BankInfoSecurity.com - Banking Information Security News, Regulations, & Education  

 

Identity Theft


 Finance Execs React to ID Theft Red Flag Rules

Now reality sinks in.

With last week’s long-awaited release of the federal ID Theft Red Flag rules, financial institutions nationwide are starting to figure out “What next?”

Many executives are still absorbing the information. Others are actively working on adding the new requirements to their compliance efforts.





 ID Theft Red Flag Rules: Now the Hard Work Begins

The new Identity Theft Red Flag regulations announced last week are intended to make life tougher for criminals, but they are also expected to seriously complicate compliance efforts, according to financial industry experts.





 Agencies Issue Final Rules on ID Theft Red Flags

By this time next year, all U.S. financial institutions will be required to have implemented an Identity Theft Prevention Program.

This is the mandate from Washington, D.C., where six federal agencies this week issued the Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy. These final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.



 Six Tips to Keep the Bots at Bay


Fighting bots can seem like an unending battle. But there are some actions you can take to lower your risk. Among the steps:



 Botnets: The New, Faceless Threat

Private Data Vulnerable to Armies of Rogue PCs

One hacker armed with one computer isn’t going to make a dent in most financial institutions’ network security perimeters.

But imagine a faceless army of thousands of compromised PCs outside the walls of your institution. They are computer robots programmed to obey the commands of their master, and will do whatever their botmaster tells them to do. Think what damage they could do.





 Midwest Bank Hacked, Damage Limited

Intrusion Detected Early; Accounts Scrutinized for Fraud

Commerce Bank N.A., a regional bank operating in five Midwest states, last week fended off a criminal hack into one of its customer databases, and only a handful of customer records were taken.



 Anti-Whaler's Guide

Some common-sense pointers to remind your customers and senior executives who are in danger of "whaling" include:



 The Dangers of 'Whaling'

New ID Theft Scam Targets the Really Big Fish

Phishers are now setting their hooks on high-income individuals, and the term that information security researchers are using is “Whaling” -- or spear-phishing that really big fish.



 Some Electronic Greeting Cards Contain More Than a Greeting

While many computer users have sent them in the past, the future of E-cards (or electronic greeting cards) may be dimmed because of the recent use of them in scams targeting consumers. Financial institutions need to educate their employees and customers more about the dangers of opening electronic greeting cards.

E-Cards grew to be a popular, easy and cheap (sometimes free) way to send immediate messages to family, friends and co-workers. There are many companies out there offering this service; my Internet Service Provider even offers them in its service. You can add audio, video or animations to a message.



 Identity Theft: Consumer Perception Versus Reality

Information about the threats of identity theft seems to be everywhere -- media headlines, websites, billboards, television ads -- and your financial institution has probably warned its customers of the problem.

The real question is – how bad is the problem? Comparing studies and reports can yield confusing results. One study says it’s going up, another study says it’s flat. From the point of view of Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, identity theft, or the threat of it happening to a consumer, is more about the consumer’s perception than the real numbers of identity theft.



 'State of the Net'™ Report Shows Cybercrime Costs US Consumers $7 Billion

With identity theft topping the Federal Trade Commission's list of US consumer complaints, the release of a new report from a leading consumer advocacy group that puts a price tag of more than $7 billion on the cost of cybercrime to US consumers is not a surprise to many familiar with the identity theft threat.

The FTC's numbers show that for the seventh year in a row, identity theft tops the list of complaints that consumers filed with the Federal Trade Commission, accounting for 36 percent of the 674,354 complaints received from Jan. 1 to Dec. 31, 2006. According to the Better Business Bureau, identity theft affects an estimated 10 million U.S. victims per year.

A recent survey completed by Consumer Reports projects U.S. consumers have lost more than $7 billion during the last two years to viruses, spyware and phishing schemes.



 Lower Your Identity Theft Quotient

How a person handles their personal information during everyday tasks could heighten (or lower) their chances of being a victim of identity theft. Here are some tips you can share with your customers for them to use and remember to help lower their “identity theft quotient.”

Social Security Number Protection

Don’t expose your social security number



 FTC Versus Spam: Tackling a Growing Problem

The Federal Trade Commission’s second summit on Spam in the last four years addressed the growing problem of unsolicited emails that is creating costs for businesses and consumers alike.

FTC Chairman Deborah Platt Majoras addressed the summit, held July 11-12 in Washington, D.C. “The volume of spam reported by email filtering companies is rising,” she said. She added that botnets – networks of hijacked personal computers that spammers use to conceal their identities – have become the preferred method for sending spam.



 Data Loss and ID Theft Fears Altering Consumer Purchasing Behavior

With the headlines announcing almost on a weekly basis another data breach at businesses, educational institutions and medical facilities, a recent study shows consumers are modifying their purchasing behavior, including online buying, out of concern for the security of their personal information.

The "2007 Consumer Survey on Data Security," conducted by the Ponemon Institute, found that 62 percent of the respondents have been notified that their confidential data has been lost.



 Social Engineering: Giving the Old Flim-Flam Act

When it comes to cracking into computers and networks, one of the most indispensable tools is “social engineering” and it has little to do with modern computing technologies. In the popular lexicon that predates today's computing technologies, a social engineer might have been called a flimflam man, grifter, or con artist. They have been around for a long time.

The common denominator is that social engineering, grifting, and the con game all require that the perpetrators understand how people work and, more importantly, that they understand human vulnerabilities.



 Know What’s On Your Credit Report, It Can Protect You From ID Theft

A financial institution’s customers don’t always know what’s available to them. Your job is to help them. Did you know that everyone is entitled to receive one free credit file disclosure every 12 months from each of the nationwide consumer credit reporting companies – Equifax, Experian and TransUnion? This once-a-year offer was made possible by a federal mandate to help stem identity theft.



 Identity Theft Laws: State Penalties and Remedies and Pending Federal Bills

The Congressional Research Service recently released a report that provides an overview of state laws on identity theft. It discusses state laws that penalize identity theft, as well as state laws that assist identity theft victims, including those that permit consumers to block unauthorized persons from obtaining their credit information, known as “security freezes.” The report also includes a survey of state “credit freeze” statutes. The report concludes with summaries of federal identity theft legislation pending in the 110th Congress.



 Consumers Respond Well to Two-Factor Authentication

In spite of doom-and-gloom predictions following the FFIEC’s guidance announcements, financial institutions are able to balance convenience with security

As many U.S. banks and credit unions turn a corner on two-factor authentication deployments precipitated by last year’s Federal Financial Institutions Examination Council (FFIEC) guidance on the matter, they are still finding that they must balance customer satisfaction with customer security.

However, online banking consumers are proving to be far more accepting of strong authentication than industry pessimists predicted—in spite of the fact that most of them are unaware of the new regulation.



 Identity Theft and Business: Move Away From Using Social Security Numbers

One of the recommendations from the President’s Identity Theft Task Force: Decrease the unnecessary use of social security numbers in the public sector by developing alternative strategies for identity management. Deborah Platt Majoras, Chairman of the Federal Trade Commission and co-chair of the Identity Theft Task Force, gave this example of why this recommendation is at the top of the list of 31 recommendations from the Task Force.



 Identity Theft Task Force Report – A Look at the 31 Recommendations

The release of the President’s Identity Theft Task Force report on April 23 with its 31 recommendations has implications for financial institutions.

While the report also focuses on increased law enforcement crackdowns on identity theft and the prosecution of the criminals who perpetrate this crime, the need for increasing the education of the consumer about the perils of identity theft is near the top of the list of recommended actions.



 President’s Identity Theft Task Force Report Outlines Battle Plan

On the heels of a recently released supervisory letter from the FDIC on Identity Theft comes the strategic plan from the President’s Identity Theft Task Force, released on April 23. Fewer than 190 pages are contained in the main and supplemental report, but the plans are clearly drawn and tasks for each industry are outlined. Everyone from the public sector and private sector is named in the plan, including financial institutions.



 Identity Theft Victims – In Their Own Words

Identity theft can strike anyone. Unfortunately, even BankInfoSecurity.com’s staff have been past victims of identity theft. Luckily, the two stories have been resolved. Read on to hear, first-hand, the pain of identity theft and the lengths victims have to go to in order to resolve the crime and restore their identity. Both staffers’ names have been withheld to prevent further harm. These stories are good examples of why financial institutions must increase customer education on identity theft and continue their vigilance in verifying customer information.



 FDIC’s Identity Theft Supervisory Letter – What Banks Need to Do

When it comes to compliance with the FDIC’s recent Supervisory Letter on Identity Theft, financial institutions need to “beef up” their consumer education programs, along with looking more closely at their existing risk assessment programs to mitigate current and potential areas of vulnerability.



 Assure Your Customers About Identity Theft

When identity theft occurs, 9 times out of 10 the source from which the person’s identity was taken is never fully found. Trust and money are the two things financial institutions have as their products. Once a customer loses trust in your institution’s ability to protect their personal financial information, you’ll lose them as a customer.



 Financial Institutions: Build on Your Customer’s Education on Identity Theft

“The best offense is a good defense,” goes the adage. For financial institutions, part of the defense to protect your customers from becoming victims of identity theft is educating them.



 TJX Hacking Incident Shows Cracks In Payment Card Systems

The revelation by TJX Companies, owner of T.J. Maxx and other retail brands, that at least 45.7 million credit and debit cards were compromised over several years highlights anew the risks associated with processing card transactions and the need to protect the information they contain.



 What Applicants Need to Know about Identity Theft

As an active job seeker you may post your resume on several job boards, providing personal contact information including your social security number and more… speak with innumerable recruiters, discussing potential job opportunities and revealing more information about yourself. Chances are you don’t give this everyday job hunt process a second thought. But someone else may.



 FDIC’s Supervisory Policy on Identity Theft

For those financial institutions that have been putting off the education of their customers, it’s now time to sit up, take notice, and begin to take action. The FDIC’s issuance of a supervisory policy on identity theft on Wednesday means that all banks and financial institutions will be expected to take a more active role in detecting AND preventing identity theft of their customers.

The most recent data breach of TJX is a clear signal that business as usual for banks in regard to how they approach customers’ concerns about their identity is about to change. The FDIC’s expectations are also included in the letter; the active role that institutions need to take is laid out in the words, “detect, prevent and mitigate the effects of identity theft in order to protect consumers…”





 New Report Shows Identity Theft Rate Rising

A recently released survey from Gartner shows the rate of identity theft is rising -- more than 50 percent over previous years.

What is interesting for financial institutions is that they are not the first target. “As it showed in the report, the attacks are moving away from banks to fake lotteries and sweepstake contests, and other types of transactions including Internet auctions, nonregulated money transmittal systems, and other types of imaginative scams,” says Avivah Litan, vice president and distinguished analyst at Gartner.



 Voice and Wireless Communications Present Unique Security Challenges, Regulators Say

Banking via telephone and wireless mobile devices has become an important delivery channel for financial institutions. As with Internet banking, telephones and wireless devices afford great convenience for bank customers, but unfortunately they too are prone to phishing and other forms of attack.

The Federal Financial Institutions Examination Council has made clear that banks need to safeguard all customer channels against fraud. Understanding the risks and the steps to mitigate them can go a long way to securing not only a bank's information, but its reputation as well.



 2006 By the Numbers - Information Security Countdown

Data breaches were hitting the headlines almost every week in 2006, with the estimated number of records compromised due to security breaches over the 100 million mark, according to the Privacy Rights Clearinghouse, which tracks breaches dating to the ChoicePoint incident in 2005. With all the press coverage and consumer awareness of the issue, expect Congress to take up the matter this year in earnest. We will most probably see several legislative bodies arm wrestling to assign top enforcement duties with whatever form the federal law takes. That is aside from the 30+ state laws on the books that relate to data breach notification. Secure your sensitive data now before the waves of regulations begin washing up on the walls of your institution.



 The Twelve Days of Secure Banking

Wish List from Financial Institutions to Our Customers

As the weather outside gets colder and the year draws to an end, we're thinking of what would be some of the things we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here are the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.



 Focus on Information Security Training and Awareness

The Interagency Guidelines Establishing Information Security Standards as per Gramm-Leach-Bliley Act (GLBA) of 2001 require each bank to have a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the bank and the nature and scope of its activities.

The following publications from the NIST (National Institute of Standards and Technology) outline a model for information security training and awareness programs. While published several years ago, they remain a standard for all programs.



 Visa Takes Aim at Data Compromises

Visa is mounting a full-scale blitz to encourage merchants to use payment software that doesn't compromise consumer passwords. The card company has asked merchants to ensure that the software they use to process card transactions doesn't store the full contents of "track data", which contains passwords and other sensitive information.

Last year, a breach at CardSystems, a processor of card transactions, led to the exposure of 40 million payment records, setting off a firestorm that's led to a crackdown on data security vulnerabilities by regulators and lawmakers.

Visa's Cardholder Information Security Program prohibits the storing of full track data by merchants. Account numbers, expiration dates, and names are the only elements of track data that may be retained once a transaction has been authorized. In addition, Visa requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) by all merchants and any entity that stores, transmits or processes cardholder data.





 Top 10 Most Popular Information Security Articles

The results are in, and BankInfoSecurity.com would like to present the Top 10 financial information security articles on this website from 2006. All articles have been posted since January, and include any articles through the last week in July.

Not surprisingly, the number one article referred to actual financial services workers being fooled by a harmless, yet planned CD scam. This can only underline the importance many banks and financial institutions put on educating employees as a starting point to a strong information security program. Rounding off the top 10 are two articles related to phishing, a trend which indicates the problem will continue to be a nuisance to any institution offering online money account access.



 ID Theft Remains No. 1 Consumer Complaint

Consumers filed more than 255,000 identity theft reports to the Federal Trade Commission in 2005, accounting for more than a third of all complaints.

According to the FTC's most recent report, Internet-related complaints accounted for 46% of all fraud complaints in 2005. The most common form of ID theft was credit-card fraud, followed by telephone or utility fraud, bank fraud, and employment fraud.

Washington, D.C., had the highest per-capita fraud rate, followed by Tampa, Fla., and Seattle.



 Case Analysis of the Shadowcrew Carding Gang

The mainstream and IT trade press is replete with references to "organized crime" getting into cybercrime. Is this designation correct? And how significant are the successes of law enforcement in this area?

US prosecutors yanked a major ring of online ID thieves, the Shadowcrew, from the shadiness of the web into an American court spotlight that achieved guilty pleas in November 2005. The round up of the leaders of the Shadowcrew, which trafficked more than 1.7 million credit cards online, is a sign that authorities are cracking Internet fraud. But experts believe that the police are mostly missing the culprits. Graeme Burnett, a security architecture engineer at Enhyper, said that the perpetrators are not who you would expect. The description would be "14-30, middle class, good education, predominately white," he said.



 Keep Bank Customers Online - Counter ID Theft Fears

Consumers in the U.S. are responding to growing fears of online identity theft by going offline. Enterprises - especially those in the financial services sector - must counter this trend by reinforcing their efforts to deploy secure transaction-based applications.

Financial Institutions Especially Vulnerable

A new survey (see below) shows the first evidence that fears of identity theft are starting to cut into online usage statistics.

Online usage rates are especially critical for banks and other financial services institutions. The sector is marked by intense competition, relatively little differentiation between institutions, and low levels of customer loyalty.



 FYI - Trojans, PIN Numbers, Laptop Thieves

New Trojans Target Bank Accounts
A new breed of malicious software doesn't even bother to steal victims' bank-account numbers and passwords - it simply lies in wait until they log into their account, then transfers money out. That warning comes from anti-virus technologists from MessageLabs, a security firm. These malicious programs, called Trojans because they hide inside infected PCs until the time is right, are growing so rapidly that they are now No. 3 on MessageLabs' list of common cyber-threats. Typically, experts say, the bank-robber Trojans arrive in e-mail messages asking recipients to click on an innocent-looking link, such as an online greeting card.



 Wanted - An Electronic Achilles

ICSTIS, the body that regulates premium rate phone numbers in the UK, recently received about 50,000 complaints from PC users who claimed that secret Trojan software had changed their internet dial-up settings to connect automatically to premium rate phone numbers.

ICSTIS concedes this was only the tip of an iceberg. Anyone who fell victim to that infestation and who banks online could also be vulnerable to Trojans that take control of their machines to conduct rogue banking transactions.

"Our view is that Trojans are potentially a much more insidious and damaging threat than phishing," says Sandra Quinn, spokeswoman of the Association for Payment Clearing Services, which leads the industry fight against online fraud.

"Absolutely," agrees George Thompson, director of security services at business services provider KPMG. "They could be worse than phishing simply because users are not aware that these things are on their machines."



 Brandishing Technology to Thwart Identity Thieves

If 2005 was the year that identity theft became a household word, 2006 will be the year that banking institutions, the principal targets of most frauds, put in the necessary safeguards to ensure they can't happen.

The ease with which identity thefts were perpetrated, from stealing credit cards or shoulder surfing at ATMs on up to more elaborate schemes such as phishing and hacking into databases, has pushed the industry into overdrive in coming up with ways to combat the scourge, which sucks billions out of the economy and harms the personal lives of those affected.

The Federal Financial Institutions Examination Council, in guidance issued late last year, places most of the blame on the reliance on "single-factor" authentication, by which customers are asked to provide something they know, such as a user ID and password. The FFIEC recommends the adoption of two-factor authentication, in which customers are asked to provide both something they know and something they have, such as a USB token device or a smart card.



 Lost Data Doesn't Necessarily Lead to Crimes

Andrew Miller - BankInfoSecurity.com Editor

The year 2005 will likely go down in history as the year of the data security breach. It was a year in which CardSystems Solutions Inc. revealed a security breach that exposed data on potentially more than 40 million payment-card accounts. DSW Shoe Warehouse disclosed the theft of credit-card data on 1.4 million customers. Information brokers LexisNexis and ChoicePoint revealed breaches involving millions of sensitive records. It was also the year of lost data, with UPS, Citigroup, Bank of America, Ameritrade, and Time Warner all reporting losses of backup tapes containing sensitive data.





 How to Report Internet Related Crime

Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime.  Citizens who are aware of federal crimes should report them to local offices of federal law enforcement.



 Operator of Massive For-Profit Software Piracy Website Pleads Guilty

Caused As Much As $20 Million in Losses to Software Industry

WASHINGTON, D.C.—The owner of one of the largest for-profit software piracy websites to operate in the United States has pleaded guilty to operating a software piracy website, Assistant Attorney General Alice S. Fisher for the Justice Department's Criminal Division and U.S. Attorney Paul J. McNulty for the Eastern District of Virginia, announced today.

Nathan Peterson, 26, of Antelope Acres, California, pleaded guilty in Alexandria, Virginia before U.S. District Court Judge T.S. Ellis to two counts of criminal copyright infringement for selling pirated software over the Internet and through the mail. Peterson, who is scheduled to be sentenced on April 14, 2006, at 9 a.m., faces a maximum sentence of 10 years in prison and a $500,000 fine.





 Silicon Valley Engineer Indicted for Stealing Trade Secrets and Computer Fraud

The United States Attorney for the Northern District of California announced that Suibin Zhang, 37, of San Jose, California, was charged late yesterday by a federal grand jury in San Jose in a nine-count indictment alleging computer fraud; theft and unauthorized downloading of trade secrets; and the unauthorized copying, transmission and possession of trade secrets.

In particular, the indictment charges three counts of computer fraud in violation of 18 U.S.C. § 1030(a)(4); three counts of theft, misappropriation and unauthorized downloading of trade secrets in violation of 18 U.S.C. §§ 1832(a)(1), (2) and (4); two counts of unauthorized copying and transmission of trade secrets in violation of 18 U.S.C. §§ 1832(a)(2) and (4); and one count of unauthorized possession of stolen trade secrets in violation of 18 U.S.C. §§ 1832(a)(3) and (4).





 Man Pleads Guilty to Infecting Thousands of Computers Using Worm Program

"Botnet" Investigation Led by U.S. Secret Service’s Electronic Crimes Task Force and the Computer Hacking and Intellectual Property Unit of the U.S. Attorney’s Office

SAN JOSE – United States Attorney Kevin V. Ryan announced that Anthony Scott Clark, 21, of Beaverton, Oregon, pleaded guilty yesterday afternoon in federal court in San Jose to launching a computer attack against the Internet auction site eBay in July and August 2003 with an army of infected computers he had amassed by using a computer worm program.





 IP cloaking becoming a business necessity

By Anne Saita, News Director

09 Dec 2005 | SearchSecurity.com

SAN DIEGO -- So much for trade secrets. Not long ago, a company unwittingly tipped its hand when planning to buy another business.

How? Lawyers, investment bankers, consultants, executives and directors suddenly hammered the investor relations section of the targeted firm's Web site. Their IP addresses gave them away.

Realizing it was going to be bought, the targeted firm called another company and shared its rival's still-secret plans, thus launching a bidding war. In the end, the first company won the battle, but it paid $15 million more than it should have. A more covert search for information may have prevented that.

"This seems to be a very common scenario," explained Lance Cottrell, founder, president and chief scientist for San Diego-based Anonymizer Inc., at Thursday's Usenix Large Installation System Administration conference. Though his 11-year-old company is best known for consumer privacy, enterprise interest has surged regarding cloaking online activity used to gather intelligence and prevent information leakage.





 Working with Victims of Computer Network Hacks

In our ten years’ experience in detecting, locating, and prosecuting network intruders (hackers) we have seen that, as with many offline crimes, robust law enforcement alone cannot solve the network intruder problem. To be effective, any overall strategy must include the owners and operators of the nation’s computer networks. They are the first line of defense and have the responsibility to take reasonable measures to ensure that their systems are secure. They are also in the best position to detect intrusions and take the first critical steps to respond. At the most basic level, we rely on network operators to report to us when their systems are hacked. Intrusion victims, however, are often even more reluctant to call law enforcement than other business victims. This reluctance has been reflected in the surveys conducted jointly by the Computer Security Institute and the FBI. In the year 2000 survey, for example, only 25% of the respondents who experienced computer intrusions reported the incidents to law enforcement. To better understand why and to learn how we can promote reporting, the Department of Justice has undertaken a concerted effort to reach out to the operators of our nation’s computer networks.



 ‘Live Phishing’ Experiment Nets Consumers – Hook, Line, and Sinker

How likely are you to be wooed into a false sense of security by a friendly face or the promise of a cash prize?

A friendly, wholesome-looking team of surveyors recently set up shop in New York’s Central Park on behalf of RSA Security to find out how much personal information consumers would give up while participating in a survey supposedly about tourism in the city.





 Stanford CU On Board With Strong Authentication

Andrew Miller - BankInfoSecurity.com Editor

In October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for authentication in the Internet banking environment.

Financial institutions are expected to achieve compliance by year-end 2006. The guidance states: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.



 Hackers Pose New Threat to Desktop Software

Hackers have changed their tactics and are exploiting flaws in popular software applications – including security programs — to break into the computers of consumers, government agencies, and businesses.

What’s new about this, you might ask?  The key word is “applications.”  Until recently, hackers focused almost exclusively on computers’ operating systems – that is, their basic nervous-system software, with Windows being the obvious example.

But over the past five years, operating-system companies, especially Microsoft, have grown much more adept at quickly issuing “patches” once a security breach in their products was discovered.  Moreover, the ubiquity of Internet access means these patches can be distributed automatically, often without the user even knowing his or her software has been strengthened.  Result: More secure operating system software.





 Many Internet Users Lagging on Tech Lingo

Most Internet users know spam when they see it, but the vast majority are unfamiliar with terms like “podcasting,” “phishing,” and “RSS,” according to a recent study.

The Pew Internet and American Life Project research, based on random telephone interviews with 1,336 Internet users, was called a sobering reality check by experts.  The widespread lack of knowledge of phishing, in particular, alarmed security analysts because the crime has grown so widespread in recent years.

Survey Findings

Here are some of the interesting results from the Pew study:

• 70% of respondents either never heard of phishing or were not sure that it refers to e-mail scams that try to trick users into revealing sensitive information by masquerading as a legitimate bank, credit-card issuer, or other organization.




 Extra! Extra! 104 Security Breaches Hit the Front Pages This Year

Since January 1, at least 104 data incidents have been documented in the U.S., potentially affecting more than 56.2 million individuals. And that is probably just the tip of the iceberg.

How many breaches don’t make the front page because the victimized company wants to avoid embarrassing publicity? We will never know. What we do know is that security breaches are hardly new. What’s different is that now you are hearing about them.

Those breaches fall into a number of easily recognizable patterns:




 Data shows spyware becoming 'global pandemic'

By Eric B. Parizo, News Editor
10 Nov 2005 | SearchSecurity.com
  
No matter where you are or how big you are, if your organization hasn't been affected by spyware yet, it's only a matter of time.

That's the message from Boulder, Colo.-based Webroot Software Inc. According to the antispyware vendor's quarterly "State of Spyware" report released this week, the spread of secret nefarious and malicious programs has quickly become a "global pandemic."

Webroot CEO C. David Moll said spyware is no longer confined to a handful of countries or a single continent. In fact, it's everywhere.

Moll said his customers have reported spyware problems in 223 countries. What's more, unlike spam, which he said took nearly two years to plague users around the world, spyware has become the scourge of Internet users everywhere in just a matter of months.



 8 Tips: ID Theft Survey Shows This Crime’s Still Skyrocketing

Give criminals credit for adapting.  It has become clear that stealing people's personal information is easier, more profitable, and less risky than mugging or burgling them.  Unfortunately, the effect of this realization on the criminal community is that phishing and identity theft continue their astonishing growth.

A new nationwide survey by First Data Corp. confirms the news.  According to First Data, fully 6.8% of all U.S. adults have been victimized by ID theft, and more than 43% have received phishing e-mails.  





 Identity Theft: Shocking Statistics


Think identity theft is the work of faceless cyber-crooks from foreign countries?  Think again.  Almost half of all ID theft is committed by relatives or close friends of the victim, new research shows.  

The surprising information comes from a recent poll of 4,000 consumers conducted by a group led by the Better Business Bureau.  And sadly, it makes sense that those closest to you enjoy the easiest access to your bank records, credit-card statements, and Social Security number.  





 The Hype over Skype: Can It Go the Distance?

Although Skype, which provides Voice over Internet Protocol (VoIP) telephony services and PC-to-PC calling, turns two years old on August 29, it remains unclear what kind of business this relative newcomer will turn out to be. Skype could remain a mere fad for techies, become a next-generation communications platform or evolve into the next eBay or Google, say Wharton experts.



 ID Theft Ring Uses Spyware

What's your estimate of how many of your institution's customers have installed anti-spyware on their computers? If you estimated anything higher than 10-15%, your nickname's probably Pollyanna. In truth, a terrifyingly high percentage of computers are not protected against the spyware threat and as a data cache uncovered last weekend by Sunbelt Software shows, accounts are at risk as a result -- and that could spell losses for your institution unless you take measures to protect against them.



 'Skimming' Too Easy with New Technologies

Bankers Online:

Skimming credit and debit card cardholder information has become an easy way for criminals to steal identities, thanks to new technologies being offered via the Internet.

A Tunisian national was recently arrested in Pennsylvania after using a hand-held skimming device he purchased over the web to steal information from customers of the bar/restaurant where he worked in Philadelphia.







 Report Shows Internal IT Attacks Rising

 
Internal attacks on computer systems are overtaking external attacks at the world’s largest financial institutions. 

That’s a key finding from the 2005 Global Security Survey conducted by Deloitte Touche Tohmatsu.  In the annual survey, 35% of respondents said that in the past 12 months, they’ve suffered attacks that originated inside the organization.  That’s a massive increase over the previous year’s 14%.




 ID Thief Finds Holes in Bank Security


Most banks are surprisingly vulnerable to identity theft, according to a hired gun who makes his living by penetrating their security systems.

With over 100 successful heists to his credit, Jim Stickley is one of the most successful bank robbers of all time. But he’s not after the cash. He’s after something more valuable — identity. Most bank robbers only get away with a few thousand dollars; Stickley gets away with information worth millions.



 Customer Identity Theft: E-Mail-Related Fraud Threats

TO:   Chief Executive Officers and Chief Information Technology Officers of National Banks, Federal Branches, Service Providers, Department and Division Heads, and Examining Personnel

PURPOSE

This alert is intended to raise awareness of an increasingly common Internet fraud called “phishing” and encourages banks to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers.

BA



 Identity Theft: Are you at risk?

According to recent government estimates, some 10 million people a year are victims of identity theft. Some sources estimate that annual losses related to identity theft total as much as: $50 million for individuals and $48 billion for businesses

While these figures represent an average loss of only about $500 per individual, the actual impact is much higher. On average, each individual also spends some 30 hours cleaning up the effects of an identity theft attack. That's a total of ab



 Meeting the PCI Data Security Standard requirements mitigates threats


Diana Kelley - SearchSecurity.com  

What you will learn from this tip: How using five security best practices gets you closer to compliance with the PCI Data Security Standard and helps mitigate common threats to e-business.

The media has been abuzz with a series of reports from vendors such as DSW (Designer Shoe Warehouse) and Polo Ralph Lauren regarding disturbing losses of credit card information.



 Security Scoop - NSI Watercooler Stories

New Viruses Target IM
A security firm reports that in July alone, the number of viruses threatening instant messaging systems rose nearly 25%. The acceleration of IM viruses, long predicted by security experts, has come to pass, according to Akonix Systems; new outbreaks with names such as Rants, Prex, and Kirvo are tailored specifically to IM. Prex is considered especially dangerous because it infects machines running both AOL’s and Yahoo’s IM services. Virus writer



 Judge sides with credit card companies in data theft case

By SearchSecurity Staff
26 Sep 2005  

Visa USA Inc. and MasterCard International Inc. don't have to send individual warnings to thousands of people whose personal account information was stolen during a data breach earlier this year, a San Francisco judge has ruled.

"I don't see the emergency," San Francisco Superior Court Judge Richard Kramer said when



 A Tale of Two Systems

George Capehart

In a previous column we talked about some of the characteristics of Web services systems that have implications for Information Security and identified some of the kinds of security problems that arise in systems that are implemented in this paradigm.  One of the sets of problems that was mentioned was Emergent Risks.  In this article, we will talk a little more about them and give examples from two different ki



 Major Online Threats Exposed

Internet-related crime, fraud, and damage is going through the roof. Here we take a look at what Consumer Reports has named the four major online threats you need to defend against.

VIRUSES AND WORMS
Oldies but goodies (baddies?), these have plagued computer users for nearly two decades. They typically infect computers via e-mail, as attached files, or through Internet downloads. Viruses and worms can destroy information on your hard drive, clog the network, a



 Phishers' latest hook: SSL Certificates

By Bill Brenner, News Writer
27 Sep 2005 | SearchSecurity.com 

Most users recognize -- and sometimes disregard -- the warning box that pops up when inputting personal information like bank account codes on a trusted Web site accessed with an ironclad connection. Time to think twice about such blind trust on previously deemed safe sites, especially if it's a fin



 Spyware Costs Companies $130,000 Each Month

New data shows that on average, businesses are spending an eye-popping amount of money every month in IT resources to fight the spyware plague.

FaceTime Communications, an IT security provider, surveyed more than 1,000 IT managers and end users.  The key finding: spyware and other unsanctioned downloads are resulting in average monthly costs of $130,000.

The survey also found that spyware incursions appear to be growing at a rate twice that of computer virus incidents.  Much of



 Weblinking: Identifying Risks and Risk Management Techniques

A. RISK DISCUSSION

Introduction

A significant number of financial institutions regulated by the financial institution regulatory agencies (Agencies) maintain sites on the World Wide Web. Many of these websites contain weblinks to other sites not under direct control of the financial institution. The use of weblinks can create certain risks to the financial institution. Management should be aware of these risks and take appropriate steps to address them. The purp



 Security solutions for e-banking and e-commerce with credit/debit cards,- Part 1: Analyzing the Security Issues

Omar A. Herrera Reyna – CISA, CISSP
(omar.herrera@oissg.org)
November 2005

Introduction
With all sorts of attacks against e-banking and e-commerce systems targeting primarily customers, securing transactions has become increasingly difficult for banks and online stores.

There is a widespread use of credit and debit cards for shopping online. However, their use for e-banking (e.g. payments, money tra



 Putting an End to Account-Hijacking Identity Theft Study Supplement

Federal Deposit Insurance Corporation Division of Supervision and Consumer Protection Technology Supervision Branch June 17, 2005

This publication supplements the FDIC’s study Putting an End to Account-Hijacking Identity Theft published on December 14, 2004.

Executive Summary and Findings

Focus of Supplement
Identity



 Banks on Security Alert Against Keyloggers

High-tech criminal gangs with access to sophisticated keylogging viruses pose a growing threat to banks and financial institutions.

Recently, England’s High Tech Crime Unit foiled an effort to steal over $100 million from a Japanese bank in London.  The gang gained access to Sumitomo Corp.’s computer systems, installed keyloggers in order to learn users’ passwords, and were getting set to transfer the money to 10 bank accounts scattered aro



 Security solutions for e-banking and e-commerce with credit/debit cards, Part 2: The best solution (in terms of security)

Omar A. Herrera Reyna – CISA, CISSP
(omar.herrera@oissg.org)
November 2005

(If you missed Security solutions for e-banking and e-commerce with credit/debit cards,- Part 1: Analyzing the Security Issues click here)

While there are some good solutions available from a security perspective, I believe that we already have the required technology to make financial transactio



 The CISO's newest duty: bailiff

By Eric B. Parizo, News Editor
14 Nov 2005 | SearchSecurity.com
            
WASHINGTON, D.C. -- What's the biggest change for today's chief information security officers? These days, they're often in charge of keeping their bosses out of the slammer.

"Now ROI tends to mean risk of incarceration," said John O'Leary, educational director of the Computer Security Institute and moderat



 Using Secret Questions

To help verify a user's identity in the case of a lost password, many Web applications use secret questions. By answering a pre-selected question, a user can demonstrate some personal knowledge of the account owner. A classic example is asking to provide a mother's maiden name.

Answering secret questions requires some knowledge of the user account, but secret questions break all the rules for strong passwords and have some significant weaknesses:

• An attacker can somet



 Security awareness training: How to educate employees about spyware

We all know the threats posed by spyware to enterprise networks: user ID and password theft, financial loss, productivity drain, intellectual property theft. Security practitioners have two defenses at their disposal: the human and the technical. While the technology for combating spyware is improving, antivirus vendors have only recently started adding functionality to target it. That means the best defense is the human one – employees and end users. They can help in the battle against spywar






Copyright © 2007 BankInfoSecurity.com