Category: Financial

Bernik says his company is “trying” to routinely perform risk assessments on projects before they go live. “I’ve had challenges in my business getting business owners to listen and take heart” in implementing security controls.”

Banks are weighing the cost of strong authentication: Token-based authentication may make sense internally, but not for consumers, they say. “You’re not going to pay $30 to $40 for each of your millions of customers,” Axelrod said. Getting funding for security is not just a matter of folding it into projects from the get-go, but also making it a selling point for your customers, financial execs say.

http://www.darkreading.com/document.asp?doc_id=103706&WT.svl=news2_3

The Gramm-Leach-Bliley Act (GLBA) contains a rule, known as the Safeguard Rule, under which the Federal Trade Commission and other federal agencies have established standards for financial institutions relating to administrative, technical, and physical safeguards for customer information. The objectives are to ensure the security and confidentiality of customer records and information, protect against threats or hazards to the security or integrity of such records, and protect against unauthorized access to or use of such records that could result in substantial harm or inconvenience to any customer.

The rule requires financial institutions to develop, implement, and maintain a comprehensive information security program that contains administrative, technical, and physical safeguards. As part of its program, each financial institution must designate an employee or employees to coordinate its information security program.

The FTC has published a complete list of safeguards at http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm When implementing the Safeguards Rule, a company must consider all areas of its operation, especially employee management and training; information systems; and managing system failures. Companies may also want to check the references of any potential employees who would have access to customer information, and ask each new employee to sign an agreement to follow the confidentiality and security standards for handling that information. The Safeguards Rule also requires financial institutions to maintain security within their information systems – which include network and software design as well as information processing, storage, transmission, retrieval, and disposal.

Similarly, in order to prevent and manage system failures, the new publication suggests that companies should respond to any security breach in a timely manner; regularly update firewalls and antivirus software; and install patches to repair software vulnerabilities. The FTC provides additional guidance at http://www.ftc.gov/infosecurity.

Guidance is also available from leading security professionals who’ve assembled consensus lists of vulnerabilities and defenses so that every organization, regardless of its resources or expertise in information security, can take basic steps to reduce its risks.

http://www.bankinfosecurity.com/articles.php?art_id=160&PHPSESSID=dcbc1ff3dbe449eb074c7951e447cda1

As part of its campaign, Visa has alerted small to midsize restaurants of a security vulnerability die to improperly installed credit card transaction systems, known as point of sale or POS systems.

Visa says that misconfigured POS systems can contribute to the compromise of cardholder account information and other sensitive data.

http://www.bankinfosecurity.com/articles.php?art_id=159&PHPSESSID=35679f19e27232b37ad1a5e56e89def0

Earlier this month, the company’s Zions Bank unit added a multifactor authentication feature called SecurEntry for users of its online banking services. Woods said SecurEntry is based on technology from RSA Security Inc. and allows Zions to better authenticate users to its Web site and ensure that they know they’re connected to a legitimate site. The technology works by profiling the devices that customers typically use to log into the bank’s online systems.

Desert Schools Federal Credit Union in Phoenix is using a similar authentication approach based on technology from Santa Clara, Calif.-based Bharosa Inc. to meet the FFIEC’s guidelines. “It kind of moved things up for us,” CIO Ron Amstutz said, adding that he thought the FFIEC was quite clear on what it wanted banks to do.

The FFIEC is an interagency body set up to develop standards for the auditing of financial institutions. Although the council isn’t mandating compliance with the authentication guidelines, it has said that banks will be audited against them starting next year.

http://cwflyris.computerworld.com/t/722392/6725445/27842/0/

“There is a growing concern about the damage to brand reputation and brand equity when a phishing attack is successful and gets media attention,” says Justin Doo, managing director of Trend Micro Middle East and North Africa. “One of the biggest risks banks face here is negative customer perception of the banking operations,” agrees Maria Medvedeva, regional director for security management business unit, CA EMEA Eastern markets. “In Dubai, we have read about different banks that have been subjected to fraud, such as phishing e-mails or physical damage to their ATMs. People see it as lack of security control and this causes absolutely negative perception and customer dissatisfaction.”

For a customer, a security fraud means that the bank has failed to implement systems or some type of security control to protect its customers. Such concerns have led to the slow uptake of online banking, according to Doo. “Most banks are spending more money gearing up for growth in online banking than they are spending gearing up for growth in physical location expansion,” he says. Research has shown that the cost of a transaction where somebody visits a branch and does an over-the-counter transaction is nearly ten times the cost of the same transaction that is carried out online,” Doo continues. “However, there is a global slowdown, at the moment, when it comes to internet banking uptake.

To encourage people to adopt online banking, Ayman Majzoub, general manager of Pointsec Mobile Technologies Middle East and Africa, insists banks should put more emphasis on better security tools. For instance, we go and secure one server or secure one desktop. “Banks in the US are already on stage three and four because they are trying already to improve on alignment of business by introducing more and more reporting mechanisms.” Majzoub believes that the lack of regulatory policies is the main reason why banks in the Middle East are not actively doing more to improve security.

http://www.itp.net/features/details.php?id=4568&category=