Cyber Security Institute
Financial
Friday, May 21, 2010
ID Theft Victims Spending Less In Cleanup Aftermath
Nearly one-third of all identity theft victims say they are unable to completely clear up damaged credit or criminal records in the aftermath of their identities being abused. But the good news is that they are spending much less time and money cleaning up the fraud perpetrated against them in their names, according to a newly released report. Most ID thieves (55 percent) used the stolen identities to open new lines of credit, followed by making purchases on stolen credit and debit cards (34 percent).
Friday, July 27, 2007
Institutions Face Bewildering Web of Breach Notification Statutes: GAO Report
The latest disclosure of a data breach involving financial information points up the need for a comprehensive response program, including complying with federal and state notification laws. As the number of reported breaches and the ensuing media coverage has escalated, state legislative and federal regulatory bodies have enacted a variety of requirements mandating responses to such events, including customer notification.
Friday, July 20, 2007
Compliance ‘Laggards’ Face Most Financial Risk from Data Loss, Report Shows
The latest report by the IT Policy Compliance Group finds that nine of ten companies are exposed to financial risk from data losses and thefts that can be cost-effectively avoided. The report, “Why Compliance Pays—Reputations and Revenues at Risk,” finds the majority of the 475 firms surveyed must contend with six to 17 business disruptions and five to 22 instances of losses or thefts of sensitive information each year.
Friday, July 13, 2007
Financial Institutions Warned New Fast Phishing Kit Found
With the recently discovered “plug and play” phishing kit, a relatively “non-technical” person with the right information could launch a phishing attack against any financial institution. “No technical expertise is needed by the phisher, and it is far less risky as the remote host is only accessed once,” said Marc Gaffan, director of marketing with RSA’s consumer solutions group. The new “plug-and-play” phishing kit reduces the time and effort required of the fraudster by automating the site installation process. The “kit” is a single PHP code file, which is run on the compromised server once and automatically creates the relevant directories and installs all of the files associated with the specific phishing site.
Friday, June 22, 2007
Online Attacks Increase at Financial Institutions
RSA’s Anti-Fraud Command Center issued its monthly online fraud intelligence report for May, and the statistics show that attacks on U.S. nationwide banks accounted for 33 percent of all attacks on U.S. financial institutions, more than double the April share.
Sunday, April 01, 2007
VoIP Offers Cost Savings But Also Presents Security Risks
Banks are attracted to Voice over Internet Protocol (VoIP) as an alternative to traditional telephone networks because of the potential cost savings, including the elimination of long-distance charges and the need for only one network to manage both voice and data. According to the FDIC, VoIP is susceptible to the same risks as data networks that use the Internet, such as exposure to viruses, worms, Trojans and man-in-the-middle attacks.
Wednesday, February 21, 2007
UK Bank Fined $1.9 Million for Losing Laptop
A major financial institution in the United Kingdom was slapped with a nearly $2 million fine for failing to adequately protect customer information. The Financial Services Authority fined the Nationwide Building Society £980,000 for failing to have effective systems and controls to manage its information security risks. The fine is directly connected to last year’s theft of a Nationwide laptop from an employee’s home. During its investigation, the FSA found that the building society didn’t have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime, according to a release on its Web site.
Tuesday, February 20, 2007
CheckFree to Purchase Corillian in Bid to Expand Offerings to Banks
The CheckFree/Corillian deal is just one more example of consolidation in the bank tech space, experts say. Atlanta-based e-commerce services provider CheckFree last week announced plans to acquire online banking solutions company Corillian (Portland, Ore.) in a deal worth about $245 million. The acquisition will bring together Corillian’s online banking platform and complementary suite of financial applications with CheckFree’s electronic billing and payment and online transaction services. According to Steve Olsen, CheckFree’s COO, the union will help the company reach further into the online channel as it attempts to expand its client relationships and help the banks it serves do the same.
Thursday, February 01, 2007
Biometric Data Specification for Personal Identity Verification - NIST SP 800-76-1
The Homeland Security Presidential Directive HSPD-12 called for new standards to be adopted governing the interoperable use of identity credentials to allow physical and logical access to Federal government locations and systems. The Personal Identity Verification (PIV) standard for Federal Employees and Contractors, Federal Information Processing Standard (FIPS 201), was developed to establish standards for identity credentials. SP 800-76-1 describes technical acquisition and formatting specifications for the biometric credentials of the PIV system, including the PIV Card itself. It enumerates procedures and formats for fingerprints and facial images by restricting values and practices included generically in published biometric standards.
2007 Bank Technology Forecast: Challenges and Opportunities
The rapid progression of fraud schemes, regulatory initiatives, margin and cost pressures, customers’ demands, and the overall pace of change in technology inundated business and technology management in the global banking industry over the year. The good news (for some) is that these challenges are setting up a clear playing field upon which the winners will be separated from the losers more so than at any time in the past decade. Some of the more critical and far-reaching priorities bank technology and business leaders will need to address in 2007 are outlined below.
Fraud-Detection and Security Technologies
Analytics for Marketing, Risk & Business Performance
Service-Oriented Architecture
Monday, January 22, 2007
Hackers to target mobile banking, study says
This year could see a sharp rise in hacker attacks on Internet-enabled smartphones as a number of new banking and payment initiatives enter the mobile channel, a research group warned Monday. The Tower Group, a research and advisory company focused on the financial services industry, believes that many mobile commerce offerings now emerging from the financial services sector “lack a reasonable and justifiable focus” on mobile security.
Monday, January 01, 2007
Banks Starting to Embrace Concept of Financial Supply Chain Management
It was the talk of the town at the October 2006 Sibos conference in Sydney. Yet beyond payments circles, few in the financial services industry may actually know what financial supply chain management is. But all that is about to change, according to insiders, as the concept rapidly becomes the norm among banks that wish to maintain a foothold in an increasingly globalized world where their clients’ business dealings expand across borders and time zones. Financial supply chain management is an outgrowth of the long-established concept of the physical supply chain in the trade business. Rather than dealing solely with the actual physical/logistical aspects of trade, however, financial supply chain management, as the name implies, covers the payments side of trade, from the moment a purchase order is cut, to the time of settlement and everything in between.
Friday, December 22, 2006
Financial Institutions Face Tight Compliance Requirements in 2007
In December, the Public Company Accounting Oversight Board (PCAOB), which establishes rules for compliance with Sarbanes-Oxley, proposed a new standard for Sarbox section 404, which governs internal controls over financial reporting, including IT controls. Separately, the Payment Card Industry data security standard will require merchants and payment processors to implement stringent IT security procedures, such as additional firewalls and access controls. These laws include both proactive components (having an information security policy, implementing access control technology) and reactive components (disclosure of security breaches).
Friday, December 08, 2006
Information Security Trends, Issues Continue to Evolve - FINSEC 2006 Conference, New York
The arms race against phishers, strengthening firewalls, FFIEC authentication deadline issues and the constantly evolving risk management model were among the many topics covered by the FINSEC 2006 conference speakers last week in New York. With 10 vendor sponsors at the conference, attendees had access during the conference breaks to information security solutions ranging from CD and DVD encryption to anti-virus software and authentication solutions. The presentations on security strategies, tools and techniques covered in the two-day conference were led by eleven information security experts from national banks and financial firms. It was standing room only within five minutes of the start, showing that many of the FINSEC 2006 attendees wanted to know how the authentication guidelines will apply to their institutions.
Monday, November 27, 2006
Federal Rules May Not Fully Secure Online Banking Sites
Financial institutions that truly want to bolster their online security need to look beyond the federal guidelines on end-user authentication that go into effect Jan. 1, IT managers and analysts said last week. The guidelines, issued last year by the Federal Financial Institutions Examination Council (FFIEC), call on banks and credit unions to adopt so-called strong authentication measures for protecting online customers against identity theft and other types of fraud. “Strong authentication certainly isn’t a silver bullet,” said Melissa Auchter, CIO at Parda Federal Credit Union in Rochester, Mich. “It just protects one doorway. It’s one more measure in a comprehensive approach to protecting the assets of our members.”
Friday, November 03, 2006
Review of The 6th Annual InfoSecurity New York Conference and Exhibition
The 6th Annual InfoSecurity New York Conference and Exhibition was a major draw for financial institutions seeking the best and the latest products and services available in the information security industry. This conference offered cutting-edge solutions for financial institutions looking to secure their IT infrastructure and maintain the overall integrity of their information security programs. Due to the evolving nature of cyber threats, effective security is not achieved with a single quick fix; rather, it is an ongoing process that requires continual awareness of the newest threats and their countermeasures. For the average bank employee, such issues are easily written off as the responsibility of more technical personnel, perhaps as the sole problem of the head of the IT department, who often also acts as the CISO or in other roles. However, as one comes to realize from attending this conference, there is a plethora of vendors and solutions that can have an impact on numerous people within an organization, and therefore on the security solutions to which a company may subscribe.
Thursday, November 02, 2006
MasterCard tackles PIN-based debit card fraud
MasterCard Worldwide will introduce in the first quarter of 2007 a new service to help banks and other card issuers detect and stop PIN-based debit card fraud in real time. “From our perspective, a PIN transaction is probably the most secure transaction” a cardholder can make, said Jerry Sargent, MasterCard’s vice president of debit strategy and alliance development. The new service will add to that security while at the same time alleviating growing consumer concerns about online fraud, he said.
Wednesday, October 25, 2006
Brokerages lose $22M to hackers in three months
High-tech crooks using spyware are costing U.S. discount brokerages millions of dollars to repay clients who have been victimized by fraud, the brokerages said in recent days. The U.S. Securities and Exchange Commission warned earlier this month that scammers were hijacking online brokerage accounts using spyware and operating from remote locations. TD Ameritrade has said that reimbursing customers whose accounts had been hacked cost it $4 million in its third quarter. Harder hit was rival E*Trade Financial Corp., which last week said its fraud losses ballooned by $18 million in the third quarter from swindlers who stole clients’ identities and manipulated their accounts.
Wednesday, September 13, 2006
Two-thirds of phishing scams target single US bank
Customers of Fifth Third Bank in the United States were the most at risk from phishing attacks in August, according to figures from antivirus firm McAfee. Bank of America, Western Union, PayPal, Nationwide, Halifax and the Internal Revenue Service rounded out the top 10. The most prevalent internet threat for August was the JS/Wonka Trojan, which downloads other pieces of malicious software onto the victim’s PC.
Putting Security in the Bank
Financial services companies are not only finding innovative ways to implement new security initiatives, they are also finding innovative ways to fund them. ABN AMRO Bank N.A. now requires all of the bank’s application projects to allocate one percent of their funding to security. “If you have to mitigate security risk after the fact, it’s a costly exercise,” Bernik told attendees of the Cyber Security Executive Summit. CISOs and risk management officials at major financial institutions speaking here say they are struggling to keep up with emerging threats and the ever-changing regulatory landscape. They face not only phishing exploits, but emerging application-level security issues, client laptop security, and compliance with regulations such as strong authentication for online banking, which banks must deploy by the end of the year under FFIEC guidance.
Friday, August 11, 2006
Implementing Information Safeguards Under Gramm-Leach-Bliley
Friday, August 04, 2006
Visa Takes Aim at Data Compromises
The card company has asked merchants to ensure that the software they use to process card transactions doesn’t store the full contents of “track data”, which contains passwords and other sensitive information. Last year, a breach at CardSystems, a processor of card transactions, led to the exposure of 40 million payment records, setting off a firestorm that’s led to a crackdown on data security vulnerabilities by regulators and lawmakers. Account numbers, expiration dates, and names are the only elements of track data that may be retained once a transaction has been authorized. In addition, Visa requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) by all merchants and any entity that stores, transmits or processes cardholder data. Visa has a set of Payment Application Best Practices (PABP), which assists software vendors in creating secure payment applications, thereby helping to protect their customers from being exposed to a security breach.
Friday, July 28, 2006
Banks face Web security deadline
For some bank IT managers, last fall’s release of federal guidelines for validating the identities of online users helped catalyze ongoing efforts to adopt so-called strong authentication measures. But a majority of U.S. banks appear unprepared to meet the Dec. 31 deadline by which they are supposed to comply with the guidelines, several analysts said this week. “Most banks haven’t done much with [the guidelines] because there is still some confusion as to what needs to be done,” said George Tubin, an analyst at TowerGroup in Needham, Mass. Preston Woods, chief information security officer at Zions, said the release of the guidelines last October by the Federal Financial Institutions Examination Council gave a push to a strong authentication initiative that Zions had already started.
Sunday, June 25, 2006
Security in the balance
Until recently, banks have considered information security a cost of doing business. Nowadays, new market trends are driving the financial sector’s IT security investments. For one, the constant barrage of security attacks banks have suffered has resulted in declining customer confidence. That imposes a huge challenge on financial organisations that are looking to add more customers, especially in the area of online banking, where most Middle East banks have increased their focus. As consumers’ awareness of data security and data confidentiality increases, banks are starting to look at security from the perspective of their clients. For instance, in the US, several major banks, such as Citigroup, have launched advertising campaigns heralding their recent investments in security, positioning these banks as not only the better choice but also the safer choice.
Tuesday, June 13, 2006
Disaster Recovery at the Macro Level
Disaster Recovery is about three things: planning, testing, and procedures. Banks have to satisfy compliance initiatives and answer to the FFIEC and OCC. Satisfying compliance initiatives may get you off the hook with the regulators and make you look good on paper, but what you are really interested in is staying in business for the long haul. Eighty-five percent of companies without a disaster recovery plan go out of business within a year after a disaster. After the World Trade Center disaster, statistics showed that companies with complete plans were operational within 30 days. While IT people are key partners in the disaster recovery efforts, their plates are usually full and overflowing.
Monday, June 12, 2006
Banks should check risk controls, Bies says
Managers of U.S. banks should evaluate their policies for controlling the risk of financial losses or illegal activities at least once a year, Federal Reserve Gov. Bies said. In remarks prepared for delivery to a financial group, Bies also said banks should guard against information-security breaches by controlling access to fund-transfer systems. By law, banks must file reports about suspicious activity to help combat money laundering and other tools used by terrorists. “Effective management of information security risk, even when focused on a specific function, requires an enterprise-wide approach to yield a true and complete evaluation of the associated risks,” she said in a speech before the Financial Women’s Association.
Sunday, May 28, 2006
Bank buying its customers antivirus software
Scared by the recent report of 56% of online banking users not running any antivirus protection, Barclays has decided to buy not only the antivirus software, but to pay for two years of virus database updates for almost 1.6 million of its customers.
Monday, May 15, 2006
Credit card security rules to get update
The update to the Payment Card Industry (PCI) Data Security Standard, due this summer, responds to evolving attacks as well as to challenges some businesses have with the encryption of consumer data, Tom Maxwell, director of e-Business and Emerging Technologies at MasterCard International, said. The proposed update includes a requirement to, by mid-2008, scan payment software for vulnerabilities, Maxwell said in a presentation at a security conference hosted by vulnerability management specialist Qualys. The new version of PCI will offer merchants more alternatives to encryption as a way to secure consumer data.
Social engineering replaces guns in bank heists
Australia’s banking industry is under threat due to a heavy reliance on Secure Sockets Layer (SSL) encryption that hackers increasingly find their way around. There are no ‘stick-em-up’ dramatics in today’s million-dollar bank heists; they simply involve the use of SSL-evading Trojans and refined phishing techniques. While banks are reluctant to quantify financial losses, Australia’s Computer Emergency Response Team (AusCert) admits its own research proves attacks are on the rise. AusCert general manager Graham Ingram said a false sense of security surrounds SSL encryption, a technology in use right across the financial services industry. This reliance on Internet browser encryption means banking sessions can be hijacked by Trojans and key-logging programs, especially if users engage in lax security practices and don’t use current anti-virus signatures. The bottom line is that social engineering tricks are circumventing Internet banking encryption.
Tuesday, May 09, 2006
Credit Unions Attacked by Hackers More Than Banks
In a recent study spanning February 2005 to March 2006, SecureWorks saw 67% more Internet attacks attempted against its credit union clients than its banking clients. SecureWorks’ credit union clients range from large ($500 million to billions in assets) to smaller organizations (under $500 million in assets). SecureWorks CTO Jon Ramsey theorizes that their credit union clients are experiencing more Internet attacks than their banking clients because hackers assume that credit unions’ networks are less protected than banks’.