Now reality sinks in. With last week’s long-awaited release of the federal ID Theft Red Flag rules, financial institutions nationwide are starting to figure out “What next?” Many executives are still absorbing the information. Others are actively working on adding the new requirements to their compliance efforts.
The new Identity Theft Red Flag regulations announced last week are intended to make life tougher for criminals, but they are also expected to seriously complicate compliance efforts, according to financial industry experts.
By this time next year, all U.S. financial institutions will be required to have implemented an Identity Theft Prevention Program. This is the mandate from Washington, D.C., where six federal agencies this week issued the Final Rules on Identity Theft Red Flags and Notices of Address Discrepancy. These final rules implement sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) of 2003.
Six Tips to Keep the Bots at Bay
Fighting bots can seem like an unending battle. But there are some actions you can take to lower your risk. Among the steps:
Private Data Vulnerable to Armies of Rogue PCs
One hacker armed with one computer isn’t going to make a dent in most financial institutions’ network security perimeters. But imagine a faceless army of thousands of compromised PCs outside the walls of your institution. They are computer robots programmed to obey the commands of their master, and will do whatever their botmaster tells them to do. Think what damage they could do.
Intrusion Detected Early; Accounts Scrutinized for Fraud
Commerce Bank N.A., a regional bank operating in five Midwest states, last week fended off a criminal hack into one of its customer databases; only a handful of customer records were taken.
Some common-sense pointers to share with your customers and with senior executives who may be targets of "whaling" include:
New ID Theft Scam Targets the Really Big Fish
While many computer users have sent them in the past, the future of E-cards (electronic greeting cards) may be dimmed by their recent use in scams targeting consumers. Financial institutions need to do more to educate their employees and customers about the dangers of opening electronic greeting cards. E-cards grew into a popular, easy and cheap (sometimes free) way to send immediate messages to family, friends and co-workers. Many companies offer the service; my Internet Service Provider even includes them as part of its service. You can add audio, video or animations to a message.
Information about the threat of identity theft seems to be everywhere -- media headlines, websites, billboards, television ads, and your financial institution has probably warned its customers of the problem. The real question is: how bad is the problem? Comparing studies and reports can yield confusing results. One study says it’s going up, another study says it’s flat. From the point of view of Dr. Larry Ponemon, chairman and founder of the Ponemon Institute, identity theft, or the threat of it happening to a consumer, is more about the consumer’s perception than about the real numbers of identity theft.
With identity theft topping the Federal Trade Commission's list of U.S. consumer complaints, the release of a new report by a leading consumer advocacy group that puts a price tag of more than $7 billion on the cost of cybercrime to U.S. consumers is no surprise to those familiar with the identity theft threat. The FTC's numbers show that for the seventh year in a row, identity theft tops the list of complaints that consumers filed with the Federal Trade Commission, accounting for 36 percent of the 674,354 complaints received from Jan. 1 to Dec. 31, 2006. According to the Better Business Bureau, identity theft affects an estimated 10 million U.S. victims per year. A recent survey completed by Consumer Reports projects that U.S. consumers have lost more than $7 billion during the last two years to viruses, spyware and phishing schemes.
How a person handles their personal information during everyday tasks could heighten (or lower) their chances of being a victim of identity theft. Here are some tips you can share with your customers for them to use and remember to help lower their “identity theft quotient.”
Social Security Number Protection
Don’t expose your social security number
The Federal Trade Commission’s second summit on spam in the last four years addressed the growing problem of unsolicited emails, which are creating costs for businesses and consumers alike. FTC Chairman Deborah Platt Majoras addressed the summit, held July 11-12 in Washington, D.C.: “The volume of spam reported by email filtering companies is rising.” She added that botnets – networks of hijacked personal computers that spammers use to conceal their identities – have become the preferred method for sending spam.
With the headlines announcing almost weekly another data breach at businesses, educational institutions and medical facilities, a recent study shows consumers are modifying their purchasing behavior, including online buying, out of concern for the security of their personal information. The "2007 Consumer Survey on Data Security," conducted by the Ponemon Institute, found that 62 percent of respondents have been notified that their confidential data has been lost.
When it comes to cracking into computers and networks, one of the most indispensable tools is “social engineering” and it has little to do with modern computing technologies. In the popular lexicon that predates today's computing technologies, a social engineer might have been called a flimflam man, grifter, or con artist. They have been around for a long time. The common denominator is that social engineering, grifting, and the con game all require that the perpetrators understand how people work and, more importantly, that they understand human vulnerabilities.
A financial institution’s customers don’t always know what’s available to them. Your job is to help them. Did you know that everyone is entitled to receive one free credit file disclosure every 12 months from each of the nationwide consumer credit reporting companies – Equifax, Experian and TransUnion? This once-a-year offer was made possible by a federal mandate to help stem identity theft.
The Congressional Research Service recently released a report that provides an overview of state laws on identity theft. It discusses state laws that penalize identity theft, as well as state laws that assist identity theft victims, including those that permit consumers to block unauthorized persons from obtaining their credit information, known as “security freezes.” The report also includes a survey of state “credit freeze” statutes. The report concludes with summaries of federal identity theft legislation pending in the 110th Congress.
One of the recommendations from the President’s Identity Theft Task Force: Decrease the unnecessary use of social security numbers in the public sector by developing alternative strategies for identity management. Deborah Platt Majoras, Chairman of the Federal Trade Commission and co-chair of the Identity Theft Task Force, gave this example of why this recommendation is at the top of the list of 31 recommendations from the Task Force. “We [at the FTC] recently received an identity theft complaint from a young consumer who recounted his experience of going with his mother to open his first checking account before he headed off to college. At the bank, he learned that a woman using his social security number had already opened a checking account, which had subsequently been closed for default. When he contacted us, this young man was still working to clear his record. It is hard to regain trust in a system that allows that kind of a breach. So if you multiplied this consumer’s story by the thousands of consumers we’re hearing from each week, you would have an instant calculation of the scope of the problem.”
The release of the President’s Identity Theft Task Force report on April 23, with its 31 recommendations, has implications for financial institutions. While the report also focuses on increased law enforcement crackdowns on identity theft and the prosecution of the criminals who perpetrate this crime, the need to increase consumer education about the perils of identity theft is near the top of the list of recommended actions. Financial institutions have been educating their customers about identity theft for many years, but this comprehensive plan will now push it even higher on the list of must-do’s for all institutions. The leading federal agencies in the President’s Identity Theft Task Force are the Department of Justice and the Federal Trade Commission. “The strategic plan recommends 31 measures containing scores of more specific recommendations; some are already in place. Others we will implement within the next year,” said Deborah Platt Majoras, Chairman of the Federal Trade Commission and co-chair of the Identity Theft Task Force with Alberto Gonzales, U.S. Attorney General. The recommendations in the task force report span all sectors of the economy and target the entire life cycle of identity theft: from access to sensitive consumer data, to its acquisition, to its misuse, to the investigation and prosecution of the criminals, and to the victim’s recovery. She noted that 15,000 to 20,000 consumer complaints filed with the FTC every week are about identity theft.
Identity theft can strike anyone. Unfortunately, even CUInfoSecurity.com’s staff have been past victims of identity theft. Luckily, the two stories have been resolved. Read on to hear first-hand the pain of identity theft, and what lengths victims have to go to in order to resolve the crime and restore their identity. Both of the staffers’ names have been withheld to prevent further harm. These stories are good examples of why financial institutions must increase customer education on identity theft and continue their vigilance in verifying customer information.
He Was Only Part of Widespread Scam
“Some time after I placed an order with an online printing company (VistaPrint), I began receiving the fraudulent charges to my debit card from a company I had never heard of. I did a Google search on the name of the company as it appeared on my statement, which immediately returned many results pointing to the fact that it was part of a widespread scam. As I did more research I was able to verify that many people all across the country were affected by this scam.
When identity theft occurs, nine times out of ten the source from which the person’s identity was taken is never fully determined. Trust and money are the two things financial institutions have as their products. Once a member loses trust in your institution’s ability to protect their personal financial information, you’ll lose them as a customer. Part of building confidence in your institution is communicating with your members. Tell them what you’re doing to protect their information. While you can’t meet with every single member individually, take the lead and reach out to them through your marketing vehicles. Use your statement stuffers, fliers, posters, and your website, and put the message out there. Market your efforts to protect them as you would a banking product. Financial institutions can use this draft memo as a place to begin the education of members about identity theft.
As the adage goes, the best offense is a good defense. For financial institutions, part of the defense that protects your customers from becoming victims of identity theft is educating them. Here, CUInfoSecurity.com has compiled a list of some of the better known and newest identity theft web pages that contain easy-to-distribute information and links you can add to your institution’s website to further the education of your customers.
The ongoing fight against identity theft criminals has a new set of battle plans with the President’s Identity Theft Task Force Report, released on April 23. The report together with its supplement is less than 190 pages, but the plans are clearly drawn and tasks for each industry are outlined. Everyone in the public and private sectors is mentioned, including financial institutions.
The revelation by TJX Companies, owner of T.J. Maxx and other retail brands, that at least 45.7 million credit and debit cards were compromised over several years highlights anew the risks associated with processing card transactions and the need to protect the information they contain. The breach eclipses the previous disclosure of 40 million compromised payment card records by CardSystems in 2005. Intruders gained access to TJX’s computer systems beginning in 2005 and continuing until January 2007. Although debit card PINs weren’t compromised, unencrypted magnetic stripe data, also known as “track 2 data,” was stolen on transactions that occurred before September 2003, the company said.
LINDA MCGLASSON: Are we in information security becoming too complacent? I mean, we have a lot of zero-day threats, hundred-thousand-node botnets sending us virus threats and all things like that, and those of us in information security, you know, look at the situation and think that this is normal operating procedure. Are we too complacent?
WYATT STARNES: I think we are too complacent, and I actually think we’ve been overly, sort of, complacent and self-secure, self-assured for actually quite some time. When you kind of zoom back and look at some of the physical threats in our world, specifically the tragic events of September 11th, 2001, where we found we were dramatically exposed to physical harm within our own boundaries, I think in the cyber-security world we haven’t really seen our September 11th, 2001 yet. We are exposed. We continue to be exposed, and information technology is prospectively an important new attack vector for us in our industry and in our economy, and frankly, in our political system as well.
A recently released survey from Gartner shows the rate of identity theft is rising -- more than 50 percent over previous years. What is interesting for financial institutions is that they are not the first target. “As it showed in the report, the attacks are moving away from banks to fake lotteries and sweepstakes contests, and other types of transactions including Internet auctions, nonregulated money transmittal systems, and other types of imaginative scams,” says Avivah Litan, vice president and distinguished analyst at Gartner.
Financial transactions via telephone and wireless mobile devices have become an important delivery channel for financial institutions. As with Internet banking, telephones and wireless devices afford great convenience for a financial institution's customers, but unfortunately they too are prone to phishing and other forms of attack. The Federal Financial Institutions Examination Council has made clear that institutions need to safeguard all customer channels against fraud. Understanding the risks and the steps to mitigate them can go a long way toward securing not only an institution's information, but its reputation as well.
Data breaches were hitting the headlines almost every week in 2006, with the estimated number of records compromised in security breaches passing the 100 million mark, according to the Privacy Rights Clearinghouse, which has tracked breaches since the ChoicePoint incident in 2005. With all the press coverage and consumer awareness of the issue, expect Congress to take up the matter this year in earnest. We will most probably see several legislative bodies arm-wrestling over who gets top enforcement duties under whatever form the federal law takes. That is aside from the 30-plus state laws on the books that relate to data breach notification. Secure your sensitive data now, before the waves of regulation begin washing up against the walls of your institution.
Wish List from Financial Institutions to Our Customers
As the weather outside gets colder and the year draws to an end, we're thinking of what we'd like to give and receive as gifts during the holidays. While your personal list may be longer than this, here are the 12 things we wish all of our customers and employees would do - loosely based on "The Twelve Days of Christmas". Hum along if you don't sing.
The Interagency Guidelines Establishing Information Security Standards as per Gramm-Leach-Bliley Act (GLBA) of 2001 require each financial institution to have a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the institution and the nature and scope of its activities. The following publications from the NIST (National Institute of Standards and Technology) outline a model for information security training and awareness programs. While published several years ago, they remain a standard for all programs.
Visa is mounting a full-scale blitz to encourage merchants to use payment software that doesn't compromise consumer passwords. The card company has asked merchants to ensure that the software they use to process card transactions doesn't store the full contents of "track data", which contains passwords and other sensitive information. Last year, a breach at CardSystems, a processor of card transactions, led to the exposure of 40 million payment records, setting off a firestorm that's led to a crackdown on data security vulnerabilities by regulators and lawmakers. Visa's Cardholder Information Security Program prohibits the storing of full track data by merchants. Account numbers, expiration dates, and names are the only elements of track data that may be retained once a transaction has been authorized. In addition, Visa requires compliance with the Payment Card Industry Data Security Standard (PCI DSS) by all merchants and any entity that stores, transmits or processes cardholder data.
Consumers filed more than 255,000 identity theft reports to the Federal Trade Commission in 2005, accounting for more than a third of all complaints. According to the FTC's most recent report, Internet-related complaints accounted for 46% of all fraud complaints in 2005. The most common form of ID theft was credit-card fraud, followed by telephone or utility fraud, bank fraud, and employment fraud. Washington, D.C., had the highest per-capita fraud rate, followed by Tampa, Fla., and Seattle.
New Trojans Target Financial Institution Accounts
If 2005 was the year that identity theft became a household word, 2006 will be the year that financial institutions, the principal targets of most frauds, put in the necessary safeguards to ensure they can't happen. The ease with which identity thefts were perpetrated, from stealing credit cards or shoulder surfing at ATMs, on up to more elaborate schemes such as phishing and hacking into databases, has pushed the industry into overdrive in coming up with ways to combat the scourge, which sucks billions out of the economy and harms the personal lives of those affected. The Federal Financial Institutions Examination Council, in guidance issued late last year, places most of the blame on the reliance on "single-factor" authentication, by which customers are asked to provide only something they know, such as a user ID and password. The FFIEC recommends the adoption of two-factor authentication, in which customers are asked to provide both something they know and something they have, such as a USB token device or a smart card.
Andrew Miller - CUInfoSecurity.com Editor
The year 2005 will likely go down in history as the year of the data security breach. It was a year in which CardSystems Solutions Inc. revealed a security breach that exposed data on potentially more than 40 million payment-card accounts. DSW Shoe Warehouse disclosed the theft of credit-card data on 1.4 million customers. Information brokers LexisNexis and ChoicePoint revealed breaches involving millions of sensitive records. It was also the year of lost data, with UPS, Citigroup, Bank of America, Ameritrade, and Time Warner all reporting losses of backup tapes containing sensitive data.
Internet-related crime, like any other crime, should be reported to appropriate law enforcement investigative authorities at the local, state, federal, or international levels, depending on the scope of the crime. Citizens who are aware of federal crimes should report them to local offices of federal law enforcement.
In our ten years’ experience in detecting, locating, and prosecuting network intruders (hackers) we have seen that, as with many offline crimes, robust law enforcement alone cannot solve the network intruder problem. To be effective, any overall strategy must include the owners and operators of the nation’s computer networks. They are the first line of defense and have the responsibility to take reasonable measures to ensure that their systems are secure. They are also in the best position to detect intrusions and take the first critical steps to respond. At the most basic level, we rely on network operators to report to us when their systems are hacked. Intrusion victims, however, are often even more reluctant to call law enforcement than other business victims. This reluctance has been reflected in the surveys conducted jointly by the Computer Security Institute and the FBI. In the year 2000 survey, for example, only 25% of the respondents who experienced computer intrusions reported the incidents to law enforcement. To better understand why and to learn how we can promote reporting, the Department of Justice has undertaken a concerted effort to reach out to the operators of our nation’s computer networks.
How likely are you to be wooed into a false sense of security by a friendly face or the promise of a cash prize?
Andrew Miller - CUInfoSecurity.com Editor
In October, the Federal Financial Institutions Examination Council (FFIEC) issued guidance for authentication in the Internet banking environment. Financial institutions are expected to achieve compliance by year-end 2006. The guidance states: "The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties.
Hackers have changed their tactics and are exploiting flaws in popular software applications – including security programs — to break into the computers of consumers, government agencies, and businesses. What’s new about this, you might ask? The key word is “applications.” Until recently, hackers focused almost exclusively on computers’ operating systems – that is, their basic nervous-system software, with Windows being the obvious example. But over the past five years, operating-system companies, especially Microsoft, have grown much more adept at quickly issuing “patches” once a security breach in their products was discovered. Moreover, the ubiquity of Internet access means these patches can be distributed automatically, often without the user even knowing his or her software has been strengthened. Result: More secure operating system software.
Most Internet users know spam when they see it, but the vast majority are unfamiliar with terms like “podcasting,” “phishing,” and “RSS,” according to a recent study. The Pew Internet and American Life Project research, based on random telephone interviews with 1,336 Internet users, was called a sobering reality check by experts. The widespread lack of knowledge of phishing, in particular, alarmed security analysts because the crime has grown so widespread in recent years.
Survey Findings
Here are some of the interesting results from the Pew study:
• 70% of respondents either never heard of phishing or were not sure that it refers to e-mail scams that try to trick users into revealing sensitive information by masquerading as a legitimate financial institution, credit-card issuer, or other organization.
Since January 1, at least 104 data incidents have been documented in the U.S., potentially affecting more than 56.2 million individuals. And that is probably just the tip of the iceberg.
Give criminals credit for adapting. It has become clear that stealing people's personal information is easier, more profitable, and less risky than mugging or burgling them. Unfortunately, the effect of this realization on the criminal community is that phishing and identity theft continue their astonishing growth. A new nationwide survey by First Data Corp. confirms the news. According to First Data, fully 6.8% of all U.S. adults have been victimized by ID theft, and more than 43% have received phishing e-mails.
Although Skype, which provides Voice over Internet Protocol (VoIP) telephony services and PC-to-PC calling, turns two years old on August 29, it remains unclear what kind of business this relative newcomer will turn out to be. Skype could remain a mere fad for techies, become a next-generation communications platform or evolve into the next eBay or Google, say Wharton experts.
That’s a key finding from the 2005 Global Security Survey conducted by Deloitte Touche Tohmatsu. In the annual survey, 35% of respondents said that in the past 12 months they’ve suffered attacks that originated inside the organization. That’s a massive increase over the previous year’s 14%.
Most financial institutions are surprisingly vulnerable to identity theft, according to a hired gun who makes his living by penetrating their security systems.
TO: Chief Executive Officers and Chief Information Technology Officers of National Financial Institutions, Federal Branches, Service Providers, Department and Division Heads, and Examining Personnel
PURPOSE
This alert is intended to raise awareness of an increasingly common Internet fraud called “phishing” and encourages institutions to educate their customers, strengthen monitoring systems, and enhance response programs to reduce the potential risk to their organizations and customers.
BA
According to recent government estimates, some 10 million people a year are victims of identity theft. Some sources estimate that annual losses related to identity theft total as much as:
$50 million for individuals and $48 billion for businesses
While these figures represent an average loss of only about $500 per individual, the actual impact is much higher. On average, each individual also spends some 30 hours cleaning up the effects of an identity theft attack. That's a total of ab
What you will learn from this tip: How using five security best practices gets you closer to compliance with the PCI Data Security Standard and helps mitigate common threats to e-business. The media has been abuzz with a series of reports from vendors such as DSW (Designer Shoe Warehouse) and Polo Ralph Lauren regarding disturbing losses of credit card information.
New Viruses Target IM
By SearchSecurity Staff
Visa USA Inc. and MasterCard International Inc. don't have to send individual warnings to thousands of people whose personal account information was stolen during a data breach earlier this year, a San Francisco judge has ruled. "I don't see the emergency," San Francisco Superior Court Judge Richard Kramer said when
Internet-related crime, fraud, and damage are going through the roof. Here we take a look at what Consumer Reports has named the four major online threats you need to defend against.
By Bill Brenner, News Writer
Most users recognize -- and sometimes disregard -- the warning box that pops up when inputting personal information like credit union account codes on a trusted Web site accessed with an ironclad connection. Time to think twice about such blind trust on previously deemed safe sites, especially if it's a fin
Omar A. Herrera Reyna – CISA, CISSP
Introduction
There is widespread use of credit and debit cards for shopping online. However, their use for e-banking (e.g. payments, money tra
High-tech criminal gangs with access to sophisticated keylogging viruses pose a growing threat to financial institutions. Recently, England’s High Tech Crime Unit foiled an effort to steal over $100 million from a Japanese bank in London. The gang gained access to Sumitomo Corp.’s computer systems, installed keyloggers in order to learn users’ passwords, and were getting set to transfer the money to 10 bank accounts scattered aro
Omar A. Herrera Reyna – CISA, CISSP
(If you missed Security solutions for e-banking and e-commerce with credit/debit cards - Part 1: Analyzing the Security Issues, click here) While there are some good solutions available from a security perspective, I believe that we already have the required technology to make financial transactio
To help verify a user's identity in the case of a lost password, many Web applications use secret questions. By answering a pre-selected question, a user can demonstrate some personal knowledge of the account owner. A classic example is asking to provide a mother's maiden name.
We all know the threats posed by spyware to enterprise networks: user ID and password theft, financial loss, productivity drain, intellectual property theft. Security practitioners have two defenses at their disposal: the human and the technical. While the technology for combating spyware is improving, antivirus vendors have only recently started adding functionality to target it. That means the best defense is the human one – employees and end users. They can help in the battle against spywar
As an active job seeker you may post your resume on several job boards, providing personal contact information including your social security number and more, and speak with innumerable recruiters about potential job opportunities, revealing still more information about yourself. Chances are you don’t give this everyday job hunt process a second thought. But someone else may.