Category: Financial

IP-based spoofing, on the other hand, directs certain IP addresses to fake Web sites containing false or misleading information. Another, similar technique is IP-based cloaking, which configures a legitimate Web site to display inaccurate or incomplete information only when it is accessed from certain IP addresses. Redirect spoofing sends specific traffic to an alternate page within the site.

For instance, if one airline knows a competitor checks its site for fares daily, it can jack up the price only when a rival’s IP address tries to access the site.

Major retailers sometimes employ this technique by displaying only expensive merchandise based on customers’ past buying habits.

http://www.bankinfosecurity.com/articles.php?art_id=102&PHPSESSID=8af89b3eb8240a0e33ca65c806a8ac16

While the SANS list makes End Users responsible for keeping things like anti-virus up to date and operating systems patched, these functions can be and should be automated by IT staff.

Executive staff, according to the SANS article, have a much bigger responsibility. Many of the breaches that are known to have occurred in 2005 were the result of dishonest insiders, hackers, or poor security procedures (i.e., losing a backup tape). Encryption is a big deal in the world of networking and may require revamping the network in terms of encryption capable hardware and bandwidth needs. It is management’s responsibility to develop and mandate security policies, so that secure processes and procedures must be in place before systems “go live”, as well as make sure that IT is properly staffed.

A comprehensive Security Awareness program would go a long way towards educating banking employees at every level.

The breakdown of End User, Executive Staff, and Information Technology people is a good way to start. IT people need to understand that every time they rush to meet a deadline and put an unsecured system into production, they are jeopardizing the security and safety of the bank.

http://www.bankinfosecurity.com/articles.php?art_id=103&PHPSESSID=8af89b3eb8240a0e33ca65c806a8ac16

In two-factor authentication, customers must confirm their identities not only through something they know, like a PIN or password, but also with something they physically have, like a hardware token with numeric access codes that change every minute. Other types of two-factor authentication include costlier hardware involving biometrics or “smart” cards that would be inserted into designated readers on a user’s computer.

Banks might also issue one-time passwords on scratch-off cards or require “secret questions” about a customer’s account, such as the amount of the last deposit or mortgage payment.

The council also suggested that banks explore technology that can estimate a web user’s physical location and compare it to the address on file.

The most common way of stealing consumers’ personal identity data and financial account credentials online, known as phishing, typically involves sending e-mails that direct unwitting users to phony websites. Data harvested at such sites is then used fraudulently. The Anti-Phishing Working group, an industry association, reported 13,776 unique types of phishing attacks in August.

While some financial institutions have given their customers electronic password tokens, those have tended to be optional. Other banks have instituted password entry through mouse clicks instead of typing, a protection against keystroke-snooping programs.

FDIC spokesman David Barr said the rules will serve as standards that will be checked when banks’ practices are audited. Although the requirements apply just to financial services companies, the policy could stimulate wider use of two-factor authentication by other merchants that are willing to “federate” their websites with banks, said Michael Aisenberg, director of government relations for internet service provider VeriSign.

http://www.wired.com/news/business/0,1367,69243,00.html

Highlights:
– Financial institutions offering Internet-based products and services should use effective methods to authenticate the identity of customers using those products and services.
– Single-factor authentication methodologies may not provide sufficient protection for Internet-based financial services.
– The FFIEC agencies consider single-factor authentication, when used as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
– Risk assessments should provide the basis for determining an effective authentication strategy according to the risks associated with the various products and services available to on-line customers.
– Customer awareness and education should continue to be emphasized because they are effective deterrents to the on-line theft of assets and sensitive information.
http://www.fdic.gov/news/news/financial/2005/fil10305.html

The agencies previously announced on April 29, 2005 that they were delaying issuance of a notice of proposed rulemaking (NPR), pending additional analysis of the quantitative impact study (QIS4) submissions. The agencies intend to move forward with an NPR for domestic implementation of Basel II, but plan to introduce additional prudential safeguards in the NPR to address concerns identified in the analysis of the results of the QIS4 conducted with the industry.

The agencies expect that the U.S. Basel II proposal will be available in the first quarter of 2006. The agencies expect to propose a revised implementation timeline for Basel II. Under this revised timeline, the first opportunity for a U.S. banking institution to conduct a parallel run would be January 2008.

In addition, U.S. institutions adopting the Basel II-based capital rules would be subject to a minimum three-year transition period during which the agencies would apply limits on the amount by which each institution’s risk-based capital could decline with the application of Basel II. These limits would be implemented through floors that are intended to be simpler in design and more conservative in effect than those set forth in Basel II.

The agencies anticipate that there will be further revisions to the U.S. Basel II-based capital rules prior to the termination of the floors.

http://bankinfosecurity.com/node/2606

Avivah Litan, research director at Gartner, explained that because US banks are so keen to recruit new customers they will open up accounts on the basis of identification from only a pay-as-you-go mobile phone bill (a type of account that is even easier to open) without checks on the validity of supplied social security numbers.

Once a bank account is open crooks will pay bills religiously, eventually earning enough trust to obtain credit cards with higher and higher limits. After around 18 months fraudsters will obtain cash advances on these cards and disappear, a process know as busting out. Losses of around $50K are typical, according to Litan. Banks will pursue these funds and call in collection agencies but in the end the majority will write-off the debt without understanding the root cause of the fraudulent loss.

Litan said that banks in Britain were far better at sharing information and working with each other to minimise exposure to this kind of fraud. The incentive to sign up new customers is great in Europe but in the US it’s even more pronounced because banks send out 1,937 pieces of marketing information for every new sign-up.

“The goal is getting new customers and banks are not that hungry about eating into fraud,” she said.

Litan made his comments during a presentation at the Gartner IT Security Summit in London.

http://www.securityfocus.com/news/11320