On September 9, 2016 the Federal Financial Institution Examination Council (FFIEC) updated its Information Security Booklet (available here). In addition to certain editorial non-substantive changes, the modifications include revisions to IT risk management and information security processes, and updated examination procedures in Appendix A to help examiners evaluate an institution’s culture, governance, information
New York Raises the Bar – Will Other States Follow?
On September 13, 2016, the New York Department of Financial Services (DFS) proposed new first-in-the-nation cybersecurity regulations (Regulations) that would require banks and other financial institutions to adopt minimum cybersecurity standards. In some ways the regulations are consistent with existing Federal Financial Institutions Examination Council (FFIEC) cybersecurity guidelines and FFIEC’s Information Technology (IT) Examination Handbook…
FFIEC Provides Banks with Guidance Following the SWIFT Hacks
On June 7, 2016, the Federal Financial Institutions Examination Council (FFIEC) reminded banks of the cyber risks associated with interbank messaging and wholesale payment networks. FFIEC made its announcement after hackers allegedly used the Society for Worldwide Interbank Financial Telecommunication (SWIFT) messaging system to steal millions of dollars from banks around the world, including $81…
Dude, Where’s My Bitcoin?
Somewhere in a lavish Mediterranean villa a drug lord wearing an off-white suit had a heart attack. Elsewhere a tech whiz in Silicon Valley refreshed his browser multiple times as his heart sank further with each reloaded page. And a banker in New York put a hold on an equity trade and cursed louder than he ever had before. Like the beginning of a classic joke, the drug lord, the tech whiz and the banker had all been fooled. Through each of their minds, the question raced: “Dude, where’s my bitcoin?”
In early August, hackers stole almost 120,000 bitcoins (worth approximately $72 million at the time) from client accounts of a high-profile Bitcoin exchange, Bitfinex, based out of Hong Kong. This caused Bitcoin prices to briefly plummet and followed a similar attack in 2014 on Mt. Gox, which was then the world’s largest Bitcoin exchange (of note, Mt. Gox subsequently went bankrupt).
This latest heist comes on the heels of Bitfinex CFO Giancarlo Devasini’s very forward-thinking proclamation, “With our BitGo wallet solution it becomes impossible for our users to lose their bitcoins due to us being hacked or stealing them.” With such a bold statement, combined with the clarity of hindsight, one must carefully ponder the future tenure of the CFO, or the future of Bitfinex, or even that of Bitcoin itself.
The theft is obviously a problem for those customers whose precious cryptocoins were stolen, for fans of digital currency generally, and for operators of Bitcoin exchanges and various Bitcoin “banks” or “wallets.” Bitfinex’s response to the hack is unlikely to resonate with its clients after it indicated that losses would be spread across all customer accounts, amounting to an approximately 36% generalized loss. Despite Bitfinex’s attempt to assure its clients that they would be made whole at some point in the future, a potential investor might be prone to pause at this juncture before entering any bitcoin venture.
CFPB Issues Proposed Revisions to GLBA Annual Privacy Notice Requirement
Earlier this month, the Consumer Financial Protection Bureau (CFPB) issued its proposed rule amending the Gramm-Leach-Bliley Act’s annual privacy notice requirement set forth in Regulation P.
The rule is in response to Congress’ December 2015 amendment to the act, which eliminated the need for certain companies to provide annual privacy disclosures to consumers. Under the…
A Storm Brews: Retailers Push Back Against Payment Card Industry Data Security Standards
As businesses and financial institutions grapple with data security in the wake of high profile breaches, tensions between retailers and the credit card industry over the creation and implementation of security standards appear to be growing. The disagreements between these two groups manifested themselves on June 2, when the National Retail Federation (“NRF”), the world’s…
Home Depot Alleges Visa, MasterCard Colluded To Delay Chip-and-PIN Implementation; Exposed Retailers, Consumers to Data Breach Risks
A recent bombshell lawsuit by The Home Depot alleges patterns of antitrust violations, illegal collusion, and anti-competitive conduct by the Visa and MasterCard credit card networks. The suit arises in a climate in which the networks are increasingly under attack by retailers, and in which The Home Depot is embroiled in extensive litigation stemming from a massive 2014 breach of customer data. Finally, for consumers concerned with payment card security, the suit highlights potential weaknesses in some U.S. payment card technologies – particularly when compared to systems widely used overseas.
The Home Depot’s Lawsuit and Allegations
On Monday June 13, 2016, The Home Depot filed a 138-page complaint against Visa and MasterCard alleging the credit card behemoths engaged in collusion and price fixing to delay implementation of effective chip-and-PIN security technology in payment cards in the United States. As alleged in the Complaint, the use of Personal Identification Number (“PIN”) verification along with “EMV” chips (“chip-and-PIN”) has been widely used in Europe since the mid-1990s “to make credit and debit card transactions safer and less prone to fraud.”
Social Media’s Expanding Distribution of Internet Advertising Impacts Privacy and Security
Last week, social media giant Facebook announced an expansion of its online advertising business to include serving ads to users who are not members of Facebook. Under a press posting titled “Bringing People Better Ads,” Facebook decried ads that are “annoying, distracting or misleading” and talked about its efforts to do better. This move highlights again the sometimes contentious topic of Internet ads and ad-blocking technology. Internet advertising and the technological and social aspects of ad-blocking have important consequences for user privacy and data security, both for individuals and for enterprises.
In the press information posted on its news site, Facebook talked about some of the issues raised by “bad” advertising. Much of the discussion of ads and ad-blocking has focused on user inconvenience and consumer ethics. On the one hand, Internet advertising slows the retrieval of requested content, utilizes megabytes of expensive bandwidth, drains power-thirsty mobile batteries, and annoys users with unexpected sound and video. On the other hand, some ask whether it is right to block ads but still consume ad-supported content when, as Facebook noted, “apps rely on advertising to pay the bills.”
The ad-blocking debate also has an “us” versus “them” element, as Internet companies dependent on advertising revenue are pitted against those that profit from device sales. Indeed, the expansion of ad-blocking to some mobile platforms last year was seen by some as a competitive step by smartphone providers aimed at search and social network companies.
Financial Industry Associations Agree on Common Cybersecurity Principles
On May 9, 2016, the International Swaps and Derivatives Association, the European Banking Federation, and the Global Financial Markets Association (comprised of three other industry associations, including the Securities Industry and Financial Markets Association) published a set of common principles to promote effective global policymaking on cybersecurity, data and technology (the Principles). These industry groups…
Revenge of the Dorks: Their Time Has Come and They Might be Malicious
*******************************************************
Oxford English Dictionary: ‘dork,’ informal, A dull, slow-witted or socially inept person.
Wikipedia: ‘Google Dorking,’ a computer hacking technique that uses Google Search and other Google applications to find security holes in the configuration and computer code that websites use.
*******************************************************
A nerd. A dork. A geek. You’ve seen them. You…