Contact: Mary Beth Quist
June 30, 2008 Fed Changes Liability Rules for Certain Internet Transactions
The Federal Reserve System’s Retail Payments Office announced a
policy change to its operating rules to hold sending banks liable for
remotely created payment orders that bypass the rules and monitoring of
the National Automated Clearing House Association. The change to
Operating Circular 3 will go into effect on July 15. The rule change
takes aim at a product offered by certain vendors that purports to take
Internet payment instructions for goods or services purchased from an
Internet firm, convert them to an electronic template and then further
convert the electronic template to an imaged check for clearing through
the Fed or other check clearing networks. The Fed said it was concerned
because of some instances of fraud associated with these activities and
because the process removes the transactions from monitoring. The Fed said banks
using these services “will be providing warranties and assuming
liability for the legitimacy of the item.” The Fed added,
“in essence, we will look to the sending bank to make us whole if
we suffer any loss because the sending bank sent us an electronic item
that did not actually originate from a paper check.”
June 27, 2008 ALERT Modernization
The FDIC hosted an interagency Stakeholders meeting this week in
Virginia. This group is tasked with evaluating the current ALERT
functionality needs and ensuring that it remains a viable and effective
tool for the Agencies. The group continued to work through
“use cases” and discuss business processes. The
following states participated in this meeting: GA, IA and IL.
System development is planned through the end of this year. User
Acceptance Testing and implementation are scheduled for 2009.
June 20, 2008 Study Analyzes Source, Cause of Data Breaches
Nearly nine in 10 corporate data breaches could have been
prevented had reasonable security measures been in place, according to a
comprehensive report issued in June by Verizon Business. The “2008
Data Breach Investigations Report” spanned four years and more
than 500 forensic investigations involving 230 million records, and
analyzes hundreds of corporate breaches including three of the five
largest ones ever reported. The study found that 73 percent of breaches
resulted from external sources versus 18 percent from insider threats,
and most breaches resulted from a combination of events rather than a
single hack or intrusion. Financial institutions accounted for 14
percent of the breaches studied, while the retail and food and beverage
industries accounted for more than half of the cases. Some of the key
findings included: 39 percent of breaches were attributed to business
partners, a number that rose five-fold during the course of the period
studied; 59 percent of the deliberate breaches were the result of
hacking and intrusion; 75 percent of breaches were discovered by a third
party rather than the victimized organization and went undetected for a
lengthy period of time.
June 19, 2008 GAO Reports On FDIC Information Security Systems
FDIC is making progress, but still needs to improve the management of
key financial systems, according to a report released by the General
Accountability Office. The report found that FDIC had corrected or
mitigated 16 of the 21 weaknesses that GAO had previously reported as
unresolved at the completion of its 2006 audit. For example, FDIC has
improved physical security controls over access to its Virginia Square
computer processing facility, instructed personnel to use more secure
e-mail methods to protect the integrity of certain accounting data
transferred over an internal communication network, and updated the
security plan and contingency plan of a key financial system. However,
GAO said old and new weaknesses could limit the corporation's ability to
effectively protect the confidentiality, integrity and availability of
its financial systems and information. Some of the problems identified
in the report included failing to: maintain a full and complete baseline
for system requirements; assign unique identifiers to configuration
items; authorize, document and report all configuration changes; and
perform configuration audits. GAO said a key reason for these weaknesses
is that “FDIC did not always fully implement key information
security program activities.”
June 19, 2008 IER User Acceptance Testing
The FDIC has been working over the past several months to improve the
Interagency Examination Repository (IER) Project. A group of FDIC and
State examiners will test the IER during the week of July 7, 2008.
May 14, 2008 Federal Reserve Working on Electronic Record Requirement
The Federal Reserve is working on rules for banks to supply
information for subpoenas in electronic form, according to the May issue
of the SAR Activity Trends, Tips and Issues published by the Financial
Crimes Enforcement Network. FinCEN said the Justice Department, Federal
Bureau of Investigation and Internal Revenue Service have developed a
standardized attachment for grand jury subpoenas that requires the
production of bank records in their original electronic form. FinCEN
said the scope of the records to be produced has not changed, but the
form of production will be specified to be electronic data. “The
Federal Reserve is in the process of revising Regulation S, including
reimbursement terms for production of electronic records,” the
report said. The instructions will call for the use of encryption when
transmitting data and for data verification, such as hash coding. FinCEN
said the agencies are committed to working with financial institutions
during the transition period. Other issues covered in the publication
included trends in mortgage and real estate fraud, and case studies
highlighting how SARs were used by law enforcement.
May 13, 2008 FBI Warns of Direct Deposit Ploy on Tax Rebate Checks
The Federal Bureau of Investigation recently issued a warning about
e-mails claiming to be from the Internal Revenue Service that attempt
to steal consumers’ information by suggesting the use of direct
deposit to obtain their economic stimulus tax rebates. The message
contains a hyperlink to a fraudulent form that requests the recipient's
personal data, including bank account information. To convince consumers
to reply, the e-mails warn the recipients that failure to complete the
form in a timely manner will delay the issuance of their rebate checks.
One example of the message is: “Our records indicate that you are
qualified to receive the 2008 Economic Stimulus Refund. The fastest and
easiest way to receive your refund is by direct deposit to your
checking/savings account. Please follow the link and fill out the form
and submit before May 10th, 2008 to ensure that your refund will be
processed as soon as possible. Submitting your form on May 10th, 2008 or
later means that your refund will be delayed due to the volume of
requests we anticipate for the Economic Stimulus Refund.” The FBI
warned consumers not to click on the links.
May 7, 2008 Data Encryption Paper Outlines Best Practices for Key Management
BITS, the technology arm of the Financial Services Roundtable, published
a paper on May 6 to provide a framework for financial services companies
to consider when developing their key management programs. The paper
provides an opportunity for all financial institutions to
“leverage the best practices around encryption and associated key
management,” said Tom Doughty, who chairs the BITS Security
Steering Committee and is vice president and chief information security
officer at Prudential Financial. The paper discusses critical success
factors for an enterprise-wide program, offers examples of key
management programs, and addresses practical adoption issues for
encryption and key management. The report calls for encryption keys to
be managed with the same care given to the confidential data they
protect for the duration of their use to ensure that they are not easily
guessed, disclosed or lost.
May 2, 2008 Federal Reserve to Start Electronic Filing System
The Federal Reserve issued a proposal on April 29 to allow banks, bank
holding companies, foreign bank organizations and others to file
applications, notices and other requests through an electronic system by
the end of the year. The Fed said the electronic system would be
voluntary and would begin in the second quarter as a pilot program with
20 participants. The system would be finalized during the fourth quarter
and could begin operation next year. "The Federal Reserve anticipates
that the electronic submission of filings through E-Apps would reduce
the burden filers experience with current requirements for paper-based
submissions," the agency said. Banks that voluntarily choose to submit
filings through E-Apps would save the time and expense associated with
photocopying and mailing or otherwise filing copies.
April 24, 2008 Technology Company Announces Check Processing Settlement
DataTreasury Corp. announced on April 21 it has settled a
patent infringement lawsuit against The PNC Financial Services Group,
Inc. and PNC Bank for check-processing patents. The patents cover image
capture, centralized processing and electronic storage of documents and
check information, and a central check clearing system. The company said
it is actively pursuing lawsuits against 53 other defendants. In the
settlement, DataTreasury granted PNC a worldwide license for its
patents. Other terms of the agreement are confidential. The U.S. Patent
& Trademark Office recently re-examined DataTreasury’s patents
and confirmed the validity of the company’s claims. “We are
now preparing to take the remaining defendants to trial,” said
DataTreasury’s lead trial counsel, Nelson Roach of Nix, Patterson
& Roach, LLP.
April 23, 2008 GENESYS 5.3
This update is now available on the CSBS website for state banking
departments to download, together with installation instructions and the
install file.
April 17, 2008 SanDisk Warns on USB Drive Threat
SanDisk has warned that IT managers are unaware of the extent
to which unsecured flash drives are being brought into their
organisations, backing this with a new study of corporate end-users and
IT executives.
The study found that 77 percent of corporate end-users surveyed have
admitted to using personal flash drives for work-related purposes.
However, when asked to estimate what percentage of the workforce uses
personal flash drives, corporate IT respondents said only 35
percent.
Users meanwhile admitted that the data files most likely to be copied to a
personal flash drive include customer records (25 percent), financial
information (17 percent), business plans (15 percent), employee records
(13 percent), marketing plans (13 percent), intellectual property (6
percent), and source code (6 percent).
The survey highlights that due to the highly portable nature of USB
flash drives, they represent a significant risk of data loss for
enterprises. Approximately one in ten (12 percent) of corporate end
users reported finding a flash drive in a public place. Additionally,
when asked to pick the three most likely actions they would take if they
found a flash drive in a public place, 55 percent indicated they would
view the data.
SanDisk meanwhile hopes to give IT managers a fighting chance of
controlling the usage of flash drives in organisations, and earlier this
week unveiled a new version of its CMC (Central Management &
Control) software used to manage its Cruzer Enterprise USB flash
drives.
The SanDisk Cruzer Enterprise flash drive comes in 1GB, 2GB, 4GB, and
8GB storage capacities.
Version 3.0 of the CMC software is designed to give IT managers an
easier way to manage the lifecycle of Cruzer Enterprise USB flash
drives, including deployment throughout the organisation, password
recovery and renewal through the network, central back-up and restore,
central usage tracking, and remote termination of lost drives.
"CMC is at the centre of SanDisk’s mission to make flash memory
the preferred solution for authentication, workspace virtualisation and
endpoint security," said Etti Berger, product marketing manager for CMC
in SanDisk's Enterprise Division.
Specifically, CMC 3.0 allows IT managers to rapidly introduce new
applications through the network, without users having to initiate an
installation process or having to bring their drives to the IT
department. It also keeps track of application and seat licences on
Cruzer Enterprise drives.
In addition, CMC 3.0 allows for Cruzer Enterprise drives to be remotely
configured from any corporate PC without requiring pre-installation of a
software agent. SanDisk says this reduces the time and effort needed to
add new drives, especially in large organisations with multiple
locations and many remote workers.
IT managers can also create pre-defined reports on user activity, giving
the IT department new tools for uncovering violations of the
organisation’s data security policies, and for providing
confirmation of regulatory compliance through an enhanced audit
trail.
Finally, CMC 3.0 features improved password policy control, and
passwords can now be set to expire after a number of days selected by
the IT department. It can also synchronise with Active Directory
password policies.
SanDisk said that CMC 3.0 is expected to be available in the third
quarter, with pricing provided on request to enterprise clients.
SanDisk also revealed that Cruzer Enterprise drives now have the
ability to deploy, store and use RSA SecurID software tokens from RSA.
This gives end-users a single device for secure data storage and
two-factor authentication, an alternative to carrying both a flash drive
and a separate hardware authenticator.
April 16, 2008 NACHA Launches E-Bill Service With Verizon Transaction
The National Automated Clearing House Association announced the
launch of an Electronic Billing Information Delivery Service on April 14
to speed the ability of consumers to receive electronic bills at the
online provider of their choice. The first transaction presented and
paid using the system was from Verizon. NACHA said the system expands
the capabilities of the ACH network to include the distribution of
consumer bills to financial institutions. NACHA said some of the
benefits of the system are: increased revenue for banks; reduced cost
and extended reach for businesses; privacy for consumers; and the
advantages of paperless transactions.
April 7, 2008 FinCEN Stops New Applications for Filing Via Magnetic Media
The Financial Crimes Enforcement Network announced on April 4
that it is no longer accepting new applications to batch file Bank
Secrecy Act forms using tapes and/or diskettes. FinCEN plans to retire
the magnetic media program and in the future will announce the deadline
for transitioning from magnetic media to the BSA E-filing system.
New users who wish to batch file their BSA forms will have to submit
these files using the BSA E-filing system.
April 3, 2008 SBA Seeks Information on E-Portal for Small Business Lending
The Small Business Administration is seeking innovative ideas
from lenders and the business community on ways to establish a new
e-commerce portal to help expand credit availability for businesses and
give lenders access to new potential small-business customers. The
agency put out a request for information from potential vendors on
setting up an online lending portal to connect small-business loan
applicants and commercial lenders. The request is not an official
solicitation for a contract, but instead will be used by the agency to
gather information in such areas as specifications, pricing strategies
and project management. SBA envisions a system where business users
would enter relevant information on financial needs and key financial
performance information that is critical to the underwriting decision.
The portal then would facilitate matching interested lenders with these
prospective borrowers. SBA is looking for input in such areas as user
friendliness and transparency, market coverage, privacy policies,
revenue sharing, timeline and risks. The deadline for submitting
information is April 28.
March 24, 2008 Washington State Agency Stops Use of External Thumb Drives
Employees of the Washington State Division of Child Support will now be
required to use state-owned USB flash drives as part of an effort to
eliminate the use of privately-owned thumb drives. External flash drives
used by field workers hold the names, dates of birth and Social Security
numbers of children served by the agency. They may also hold client tax
documents, employer records, criminal histories and passport data. The
state began rolling out 200 SanDisk Cruzer drives late last year after
recalling suspect devices used by workers in the agency's 10 field
offices. Most of those had been purchased independently by employees,
causing myriad problems for the agency, said Brian Main, the division's
data security officer. The Cruzer Enterprise drives provide 256-bit AES
encryption and are password-protected. Main noted that the state does
periodic risk analysis of its systems, identifying a problem with the
proliferation of privately-owned thumb drives.
March 19, 2008 Firm Hacks Encrypted Data
LuciData Inc., a Minneapolis-based computer forensic and internal threat
management company, reports that it successfully cracked an encrypted
laptop on behalf of a corporate client. The laptop reportedly was using
Pointsec Full Disk Encryption. LuciData noted that the default
configuration that many companies use leaves them vulnerable to a very
simple attack that effectively gives complete administrative control of
the machine to anyone with physical access. This simple
attack takes advantage of the FireWire protocol and its ability to
directly access and modify the RAM of a target machine with a FireWire
port installed. Using a simple and readily available forensics software
tool, it is possible to connect a FireWire cable to a computer, and
within seconds bypass the Windows authentication and log in as a local
administrator. While the long term implications
of this attack have not yet been fully investigated, the most immediate
recommendation is for companies using Pointsec to redeploy its whole
disk encryption solution so that preboot authentication is
enabled.
March 19, 2008 Update to FFIEC Business Continuity Planning Booklet
The Federal Financial Institutions Examination Council (FFIEC) today
issued updated guidance for examiners, financial institutions, and
technology service providers to identify business continuity risks and
evaluate controls and risk management practices for effective business
continuity planning. The guidance is an update to the “Business
Continuity Planning Booklet,” which was issued in March
2003.
March 18, 2008 FTC Fines ValueClick Over Advertising, Security Issues
Online advertiser ValueClick, Inc., will pay a record $2.9
million to settle Federal Trade Commission charges that its advertising
claims and e-mails were deceptive and violated federal law. The agency
also charged that ValueClick and its subsidiaries, Hi-Speed Media and
E-Babylon, failed to secure consumers’ sensitive financial
information despite their claims to do so. The settlement requires
ValueClick to clearly and conspicuously disclose the costs and
obligations consumers must incur to receive the products it claimed were
free. FTC said ValueClick’s subsidiary Hi-Speed Media used
deceptive e-mails, banner ads and pop-ups to drive consumers to its Web
sites. The e-mails and online ads claimed that consumers were eligible
for free gifts, such as laptops, iPods and high-value gift cards. FTC
alleged that consumers lured to ValueClick’s Web sites by these
promises were led through a maze of expensive and burdensome third-party
offers – including car loans and satellite television
subscriptions – which they were required to participate in at
their own expense to receive the promised free merchandise. On the
security issue, FTC alleged the companies published online privacy
policies claiming they encrypted customer information, but either failed
to encrypt the information at all or used a non-standard and insecure
form of encryption. The agency also charged that several of the
companies’ e-commerce Web sites were vulnerable to hacker
attacks.
March 18, 2008 Survey Reports on Mobile Banking Interest, Concerns
A Harris Interactive study found that mobile phone users are
becoming more comfortable about making banking and purchase
transactions, but security remains a major concern. The survey found 16
percent of mobile phone subscribers used mobile banking services.
Thirty-five percent were open to checking bank account balances and
transferring funds via their mobile devices. A third of those surveyed
also said they would like to receive text message alerts from their
financial institutions. The survey also found that mobile purchases were
on the rise. About 25 percent of mobile phone users with mobile access
to the Internet used their phones to buy goods and services online via
credit cards. One in five said they would like to someday use their
phones like a mobile wallet, where charges would be billed directly to
their mobile accounts. However, the biggest barrier affecting consumer
acceptance of mobile banking and commerce was security concerns over
personal data. Two-thirds of those interviewed expressed apprehension
about using their mobile phone to transmit sensitive financial
information. Sixty-three percent reported fears about this medium
exposing them to potential fraud and financial scams. Sixty-one percent
also worried about losing a mobile phone containing personal financial
information. The online survey was conducted in December 2007 with 1,072
U.S. adults aged 18 and older.
March 4, 2008 Reserve Banks Plan Change for ACH Postings
The Federal Reserve issued a proposal recently to change its
daylight overdraft posting rules to align the posting times for
automated clearing house credit and debit transfers. Under the current
posting rules, commercial and government ACH credit transfers processed
by the Federal Reserve Banks are posted at 8:30 a.m. ET, while
commercial and government ACH debit transfers are posted at 11 a.m. ET.
Under the Fed proposal, Reserve Banks would change the posting time for
commercial and government ACH debit transfers to 8:30 a.m. ET. The Fed
also said it would consult with the Treasury Department to move the
posting time for Treasury tax and loan investments to 8:30 a.m. ET. The
deadline for comments is June 4.
February 27, 2008 Princeton Research Group Finds Security Threat In File Encryption
A new breed of identity thieves may be able to gain access to
encrypted files including those containing bank account information and
credit card numbers, according to a recent study by a Princeton
University research team. The group, led by Princeton Public Affairs
Professor Ed Felten, published a 22-page white paper and additional
information about their findings on the University Center for
Information Technology Policy (CITP) website. The research team
discovered that the encryption key, which is a long series of bits (0s
or 1s), could easily be retrieved from the memory chips of computers.
The research team found that information remains in computer memory
chips for five to 45 seconds after shutting down. Information stored on
the computer can be read directly off the memory chips. Cooling the
chips with liquid nitrogen or compressed air can increase the retention
of information from seconds up to several hours. “The secret key
that can decrypt everything is sitting in the computer’s memory
chip, and because information can be captured from the memory chips,
that means these encrypted files are not nearly as safe as people
thought,” Felten explained. The biggest impact of the lingering
data will be on the data-encryption methods used to protect the files
on laptop computer hard drives, he said. Researcher John Halderman GS
said he was particularly concerned about the vulnerability of the
financial data stored on bank and credit card company computers.
“A laptop with bank account numbers or credit card numbers for
thousands of people is an enormous risk,” he said. “To
better protect this kind of information, companies should store it
exclusively on desktop machines, which are harder to lose or steal than
laptops,” Halderman said, adding, “If the information needs to be kept
on laptops, others should be careful to always shut them off when not in
use.”
February 19, 2008 Reserve Banks Publish Survey on Fedwire Message Changes
The Federal Reserve Banks are considering changes to the
Fedwire message format to enhance the transparency of cover payments and
to include structured business remittance information. Before making
these changes, the Reserve Banks are seeking feedback from Fedwire
participants and other interested parties through a survey. Cover
payments are used in correspondent banking, usually to facilitate
international transactions. They are payments made through a chain of
correspondent banks to settle a credit transfer message that travels a
more direct route to the ultimate beneficiary’s bank. The deadline
for responding to the survey is March 14.
February 14, 2008 Employers Using E-Verify
More than 52,000 employers have
voluntarily signed up to use the nation’s employment status
verification system known as E-Verify, said the U.S. Citizen and
Immigration Service on Feb. 12. The service started with a pilot group
of employers in five states and is now adding about 1,000 new employers
each week. E-Verify is a free, Web-based system that allows
participating employers to electronically verify the employment
eligibility of newly hired employees. The E-Verify system compares
employee information against more than 425 million records in the
database of the Social Security Administration and more than 60 million
records stored in the Department of Homeland Security database. A
recently added feature allows employers to compare photos of a new
hire’s employment authorization document or permanent resident
card against nearly 15 million images stored in DHS immigration
databases.
February 13, 2008 Fed Alters Check Processing for Dallas, Kansas City
The Federal Reserve Board on Feb. 12 amended Regulation CC to
reflect the check processing changes in the operations of its 10th and
11th Federal Reserve Districts. Starting on April 19, 2008, the head
office of the Federal Reserve Bank of Kansas City no longer will process
checks, and banks currently served by that office will be reassigned to
the head office of the Federal Reserve Bank of Dallas. As a result of
these changes, some checks deposited in the affected regions that
currently are nonlocal checks will become local checks that are subject
to shorter permissible hold periods.
February 7, 2008 Reserve Banks See Acceleration of E-Payments
The Federal Reserve predicted an all-electronic payment system in the
not too distant future. In an article in its FedFocus publication, the
Federal Reserve Banks said this past September more than 50 percent of
the forward items they processed were deposited in a FedForward image
cash letter rather than as traditional paper deposits. "It has taken
us three years to move half of the forward volume to electronics, but we
expect the remaining half to move much more quickly. We’re passing
the tipping point," said Fred Herr, senior vice president in the Federal
Reserve Banks’ Retail Payments Office. Between 2003 and 2006,
the number of checks paid decreased by 6.4 percent per year, while the
use of debit card payments grew from 19 percent to 27 percent and
automated clearing house payments grew from 11 percent to 16
percent.
February 1, 2008 FTC Offers Malware Advice
The Federal Trade Commission on Thursday announced a new
publication to help consumers protect their computers against malware
and reclaim their computers and electronic information if malware is
already on their computers. The publication, “Minimizing the
Effects of Malware,” provides tips on spotting malware and urges
consumers to act immediately if they suspect their computers are
affected by malware. The agency noted that criminals use appealing Web
sites, desirable downloads and compelling stories to lure consumers to
links that will download malware. Installed malware is then used to
steal personal information, send spam and commit fraud. The publication
is available on FTC’s Web site.
January 22, 2008 Internet Crime Center Issues Alert on New Bank Scams
The Internet Crime Complaint Center on Jan. 17 reported an
alarming rate of increase in “vishing” attacks against U.S.
financial institutions and their customers. The IC3 center is a joint
partnership of the FBI and the National White Collar Crime Center. In
vishing attacks, consumers receive an e-mail, text message or telephone
call supposedly from their credit/debit card companies directing them to
contact a telephone number to re-activate their cards due to a security
issue. In the schemes, people are persuaded to divulge their personally
identifiable information because they are told their accounts were
suspended, deactivated or terminated. Recipients are directed to contact
their banks via a telephone number. Upon calling the telephone number,
the recipients are greeted with "Welcome to the bank of ……"
and then requested to enter their card numbers to resolve a pending
security issue, IC3 said. To promote authenticity, some of the
fraudulent e-mails claim that the bank would never contact customers to
obtain their personal information by any means, including e-mail, mail
or instant messenger. Another version of the scam involves text messages
to customers’ cell phones claiming the recipients’ online
bank accounts have expired. To avoid the scam, IC3 said customers should
always call their banks using telephone numbers obtained
independently.
January 9, 2008 Security Firm Identifies Top 10 Internet Security Threats
Mass mailer worms accounted for many of the top 10 Internet
security threats in December, according to Fortinet's FortiGuard Global
Security Research Team. The “Netsky!similar” threat
accounted for the highest volume of activity detected by the security
company in December, representing 11.05 percent of the overall reported
activity. Other mass mailer threats on the top 10 list were: MyTob.FR at
3.4 percent, Lovgate.X2 at 2.9 percent and Zafi.D at 2.2 percent. TCent
and Bdsearch adware, which also appeared in the November report,
maintained their positions in the top 10 list. The company also said the
ANI07.A exploit remained very active, claiming a strong position in the
top 10 for the ninth consecutive month. The Istbar.PK trojan, which
installs a search toolbar on the user's Web browser and can download
various adware and trojans, reached the eighth position on the top 10
list -- up from the 25th position in November.
January 8, 2008 Identity Theft Challenges
Identity theft will continue to be a persistent and increasingly
complex crime, according to the Identity Theft Assistance Center. On the
positive side, the center noted the growing cooperation between the
public and private sector, the growth of state and regional task forces
devoted to identity theft and more successful prosecutions. Some of the
challenges identified by the center were: the use of new technologies by
criminals to commit identity theft; the increase in importance of
identity theft as a business issue; and the difficulty in profiling
identity thieves. The center is a nonprofit coalition of financial
services companies committed to protecting their customers from identity
theft. Read more
January 7, 2008 Treasury to Deliver Federal Benefits Through Debit Cards
The Treasury Department announced a new initiative to provide
Social Security and other federal benefits to recipients without banking
relationships through prepaid debit cards. Treasury’s Financial
Management Service will introduce the Direct Express Card in the spring
of 2008 through Comerica Bank and plans to provide national distribution
by the end of the summer. Federal benefit recipients who choose the
Direct Express option will have payments automatically deposited to
their Direct Express Card accounts on the federal beneficiary's
designated payment day. Cardholders will be able to access their money
at automated teller machines and financial institutions nationwide. They
also will be able to use their cards to get cash back and make purchases
at retail locations, as well as pay bills and make purchases online.
Treasury estimates that 4 million Social Security and Supplemental
Security Income check recipients do not have bank accounts. "The
explosive growth in the prepaid card industry offers an important
opportunity for Treasury to give unbanked payment recipients secure,
easy access to their funds, at low or no cost to the cardholder. We
ultimately would like to see an all-electronic Treasury -- with all the
security, efficiency and cost savings that would entail," said FMS
Commissioner Judy Tillman. More information
January 3, 2008 Federal Reserve Continues Check Processing Adjustments
The Federal Reserve announced on Jan. 2 changes to Regulation
CC to reflect the restructuring of its check processing operations.
Effective Feb. 23, banks with routing numbers 0220, 2220, 0223 and 2223
will be reassigned to the head office of the Federal Reserve Bank of
Cleveland. Effective March 29, banks with routing numbers 0213 and 2213
will be reassigned to the head office of the Federal Reserve Bank of
Philadelphia. As a result of these changes, some checks deposited in the
affected regions that currently are nonlocal checks will become local
checks that are subject to shorter permissible hold periods, the Fed
said. Between 2008 and early 2011, the Fed will reduce its check
processing operations to four Federal Reserve Banks – Cleveland,
Philadelphia, Atlanta and Dallas. The Fed has set tentative plans to
transfer the processing for Memphis, Tenn., to Atlanta during the third
quarter of 2008 and the check processing for Cincinnati to Cleveland in
the fourth quarter of 2008. Other fourth quarter 2008 transfers expected
are Seattle to Dallas and Windsor Locks, Conn., to Philadelphia. More information
January 2, 2008 FTC Reports on Use of Spam for Financial Crimes
Internet spam has increasingly become a significant global
avenue for the dissemination of malware and financial crime schemes,
according to a Federal Trade Commission staff report on a spam summit
held in July 2007. Panelists at the summit concluded that, in most
instances, the acts of malicious spammers are inherently criminal, and
criminal law enforcement agencies are best suited to shut down their
criminal operations. The report noted that there has been a dramatic
increase in the number of Web sites that either knowingly or unwittingly
host “crimeware code” that collects information about
end-users for the purposes of stealing the user’s personal
information, including their financial data. Summit speakers also
identified collaborative efforts throughout the public and private
sectors that have played, and will continue to play, a significant role
in the fight against malicious spam and phishing. Some of these
solutions include e-mail authentication and e-mail reputation services.
The report noted that BITS, the technology division of the Financial
Services Roundtable, has strongly recommended that its member financial
institutions adopt authentication by the end of 2008. More information
December 14, 2007 FinCEN Reports on E-mail Service
More than 18,000 people have subscribed to the free e-mail
subscription management service offered by the Financial Crimes
Enforcement Network during the past year. FinCEN said of the 25
topics to which users may subscribe, the most popular are Bank Secrecy
Act guidance (12,538 subscriptions), Suspicious Activity Report
information (12,236 subscriptions) and advisories/bulletins/rulings/fact
sheets (12,223 subscriptions). Subscribers may opt to have FinCEN
updates sent immediately, daily, weekly or monthly to their e-mail
accounts or directly to a wireless device. In the past year, FinCEN has
sent 709,577 e-mails alerting users to these various announcements, such
as guidance to financial institutions on the increasing money laundering
threat involving illicit Iranian activity. Read more
December 14, 2007 FBI Fights Botnets
The FBI recently reported success in its program to find and
stop botnets, which are armies of personal computers used by cyber
criminals to commit crimes. Botnets are used for such crimes as identity
theft, denial of service attacks and massive spam campaigns. In the
first phase of its operation in June, the FBI was able to pinpoint more
than a million victimized computers and charged a number of individuals
around the country with various cyber-related crimes. In the second
phase, three more indictments were issued and the agency has uncovered
more than $20 million in economic losses. Two men involved in a major
phishing scheme targeting a Midwest bank that led to millions of dollars
in losses also were recently sentenced. Read more
December 11, 2007 Federal Reserve Study Finds Growing E-Payments Replacing Checks
Electronic payments are growing, while the number of check
payments continues to decline, according to a study published on Dec. 10
by the Federal Reserve. Of the 93 billion noncash payments in 2006,
about 63 billion were electronic and around 30 billion were checks, the
Fed said. Among the three main types of electronic payments, the annual
use of debit cards increased between 2003 and 2006 by about 10 billion
payments to 25.3 billion payments in 2006. Debit cards now surpass
credit cards as the most frequently used electronic payment type.
Over the same period, automated clearinghouse payments grew to 14.6
billion, an increase of almost 6 billion payments. Credit cards grew by
almost 3 billion payments to 21.7 billion in 2006. The highest rate of
growth from 2003 to 2006 was in ACH payments, which grew about 19
percent per year, followed closely by debit card payments at almost 18
percent. Meanwhile, checks declined by an average of 6.4 percent per
year since 2003. Another significant finding in the study was the
increasing proportion of checks processed electronically. During 2006,
almost 3 billion consumer checks, including checks sent to billers or
used as source documents to initiate electronic payments at the point of
sale, were converted and cleared as ACH payments rather than as check
payments. This was an eight-fold increase since 2003. More information
December 5, 2007 FDIC Revises Technology Examination Questionnaire
FDIC on Dec. 4 announced an update to its risk-focused
information technology examination procedures. As part of the revision,
the IT officer's questionnaire was enhanced to provide greater coverage
of vendor management and outsourcing topics, credit card and automated
clearing house payment system risks, and an institution's overall
information security program. The update includes a new vendor
management and service provider oversight section to reflect potential
reliance on outside firms for technology-related products and services.
New questions were added for payment system risks, including questions
relating to the originating financial institution, wire transfers,
credit card merchant processing, and remote deposit capture. The IT
officer's questionnaire must be completed and signed by an executive
officer of the financial institution and returned to the FDIC
examiner-in-charge prior to the on-site portion of the examination. FDIC
said its reference document should assist banks in conducting
self-assessments of their information security programs. More information
November 26, 2007 Senate Passes ID Theft Bill
The Senate on Nov. 15 unanimously passed legislation to give
federal prosecutors new tools to fight identity theft and cyber
crime. The Identity Theft Enforcement and Restitution Act (S.
2168) would give victims of identity theft the ability to seek
restitution for the loss of time and money spent restoring credit and
remedying the harm of identity theft. Another provision would ensure
that identity thieves who impersonate businesses to steal sensitive
personal data could be prosecuted under federal identity theft laws.
Currently, the law only provides for prosecution of identity theft
against an individual. Other features of the bill would enable
prosecution of those who steal personal information from a computer even
when the victim’s computer is located in the same state as the
thief’s computer; would eliminate the requirement that damage to a
victim’s computer exceed $5,000 before charges can be brought for
unauthorized access to a computer; would make it a felony to employ
spyware or keyloggers to damage 10 or more computers regardless of the
aggregate amount of damage caused; and would make it a crime to threaten
to steal or release information from a computer. Read more
October 31, 2007 FTC Warns of Fraudulent E-mail
The Federal Trade Commission issued a warning on Tuesday about
a bogus e-mail that refers to a “complaint” filed with
FTC against the e-mail’s recipient. FTC said the e-mail includes
links and an attachment that would download a virus if opened. The
e-mail has a phony sender’s address, making it appear that it is
from frauddep@ftc.gov. It also
spoofs the return-path and reply-to fields to hide the e-mail’s
true origin. While the e-mail includes the FTC seal, it has grammatical
errors, misspellings and incorrect syntax. Recipients should forward the
e-mail to spam@uce.gov and then
delete it, the agency said. While simply opening the e-mail does not
appear to cause harm, people who opened the attachment or clicked on the
links should run an anti-virus program. The virus appears to install a
“key logger” that could potentially grab passwords and
account numbers. Read more
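As an added defender-side example (not code from the FTC or from the original page), the Python below checks a raw message for the two traits the warning describes: a visible From: address that disagrees with the Return-Path and Reply-To domains, and an executable attachment. Both sample messages, their domains and the extension list are constructed for this example.

```python
"""Check a raw e-mail for the traits of the bogus FTC "complaint" message:
a From: address claiming ftc.gov while Return-Path and Reply-To point at
other domains, plus an executable attachment. Added example, not FTC code;
both messages below are constructed, not real captures."""
from email import message_from_string
from email.utils import parseaddr

# Attachment extensions treated as executable (assumed list for this example).
RISKY_EXT = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}

# Constructed message modelled on the FTC description (domains are made up).
PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: "FTC Fraud Department" <frauddep@ftc.gov>
Reply-To: <complaints@ftc-complaints.example.org>
To: <victim@example.com>
Subject: Complaint filed against you
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

A complaint have been filed against you, see the attachement.
--b1
Content-Type: application/octet-stream; name="complaint.exe"
Content-Disposition: attachment; filename="complaint.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed benign message: every address is in the same domain, no attachment.
CLEAN = """\
Return-Path: <newsletter@example.com>
From: "Example Corp" <newsletter@example.com>
To: <victim@example.com>
Subject: Monthly statement
Content-Type: text/plain

Your statement is ready.
"""


def domain_of(header_value):
    """Lowercase domain of the first address in a header, or '' if none."""
    addr = parseaddr(header_value or "")[1]
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def analyze(raw):
    """Return a list of human-readable findings for one RFC 822 message."""
    msg = message_from_string(raw)
    findings = []
    from_dom = domain_of(msg.get("From"))
    # Spoofed sender: the envelope/reply headers disagree with the visible From.
    for hdr in ("Return-Path", "Reply-To"):
        other = domain_of(msg.get(hdr))
        if other and other != from_dom:
            findings.append(f"{hdr} domain {other!r} differs from From domain {from_dom!r}")
    # Executable attachment of the kind the FTC warning describes.
    for part in msg.walk():
        name = part.get_filename() or ""
        if "." in name and name.rsplit(".", 1)[1].lower() in RISKY_EXT:
            findings.append(f"executable attachment {name!r}")
    return findings


if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("clean", CLEAN)):
        print(label, analyze(raw) or ["no findings"])
```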
October 30, 2007 Hackers Exploit PDF Vulnerability To Steal Data
SecureWorks reports that Russian hackers have been exploiting a
vulnerability in Adobe Acrobat and Reader on Windows to download, via a
PDF file, a variant of the Gozi Trojan, which can capture data entered on
secure Web sites to glean personal and account data in financial and
other transactions. The latest version of it, Gozi.F, was detected by
only 26 percent of the 32 largest anti-malware vendors as of Oct. 23,
SecureWorks said. Adobe rated this vulnerability, which affects users on
Windows XP or Windows 2003 with Internet Explorer 7 installed, as
critical. Exploitation requires downloading the malicious file. The
company on Oct. 22 recommended that affected users upgrade to Adobe
Reader 8.1.1 or Acrobat 8.1.1. The PDF is labeled as a bill or invoice.
When opened, it downloads a first-stage downloader EXE file from the
hacker site (Russian Business Network) by anonymous FTP and executes it.
The downloader then installs the Trojan, which is used to capture and
send personal data. In addition to updating antivirus signatures,
SecureWorks advises administrators to block traffic to the Russian
Business Network by blocking FTP traffic to 81.95.146.130 and HTTP
traffic to 81.95.147.107. More information
October 25, 2007 Mobile Banking Raises Security Issues
According to the Aite Group, security will be a major issue for
mobile banking and providers will need to focus on the methods that are
being deployed to mitigate risk over this emerging channel. According to
Aite Group’s report, "Mobile Banking Security: The Black Cloud
Attached to the Silver Lining," the same types of attacks that have
plagued the online world will inevitably migrate to mobile. The lack of
end-user education regarding potential threats across mobile devices,
combined with millions of transaction-enabled handsets and the global
reach of the mobile Internet, ensure that wide-scale criminal attacks
over the mobile network are a certainty. Wireless networks are now able
to deliver broadband speeds over handsets, which now have computing
power equivalent to personal computers of less than a decade ago. The
key is for banks to get started sooner rather than later, in order to
accelerate the learning curve and lessen exposure to mobile fraud when
it does occur, said Nick Holland, senior analyst at Aite Group and
author of the report. More information
October 24, 2007 Western Union Plans Money Transfers by Phone Service
Consumers would be able to send and receive low-denomination,
high-frequency money transfers using their mobile phones under a program
announced on Oct. 18 by GSM Association and the Western Union Co. GSMA,
which is a trade association for mobile phone operators, and Western
Union are working on the commercial and technical framework to support
the service and anticipate rolling out a product in the second quarter
of 2008. "Mobile networks now cover more than 80 percent of the world's
population and 3 billion people have a mobile phone, creating an
unprecedented opportunity to extend the benefits of financial services
to the majority of the world's families for the first time," said GSMA
CEO Rob Conway. The Mobile Money Transfer service would allow consumers
to transfer money to or from mobile wallets and would use the global
network of Western Union Agent locations for cash-to-mobile and
mobile-to-cash transactions. Thirty-five GSMA operators with more than
800 million customers in more than 100 countries will participate in the
program. Currently, Western Union and its affiliates provide money
transfer services across 200 countries through a network of more than
312,000 agent locations. More information
October 15, 2007 Citrix Finds Security Holes in Military, Federal Web Sites
Security researcher Petko D. Petkov said in an Oct. 4 posting
that his recent testing of Citrix gateways led him to a number of
"wide-open" Citrix instances, including 10 on government domains and
four on military domains. The Internet is full of wide open CITRIX
gateways, he said. Petkov noted that when searching on Google or Yahoo for
files with Citrix's proprietary ICA (Independent Computing Architecture)
extension, the returned files hand over hints about which server is
running, the underlying transport mechanism and the remote application
that Citrix will open. The ICA protocol in question specifies a method
of passing data between server and clients. It's not bound to any
particular platform, but products that use the protocol—including
Citrix's WinFrame and Citrix Presentation Server—are used to allow
Windows applications to be run on a Windows server and for supported
clients to access the applications. ICA is also supported on multiple
Unix server platforms and can be used for access to applications running
on those platforms. "And the problem is that CITRIX is pretty useful,"
Petkov wrote in the posting. More information
October 12, 2007 Adobe Offers Workaround for Vulnerability in Versions Up To 8.1
Adobe has become aware of a recently published report of a critical
security vulnerability in Versions 8.1 and earlier of Adobe Reader and
Acrobat on computers running Windows XP with Internet Explorer 7
installed. Adobe has not yet issued a patch to correct the
problem. To protect Windows XP systems with Internet Explorer 7
installed from this vulnerability, administrators can disable the
mailto: option in Acrobat, Acrobat 3D 8 and Adobe Reader by modifying
the application options in the Windows registry. Additionally, these
changes can be added to network deployments to Windows systems. More information
October 2, 2007 Treasury, Federal Reserve Propose Internet Gambling Rules
The Treasury Department and Federal Reserve issued a joint
proposal on Oct. 1 to prohibit the use of certain payment systems by
illegal Internet gambling businesses. The proposal to put the Unlawful
Internet Gambling Enforcement Act into effect would involve payments
made through such means as credit cards, electronic funds transfers,
checks, money transmissions and wire transfers. In the case of the
automated clearing house system, check collection systems and the wire
transfer system, the proposal would generally apply the rules only to
the institutions that have customer relationships with the Internet
gambling businesses. The proposal calls for covered financial firms to
have policies and procedures that are reasonably designed to prevent
payments being made to the illegal gambling businesses. The proposal
offers examples of such policies and procedures. Unlawful Internet
gambling generally would cover the making of a bet or wager that
involves use of the Internet and that is unlawful under any applicable
federal or state law in the jurisdiction where the bet or wager is made.
The deadline for comments is Dec. 12. More information
September 26, 2007 Glitch Found in Microsoft Office Excel 2007
Microsoft has issued a statement confirming that Microsoft
Office Excel 2007 has a flaw in the spreadsheet "that affects some
calculations where the product should equal 65,535." The bug was
first reported in the Microsoft.public.excel newsgroup. The company is
currently in the process of developing and testing a fix for the
flaw. More information
September 18, 2007 Internet Report Finds Growing Sophistication in Cyber Crimes
Cyber criminals are becoming more professional and using more
sophisticated methods, tools and strategies, according to an Internet
Security Threat Report released on Sept. 17 by Symantec Corp. The report
covered the six months between Jan. 1 and June 30, 2007, and detected an
increase in cyber criminals’ use of sophisticated toolkits to
carry out malicious attacks for financial gain. Symantec observed an
increase in the number of multi-staged attacks that consist of an
initial attack that is not intended to perform malicious activities
immediately, but that is used to deploy subsequent attacks. Other
findings in the report included: credit cards were the most commonly
advertised commodity on underground economy servers, making up 22
percent of all advertisements, followed by bank accounts at 21 percent;
Symantec documented 237 vulnerabilities in Web browser plug-ins, up from
74 in the second half of 2006, and 34 in the first half of 2006; and
theft or loss of computer or other data-storage medium made up 46
percent of all data breaches that could lead to identity theft. More information
September 17, 2007 Security Issues Need Consideration In VOIP Decisions
Shawn P. McCarthy, a senior analyst and program manager at IDC
Government Insights, recommends that government offices address
security issues as a part
of the decision-making process on whether to adopt Voice Over IP (VOIP)
telecommunications technology. New VOIP users should be aware that many
solutions do not yet support encryption. Open-source systems are
available to help identify and intercept VOIP conversations, so it is
now a fairly straightforward process to eavesdrop on, or even alter,
VOIP calls if a hacker wants to make the effort. Inline Network
Encryptors can provide a partial encryption solution for limited
IP-to-IP calls. Such devices sometimes are in place on networks, to help
secure network data traffic. But this only enables secure calls to other
IP-enabled phones. It cannot support nonsecure calls, nor can it access
non-IP networks. This effectively isolates the phone system from users
of traditional systems, making it a limited solution at best. All
government offices, but particularly defense and national intelligence
agencies, need secure communications. Older telephone systems can use a
pair of secure systems for classified communications: the Secure
Telephone Unit and Secure Telephone Equipment systems. However, neither
was designed to operate on VOIP networks. They rely on 10- to
20-year-old technology originally designed to operate