Category: Financial

According to a report issued in June by the U.S. Government Accountability Office, GAO Report 07-737 a number of challenges exist related to complying with the breach notification requirements in state laws or federal banking guidance, such as interpreting ambiguous statutory language, identifying and locating affected consumers, and developing effective notification letters. Similarly, financial intitutions must determine whether misuse of breached information is “reasonably possible,” such as when little information exists about the location of the data, the intent of a criminal who stole data, or the effectiveness of security features designed to render data inaccessible.

Institutions that issue credit and debit cards compromised by a merchant that’s not the institution’s service provider are generally not required by the banking regulators’ guidance to notify their customers, but nevertheless in some cases, they feel obliged to do so. Breaches of credit card information by third parties can adversely affect an institution’s reputation and result in costs related to notifying customers and reissuing cards.

It can also be difficult to identify which consumers may have been affected by a breach and obtain their contact information. This can be a particular problem for entities, such as merchants, that have breached credit card numbers but don’t themselves possess the mailing addresses associated with those numbers. Institutions whose customers’ account information is breached also may incur costs for remedial steps such as canceling existing accounts or replacing affected customers’ credit or debit cards—although such steps may not be required by the applicable breach notification requirements.

http://www.bankinfosecurity.com/articles.php?art_id=512

Financial risk for losing data is absolutely huge, compared to the amount of money being spent on compliance and data protection,” said Jim Hurley, a senior research manager for Symantec and senior director of the IT Policy Compliance Group.

“The second key finding is, and we stumbled onto this by accident, is the relationship between compliance and data loss. How well (or poorly) a company does compliance, and how well (or poorly) they’re doing on data loss, we found a relationship between the two,” Hurley noted. “I expected a different distribution, but across the entire universe of companies, this distribution rings true,” Hurley said.

“The banking industry matches the entire population, they don’t do any better or any worse than the rest of the industries in the survey,” he explained.

Key Findings Most organizations are exposed to financial risk from data loss and theft Nine out of ten firms are not leveraging compliance and IT governance procedures that could help mitigate financial risk from lost or stolen data. Compliance leaders have the fewest business disruptions Firms with the best IT compliance results have the least business downtime from IT security events. Compliance laggards experience 17 or more disruptions a year from IT security events.

Such practices include: Implementing more of the appropriate IT controls Reducing control objectives, making it easier to communicate, measure, and report Establishing higher standards for performance objectives Encouraging a culture of operational excellence in IT Monitoring, measuring, and reporting controls against objectives at least once every two weeks Allocating more funds to control automation Even if not disclosed publicly, the likelihood that a data breach generates negative publicity is proportionally higher for companies with poor IT policy compliance programs.

All too often companies are implementing controls more from a compliance standpoint than from a due diligence standpoint.

http://www.bankinfosecurity.com/articles.php?art_id=507

Gaffan noted when the RSA Anti Fraud Command Center (AFCC) found the new type of phishing kit they found it is actually a single file which creates an entire phishing site on a compromised server when “double-clicked” on, similar to “.exe” installation files.

This is a change from traditional phishing sites that usually include various files which are installed on a compromised server where the attack is hosted. The convenience of creating phishing attacks with the “plug-and-play” phishing kit has no impact on how these attacks are detected and mitigated. “The others who were attacked, were payment oriented sites, or have access to customer credentials,” he noted.

The trends RSA sees in the type of bank or credit union being attacked, Gaffan noted is the further penetration to smaller, regional banks and credit unions. They are now targeting small credit unions, with smaller pools of members and getting a small percentage of bites, Gaffan explained. One reason for the phishers moving down the scale is that the larger institutions are better prepared for takedown and countermeasures. Another type of phishing hitting regional banks and credit unions is “spear phishing,” Gaffan said. The phisher’s chance of getting a high hit rate is based on people feel more secure banking at a smaller institution, Gaffan explained.

http://www.bankinfosecurity.com/articles.php?art_id=499

For the last year RSA’s Anti Fraud Command Center has seen attacks moving progressively downward, particular targets are the federal credit unions, and smaller, regional institutions. The fraudsters, said Hinrichsen, are accomplishing their collection of information through spear phishing. He noted that the Internal Revenue Service was one of the first government agencies to be attacked. “At the end of the day, where ever there is a valuable credential, the fraudsters will go after it.”

Hinrichsen noted that the use of crimeware, like the Man-in-The-Middle phishing kit that RSA researchers first discovered in January continues to be used, “there is greater use of multi redirectors in phishing attempts. “It depends on what research you’re reading, consumers aren’t always know to look for the locks, but for the percent of internet users who do look for the lock, the attack is given that much more credibility,” he explained. “This is basically the same type of phishing attack of old, but now instead of using static attack pages, the phishers are replacing those with the real website pages from the institution.”

http://www.bankinfosecurity.com/articles.php?art_id=475

Configuration weaknesses in VoIP devices and underlying operating systems can enable denial of service attacks, eavesdropping, voice alteration (hijacking) and toll fraud (theft of service), all of which can result in the loss of privacy and integrity. To perform well in VoIP environments, security appliances must both protect the VoIP infrastructure and maintain the voice quality, availability and reliability of the connection.

Establishing a secure VoIP and data network is a complex process that requires greater effort than that required for data-only networks.

VoIP systems can be expected to be more vulnerable than conventional telephone systems, in part because they are tied into the data network, resulting in additional security weaknesses and avenues of attack. Confidentiality and privacy may be at greater risk in VoIP systems unless strong controls are implemented and maintained.

Use strong authentication and access controls on the voice gateway system. Since some VoIP telephones are not powerful enough to perform encryption, placing this burden at a central point ensures all VoIP traffic emanating from the enterprise network will be encrypted. Financial institutions should enable, use and routinely test the security features included in VoIP systems.

http://www.bankinfosecurity.com/articles.php?art_id=207

Security Considerations for Voice Over IP Systems – NIST Special Publication 800-58

Firms’ internal controls are fundamental in ensuring customers’ details remain as secure as they can be and, as technology evolves, firms must keep their systems and controls up-to-date to prevent lapses in security.”

By agreeing to settle at an early stage of the FSA’s investigation, Nationwide qualified for a 30% discount under the FSA’s executive settlement procedures; without the discount, the fine would have been £1.4 million.

http://www.darkreading.com/document.asp?doc_id=117881&WT.svl=cmpnews1_1