who also is senior vice
president and information security director at Comerica Bank. The paper
is available on the Internet and discusses critical success factors for
sender authentication deployment, offers project planning and execution
resources, and addresses adoption issues. More information
May 29, 2009 President Obama Focuses on Cyber Security
President Barack Obama announced plans to create a post of
cyber security coordinator to oversee "a new comprehensive approach to
securing America's digital infrastructure." The economic crisis cannot
be tackled without ensuring the safety of the nation's online
activities, Obama said. "America's economic prosperity in the 21st
century will depend on cyber security," he said. The President's
announcement followed a 60-day review of the government's cyber security
efforts, conducted by the National Security Council and Homeland
Security Council. The results of the review are posted at www.whitehouse.gov along with
links to more than 100 documents that helped inform the review. More information
May 27, 2009 SEC Hosts Seminar on Interactive Data Reporting
The Securities and Exchange
Commission will hold a public seminar on June 10 to help companies
comply with new rules that require financial reports to be filed using
interactive data, known as XBRL. The seminar will cover the technology
requirements for complying with the rules and an overview of the tools
and information provided by the Commission to assist with compliance.
The seminar also will cover frequently asked questions about the rules
and technology requirements. In adopting the final rule, SEC noted that
interactive data has the potential to increase the speed, accuracy, and
usability of financial disclosure and eventually reduce costs. The
seminar also will be made available through a Web cast on SEC’s
Web site.
More information
May 26, 2009 Phishing Attack Spreads Through Facebook
A very simplistic phishing attack is spreading through the
popular social network Facebook. It arrives as a Facebook message titled
"Hello." If you click on the hyperlink, it takes you to a fake
Facebook login page, where you are prompted to type your username
and password. If you're gullible enough to click through to the fake page and
type in your credentials, your password will be changed, and you'll be
locked out of your account. The phishers will then use your account to
replicate the attack to everyone on your friends list, he says. More information
May 21, 2009 Fed Bank IT Staffer Arrested for Insider Data Theft
According to news reports, a former New York Federal Reserve
Bank employee and his brother have been charged with identity theft and
fraud. Curtis Wiltshire, who worked as an information and technical
analyst at the bank's lower Manhattan branch, and his brother were
arrested April 24 for allegedly obtaining bank loans using co-workers'
personal information. The case was uncovered in February by a bank
investigator who found loan applications in the names of other people on
a thumb drive attached to Wiltshire's computer. The suspect's brother,
Kenneth Wiltshire, was also arrested for attempting to obtain a boat
loan in someone else's name. More information
April 23, 2009 Panel Says National Consumer Privacy and Security Law Needed
The United States needs a national consumer data privacy and security
law, a panel at this week's RSA Conference concluded. "The country is
operating amid a fundamental paradox -- it has too many privacy and
security laws and, at the same time, too few," said panelist James
Dempsey, policy director at the Center for Democracy and Technology, a
nonprofit advocacy group, according to an article in SC Magazine. He
described the array of federal laws dealing with data security as being
like a “patchwork quilt.” Nearly every state has its
own data security law and that makes for a compliance nightmare,
panelist Adam Rak, senior director of government relations at Symantec,
said. Having a national law will help, he added. The panel also agreed
that for consumers who have been impacted by data-loss incidents, free
credit monitoring is not enough. Panelists also discussed how a national
data privacy and security law might work in a global
environment. More information
April 15, 2009 Survey Finds Internet Banks Make Gains in Market Share
Internet-based financial institutions are beginning to make gains in
market share, according to a study released by Synergistics Research
Corp. The study found that Internet-based financial institutions have
nearly doubled their penetration during the past two years. The 2009
survey found 39 percent of Internet households with checking accounts
currently have a relationship with an Internet-based financial
institution. This is a significant increase from an earlier 2007 study
where 21 percent of Internet households with checking accounts were
using an Internet-based financial institution. The study found that most
of the Internet-based financial institutions were aiming to be niche
players seeking a piece of the banking customers’ business. The
companies sought to “capture a portion of customers’ core
deposits that would be going into savings, money market accounts, or CDs
at a traditional branch-based institution,” said Synergistics
Chief Operating Officer Genie M. Driskill. The research was based
on a national online survey of 1,000 checking account holders age 18 or
older. More information
April 14, 2009 Crime Center Reports Rising Internet Crimes, Record Losses
Dollar losses from online fraud reported to the U.S. Internet
Crime Complaint Center, known as IC3, rose to a record $265 million in 2008, up from
$239.1 million in 2007, the center said. The
number of fraud complaints increased by 33.1 percent to 275,284. The
average individual loss was $931. The center said the cost of reported
online crime complaints has climbed steadily since 2004. In 2004, IC3
reported industry losses of $68.14 million and 207,449 crime complaints.
In 2008, credit and debit card fraud accounted for 9 percent of the
complaints, nondelivery of purchased goods and services accounted for
32.9 percent and fraudulent auctions accounted for 25.5 percent. Hot
spots for criminal activity were California, New York, Florida, Texas,
the District of Columbia and Washington. “This report illustrates
that sophisticated computer fraud schemes continue to flourish as
financial data migrates to the Internet. It also underscores the need
for continued vigilance on the part of law enforcement, businesses, and
the home computer user to be aware of these schemes and employ sound
security procedures,” said FBI Cyber Division Assistant Director
Shawn Henry. The complaint center is a partnership of the Federal Bureau
of Investigation and the National White Collar Crime Center. More information
April 10, 2009 Conficker Worm Variant Surfaces
A new variant of the Conficker Worm has been detected. This variant
updates earlier infections via its peer-to-peer (P2P) network as well as
resuming scan-and-infect activity against unpatched systems. Public
reporting indicates that this variant attempts to download additional
malicious code onto victim systems, possibly including copies of the
Waledac Trojan, a spam-oriented malicious application which has
previously propagated only via bogus email messages containing malicious
links. US-CERT is aware of public reports indicating a widespread
infection of the Conficker/Downadup worm, which can infect a Microsoft
Windows system from a thumb drive, a network share, or directly across a
corporate network, if the network servers are not patched with the
MS08-067 patch from Microsoft. Users can apply a simple test for the
presence of a Conficker/Downadup infection on their home computers: an
infection may be indicated if a user is unable to reach their security
vendor's website. An infection can also be confirmed by downloading the
detection/removal tools available free from Symantec, Microsoft and McAfee,
since the most recent variant of Conficker/Downadup interferes with DNS
queries for these sites, preventing a user from visiting them. If a
Conficker/Downadup infection is suspected, the system should be removed
from the network or, in the case of home users, unplugged from the Internet.
Somewhere between 1 million and 2 million computers are believed to be
actively infected with the malware, down from almost 9 million in
January. According to IBM (NYSE: IBM) ISS Managed Security Services, the
highest number of infections are in Asia (45%), followed by Europe
(31%), South America (13.6%), and North America (5.8%), with the rest in
the Middle East, Africa, and elsewhere. More information
April 10, 2009 Use of Automated Payments Continues to Climb
The number of automated clearing house payments in 2008 climbed
to 18.2 billion, up from 1.2 billion in 2007, according to statistics
released by the National Automated Clearing House Association. NACHA
said the number of Internet-initiated ACH debits increased by 19.7
percent to almost 2.1 billion payments. When combined with
consumer-initiated credit payments, the dollar value of consumer ACH
payments made via the Internet was $939 billion in 2008. There also was
a 14.6 percent increase in business-to-business payments in 2008 to more
than 1 billion transactions. In the first year of back office
conversion, more than 78.4 million e-check payments were made. On the
security front, the rate of ACH debits returned as unauthorized declined
slightly to 0.040 percent from 0.041 percent in 2007. More information
April 10, 2009 Federal Reserve:
The Federal Reserve Banks launched a new automated clearing house service on April 6 aimed
at the cross-border market. The FedGlobal ACH Services will provide
cross-border, electronic payments to more than 30 countries in Europe
and Latin America. While the Federal Reserve has provided outbound ACH
payments to Canada, Mexico and several European countries, the new
offering will increase the number of countries and the payment options.
The Reserve Banks will first expand the service to 22 European countries
and Panama. The plan calls for future growth into Latin America and
Asia. In addition to payments between deposit accounts, the Reserve
Banks will allow transfers of funds from accounts at U.S. depository
institutions to people without a banking relationship at bank locations
or at trusted, third-party providers. “Banks and credit unions
have been requesting this service for several years now,” said
Elizabeth McQuerry, assistant vice president at the Federal Reserve
Banks’ Retail Payments Office. More information
February 24, 2009 Automated Payment Volume Continues to Rise
Automated clearing house payments continued to grow, rising by
4.5 percent to more than 3.8 billion payments in the fourth quarter
of 2008 compared with a year earlier, according to statistics released by the
National Automated Clearing House Association. Internet-initiated ACH
payments rose by 16.5 percent between the fourth quarters of 2008 and
2007 to a total of 552 million payments worth $220 billion. During the
same time period, the number of business-to-business payments grew by 15
percent to 14.4 million payments worth $691 billion. These transactions
involved more than 195 million electronic remittance records that moved
with the business payments. Back office check conversions rose to more
than 39 million payments at the end of 2008, up from 3 million payments
at the end of 2007. More information
February 18, 2009 Microsoft Forms Partnership to Target Computer Worm
Microsoft on Feb. 12 announced a partnership with technology
industry leaders and academia to adopt a coordinated, global response to
the Conficker (aka Downadup) worm. Microsoft also announced a $250,000
reward for information that results in the arrest and conviction of
those responsible for illegally launching the Conficker malicious code
on the Internet. Microsoft released a security update to combat the worm
on Oct. 23, 2008. Two variations of the worm, which allows the attacker
to anonymously take control of a vulnerable system, were identified on
Nov. 21 and Dec. 29. Along with Microsoft, organizations involved in
this collaborative effort include: the Internet Corporation for Assigned
Names and Numbers, NeuStar, VeriSign, CNNIC, Afilias, Public
Internet Registry, Global Domains International Inc., M1D Global, AOL,
Symantec, F-Secure, ISC, researchers from Georgia Tech, the Shadowserver
Foundation, Arbor Networks and Support Intelligence. More information
February 13, 2009 Industry Group Works on Check Image Recommendations
A banker-driven check image working group will release best practices
and recommendations to eliminate some of the lingering barriers to check
image exchange. The Image Industry Interoperability Group, known as i3G,
will make the recommendations available in detail in March on a
collaborative Web site www.checkimagecentral.org.
The recommendations include: best practices for resolving large scale
file presentment incidents, including a new industry event notification
system; guidelines for proper use of bank of first deposit endorsement
records; clarification on the standard approach for “TIFF”
tag use; and guidelines for MICR line requirements for imaged items. The
recommendations are designed to clear up costly operational hiccups,
said Brian Egan, vice president with the Federal Reserve Bank of Atlanta
and a member of i3G. Other members include Bank of America, the
Independent Community Banking Association and Southwest Corporate
Federal Credit Union. More information
February 4, 2009 Data Breach Study Finds Costs Continue to Climb
Data breach costs continued to climb in 2008, with an average
total per-incident cost of $6.65 million, up from $6.3 million in 2007,
according to a report issued on Feb. 2 by PGP Corp. and Ponemon
Institute. The study said data breach incidents cost U.S. companies $202
per compromised customer record in 2008, compared to $197 in 2007. The
study was based on 43 organizations across 17 different industry
sectors. The study tracks a wide range of cost factors, including
expenses for detection, administration, customer defections, reputation
management, and customer support. Other key findings from the study
included: more than 88 percent of the cases in the study involved
insider negligence; 44 percent of the cases involved third-party
organizations; and the health care and financial services industries
experienced the highest loss of customers due to breaches at 6.5 percent
and 5.5 percent respectively, reflecting the sensitivity of the data
collected and customers’ expectations that information will be
protected. More information
January 21, 2009 Heartland Payment Systems Uncovers Malicious Software In Processing System
A new data breach disclosed by Heartland Payment Systems could become
the largest ever recorded, with potentially over 100 million cards being
compromised.
Heartland, a N.J.-based provider of credit and debit card processing
services, said that unknown intruders had broken into its systems
sometime last year and planted malicious software to steal card data
carried on the company's networks. The company, which is among the
largest payment processors in the country, claimed to have discovered
the intrusion only last week after being alerted by Visa and MasterCard
of suspicious activity. The company said the intrusion may have been the
result of a "widespread global cyberfraud operation". Heartland said
that no merchant data, cardholder's Social Security numbers, or
unencrypted personal identification numbers (PIN), addresses or
telephone numbers were compromised. The incident suggests that
cybercrooks are increasingly beginning to target payment processors,
Avivah Litan, an analyst with Gartner, Inc. said. Heartland has created
a website - www.2008breach.com
- to provide information about this incident and advises cardholders to
examine their monthly statements closely and report any suspicious
activity to their card issuers. Cardholders are not responsible for
unauthorized fraudulent charges made by third parties. More Information
January 15, 2009 FFIEC Issues Risk Management Guidance for Remote Capture Systems
The Federal Financial Institutions Examination Council issued guidance
on Jan. 14 outlining appropriate risk management practices for remote
deposit capture systems. The systems allow customers to make deposits
from their homes or businesses instead of taking the deposits to their
financial institutions. The guidance – “Risk Management of
Remote Deposit Capture” – addresses the essential elements of
risk management: identifying, assessing, and mitigating risk, as well as
measuring and monitoring residual risk exposure. The guidance also
discusses the responsibilities of senior managers in overseeing the
development, implementation, and operation of RDC in their financial
institutions. The document calls for ensuring adequate risk management
at customer locations including, but not limited to, controls over
retained nonpublic personal information. When the Internet is used as
the communications channel, FFIEC said effective methods to authenticate
the identity of customers must be used, and noted that single-factor
authentication methods may not provide sufficient protection for
Internet-based financial services. The guidance is designed for
use by examiners, financial institutions, and technology service
providers. More information
January 6, 2009 Data Breaches Up 47% in 2008
A report issued today by the Identity Theft Resource Center found that
data breaches were up 47 percent from last year, affecting some 35.7
million Americans. The Center, a nonprofit group that works to prevent
identity fraud, said some 656 breaches were reported
in 2008, compared to 446 in 2007. The report indicated that the
percentage of breaches attributed to data theft from current and former
employees more than doubled to nearly 16 percent in 2008. The largest
single cause of data breaches stemmed from human error. Over 35 percent
were caused by lost or stolen laptops and other removable electronic
devices or inadvertent posting of personal data online. The
Center’s co-founder Linda Foley said that annual statistics mask
the extent of the problem, as many businesses fail to report data
breaches. Forty-five states currently require that consumers be notified
of any loss or theft of private records. More information
December 10, 2008 FBI Issues Warning on New Vishing Attacks
The FBI identified a new technique used by criminals to conduct
vishing attacks. The scheme involves exploiting a security vulnerability
in early versions of the Asterisk software. Asterisk is free software
used widely to integrate Private Branch Exchange systems with Voice over
Internet calling services. Cyber criminals may exploit the vulnerability
in Asterisk to use the system as an auto dialer, generating thousands of
vishing telephone calls to consumers within one hour. A system security
patch for Asterisk has been available since March 2008. The FBI said it
is imperative that businesses using Asterisk upgrade their software to a
version that has had the vulnerability fixed. More information
December 9, 2008 FTC Hosts Meeting on Personal Data Security
The Federal Trade Commission, in conjunction with two international
organizations, will host a two-day international conference on securing
personal data on March 16-17 in Washington, D.C. The conference
will address how companies may manage personal data-security issues in a
global information environment where data may be stored and accessed
from multiple jurisdictions. Working with the Asia-Pacific Economic
Cooperation forum and the Organization for Economic Cooperation and
Development, FTC will bring together regulators, policymakers, consumer
advocates, industry representatives, technology experts and academics
from around the world. The conference will address best practices and
legal requirements for business in data security, data breach responses,
and conflicts-of-law issues. One goal of the conference is to help
stakeholders understand how and where data flows, so they can identify
ways to keep it secure as it moves around the world. Participants also
will consider the current legal environment and next steps. The
conference will be made available via the Internet. More information
November 4, 2008 FinCEN Reminds Bankers Magnetic BSA Reporting Ends Soon
The Financial Crimes Enforcement Network reminded financial
institutions that they must switch to electronic filing of Bank Secrecy
Act reports by Dec. 31, 2008. The electronic system will replace filing
via tapes and diskettes. FinCEN said the Web-based BSA E-Filing system
is more secure, cost-efficient and user-friendly. The system can be used
for single and multiple BSA reports and uses the same file format as the
Magnetic Media program. The system should speed reporting and
acknowledgement of files. Financial institutions currently using the
Magnetic Media program may register to use BSA E-Filing at any
time. More information
November 3, 2008 FinCEN Tightens Validations for BSA Electronic Filings
The Financial Crimes Enforcement Network announced on Oct. 31 that it is
changing its validation process for batched submissions to the Bank
Secrecy Act Electronic Filing System starting on Nov. 15. The goal of
the changes is to improve BSA data quality by providing detailed error
notifications to filers. FinCEN will adopt the new validation
approach in two stages. In the first stage, which will last a minimum of
six months, all submissions that do not correspond to formatting
requirements will be accepted with warnings. After the first three
months, FinCEN will assess the process to determine if the initial
six-month period should be extended. Once FinCEN initiates the second
stage of the process, the BSA E-Filing system will either accept
submissions with warnings or completely reject the submission, depending
on the severity of the errors. FinCEN is making a user test system
available on its Web site -- http://sdtmut.fincen.treas.gov/. More information
October 29, 2008 Report: Cyberthreats, Spam On The Rise
The Secure Computing Group this week released its third-quarter
Internet Threats Report, finding that cyberthreats are on the rise. The
volume of spam hit record levels last summer, with more of it than ever
coming from sources in the United States. The findings from the
company’s study of worldwide Internet traffic continue
long-established trends, with online threats becoming more common and
more criminal, said Sven Krasser, director of data-mining research at
Secure Computing. The most disturbing aspect is the growing use of spam,
malicious code and botnets by organized criminals who are in it to take
your money, he added. E-mail volume already tops 200 billion messages a
day, and most of it is spam or other malicious material. The company
predicts that the volume could grow to 250 billion messages a day during
the coming holiday season. Phishing e-mail messages that attempt to
capitalize on fears about the economic crisis are also emerging. Banking
messages made their way into the top 10 types of spam encountered in the
past three months. The report says the top five types of malware
detected in the third quarter, ranked by prevalence, were:
(1) Infection of legitimate Web sites through SQL injection
attacks; (2) Trojan.Hijacker.Gen, a generic name for new malware that
creates backdoor access to computers; (3) The Netsky worm, which
keeps compromised computers generating e-mail traffic for years despite
most anti-malware products’ ability to detect it; (4) The FSG
runtime packer, which continues to create new variants of malware and
hide malicious intent; and (5) A new entry, HIDDENEXT.Worm.Gen,
that spreads through removable devices such as USB thumb drives. More information
October 28, 2008 GAO Reports on Check 21 Image Processing
A report by the General Accountability Office found few
consumer complaints about the Check 21 image processing procedures. GAO
said its interviews with customers found that the majority “accepted
not receiving their cancelled checks and being able to access
information about their checking account activity online.” The
consumers were comfortable about using substitute checks or check images
rather than a cancelled check to prove payments. GAO noted that only 11
percent of the 108 consumers preferred to receive canceled checks.
Consumers also benefited from faster processing and access to account
information, the report said. Since 2004, fees for canceled checks
appear to have increased, GAO said, while fees for images appear to have
remained relatively flat. From the bankers’ perspective, GAO found
that check truncation has not resulted in overall gains in economic
efficiency for the Federal Reserve or a sample of banks. Part of the
problem for banks and the Federal Reserve is the expense of maintaining both
the paper and image-based check processing systems. More information
October 28, 2008 Federal Reserve, Clearing House Adopt New Payment Format
The Federal Reserve Banks and The Clearing House recently completed and
distributed specifications for banks to maintain a message format for
cover payments that will make the originator and ultimate beneficiary
more transparent when messages are sent through the Fedwire and CHIPS
message systems. The message format is compatible with the SWIFT
enhanced message format. Cover payments frequently pass through a chain
of correspondent banks and the changes will help prevent intermediary
banks from unknowingly facilitating illicit activities. The changes will
take effect in November 2009, but banks should start adapting their
internal systems now, said Lauren Hargraves, senior vice president of
the Federal Reserve Banks’ Wholesale Product Office. After the
adoption of the new format for cover payments, the Fed and The Clearing
House will focus on enabling their systems to carry remittance
information with wire payments by the fourth quarter of 2010. More information
October 22, 2008 FBI Reports Rise in Cyber Attacks
Crooks and spies using the Internet to commit crimes against
U.S. businesses and to attack government networks are getting more
sophisticated, and the increasing number of such crimes not only impacts
the economy, but threatens national security, said Shawn Henry, the new
head of the FBI’s Cyber Division. At a press briefing, Henry said
as many as two dozen nations have aggressively sought to penetrate U.S.
networks and malicious activity has become much more prevalent. He said
virtual gangs are banding together to pool their expertise and carry out
coordinated cyber attacks. The increased activity is reflected in the
number of complaints reported to the Internet Crime Complaint Center,
known as IC3. Recently, IC3 has been receiving complaints at the rate of
about 20,000 per month, he said. One of the FBI’s strategies to
address the increase is to build stronger partnerships with law
enforcement agencies worldwide. Henry said the FBI sent agents to
Romania, which led to nearly 100 arrests in cyber crime cases
representing tens of millions of dollars in losses. More information
October 20, 2008 Some Slowdown In Adoption of Remote Deposit Capture
A new report by the financial services research and advisory
firm Celent LLC finds midsize banks, community banks and credit unions
continue to adopt remote deposit capture (RDC). The report projects that by
the end of 2008, two-thirds of all US banks and 40% of all US financial
institutions will have adopted RDC, although the pace of adoption has
slowed somewhat. Celent expects some 3,000 new implementations in
2008 for a total of 7,200 RDC-deploying financial institutions by
the end of the year. “Celent finds the RDC market still relatively
untapped, with no indication of overstatement in earlier estimates of
market opportunity, as many as 5 million capture points by 2014,”
says Bob Meara, author of the report and senior analyst with
Celent’s Banking Group. “What is now clear, however, is that
realization of the market opportunity will take longer than originally
thought, particularly considering the tumultuous conditions of the US
financial services industry.” More information
October 6, 2008 FedScoop IT Site Goes Live
Goldy Kamali announced the launch on October 1 of a new Web site,
FedScoop.com. The site bills itself as "a comprehensive online news
source for the Government IT community." FedScoop streamlines news
and top stories from the most trusted and popular web sites and blogs on
the net. FedScoop’s Founder and President, Kamali, said, “I
guess everyone was as tired as I was of going to 15 different places to
search topics like Telework or cloud computing.” A prominent high
tech sales and marketing executive, Kamali most recently served as
Executive Director of AeA’s Government and Commercial Markets
Group where she ran all of AeA’s Federal Business Development
programs and initiatives. More information
September 3, 2008 FDIC Provides Hurricane Information Via Web
FDIC announced on Sept. 1 that it is working cooperatively with
state and federal banking agencies and other organizations to determine
the status of the financial institutions located in the areas affected
by Hurricane Gustav. Through a Web page, the agency is providing the
best available consumer contact and branch information for all
institutions headquartered in the affected areas. The information will
be updated as it becomes available to FDIC and other state and federal
regulators. FDIC also is making available a housing recovery guide it
developed with NeighborWorks for victims of Hurricanes Katrina, Wilma
and Rita, along with other resources. More information
August 21, 2008 FTC Hosts Free Workshop on Radio Frequency Technology
The Federal Trade Commission will host a free “Transatlantic RFID
Workshop on Consumer Privacy and Data Security” on Sept. 23 in
Washington, D.C., to explore emerging applications of radio frequency
identification technology and their implications for consumer protection
policy. The workshop will bring together industry representatives,
government officials and consumer advocates from Europe and the United
States to discuss security and privacy concerns associated with RFID
technology. The workshop will explore the increasing prevalence of
contactless payment devices in everyday consumer transactions, including
credit card purchases and public transit, as well as the growing use of
item-level tagging in the retail sector. The workshop will examine
consumer awareness and education initiatives regarding these
developments; security and privacy threats and proposed solutions; and
emerging technologies and practices that may shape the marketplace in
the coming years. FTC will provide a live Web cast of the workshop on
its Web site. More information
July 30, 2008 Mavent Awarded Patent For Mortgage
Compliance Software
Mavent Inc. today announced that it has been awarded a U.S. patent for
technology used for compliance with consumer credit regulation. The
patent covers systems, software programs and methods of use for
businesses that originate and close loans secured by real estate in
order to audit such loans for compliance with state and federal laws and
regulations. This is the first time an automated regulatory compliance
vendor to the mortgage industry has received such a patent. Licenses to
utilize the patent are currently available to Mavent clients as a
component of its integrated services. Mavent analyzes electronic loan
data to determine whether a loan complies with more than 300 federal and
state consumer protection laws related to mortgage lending.
Mavent’s compliance rules are maintained by its in-house attorneys
in coordination with, and subject to ultimate approval by, its network
of nationally recognized law firms. More information
July 25, 2008 GENESYS Corrections for the March 2008 Call
Report Changes
Certain changes to the Call Report were implemented effective March 31,
2008. Details of these revisions can be found at the link noted at
the end of this message. The eXamination Download System (XDS) and
the General Examination System (GENESYS) have not yet been updated to
reflect these changes. Consequently, some of the figures and
ratios generated in these systems using March 31, 2008 Call Report
information may be inaccurate. Until XDS and GENESYS can be updated,
examiners will need to correct inaccurate data manually.
Instructions for manually correcting figures and ratios in GENESYS are
outlined below. Click here to see more information
July 22, 2008 FinCEN to Replace BSA Magnetic Filing With
E-Filing
The Financial Crimes Enforcement Network announced on July 21 that it
will discontinue the Bank Secrecy Act Magnetic Media Filing program by
the end of the year. Current Magnetic Media filers must transition to the
BSA E-Filing system no later than Dec. 31, 2008. FinCEN said the
change will provide a filing system that is more secure, efficient and
effective. The BSA E-Filing is a Web-based system that uses an
identification name and password and does not require storage media. The
system supports the filing of both single and multiple BSA reports and
uses the same file format as the Magnetic Media program. The new system
should reduce reporting costs and speed the filing time for a wide range
of BSA forms. Financial institutions currently using the Magnetic Media
program may register to use the BSA E-Filing system at any time, FinCEN
said. More information
July 18, 2008 Study Finds Encrypted Hard Drives
Vulnerable
Researchers at the University of Washington and BT report that
encryption software intended to keep part of a computer's hard drive
private may not be totally secure. Tadayoshi Kohno, an assistant
professor at the University of Washington in Seattle, found that popular
programs like Word and Google Desktop store data on unencrypted sections
of a computer's hard drive, even when the programs are working with
encrypted files. "Information is spilling out from the encrypted region
into the unencrypted region," Kohno said. He believes that there are
probably many other applications and operating system components that
leak information in a similar way. The study found that people who
use full-disk encryption, where every piece of data on the hard
drive is encrypted, do not have to worry about this leak. However, the
issue arises when users create an encrypted partition or virtual disk on
their hard drives, leaving part of the drive unencrypted, or even when
they store data on encrypted USB devices, Kohno said. With Google
Desktop, the researchers were able to read snapshots of encrypted files
when the program's Enhanced Search option was enabled. More information
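The leak the study describes can be checked for on your own machine with a canary: write a unique marker string into a document on the encrypted volume, work with the file in the applications you actually use (editor, indexer, backup agent), then search every unencrypted file for the marker. The Python below is an added example, not code from the study or its authors; it simulates the layout in a temporary directory (a "vault" directory stands in for the encrypted volume, "home" for the rest of the disk) and constructs an editor autosave and a search-index file that spilled the marker outside the vault.

```python
import os
import tempfile
from pathlib import Path

# Constructed canary: a string that occurs nowhere else on the machine. It is
# written into a document on the encrypted volume; any copy found outside
# the volume is a leak.
CANARY = b"CANARY-7f3a9c1e-encrypted-volume-marker"

def find_leaks(root, canary, exclude):
    """Return sorted paths (relative to root, '/'-separated) of files under
    `root` that contain `canary`, skipping the `exclude` tree, which is the
    encrypted volume itself and legitimately holds the marker."""
    root = Path(root).resolve()
    exclude = Path(exclude).resolve()
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath).resolve()
        if here == exclude or exclude in here.parents:
            dirnames[:] = []          # do not descend into the vault
            continue
        for name in filenames:
            path = here / name
            try:
                data = path.read_bytes()
            except OSError:
                continue              # unreadable: skip rather than guess
            if canary in data:
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)

def demo():
    """Constructed scenario in a temp dir: 'vault' stands in for the encrypted
    volume, 'home' for the unencrypted part of the disk; an editor autosave
    and a desktop-search index have spilled the document's contents into
    'home', while an unrelated file has not."""
    base = Path(tempfile.mkdtemp())
    vault = base / "vault"
    home = base / "home"
    vault.mkdir()
    (home / "Documents").mkdir(parents=True)
    (home / ".cache" / "search-index").mkdir(parents=True)
    (vault / "secret.docx").write_bytes(b"Quarterly numbers: " + CANARY)
    (home / "Documents" / "~$secret.tmp").write_bytes(CANARY)                    # autosave leak
    (home / ".cache" / "search-index" / "idx.db").write_bytes(b"\x00" + CANARY)  # index leak
    (home / "notes.txt").write_bytes(b"nothing sensitive here")                   # clean
    return find_leaks(base, CANARY, vault)

if __name__ == "__main__":
    for hit in demo():
        print("leak:", hit)
```

On a real system, run the scan as root over the unencrypted filesystem roots (and swap and hibernation files, which the same check covers if they are readable), with the mounted encrypted volume as the excluded tree; a hit in a cache, index, temp or autosave location tells you which application is spilling.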
July 10, 2008 BITS White Paper Offers Subcontractor
Guidance
BITS, the technology subsidiary of the Financial Services
Roundtable, recently published a white paper on how to manage vendor
subcontractor relationships. The white paper – Key Considerations
for Managing Subcontractors -- examines the risks for financial
institutions as their primary vendors increasingly distribute services
to subcontractors. As outsourcing practices mature and develop
throughout the industry, the use of subcontractors has increased.
“Financial institutions must increasingly manage risks associated
with vendors with whom they have no direct relationship,” said
BITS President Leigh Williams. The paper provides guidelines to help
financial institutions evaluate the processes associated with the use of
subcontractors. It discusses regulatory requirements, policy
considerations, due diligence, contracting considerations, subcontractor
approval, and ongoing monitoring. The paper was developed under the
direction and guidance of the BITS Vendor Management Steering Committee
and other BITS member companies. More information
July 9, 2008 Massive Patch To Address DNS
Flaw
Vendors of Domain Name System (DNS) servers plan to make an
unprecedented coordinated release of patches for a fundamental flaw in
DNS, a core component of the Internet. Most vendors are releasing
patches today, and others are expected to follow soon, said Dan
Kaminsky, director of penetration testing at IOActive Inc., who
discovered the vulnerability about six months ago. Automatic updates
will handle patching on most servers, but it is critical for all
organizations to identify DNS servers in their networks and make sure
that the proper patches are applied, Kaminsky said. According to a
bulletin from the U.S. Computer Emergency Readiness Team (US-CERT), the
vulnerability (VU#800113) could allow cache poisoning and misdirection
of Web requests, sending users to attacker-controlled Web sites. DNS is a
hierarchical system that translates domain names, such as the host names
in URLs and e-mail addresses, into IP addresses. That function makes DNS
essential to almost all uses of the Internet. Because the vulnerability is in the
basic design of the protocol, it is found in nearly all its
implementations. Kaminsky is scheduled to release details of the
vulnerability next month at the Black Hat Briefings security conference
in Las Vegas. More information
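The coordinated patches did not change the protocol; they made resolvers randomise the UDP source port of their outgoing queries, so that an attacker racing a poisoned answer has to guess the 16-bit transaction ID and the port together rather than the ID alone. A practical follow-up to "make sure the proper patches are applied" is to look at what a resolver actually sends. The Python below is an added example, not from US-CERT or Kaminsky; it scores a sample of (source port, transaction ID) pairs as a packet capture on the resolver's upstream interface would show them. The two samples are constructed, and the 6-bit port-entropy threshold is a hypothetical cut-off (200 queries spread over distinct ports give at most log2(200), about 7.6 bits; a fixed port gives 0).

```python
import math
from collections import Counter

# Constructed samples of (source_port, transaction_id) from a resolver's
# outgoing queries. In practice, take them from tcpdump/tshark on the
# resolver's upstream interface.
FIXED_PORT_RESOLVER = [(53, 0x1a2b + i) for i in range(200)]          # pre-patch behaviour
RANDOM_RESOLVER = [((7919 * i + 1) % 64512 + 1024, (40503 * i + 17) % 65536)
                   for i in range(200)]                                # 200 distinct ports and IDs

def entropy_bits(values):
    """Shannon entropy (bits) of the observed distribution; for n samples the
    maximum is log2(n), so compare against that, not against 16."""
    counts = Counter(values)
    n = len(values)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def assess(samples, min_port_entropy=6.0):
    """Summarise source-port and transaction-ID randomisation in a query
    sample and return the measurements with a verdict. `min_port_entropy`
    is a hypothetical threshold, not a vendor figure."""
    ports = [p for p, _ in samples]
    txids = [t for _, t in samples]
    port_entropy = entropy_bits(ports)
    txid_entropy = entropy_bits(txids)
    # Sequential IDs are as guessable as a fixed one: check adjacent differences.
    sequential = len(txids) > 1 and all(b - a == 1 for a, b in zip(txids, txids[1:]))
    verdict = "ok"
    if port_entropy < min_port_entropy:
        verdict = "POOR: source port not randomised"
    elif sequential:
        verdict = "POOR: transaction IDs sequential"
    return {
        "queries": len(samples),
        "distinct_ports": len(set(ports)),
        "port_entropy_bits": round(port_entropy, 2),
        "txid_entropy_bits": round(txid_entropy, 2),
        "sequential_txid": sequential,
        "verdict": verdict,
    }

if __name__ == "__main__":
    for name, sample in (("fixed-port", FIXED_PORT_RESOLVER), ("randomised", RANDOM_RESOLVER)):
        print(name, assess(sample))
```

A resolver that passes this check can still be undone by a NAT device in front of it that rewrites source ports into a small or sequential range, so capture on the outside of any NAT the resolver's queries traverse, not only on the resolver host.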
July 8, 2008 Security Firm Outlines Common ATM
Vulnerabilities
Financial institutions need to do a better job of protecting their
automated teller machines from hackers, according to the TraceSecurity
security compliance company. During the past five years, TraceSecurity
said its personnel have uncovered thousands of unpatched ATM processing
servers while performing routine security compliance inspections.
The company said the ATMs are often not patched because third-party
vendors have not approved the patches to be applied to systems running
their ATM software. “As a result, hackers could easily exploit
known security holes in operating systems such as Microsoft, which are
used by many ATM solutions available today,” said Jim Stickley,
chief technology officer at TraceSecurity. Another problem is the
failure of financial institutions to place their ATM servers in
secured private segments of their own networks.
“Unfortunately many organizations make the assumption that as long
as the servers are behind a firewall they are safe. That is simply not
the case," Stickley said. More information
June 30, 2008 Fed Changes Liability Rules for Certain
Internet Transactions
The Federal Reserve System’s Retail Payments Office announced a
policy change to its operating rules to hold sending banks liable for
remotely created payment orders that bypass the rules and monitoring of
the National Automated Clearing House Association. The change to
Operating Circular 3 will go into effect on July 15. The rule change
takes aim at a product offered by certain vendors that purports to take
Internet payment instructions for goods or services purchased from an
Internet firm, convert them to an electronic template and then further
convert the electronic template to an imaged check for clearing through
the Fed or other check clearing networks. The Fed said it was concerned
because of some instances of fraud associated with these activities and
because it removes the transactions from monitoring. The Fed said banks
using these services “will be providing warranties and assuming
liability for the legitimacy of the item.” The Fed added,
“in essence, we will look to the sending bank to make us whole if
we suffer any loss because the sending bank sent us an electronic item
that did not actually originate from a paper check.” More information
June 27, 2008 ALERT Modernization
The FDIC hosted an interagency Stakeholders meeting this week in
Virginia. This group is tasked with evaluating the current ALERT
functionality needs and ensuring that it remains a viable and effective
tool for the Agencies. The group continued to work through
“use cases” and discuss business processes. The
following states participated in this meeting: GA, IA and IL.
System development is planned through the end of this year. User
Acceptance Testing and implementation is scheduled for
2009. More information
June 20, 2008 Study Analyzes Source, Cause of Data
Breaches
Nearly nine in 10 corporate data breaches could have been
prevented had reasonable security measures been in place, according to a
comprehensive report issued in June by Verizon Business. The “2008
Data Breach Investigations Report” spanned four years and more
than 500 forensic investigations involving 230 million records, and
analyzes hundreds of corporate breaches including three of the five
largest ones ever reported. The study found that 73 percent of breaches
resulted from external sources versus 18 percent from insider threats,
and most breaches resulted from a combination of events rather than a
single hack or intrusion. Financial institutions accounted for 14
percent of the breaches studied, while the retail and food and beverage
industries accounted for more than half of the cases. Some of the key
findings included: 39 percent of breaches were attributed to business
partners, a number that rose five-fold during the course of the period
studied; 59 percent of the deliberate breaches were the result of
hacking and intrusion; 75 percent of breaches were discovered by a third
party rather than the victimized organization and went undetected for a
lengthy period of time. More information
June 19, 2008 GAO Reports On FDIC Information Security
Systems
FDIC is making progress, but still needs to improve the management of
key financial systems, according to a report released by the Government
Accountability Office. The report found that FDIC had corrected or
mitigated 16 of the 21 weaknesses that GAO had previously reported as
unresolved at the completion of its 2006 audit. For example, FDIC has
improved physical security controls over access to its Virginia Square
computer processing facility, instructed personnel to use more secure
e-mail methods to protect the integrity of certain accounting data
transferred over an internal communication network, and updated the
security plan and contingency plan of a key financial system. However,
GAO said old and new weaknesses could limit the corporation's ability to
effectively protect the confidentiality, integrity and availability of
its financial systems and information. Some of the problems identified
in the report included failing to: maintain a full and complete baseline
for system requirements; assign unique identifiers to configuration
items; authorize, document and report all configuration changes; and
perform configuration audits. GAO said a key reason for these weaknesses
is that “FDIC did not always fully implement key information
security program activities.” Read more
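The four configuration-management gaps GAO lists (no complete baseline, no unique identifiers for configuration items, changes not authorised and documented, no configuration audits) are what a periodic baseline audit is built to catch. The Python below is an added example, not from GAO or FDIC; it gives every configuration item an identifier and an approved content hash, records authorised changes by the hash the item must have afterwards, and compares a live snapshot against both. The baseline, change log, live contents and the host name ntp.example.internal are all constructed for the example.

```python
import hashlib

def sha256_hex(data):
    """Hex SHA-256 of a configuration item's content."""
    return hashlib.sha256(data).hexdigest()

# Constructed approved contents for the baseline (not real FDIC files).
APPROVED_SSHD = b"PermitRootLogin no\nPasswordAuthentication no\n"
APPROVED_SUDOERS = b"%wheel ALL=(ALL) ALL\n"
APPROVED_NTP = b"server ntp.example.internal iburst\n"       # hypothetical host
APPROVED_HOSTS_ALLOW = b"sshd: 10.0.0.0/8\n"

# Baseline: every configuration item gets a unique identifier, a location
# and the hash of its authorised content.
BASELINE = {
    "CI-0001": {"path": "/etc/ssh/sshd_config", "sha256": sha256_hex(APPROVED_SSHD)},
    "CI-0002": {"path": "/etc/sudoers", "sha256": sha256_hex(APPROVED_SUDOERS)},
    "CI-0003": {"path": "/etc/ntp.conf", "sha256": sha256_hex(APPROVED_NTP)},
    "CI-0004": {"path": "/etc/hosts.allow", "sha256": sha256_hex(APPROVED_HOSTS_ALLOW)},
}

# Change log: an authorised change names the CI it touches and the hash the
# item must have afterwards, so the audit can tell approved from
# unapproved drift.
NEW_NTP = b"server ntp2.example.internal iburst\n"
CHANGE_LOG = [
    {"change": "CHG-0412", "ci": "CI-0003", "new_sha256": sha256_hex(NEW_NTP), "approved": True},
]

# Constructed live state, as a collection agent would report it: path -> bytes.
LIVE = {
    "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # unrecorded edit
    "/etc/sudoers": APPROVED_SUDOERS,                                             # unchanged
    "/etc/ntp.conf": NEW_NTP,                                                     # changed under CHG-0412
    "/etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",              # never baselined
}

def audit(baseline, change_log, live):
    """Compare live configuration items with the baseline and change log.
    Returns (ci, path, status) tuples: baseline items in CI order, then live
    files the baseline does not know about (an incomplete baseline is itself
    a finding)."""
    approved = {(c["ci"], c["new_sha256"]) for c in change_log if c.get("approved")}
    findings = []
    for ci, item in sorted(baseline.items()):
        content = live.get(item["path"])
        if content is None:
            findings.append((ci, item["path"], "MISSING"))
            continue
        actual = sha256_hex(content)
        if actual == item["sha256"]:
            status = "OK"
        elif (ci, actual) in approved:
            status = "CHANGED-AUTHORIZED"
        else:
            status = "CHANGED-UNAUTHORIZED"
        findings.append((ci, item["path"], status))
    known = {item["path"] for item in baseline.values()}
    for path in sorted(set(live) - known):
        findings.append((None, path, "NOT-IN-BASELINE"))
    return findings

def actionable(findings):
    """Only the findings an auditor has to follow up on."""
    return [f for f in findings
            if f[2] in ("CHANGED-UNAUTHORIZED", "MISSING", "NOT-IN-BASELINE")]

if __name__ == "__main__":
    for ci, path, status in audit(BASELINE, CHANGE_LOG, LIVE):
        print(f"{ci or '----':8} {status:22} {path}")
```

Hashing the approved content rather than storing it keeps the baseline small and lets it live in a signed, write-once location; the change log is what turns "this file differs" into "this file differs and nobody authorised it", which is the distinction GAO faulted FDIC for not being able to make.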
June 19, 2008 IER User Acceptance Testing
The FDIC has spent the past several months improving the Interagency
Examination Repository (IER).
A group of FDIC and State examiners will test the IER during the week of
July 7, 2008. For more information on this project and
development details click here.
May 14, 2008 Federal Reserve Working on Electronic Record
Requirement
The Federal Reserve is working on rules for banks to supply
information for subpoenas in electronic form, according to the May issue
of the SAR Activity Trends, Tips and Issues published by the Financial
Crimes Enforcement Network. FinCEN said the Justice Department, Federal
Bureau of Investigation and Internal Revenue Service have developed a
standardized attachment for grand jury subpoenas that requires the
production of bank records in their original electronic form. FinCEN
said the scope of the records to be produced has not changed, but the
form of production will be specified to be electronic data. “The
Federal Reserve is in the process of revising Regulation S, including
reimbursement terms for production of electronic records,” the
report said. The instructions will call for the use of encryption when
transmitting data and for data verification, such as hash coding. FinCEN
said the agencies are committed to working with financial institutions
during the transition period. Other issues covered in the publication
included trends in mortgage and real estate fraud, and case studies
highlighting how SARs were used by law enforcement. More information
May 13, 2008 FBI Warns of Direct Deposit Ploy on Tax Rebate
Checks
The Federal Bureau of Investigation recently issued a warning about
e-mails claiming to be from the Internal Revenue Service that attempt
to steal consumers’ information by suggesting the use of direct
deposit to obtain their economic stimulus tax rebates. The message
contains a hyperlink to a fraudulent form that requests the recipient's
personal data, including bank account information. To convince consumers
to reply, the e-mails warn the recipients that failure to complete the
form in a timely manner will delay the issuance of their rebate checks.
One example of the message is: “Our records indicate that you are
qualified to receive the 2008 Economic Stimulus Refund. The fastest and
easiest way to receive your refund is by direct deposit to your
checking/savings account. Please follow the link and fill out the form
and submit before May 10th, 2008 to ensure that your refund will be
processed as soon as possible. Submitting your form on May 10th, 2008 or
later means that your refund will be delayed due to the volume of
requests we anticipate for the Economic Stimulus Refund.” The FBI
warned consumers not to click on the links. Read more
May 7, 2008 Data Encryption Paper Outlines Best Practices for
Key Management
BITS, the technology arm of the Financial Services Roundtable, published
a paper on May 6 to provide a framework for financial services companies
to consider when developing their key management programs. The paper
provides an opportunity for all financial institutions to
“leverage the best practices around encryption and associated key
management,” said Tom Doughty, who chairs the BITS Security
Steering Committee and is vice president and chief information security
officer at Prudential Financial. The paper discusses critical success
factors for an enterprise-wide program, offers examples of key
management programs, and addresses practical adoption issues for
encryption and key management. The report calls for encryption keys to
be managed with the same care given to the confidential data they
protect for the duration of their use to ensure that they are not easily
guessed, disclosed or lost. More information
May 2, 2008 Federal Reserve to Start Electronic Filing
System
The Federal Reserve issued a proposal on April 29 to allow banks, bank
holding companies, foreign bank organizations and others to file
applications, notices and other requests through an electronic system by
the end of the year. The Fed said the electronic system would be
voluntary and would begin in the second quarter as a pilot program with
20 participants. The system would be finalized during the fourth quarter
and could begin operation next year. "The Federal Reserve anticipates
that the electronic submission of filings through E-Apps would reduce
the burden filers experience with current requirements for paper-based
submissions," the agency said. Banks that voluntarily choose to submit
filings through E-Apps would save the time and expense associated with
photocopying and mailing or otherwise filing copies. More information
April 24, 2008 Technology Company Announces Check Processing
Settlement
DataTreasury Corp. announced on April 21 it has settled a
patent infringement lawsuit against The PNC Financial Services Group,
Inc. and PNC Bank for check-processing patents. The patents cover image
capture, centralized processing and electronic storage of documents and
check information, and a central check clearing system. The company said
it is actively pursuing lawsuits against 53 other defendants. In the
settlement, DataTreasury granted PNC a worldwide license for its
patents. Other terms of the agreement are confidential. The U.S. Patent
& Trademark Office recently re-examined DataTreasury’s patents
and confirmed the validity of the company’s claims. “We are
now preparing to take the remaining defendants to trial,” said
DataTreasury’s lead trial counsel, Nelson Roach of Nix, Patterson
& Roach, LLP. More information
April 23, 2008 GENESYS 5.3
This update is now available on the CSBS website for state
banking departments to download. Click here for installation instructions and the
install file.
April 17, 2008 SanDisk Warns on USB Drive
Threat
SanDisk has warned that IT managers are unaware of the extent
to which unsecured flash drives are being brought into their
organisations, backing this with a new study of corporate end-users and
IT executives.
The study found that 77 percent of corporate end-users surveyed
admitted to using personal flash drives for work-related purposes.
However, when asked to estimate what percentage of the workforce uses
personal flash drives, corporate IT respondents said only 35
percent.
Users meanwhile admitted that the data files most likely to be copied to a
personal flash drive include customer records (25 percent), financial
information (17 percent), business plans (15 percent), employee records
(13 percent), marketing plans (13 percent), intellectual property (6
percent), and source code (6 percent).
The survey highlights that due to the highly portable nature of USB
flash drives, they represent a significant risk of data loss for
enterprises. Twelve percent of corporate end
users reported finding a flash drive in a public place. Additionally,
when asked to pick the three most likely actions they would take if they
found a flash drive in a public place, 55 percent indicated they would
view the data.
SanDisk meanwhile hopes to give IT managers a fighting chance of
controlling the usage of flash drives in organisations, and earlier this
week unveiled a new version of its CMC (Central Management &
Control) software used to manage its Cruzer Enterprise USB flash
drives.
The SanDisk Cruzer Enterprise flash drive comes in 1GB, 2GB, 4GB, and
8GB storage capacities.
Version 3.0 of the CMC software is designed to give IT managers an
easier way to manage the lifecycle of Cruzer Enterprise USB flash
drives, including deployment throughout the organisation, password
recovery and renewal through the network, central back-up and restore,
central usage tracking, and remote termination of lost drives.
"CMC is at the centre of SanDisk’s mission to make flash memory
the preferred solution for authentication, workspace virtualisation and
endpoint security," said Etti Berger, product marketing manager for CMC
in SanDisk's Enterprise Division.
Specifically, CMC 3.0 allows IT managers to rapidly introduce new
applications through the network, without users having to initiate an
installation process or having to bring their drives to the IT
department. It also keeps track of application and seat licences on
Cruzer Enterprise drives.
In addition, CMC 3.0 allows for Cruzer Enterprise drives to be remotely
configured from any corporate PC without requiring pre-installation of a
software agent. SanDisk says this reduces the time and effort needed to
add new drives, especially in large organisations with multiple
locations and many remote workers.
IT managers can also create pre-defined reports on user activity, giving
the IT department new tools for uncovering violations of the
organisation’s data security policies, and for providing
confirmation of regulatory compliance through an enhanced audit
trail.
Finally, CMC 3.0 features improved password policy control, and
passwords ca