An archive of all the news items between mid-October and the end of November 2006 on Compliance and Privacy
To avoid long load times news is archived periodically. If you can't find what you are looking for on this page please refer to our archives. Please use the search engine for ease of retrieval.
MiFID will squeeze exchanges over high cost of trading
Smart order routing will help traders overcome fragmented liquidity
The markets in financial instruments directive, the European Union trading rules scheduled to become law in just over 11 months, will change the face of equities trading in Europe for good.
Investment banks, brokers and stock exchanges are reluctant to predict the exact shape of the European trading landscape after Mifid is implemented but they agree the large quasi-monopolistic exchanges will be subject to greater competition from other trading venues and liquidity will likely fragment.
Europe's big three exchanges may have hit the headlines this month with their merger and acquisition activity – Deutsche Börse abandoned its bid for Euronext, leaving the Paris-based exchange free to tie up with the New York Stock Exchange, while US rival Nasdaq moved on the London Stock Exchange – but competition from Mifid is arguably their biggest challenge over the medium term.
The new trading rule book will outlaw concentration regulations that force investment banks and brokers to trade and report through exchanges, thereby enabling any company to become a multi-lateral trading facility, a trading platform similar to US electronic crossing networks.
Read the article in Financial News
Only 36% of financial firms think MiFID will be good for economy
The second MiFID readiness survey by technology firm SunGard and researchers TradeTech has found that 31% of financial services firms think that the Markets in Financial Instruments Directive will not be in the European economy's interests over the next five to ten years, 33% are unsure about its effect, and only 36% think that it will be good for the economy.
The survey also found that only 35% have identified budgets related to MiFID with under a year to go until its planned implementation in November 2007. Of those respondents who had indicated making MiFID budget provisions, 50% have allocated less than €1 million, whilst 18% have budgeted between €10 and €40 million.
Sheena Kelman, director, head of dealing at Martin Currie Investment Management, said: “The timing for an automated solution is getting very tight. Companies are unlikely to waste huge amounts of resource on final processes and systems, until the requirements are clear. The industry generally needs about an 18-month lead time to make really major changes to their processes. Unless the MiFID deadline changes, or the proposals are relatively straightforward, then the nearer we get to November 2007 the less likely it is that, however willing it is, the industry will be able to comply.”
FTC Permanently Halts Unlawful Spyware Operations
Defendants involved with operations that secretly downloaded spyware that changed settings on consumers' computers, have agreed to settle Federal Trade Commission charges that their practices violated federal law. The settlements bar secret software downloads in the future, bar the operators from exploiting security vulnerabilities to download software, and bar misrepresentations. In addition, the operators will give up a total of $50,000 in ill-gotten gains.
In October 2005, the FTC charged that Odysseus Marketing, Inc. and its principal, Walter Rines, lured consumers to their Web sites by advertising bogus free software, including a program called Kazanon that purportedly allowed consumers to engage in anonymous peer-to-peer file sharing. According to the FTC, the bogus software was bundled with spyware and other unwanted software. The agency alleged that the defendants also distributed their spyware by exploiting security vulnerabilities in the Internet Explorer Web browser. The FTC charged that the defendants' spyware intercepted and replaced search results provided to users who queried popular Internet search engines, and barraged consumers with pop-up and other Internet ads. The FTC also charged that the defendants' software captured consumers' personal information such as their first and last names, addresses, e-mail addresses, telephone numbers, and Internet browsing and shopping histories, and transmitted that information to the defendants' Internet servers. Consumers were unable to locate or uninstall the defendants' spyware through reasonable means, according to the FTC.
The court ordered a preliminary halt to the practices pending trial. The settlement announced today ends that litigation.
Read the Article
NHS National Programme for IT - Major Security Concerns
This week the "UK NHS Database" has been hitting the news. General Practitioners (GPs) are stating in statistically significant droves that there is something very poor about security on it. Some sources speak of hackers, others of staff with nefarious intent. Others speak of the ease of ID theft.
So how secure will this be? Will Margaret and Michael swap logins and passwords? Will Peter be blackmailed into leaking information? Will the NHS Database become a popular place for criminal gangs to infiltrate as they do in financial call centres?
Read the Article
EU panel: SWIFT broke data privacy laws
A report drafted by an EU panel of data protection officers concluded the bank data transfer agency SWIFT broke European privacy laws by handing over personal data to U.S. authorities for use in anti-terror investigations, EU officials said Thursday.
The Belgian-based company, the Society for Worldwide Interbank Financial Telecommunication, "committed violations of data protection laws" by secretly transferring data to the United States, without properly informing Belgian authorities, the independent panel's report said, according to the officials.
The panel's report calls on SWIFT, financial institutions and EU authorities to "take the necessary measures" to end the transfer, which it said contradicts Belgian and EU data protection rules.
Read what Business Week has to say, then comment on the story
Plastic Card Fraud
Cards are always safer than cash. The chances of you becoming a victim of card fraud are still low (fraudulent transactions make up 0.141% of all transactions). If you are unlucky enough to be a victim you will not suffer any financial loss as a consequence providing you have not acted fraudulently or without reasonable care.
Criminals are always looking for ways to get hold of your cards, but the banking industry is committed to fighting the fraudster on all fronts. Chip and PIN is a vital tool to help us further protect cards and we continue to work on a raft of other initiatives.
Read the Article
The Internet offers the opportunity to bank and to shop in safety whenever and wherever you want to.
Nearly 15 million people in the UK now use the Internet to access their bank accounts, and millions more regularly shop online.
The Internet is an extremely safe way of shopping and banking. However, security relies on vigilance and you should not relax your guard when you are online.
The majority of UK Internet users who bank and shop online are playing their part in making sure that they avoid becoming a victim of online fraud. But research commissioned by APACS shows that millions of Britons are not even aware of some of the basic online pitfalls from which they can easily protect themselves:
Read the Article
Yes, they ARE watching you
Even the Government's Information Tsar thinks things have gone too far – computer records on all children and fingerprint checks for motorists.
The Western world is in the year 2006 AD, for Muslims it's 1427 AH and in China they're celebrating the Year of the Fire Dog. But if you're a British citizen, you would be forgiven for thinking that we have finally entered George Orwell's 1984. Never before, it seems, has Big Brother's unblinking eye focused so keenly on our every waking move.
It's not just the paranoid who are nervous. The sanguine figure of Parliament's Information Commissioner, Richard Thomas, yesterday attacked the Government's planned £224 million children's register, which will contain the details of every child in Britain, saying it will not only devalue parents but "shatter" family privacy. The volume of personal information held on children has already reached unprecedented levels and is "set to increase dramatically".
Meanwhile, motorists now face the threat of being fingerprinted at the roadside. Yesterday 10 police forces across England and Wales started using handheld gadgets to check speeding motorists against a fingerprint database of 6.5 million crime suspects.
Read the full article in the Telegraph and then tell us what YOU think
Online Banking Becomes Main Settlement Tool
The amount of money transferred using electronic banking surpassed the amount through checks and company bills for the first time ever in the third quarter, the Bank of Korea (BOK) said Wednesday.
Daily banking transactions through the Internet, online phone banking and other means of online banking amounted to 13.3 trillion won for the three months ending with September. The number is up 23 percent from a year ago.
In contrast, the number of transactions completed using checks and company bills contracted. Daily transactions dropped 5.9 percent from a year earlier to 13.1 trillion won, the bank said.
It is the first time electronic banking transactions have surpassed transactions made using checks and bills since the bank began compiling data on electronic banking in 2001.
Read the article in the Korean Times
Crediting the Online Customer Experience
Banks must focus on listening to their customers and tweaking their services to help improve retention and cross-sell initiatives; Wachovia leads in online banking satisfaction, according to a Jupiter Research study.
A superb online experience can have a significant impact on a bank's ability to retain its customers and attract new ones: 52 percent of the 1,349 online users very satisfied with online banking surveyed for a Jupiter Research report would recommend the bank, 32 percent wouldn't change banks, and another 32 percent would consider the bank for additional products. "U.S. Online Banking Consumer Survey, 2006," which leverages the responses of random online consumers from Ipsos-Insight's U.S. online consumer panel, examines the correlation between online satisfaction levels and propensity to stay and buy additional offerings, while also highlighting online banking best practices.
About half--53 percent--of the 1,045 online users who are very satisfied with bill view/pay would recommend the bank, 33 percent wouldn't switch, and 34 percent would consider it for additional products. Of the 704 online users who are very satisfied with alerts, 61 percent would recommend the bank, 40 percent wouldn't switch banks, and 42 percent would consider the bank for additional products. However, of the 3,663 overall online users, 32 percent would recommend their bank, while 28 percent would not switch banks, and 19 percent would consider the bank for additional products.
Read the article in Destination CRM
Online Banking Fraud in UK on the Rise
A surge in 'phishing' in the first half of 2006 has produced a sharp rise in the amount of money being lost to online banking fraud. UK banks reported a 55 per cent increase in losses from fraudulent online transactions for the first half of the year.
Phishing involves using fake web sites to lure people into revealing their bank account numbers. The number of recorded incidents rose 16-fold to 5,059, said the Association of Payment Clearing Services (APACS).
Losses totalled USD 42.8 million, up from USD 27.6 million from the first six months of 2005, according to APACS.
Read the article in SDA India
Survey Reveals Acute UK e-Phobia in Run-up to Christmas Spending Spree
An NOP survey of 999 adults* commissioned by Enterasys Networks, has revealed the deep distrust of the British public in using the Internet to shop online. Just half (50%) of the UK population have ever shopped online and 43% of us are put off shopping or banking on-line because of security concerns.
The survey revealed that e-commerce still has a long way to go to earn the trust of the public. It showed that more men than women have bought something over the Internet (54% versus 47%) and that the younger we are the more confident that our information will remain confidential. The 16-24 year age group are most confident, with 84% professing to be happy with security compared to just 54% of the 65+ age group. The profile of the active e-shopper is typically a married 'thirty-something', working full-time and living in London or the South of England.
Our confidence levels in government agencies such as the local council are also worryingly low, with just 27% of the population scoring their security measures at one or two on a scale of five. Banks, on the other hand, can be a little more confident with 57% of us awarding them a four or five out of five for security.
Read the article.
UK is 'Europe's card fraud capital'
More than seven million British adults have fallen victim to card fraud, according to a new report.
Research from the European Security Transport Association (Esta) found that nearly 20% of the adult population in Great Britain has been targeted as part of a credit or debit card scam.
It makes the UK the card fraud capital of Europe, with citizens almost twice at risk of becoming a victim compared to adults in seven other European countries polled as part of the survey.
In all, 11% of Europeans taking part in the research said they had been hit by card fraud, translating to around 22 million people.
As a result of card fraud, a third of victims across Europe said they favoured cash as a payment method.
Read the Guardian Online article
Microsoft puts security as top priority for IE7 and Vista
Despite antitrust pressures and complaints from partners (turned competitors), Microsoft announced that EU regulators have given it the go-signal to release its new operating system, Vista, without dropping any key security features.
A high-ranking Microsoft executive claimed that the enhanced security features in Vista will render third-party antivirus software useless. Irked, pure-play security vendors like McAfee and Symantec claimed they were at a disadvantage since they were denied access to key parts of the new operating system, which thus impeded their development efforts. Microsoft announced that Vista, the first major upgrade since XP in 2001, will be released to major business clients by November 30 2006 and available to the public by January 30 next year.
In line with this, Microsoft rolled out Internet Explorer 7 for Windows XP months before the big release of Vista. Available for download now, the IE7 Web browser upgrade offers users fortified security which will combat malware and phishing. In cooperation with VeriSign and other Certificate Authorities (CA), Microsoft's new IE7 will feature extended validation (EV) SSL, which features increased scrutiny of organizations and more prominent display of certificate details.
Read the article
Mainstream blogs slow down as corporate blogs take off
Technorati's latest "State of the Blogosphere" report showed that of the total 57 million blogs that it is tracking, nearly 3 million blogs were launched from July through September. The daily average of 100,000 new sites created per day is slightly lower than the 160,000 peak in June. In response, Technorati rationalized that the decrease is not a manifestation of the maturity of the blogosphere but instead reflects the blog tracking system's increasing accuracy in detecting and weeding out splogs (spam blogs or fake blogs). On the global blog scene, English and Japanese remain the two most popular languages in use, with Chinese postings dipping by 10%. (Also interesting to note how much blogging goes on during work hours in the US – and after office hours in China and Japan.)
Although traditional media sites (i.e. New York Times, CNN, etc.) continue to dominate the top 100 sites, blogs have essentially taken over once you go down to the top 500 list. This has led corporations to realize that blogging offers a viable, focused and cost-efficient means of corporate messaging. According to research, 40 (or 8%) of the Fortune 500 companies (i.e. Cisco, HP, Microsoft, Intel) are blogging as of October 2006, double the number (18) in January 2006. VeriSign is one of the frontrunners to have created its own blog, featuring thought leaders in the field of IT and engineering. Microsoft, which also joined the blogging bandwagon, claimed the improved company image that the corporate blog has brought in could easily be translated to millions of dollars worth of PR savings.
Read the article
'Data breaches need policing,' warns consumer body
The theft of a laptop containing details of an unknown number of Nationwide building society customers has sparked calls from a consumer watchdog for a new law to force companies to notify customers of data breaches.
The National Consumer Council made the call as it emerged that Nationwide is writing to its 11 million customers with security advice following the theft of the company laptop from an employee's house in August.
The NCC is concerned that the building society waited three months before notifying customers of the data breach. A spokesperson said, “If this had been announced at the time, customers would have been in a better position to take action and change passwords and Pins.”
Read the article in Computer Weekly and also refer to the article on the Privacy Rights Clearing House and loss of data records.
Wi-fi users at risk of data and identity theft
New survey finds users send personal and work information through the air without encryption. 37% confess to using unknown open connections
A new survey commissioned by Steganos, European leader in providing security and privacy software for consumers and SMEs, has found that UK wi-fi users are needlessly exposed to the risk of data and identity theft. Although 86% of those wi-fi users surveyed said they knew there was a risk that their data could be intercepted when connecting via a wi-fi hotspot, only 22% use any form of encryption to protect it. 37% of wi-fi users surveyed said they have used networks belonging to unknown businesses and residents nearby, exposing themselves to the risk that their data could be intercepted by the operators of those hotspots.
The survey revealed that although many users are aware of the threats that their PC is exposed to when connected to the internet, they are less aware of the risk that their data is exposed to as it travels through wi-fi hotspots. While 77% of respondents used antivirus software and 72% used a firewall, only 8% encrypted their data and only 14% used a secure, encrypted link to the internet. The vast majority of wi-fi users know they’re being reckless: only 14% were unaware that somebody could intercept their data while they are connected via Wi-Fi.
Read the article
Banks Plot Rival Exchange
The stock exchanges have been among the biggest beneficiaries of the booming market, so it is hardly surprising that they have themselves been the subject of long-running global takeover battles.
Last week, the European exchanges faced a new threat when seven investment banks unveiled plans to create their own exchange. The plot, codenamed Project Turquoise, has been formed by Citigroup, Credit Suisse, Deutsche Bank, Goldman Sachs, Merrill Lynch, Morgan Stanley and UBS, which are responsible for 50% of volumes on the London Stock Exchange (LSE).
The banks claim the charges of all the European exchanges - in particular the LSE - are too high and since their demands for the exchanges to lower fees have been ignored they have decided to create their own, mutually owned exchange.
Read the Times Online Business News article (foot of page 2 et seq)
Security firms clash over phishy e-mails
Banks and security experts cannot agree if it is safe for banks to use e-mail for communicating with their customers because the medium has been hijacked by criminals who try and fool online banking users into divulging their log-in details.
Last week, ZDNet Australia reported that an e-mail sent by Citibank confused both customers and security experts because neither group could distinguish the genuine e-mail from a phishing attack.
Security experts criticised Citibank because its e-mail asked recipients to update their online bank log-in details due to an update of the company's security system. Experts claimed the bank had contradicted its own security guidelines and confused its customers.
In response to the story, antivirus firm Sophos on Thursday highlighted the increasing number of phishing attacks but claimed that even though there is "little room for error", banks could safely continue using e-mail for contacting customers -- as long as they take precautions.
Read the article on ZDNet India, then join in the discussion
Get Smart About Your Confidential Phone Data
Before you upgrade or resell your smart phone, you should take a moment to consider your duty to protect confidential client information. Has all the client information on your smart phone been erased? How can you be sure?
McLean, Va.-based technology outfit, Trust Digital, revealed the findings of vulnerabilities in smart phone technology unbeknownst to most companies and consumers. In their experiment, Trust Digital's engineers randomly purchased 10 smart phones from eBay.com. Using software currently found on the Internet, the engineers were able to retrieve nearly 27,000 pages of corporate and personal data from the phones. Such an alarming discovery prompted Illinois Governor Rod Blagojevich to write a letter addressed to both the Federal Communications Commission and Federal Trade Commission, calling for the two agencies to provide greater protection for information stored on cell phones.
While government agencies, corporations and the occasional cheating spouse viewed Trust Digital's revelation with serious concern, lawyers and law firms -- one of the likeliest victims of smart phone information theft -- have been silent. Trust Digital's experiment should be of serious concern for the modern law firm. While the need to upgrade to the latest and greatest form of mobile information technology accelerates, the rules and laws protecting a client's information and communication with their attorney, remain stagnant.
Read the article on Law.com and then tell us about your experiences
WestCom and VeriSign® Announce Strategic Alliance
WestCom Corp. and VeriSign, Inc., today (16 November 2006) announced a strategic alliance agreement to jointly market and deliver a suite of next-generation converged IP services to the global financial community. The Alliance brings together one of the world's largest providers of trader voice services, with the leading global provider of intelligent infrastructure services.
The Alliance enhances WestCom's existing voice and data network by embedding VeriSign's advanced routing and security technologies into the network. The companies will work together to create next-generation solutions supported by the VeriSign Network Routing Directory (NRD) to offer portal-based trader line mobility and other enhanced applications that help meet the demanding standards of the financial services community for secure, real-time communications.
Read the article
Citibank phishes itself! An email too far?
A seemingly innocent e-mail from Citibank Australia introducing a new online banking process has been mistaken for a phishing attack.
The e-mail was sent last month and described a new sign-on procedure that promised to be "even more secure". As part of a security upgrade, customers were asked to update their log-in credentials.
The message also asked recipients to log on to the bank's Web site and authenticate themselves by entering their Citicard or credit card number, and ATM PIN.
The bank has a strict policy to safeguard customers from such scams. Its online security section says: "Customers should understand that Citibank will never send e-mails to customers to verify personal and/or account information… It is important you disregard and report e-mails which… request any customer information - including your ATM PIN or account details."
Read the article on ZDNet Australia, then tell us what you think
Mobile spam spells trouble for text-based ads
For Jeffrey Paul, his mobile phone was the last bastion of communication solitude in a world overrun with telemarketing, junk mail and email spam. But now, even his mobile isn't safe from unwanted solicitations.
The 40-year-old sales executive from Los Angeles said he uses text messaging sporadically to contact friends, so he was extremely annoyed when he started getting text messages offering him a deal to buy or rent a time-share from Webuyresorts.com.
Even though the unwanted messages were costing Paul 10 cents a pop, he said he wasn't as annoyed about the cost, because he had only received a few of these messages. Instead, he was concerned that his phone would soon be hijacked by marketers, including his own mobile phone provider, contacting him with unwanted advertisements.
"The real annoyance is that now I can't even be left alone on my cell phone," he said. "I actually cancelled my home phone because I was being bombarded with telemarketing. I guess I thought that my cell phone was a telemarket-free zone."
As more people subscribe to mobile phone services -- nearly 220 million in the US as of June, according to the CTIA Wireless Association -- marketers see the mobile market as a ripe opportunity. According to research firm Informa, marketers will spend more than $11bn (£5.8bn) on mobile advertising by 2011.
Read the article at News.com and tell us what you think
Samsung Telecom Site hosting Crimeware
- Source Websense, September 2006
According to Websense, Samsung Telecom has been hosting "Crimeware" for some time. Websense says:
"Websense® Security Labs™ has received reports that the Samsung Telecom website is hosting malicious code. The site, which is hosted in the United States, has been hosting a number of directories and files which, when downloaded and run, install malicious code on end-users' machines.
The server appears to have been compromised and has been hosting a variety of files for some time (the owners have been contacted).
The most current code, which is still available for download, is a Trojan Horse that attempts to disable anti-virus programs, modify registry keys, download additional files, and log keystrokes when connecting to banking websites."
The alert does not state whether the site is now clean.
Read the full Alert at Websense
Microsoft wins record amount from spammer
Microsoft has won what it believes to be the largest civil award against a spammer in Europe.
Paul Fox, whose e-mail messages were intended to direct traffic toward his pornographic download site, was this week forced by a court order to pay Microsoft 45,000 pounds, or $84,177, for breaching the terms and conditions of its free Hotmail service. Those terms explicitly prohibit the delivery of spam to its customers.
But while Microsoft has clearly won, the case highlights a failure in the British legal system to tackle spam. Despite efforts by the Information Commissioner's Office to gain power from the Department of Trade & Industry to deal with spam, Information Commissioner Richard Thomas remains hamstrung.
"He can do very little," Struan Robertson of law firm Pinsent Masons said. Because Thomas' office can only deal with spam originating in the United Kingdom, the actions it can take are limited, said Robertson, who believes there should be more serious deterrents in place.
Read the article at News.com and tell us what you think
Information Security Driving Business Process Improvements - But Need for Continuous Attention to Minimize Risk
Information Security is increasingly recognized as a driver of business improvement, says Ernst & Young's 9th Annual Global Information Security Survey, but companies still need to do more to improve their information security posture in the globalized business environment where the largest opportunities also carry the greatest risks. Among the five key priorities identified by the report as being most critical to future success, the one making the most dramatic leap up the boardroom risk agenda is privacy and personal data protection; the most consumer-driven of these issues.
The survey, "Achieving Success in a Globalized World — Is Your Way Secure?" sought the views of nearly 1,200 senior information security professionals in 48 countries, as well as benchmarking the current information security practices of more than 350 organizations in 38 countries.
Paul van Kessel, Global Leader of Ernst & Young's Technology and Security Risk Services, comments, “We have identified five major information security priorities in which companies are showing significant progress, but also where continuous improvements are necessary to keep pace with the growing requirements of effective risk management.
Read the Article
Compliance and Privacy Newsletter - 15 November 2006
In this issue:
- What are you doing against Internal Threats?
- Data chief challenges US access to European Bank data
- Korean Government to Mandate SSL Certificates
- Jeff Richards's Demand Insights Blog
- MiFID: "Implement on time or face legal action" - McCreevy
- Most security professionals "unaware" of basic online security when shopping
- Sarbanes-Oxley: Newfound Benefits
- VeriSign Security Review - October 2006
- Combating Online Banking Fraud - VeriSign APACS and Deloitte Touche
- Switch on to Data Protection
Click Here for the Newsletter
Switch on to data protection
Following the recent media coverage of identity theft and the dumping of customers' personal information by banks, the Information Commissioner's Office has launched 'The lights are on…'. This new interactive training DVD is being released to improve understanding of the Data Protection Act in the work place and ensure individuals' personal information is effectively protected.
The DVD highlights a few common mistakes and the eight principles of good data protection practice, to encourage better compliance with the Act. It explains the problems that can arise for individuals when their personal information is wrongly disclosed to a third party.
Read the Article, get the DVD
Pump&Dump.con: Tips for Avoiding Stock Scams on the Internet
One of the most common Internet frauds involves the classic "pump and dump" scheme. Here's how it works: A company's web site may feature a glowing press release about its financial health or some new product or innovation. Newsletters that purport to offer unbiased recommendations may suddenly tout the company as the latest "hot" stock. Messages in chat rooms and bulletin board postings may urge you to buy the stock quickly or to sell before the price goes down. Or you may even hear the company mentioned by a radio or TV analyst.
Unwitting investors then purchase the stock in droves, creating high demand and pumping up the price. But when the fraudsters behind the scheme sell their shares at the peak and stop hyping the stock, the price plummets, and investors lose their money.
Read the article (source the US SEC)
Two-factor technology opens new e-markets
UK businesses should soon be able to conduct trade electronically with their counterparts in Macedonia and with other states that have until now been deemed too great an e-commerce risk, thanks to an initiative between security technology firm VeriSign and the US Agency for International Development.
Banks in Macedonia, part of the former Yugoslavia, are poised to issue their customers with two-factor authentication devices to turn around the country's reputation as a risky trading partner for e-commerce.
Until now, the country has in effect been blacklisted by major e-commerce sites such as eBay and PayPal, stifling the ability of Macedonian firms to trade online.
The US Agency for International Development has partnered with VeriSign to provide Macedonia's banks with the smart tokens that will allow the country's citizens and businesses to trade securely online.
Read the full article in ComputerWeekly.com
Phishing reaches record numbers
Protecting the integrity of a brand is a top priority for all businesses. The damage caused to a brand by a phishing attack can be far more severe than the funds or credentials compromised by the criminal groups perpetrating these acts. In July of this year the Anti-Phishing Working Group (APWG) reported a record number of legitimate "brands" hijacked. The group reports that 154 banks, financial companies, electronic retailers, or other organizations had their brands hijacked through phishing in July 2006 - a new record.
Security Focus goes on to say:
... They also report to have found 23,670 total phishing websites used to commit identity theft, fraud and other malicious activity in July 2006. This number is second only to the record 28,571 phishing sites found in June 2006, and is nearly double the 14,135 phishing sites found in July 2005. Of these sites, 14,191 are considered "new" phishing sites, compared to just 4,564 new sites found one year prior, in July 2005.
There is a full report available for download.
Read the full article at Security Focus
Bank fraud drives adoption of two-factor authentication
Banks will come under further pressure to adopt two-factor authentication technology following a 55% increase in the cost of online banking fraud over the past year.
Figures released today (7 November) by the Association of Payment Clearing Services (Apacs), show bank losses reached £22.5m in the first six months of the year, up from £14.m over the same period in 2005.
The increase has been driven by a dramatic rise in the volume of phishing incidents, which rose from 312 in the first six months of 2005 to 5,059 in the first half of 2006.
Several banks, including Alliance & Leicester and HSBC, are trialling two-factor authentication technology in an effort to stem the tide of phishing fraud. Apacs said it was working with banks and retailers to test what could become an industry standard version of two-factor authentication next year. The system uses low-cost handheld card readers to generate one-time passwords, which can be used to verify purchases online or over the phone.
Read the full article in Computer Weekly
Data Breaches are a Growing ID Theft Concern
According to an article at The Privacy Rights Clearing House, a data breach has become the nightmare scenario for most companies. These incidents can result in severe brand damage, loss of consumer confidence, even litigation. Starting with ChoicePoint's massive data disclosure in February of 2005, the article provides a detailed chronology of this very real and dangerous problem. It's a vast page and it's slow to load. But take the time and scan down the list.
Read the Article
Symantec and VeriSign® to Deliver Stronger Identity Protection for Consumers
Joint Identity Protection and Authentication Solutions to be Offered to Financial Institutions, Online Retailers and Consumers
Symantec and VeriSign announced on 10 October 2006 plans to deliver security solutions to combat the growing threat of consumer identity theft and fraud on the Internet. Symantec plans to offer support for the VeriSign® Identity Protection (VIP) Authentication Service, which allows consumers to utilize one-time passwords to protect their online identity. The VIP Authentication Service is enhanced by the VIP Shared Authentication Network which enables consumers to use one credential across multiple member websites. In addition, the two companies intend to jointly market combined identity and security solutions to financial institutions, online retailers and end users.
As part of its Security 2.0 strategy, Symantec will provide its Norton customers with the best available solutions for stronger authentication, with support and integration of Norton Accounts with the VIP authentication credentials. The company plans to provide access to a VIP, two-factor credential in a future release of Norton security software. The VIP Shared Authentication Network enables consumers to use a single credential across multiple websites. With two of the most trusted Internet security brands, Symantec and VeriSign have the potential to create a widely-used standard for global identity protection. Symantec's more than 50 million active Norton subscribers, plus millions of additional consumers who are reached through Symantec's OEM and ISP channels, will have access to the joint offering.
Read the Article
High Assurance SSL
Apart from the actual security provided by digital certificates in a Web environment, in terms of encryption of data and authentication of participants, they are meant to be a confidence-boosting measure.
That little lock icon in the browser and the "https" in the address tell the user that the communications are secure. Users can also click through some dialog boxes linked from the icon to see specifics of the certificates for the site they are viewing and make a decision about the authenticity of that site. Of course, 99% of users never do any such thing, and probably very few even notice the relatively obscure lock icon.
Even the value of the lock icon has been diminished lately. There have been recent examples of scammers obtaining a certain kind of SSL certificate, called a domain-authenticated SSL certificate, that can be obtained with very little in the way of verification of the bona fides of the applicant. Even if the user takes care to look for the lock symbol, he or she can be fooled by such a certificate.
A new standard hopes to address this situation with a new class of certificate. Some reports indicate that the final official name for these certificates will be "Extended Validation," but they are more widely known as "High Assurance" SSL certificates.
Read the full article in IIS Zone
A New Type of SSL Certificate Is on the Way
Web businesses face a crisis in confidence. Consumer trust in the security of sites is declining, and in increasing numbers they are scaling back online transactions - or opting out entirely. According to Forrester Research on December 8, 2005, an astonishing 24% of Internet users reported that they would not be shopping online that holiday season because they did not feel safe. A full 61% reported that they had at least reduced online purchases for the same reason. This phenomenon has been masked by the overall increase in online activities like shopping, banking, trading securities, and filing taxes. The fact remains, however, that these online businesses are less effective than they should be, and are leaving money on the table.
Starting early in 2007, Web sites will be able to definitively demonstrate their identity to customers—and customers will be able to confirm identity before trusting sites. This opportunity comes thanks to the greatest development in the Web's secure backbone in over ten years. 2007 will see the introduction of a new kind of SSL Certificate, the first since the technology's origin over a decade ago.
These new certificates will be called Extended Validation SSL Certificates, and they represent over a year's effort by an industry consortium called the CA/Browser Forum. Starting early in 2007 the CA/Browser Forum intends to make these new certificates available for the benefit of Web businesses and site visitors alike. These certificates can facilitate online commerce in all its forms by increasing visitor confidence in legitimate sites and greatly reducing the effectiveness of phishing attacks.
Read the Article
Can IE 7 kill off phishing?
Phishing could soon be a thing of the past and the credit may have to go to Microsoft. That's according to a leading web security expert who says functionality built into Internet Explorer 7 could shutter fraudulent websites within 18 months.
Tim Callan, a director at VeriSign, said anti-phishing guards in IE 7 - which will warn users off malicious websites where they may be asked to submit personal information such as bank or credit card details - will help restore badly damaged consumer confidence.
Callan said: "Consumer confidence is falling and the biggest reason for that is fear, pure and simple. People fear that something bad is going to happen to them."
And he said phishing is the major cause of concern.
Read What Callan says at Silicon.com, then tell us if IE7 will reassure you
The Lord Mayor of London, David Brewer, last week issued a wake-up call to financial institutions to take a global lead in combating cybercrime.
“Cybercrime is more lucrative and less risky than drugs,” he said. “There is no better place to start than in London,” he continued, highlighting the City's capability of taking over all of New York's trading on 9/11 in just half an hour.
“We are already seeing evidence of failure to grasp the nettle,” he warned a select meeting of leading City influencers in London last week.
He warned that while the internet is key to the future success of the City and the global financial marketplace, it is spoken of as if it were regulated, structured and planned, which it is not.
The baseline for the Internet is threefold, he said: security, stability and availability.
Faced with major new cybersecurity threats, companies need to adopt a new approach, said Mark Reece, trading systems architect at the London Stock Exchange, speaking at the same event.
Read the full computerweekly.com article
Australian Business Clarity1 Fined $AUS5.5m for Spam
The first company to be convicted under Australia's tough anti-spamming laws was fined Friday 5.5 million Australian dollars for sending 280 million advertising e-mails.
The Federal Court fined Clarity1 Pty Ltd, based in the west coast city of Perth, $3.4 million and its director Wayne Mansfield $760,000 for sending unsolicited e-mails advertising seminars and other products.
The business had sent 280 million spam e-mails of which about 74 million were successfully delivered over two years. The court also banned Clarity1 from sending unsolicited e-mails in the future.
Many articles cover this judgement: the best source is a Google search. Once you've read enough, tell us what you think
MiFID Rules Break the Exchange Monopoly on Trade Reporting
A consortium of investment banks is building Project Boat, a platform for trade data reporting and market data publishing which will take advantage of new MiFID regulations.
As Europe braces for new pre-trade data and post-trade reporting requirements resulting from the Markets in Financial Instruments Directive (MiFID), the Pan-European legislation already is shaking up the status quo in the exchange-dominated market data business. Under the legislation, which takes effect in November 2007, investment banks will be in a position to form their own trade reporting authorities and charge for disseminating their own market data.
The opportunity for investment banks to capture, pool and disseminate their own market data "has been there for a very long time," according to Andrew Miller, managing director of Arcontech, a London-based real-time market data software specialist. But, he says, "MiFID is legislating that things must be done differently, so it's already shaking up the status quo and serving as a catalyst" for brokers across Europe to set up their own market data communities.
Read the Wall Street & Technology article
Sarbanes-Oxley: Newfound Benefits
Small to medium-sized companies were forced to both develop and document their financial and IT processes much earlier in their business maturity than they would otherwise have. In the past, little attention was paid by these companies to process documentation and controls. SOX created the imperative to develop controls because of its rigorous focus on operational performance.
The press has been replete with complaints from companies that have to comply with Sarbanes-Oxley (SOX). Some of the criticisms were based upon the outsized cost of compliance. Other criticisms revolved around the difficulty and intricacy of compliance, especially to Section 404, Management Assessment of Internal Controls.
The complaints, it seems to me, have reached a crescendo and now seem to be dissipating. Out of the turmoil and confusion relating to SOX compliance, it seems that some people are beginning to see real benefits to the act - benefits that could actually enhance the bottom line of a business.
Theodore F. di Stefano in the E-Commerce Times on 27 October 2006, where you can read the full article and then discuss its impact on you and your business
Push intensifies for personal data rules change
Calls for a change to international rules on data transfers intensified Monday when two leading trade associations called on U.S. and European Union decision-makers to take action.
The American Chamber of Commerce to the European Union (AmCham EU) and the International Chamber of Commerce (ICC) "urgently call upon decision-makers on both sides of the Atlantic to deliver real progress on international transfers of personal data, a matter of growing concern for businesses worldwide," the trade groups said in a statement.
The call for action comes as more and more companies face legal uncertainty sparked by the very different approach to data privacy in the U.S. and Europe.
In recent weeks SWIFT, a Belgian financial data transfer company, has been found guilty of handing over personal data to U.S. authorities in breach of European data protection laws. SWIFT was forced to hand over the data by U.S. officials investigating terrorist financing.
Read the full article at InfoWorld then discuss the impact here
Most Security Professionals fail to check for secure shopping
Our long-running survey on user security awareness when shopping, which we opened in June 2006 and closed after four months, showed a sad lack of knowledge of basic aspects of online self-protection, even in a security-aware readership.
The current results are astounding. They show a cavalier disregard for even the most basic security precautions when buying online. And this is by educated users!
See the results
Enterprises forced to revamp security policies
Combination of hackers and regulations prompt major rethink
Increasingly stringent government and industry regulations, combined with an ongoing assault from cyber-criminals and malware, will force organisations to revamp security policies, IDC has predicted.
The analyst firm said that this shifting landscape has spawned a new competitive market, which it labels Security Compliance and Control.
"Regulatory compliance initiatives are quickly becoming part of larger corporate governance and risk management strategies," said IDC research analyst Rose Ryan.
Read the vnunet article
Independent survey finds UK companies seriously failing to control employee access to sensitive information
An independent survey published on 18 October 2006 by UK company Secerno suggests that databases are open to attack from growing insider threats. Key findings from the survey were:
- Over 60 per cent of UK employees have access to computer records at their place of work
- 41% have access to records that are not necessary for their job
- One in ten has been tempted to abuse this access
- 56% of employees have no restrictions placed on the information they have privileges to access
Databases lie at the heart of most companies, and contain many of the most valuable assets of these organisations, and indeed of their customers. These assets range from research data, development plans and price lists through to Social Security numbers, credit card information, health records and buying habits. According to Gartner the database management systems software market is set to grow dramatically over the next five years bringing it to $13.2 billion in 2009. According to Yankee Group research, the confidentiality and integrity of an estimated 70% (by volume) of all critical and sensitive information relies on database mechanisms.
Read the Article
For Sale - The True cost of purchasing Drivers' Details in the USA
The purchase of 650,000 names and addresses from the Florida Department of Highway Safety and Motor Vehicles landed a US Bank in trouble with the courts last month to the tune of $50 million.
The Fidelity Bank & Trust bought the personal data of 656,000 individuals living in a number of Florida counties for direct marketing purposes, namely for car loan solicitations. According to documents disclosed in court the data in question was purchased for a mere $5,656.
Read the Article
McCreevy Warns EU Members On MiFID Implementation
Speaking at a dinner this week hosted by the Financial Times, EU Internal Market Commissioner Charlie McCreevy warned member states that they are likely to face legal action if they are not ready to introduce the markets in financial instruments directive (MiFID) on time.
The directive needs to be implemented by the end of January 2007, and will come into force in November of that year.
MiFID aims to create a single market for financial products and providers and allow greater competition between different institutions with regard to the provision of certain investment products.
Read the full article on Taxnews.com
Korean Government to Mandate SSL Certificates
Starting January 1, 2007, any business in Korea collecting personal information online or conducting e-commerce transactions will be required to run SSL certificates on the server side. While client certificates, mainly for personal Internet banking and online purchases by individuals, are already mandated by the government and almost ubiquitous, there has been very little adoption of server certificates, so this new legislation marks a major shift in Korean government policy aimed at driving widespread adoption of server certificates. With this legislation, the Korean Government expects online businesses in Korea to have 10K new certificates installed by the end of this year and an additional 40K within 2007.
Read The Article. As we learn more this will be updated.
Internal Attacks are Serious Threat
An example is the recent case of David Lennon launching an e-mail attack on his former employer, Domestic & General Group. Lennon caused chaos for Domestic & General by generating millions of hoax e-mails. The insurance company's router and mail server crashed and the cost was in the tens of thousands of pounds. This followed Lennon's dismissal from his part-time job.
Although Lennon was sentenced to a 2-month curfew and electronic tagging, companies would be ill-advised to assume that this is the type of attack which is their primary threat, dangerous though it was.
Insider frauds are proliferating. For example, a bank manager in Scotland created £21million in false loans in a five-year period.
Read the Article
Compliance and Privacy Newsletter - 13 October 2006
In this issue:
- Trusted Computing Group - Open Specification For Mobile Phone Security
- Larry Seltzer's Security Weblog
- APACS: people are unaware of basic security measures for eBanking
- Cyber Attacks Increasingly Target Home Users for Financial Gain
- 83% of Adults Who Social Network Expose Themselves To Hackers and Identity Thieves
- New concerns over web security
- RSA Conference Europe the number one dedicated European Security Event
- Wicked Rose and the NCPH Hacking Culture
Click Here for the Newsletter