News - a Roundup of all the news items between early February 2007 and Early March 2007, Newest First

To avoid long load times news is archived periodically. If you can't find what you are looking for on this page please refer to our archives. Please use the search engine for ease of retrieval.

Amcat praises customer’s decision to abandon AMD (Answer Machine Detect)

Excell Contact Centres highlights the benefits of better customer service management and 100% compliance

Amcat, a global leader in customer care and interaction solutions, is behind steps taken by its existing outsource customer Excell Contact Centres to turn off AMD (Answer Machine Detect) functionality on all its outbound campaigns. Based in Irvine, Scotland, Excell reports no loss in productivity (the argument the industry has typically used against rejecting AMD), improved customer service, and a 100% guarantee that silent calls are eradicated.

Excell Contact Centres’ General Manager of IT & Telecoms, Charles Vincent, said, “I admit that initially we had doubts when Amcat suggested we turn off AMD as we thought it would have a detrimental effect on the volume of successful contacts made. However, this has not been the case, as it’s had a positive effect on performance and it also means that the customer will never experience the annoyance of a silent call due to AMD false positives.”

Read the article

Compliance and Privacy Newsletter - 23 February 2007

In this issue:

  • Nationwide customers pay £1m fine
  • PayPal CISO outlines antifraud strategy
  • MiFID Recruitment Timebomb Ready to Explode
  • One-year anniversary of chip and PIN change over - UK leads the way in chip and PIN rollout
  • Banking industry reports progress on new faster internet and phone payment service
  • Are 'Sealed' Websites Any Safer?
  • Free MiFID briefings on offer
  • Managed Security Services: Buy Or Build?
  • IE7 gives green light to trusted websites
  • Tablus Partners With VeriSign to Provide PCI Auditing and Scanning Services
  • 'The Any Era Has Arrived And Everyone Has Noticed' - Stratton Sclavos, VeriSign

Click Here for the Newsletter

UK FSA fines Nationwide GBP980,000 over security failures

The UK Financial Services Authority has fined Nationwide Building Society GBP980,000 for failing to have effective systems and controls to manage its information security risks. According to the watchdog, these failings came to light when a laptop was stolen from a Nationwide employee's house in August 2006.

The Financial Services Authority (FSA) commented that, during its investigation, it found that Nationwide did not have adequate information security procedures and controls in place, potentially exposing its customers to an increased risk of financial crime. It added that it had taken swift enforcement action to send a clear message to all firms about the importance of information security.

According to the FSA, Nationwide worryingly did not realize that the laptop contained confidential customer information or start an investigation until three weeks after the theft. According to the BBC, the computer has still not been recovered.

Margaret Cole, FSA director of enforcement, said: "Nationwide is the UK's largest building society and holds confidential information for over 11 million customers. Nationwide's customers were entitled to rely upon it to take reasonable steps to make sure their personal information was secure."

Read the article in Computer Business Review

Nationwide customers pay £1m fine

The customers, not the directors, of Britain's biggest building society will pay a £980,000 fine for lapses in data security.

Nationwide was fined on Wednesday after a laptop was stolen from an employee's home in August.

It took three weeks before the society realised the extent and sensitivity of the customer details on the computer.

But Nationwide has told the BBC that it "would not be fair" if the directors paid the fine.

As a building society, Nationwide is owned by its members - the 11m customers - so any penalty, in effect, comes from their money.

Many are not happy that they will have to pay the penalty for their data being compromised.

Jill called BBC Radio 4's Money Box programme to say: "Because it's a mutual society, any fine will have to be picked up by the members, because there are no shareholders.

"It's a double whammy. It's bad enough to think your details may have been spread across the globe unnecessarily. But to be told as a member of a mutual society you are going to be fined, that seems a little unfortunate."

Read the BBC article

PayPal CISO outlines antifraud strategy

PayPal has 133 million customers that use its Internet-based money-transfer service, which handled US$37 billion in transactions last year. Michael Barrett, who is CISO at the eBay subsidiary, recently spoke with Network World senior editor Ellen Messmer about new approaches PayPal is taking to combat online fraud.

Almost every day I get a fake PayPal e-mail that's obviously a phishing scam. How do you deal with this phishing fraud or even use e-mail to communicate with PayPal customers?

There's a lot of spoofing of and We get e-mail from customers asking questions about this and other topics and we respond within 15 minutes. We use our own Web-based e-mail to communicate. The problem with phishing and spoofing generally is there's no magic bullet. So it's classic defense in depth.

How much fraud hits PayPal each year?

As a class of operational loss, it's 0.41 percent. In the industry, that's known as 41 basis points, which is pretty low. When our customers are victimized, their user ID and password are compromised, we compensate them.

What are some of your defensive strategies?

If the consumer never actually saw the phish e-mail, it's hard for the criminal to victimize you. We're working with people who make e-mail clients and the ISPs, such as Yahoo, MSN and AOL, on a technical strategy that says if the e-mail is not signed by us, drop it. We're having good discussions, but we have nothing to announce now.

Read the Computerworld article
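Barrett's "if the e-mail is not signed by us, drop it" is a receiver-side policy, and the interview does not say how a receiving mail system would enforce it. The Python below is an added example, not PayPal's or Network World's code, of one way to apply it. It assumes the signing scheme is DKIM and that the receiver's own MTA records verification results in an Authentication-Results header; the article names neither. The receiver identity mx.example.net, the second protected domain and all sample messages are constructed for the example.

```python
"""Receiver-side 'not signed by us, drop it' policy (added example).

Assumptions, not from the article: the signing scheme is DKIM, our own MTA
records the verification result in an Authentication-Results header
(RFC 5451/7601 syntax), and the domains below are the ones that asked for
unsigned mail to be dropped.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains whose owner has asked for unsigned mail to be dropped.
# paypal.com comes from the article; ebay.com is an added assumption.
SIGN_EVERYTHING = {"paypal.com", "ebay.com"}

# authserv-id written by our own filtering MTA (hypothetical). The MTA must
# strip any inbound Authentication-Results header that already claims this id,
# otherwise a sender could forge a "pass" for itself.
OUR_AUTHSERV_ID = "mx.example.net"

_DKIM_PASS = re.compile(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", re.I)


def _from_domain(msg):
    """Domain of the RFC 5322 From address, ignoring the display name."""
    _, addr = parseaddr(msg.get("From", ""))
    return addr.rpartition("@")[2].lower()


def _policy_domain(dom):
    """Return the protected domain that covers dom (exact or parent), or None."""
    for p in SIGN_EVERYTHING:
        if dom == p or dom.endswith("." + p):
            return p
    return None


def _signing_domains(msg):
    """header.d values with dkim=pass, taken only from results our MTA wrote."""
    passed = set()
    for ar in msg.get_all("Authentication-Results", []):
        authserv, _, results = ar.partition(";")
        if authserv.strip().lower() != OUR_AUTHSERV_ID:
            continue  # written by someone else; not evidence of anything
        passed.update(d.lower() for d in _DKIM_PASS.findall(results))
    return passed


def policy_decision(raw_message):
    """'accept' or 'drop' for one RFC 5322 message."""
    msg = message_from_string(raw_message)
    dom = _from_domain(msg)
    if _policy_domain(dom) is None:
        return "accept"  # no policy for this domain; normal filtering applies
    # A valid signature by some unrelated domain does not count: the signer
    # must be the From domain or one of its parents.
    for signer in _signing_domains(msg):
        if dom == signer or dom.endswith("." + signer):
            return "accept"
    return "drop"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "legit": (
        "Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com\n"
        "From: PayPal <service@paypal.com>\nSubject: Your receipt\n\nbody\n"),
    "subdomain_signed_by_parent": (
        "Authentication-Results: mx.example.net; dkim=pass header.d=paypal.com\n"
        "From: billing@mail.paypal.com\nSubject: Statement\n\nbody\n"),
    "unsigned_phish": (
        "From: PayPal Security <service@paypal.com>\n"
        "Subject: Verify your account\n\nbody\n"),
    "forged_results_from_sender": (
        "Authentication-Results: mail.attacker.example; dkim=pass header.d=paypal.com\n"
        "From: service@paypal.com\nSubject: Verify your account\n\nbody\n"),
    "signed_by_unrelated_domain": (
        "Authentication-Results: mx.example.net; dkim=pass header.d=bulk-sender.example\n"
        "From: service@paypal.com\nSubject: Offer\n\nbody\n"),
    "no_policy_domain": (
        "From: news@somebank.example\nSubject: Newsletter\n\nbody\n"),
}


def run_samples():
    return {name: policy_decision(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{verdict:6s} {name}")
```

The authserv-id check is the part that is easy to get wrong: a sender can add its own Authentication-Results header, so only results written by the receiver's own MTA count, and that MTA has to strip inbound headers that already carry its id. The policy also covers only spoofing of the protected domain itself; a constructed lookalike such as paypa1.com falls outside it and is accepted, so it needs other controls.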

MiFID Recruitment Timebomb Ready to Explode

There are just nine months to go before the Markets in Financial Instruments Directive (MiFID) is enforced by the FSA and London compliance recruitment agency, Joslin Rowe, is warning that this has big implications for compliance recruitment in London and across the UK.

“Over the last two months we have seen a 20% increase in the number of temporary compliance jobs focusing on MiFID orientated projects and this number is rising every week,” says Michelle Myers of Joslin Rowe. “It's becoming a hotbed of compliance recruitment across the temporary market as financial institutions scramble to get the right people on board immediately. As a consequence multiple compliance job offers are becoming commonplace and contract rates are rocketing. Companies cannot afford to hang around if they want to have the right people on board to hit the November 1st deadline smoothly.”

According to Joslin Rowe's recruitment research, an extra 1,200 temporary workers skilled in compliance will be required in the City of London over the next 10 months, thanks to MiFID alone.

Read the article

One-year anniversary of chip and PIN changeover - UK leads the way in chip and PIN rollout

Wednesday 14 February 2007 marks the one-year anniversary of PIN Day – the official changeover to chip and PIN in the UK. To recognise this milestone, APACS, the UK payments association, has issued an update on the successful progress of chip and PIN. As at January 2007 APACS figures show that:

  • More than 99.9 per cent of all chip and PIN card transactions are now PIN-verified – confirming that very few card-accepting businesses have not upgraded to chip and PIN.
  • More than 185 chip and PIN transactions take place every second. This compares with 125 every second a year ago.
  • The UK's banks and card companies have now issued 138 million chip and PIN cards - representing 97 per cent of the UK's 142 million payment cards. This is eight million more than were in circulation six months ago and over 30 million more than eighteen months ago. In 2007, remaining cards will continue to be upgraded.
  • Approximately 900,000 shop tills have been upgraded to chip and PIN. This represents 98 per cent of all shop tills in the UK – an increase of over 75,000 tills since PIN day.
  • Total card fraud losses fell in 2005 and we expect the figures to reveal that this trend continued in 2006.
  • As customers have got used to using their PIN retailers have reported that transaction times have become quicker with queues in shops shorter.

Read the article

Banking industry reports progress on new faster internet and phone payment service

  • New central system on track to be in place from November 2007
  • Thirteen financial institutions* confirmed to be founding members

To coincide with today's (Monday 12 February 2007) publication of the OFT's final Payment Systems Task Force Report, the UK banking industry today confirmed that it is on track to introduce the new faster payments system, agreed with the Task Force, by November 2007. It also announced that there are thirteen founding members* of the new system.

Read the article

Are 'Sealed' Websites Any Safer?

As consumers become more concerned about protecting their information online, more "secure" labels have emerged, each promising to serve as a "Good Housekeeping seal of approval" for Website security. Hacker Safe and ControlScan, for example, prove that a site has been vulnerability-scanned. The new Extended Validation SSL (EV SSL) moniker, championed by digital certificate vendors such as VeriSign and Cybertrust, helps verify that a site is not a phish or a phony. (See Cybertrust Enters EV SSL Fray.)

And now ScanAlert is rolling its "Hacker Safe" seal into a service for enterprises, company executives say. Hacker Safe Enterprise is a fully managed service that includes vulnerability assessment, hands-on analysis, and support from ScanAlert's security experts.

VeriSign, whose VeriSign Secured Seal logo is displayed on over 65,000 Websites, and Cybertrust, are in the process of rolling out EV SSL. If a site is EV SSL-certified, its address shows up in green on newer browsers such as Internet Explorer 7.

But are sites with a Website seal really more secure?

Website operators say displaying these logos demonstrates that they have made a good faith effort to run a clean site, and that they are being proactive in securing their sites. "I know that by implementing [Hacker Safe], I'm still ten times more secure than without it," says Lynnette Montgomery, general manager of e-commerce for Levenger, a $75 million reading and writing tools retailer that offers its products online as well as through stores and paper catalogs. "It's more that you are covering your bases, trying to be the best you can be, honest and putting your best foot forward."

Montgomery says another attraction of the Hacker Safe seal is its potential to bring in new customers. "Most companies I spoke to [about Hacker Safe] increased their conversion rate," she says. And that provides an ROI for the security service: "If I receive a two percent increase in conversion of customers, that's almost $500,000 in additional sales," she explains.

Read the article in Dark Reading

Fear and Loafing at RSA

It's the end of yet another RSA security conference, and we're tempted to trade our PCs for an abacus and hole up in the basement while the nightmarish robot invasion on mankind plays out. Malware, we were repeatedly told over the past five days, is lurking everywhere - in PCs, phones and online bazaars - and is waiting for the opportune moment to slip into our toasters and refrigerators.

Once the province of a ragtag bunch of nerds, computer crime is now a thriving business driven by hardened thugs. The creators of these root kits, bots and online scams bring a rigor and sophistication to their craft that rival even the most well-funded white hats.

This was the message the good guys were selling to show goers, while they talked in back-rooms to banks and retailers about ways to shore up public confidence in "secure" online shopping. Can you shop fear and court consumers at the same time? The RSA show wants to find out.

Most of what passed for news this year was data to support the all-too-familiar dystopian vision of hackers making life ugly for online users.

Read the article in Channel Register

VeriSign invests in DNS improvements

Investment in tenfold infrastructure improvements will help fight off attacks such as the one that occurred this week

VeriSign Inc. plans to invest $100 million over three years to expand tenfold the Domain Name System (DNS) infrastructure it operates for the .com and .net top-level domains.

The DNS is a multitier system that translates the names given to Internet hosts, such as, into numerical addresses. The part VeriSign plans to expand, the top tier, indicates where to find answers for addresses in the .com and .net domains. If it fails, or slows, many Internet services break or falter. This happened on Tuesday, when attackers disrupted the operations of root DNS servers operated by the Internet Corporation for Assigned Names and Numbers (ICANN) and the U.S. Department of Defense.

"We're going to make that kind of attack harder against our services," said Ken Silva, VeriSign's chief security officer, on Thursday.

Although VeriSign's investment will make the DNS more resistant to such attacks, "this isn't just about the attacks; this is about keeping ahead of the pace of network growth," he added.

Services such as Internet telephony or video delivery rely heavily on the DNS infrastructure, and are more susceptible to variations in its performance than applications such as Web browsing. An additional 40-millisecond delay in providing an address might not be noticeable to Web surfers, but it can have a big effect on voice over IP operators, Silva said.

Through a project known as Titan, VeriSign will reinforce its DNS infrastructure in two ways.

Read the article in Computer World

Hackers slow Internet root servers with attack

Online attackers have briefly disrupted service on at least two of the 13 "root" servers that are used to direct traffic on the Internet.

The attack, which began Tuesday at about 5:30 a.m. Eastern time, was the most significant attack against the root servers since an October 2002 distributed denial of service (DDOS) attack, said Ben Petro, senior vice president of services with Internet service provider Neustar. Root servers manage the Internet's Domain Name System (DNS), used to translate Web addresses such as into the numerical IP addresses used by machines.

The attack appeared to have been launched by a group of compromised PCs, called a botnet, Petro said.

"Two of the root servers suffered badly, although they did not completely crash; some of the others also saw heavy traffic," said John Crain, chief technical officer with the Internet Corporation for Assigned Names and Numbers (ICANN), in an e-mail interview.

The two hardest-hit servers are maintained by the U.S. Department of Defense and ICANN, he added.

Read the article on Network World

Microsoft unveils Vista in biggest ever launch campaign

January 30 saw the launch of Microsoft's long-awaited Windows Vista operating system, to businesses and consumers worldwide, in what the software giant described as its "biggest ever launch".

The flagship product, which according to the company is, "the most significant product launch in Microsoft's history," consists of five different versions with two options for businesses - Vista Business is designed for small companies, while Enterprise Vista meets the needs of large global organisations with complex IT structures.

Paul Stoddart, Windows marketing manager at Microsoft, says that the benefits of Vista to businesses include increased security, easier mobility and improved productivity. These benefits, he says, are being communicated to the company's partners, although there is, "no broad brushstroke marketing campaign as such, as the majority of our businesses are volume licenses, so they are ongoing and we don't need to market to them in the traditional way."

Read the article in B2B Marketing Online

McAfee and RSA team for online banking security

McAfee, Inc. (NYSE: MFE) and RSA, The Security Division of EMC (NYSE: EMC), today announced that they have signed a definitive agreement to work together on an enhanced security solution that is expected to boost consumer confidence in online banking. The two companies plan to leverage McAfee® consumer desktop security products and the RSA® Adaptive Authentication solution to help enable financial institutions to provide more comprehensive protection for banking and online transactions.

McAfee's real-time (always on, always updating) security-as-a-service consumer products and RSA's authentication technology will be engineered to communicate with each other securely to enhance authentication of the legitimate user to their financial institution and provide powerful protection for the identities of online banking consumers.

Read the article

Free MiFID briefings on offer

A series of free MiFID briefings looking at practical responses to the new regulatory environment will be hosted around the country by Investmaster.

Speakers set to take part include Guy Sears, deputy chief executive of APCIMS, the organisation lobbying both Canary Wharf and Brussels over issues affecting private client investment managers and stockbrokers.

Sears will focus on coming COB rule changes, but particularly the practical changes firms must implement to survive the new environment.

Discussion will also look to how automation can assist, although the idea is to offer those who are less advanced in implementing a response to MiFID the chance to gain answers to questions about just what will be expected of their operating procedures and processes after November, when the new regime comes into force.

Read more at IFA Online

Managed Security Services: Buy Or Build?

Managed services in the channel took on a life of their own in 2006. Resellers and service providers, recognizing the need among SMBs, demanded changes in vendor pricing and services so they could build or sell vendor-managed services.

Given its placement at the top of end users' priority lists, security is one of the hottest opportunities in the services market. The grand potential for VARs, of course, is the SMB space, where companies typically don't have the internal resources to effectively and cost-efficiently secure their networks.

But there's confusion in the market around the pricing of services for companies that can't afford to pay for comprehensive, 24/7 coverage.

"All along, our bread and butter has been in the enterprise," says Fergal Lyons, senior product manager for Symantec Security Information Manager (SIM). "The smaller organizations, and the VARs supporting them, are not going to spend a couple-hundred grand for enterprise-level managed services."

Read the article in VAR Business

Tablus Partners With VeriSign to Provide PCI Auditing and Scanning Services

Tablus Inc., a leading provider of content protection solutions, today announced that VeriSign will use the Tablus Content Sentinel solution as part of the VeriSign Payment Card Industry (PCI) onsite audit and scanning services practice. VeriSign is an authorized security assessor for PCI Compliance to assist merchants and service providers with required annual audits.

"Companies are being forced to take a closer look at their existing security postures to examine how they can implement stronger solutions in line with industry mandates," said Anne Bonaparte, Tablus president and CEO. "VeriSign's use of the Tablus Content Sentinel in its PCI onsite audit and scanning service practice will enable enterprises to better assess their ability to safeguard sensitive customer information from illegal or improper use."

The PCI Data Security Standard was created by the major credit card companies to safeguard customer information. Visa, MasterCard, American Express and the other card associations mandate that merchants and service providers meet certain minimum standards of security when they store, process and transmit cardholder data. Achieving PCI compliance became mandatory on June 30, 2005; however, it has proven to be a difficult and complex process for many businesses that lack the resources necessary to meet the strict standards the PCI language sets out. The PCI Data Security Standard comprises 12 requirements, including the development and maintenance of a secure network, protection of cardholder data and maintenance of an information security policy.

Read the Article

Ahead of the Bell: Information Security

With news of hackers breaking into company transaction databases and other technology breaches ever more frequent, two security conferences in San Francisco this week are likely to generate extra attention.

The week starts off with the Americas Growth Capital Information Security Conference Monday.

The one-day event will feature panel discussions on database security, consumer risk management, secure messaging, threat management and other topics and feature speakers from both public and private companies.

Among the keynote speakers scheduled are Art Coviello, president of RSA, the security division of EMC Corp.; Jay Chaudhry, vice chairman and chief security officer for Secure Computing Corp.; Fred Amoroso, president and chief executive of Macrovision Corp., and Gene Hodges, president and chief executive of Websense Inc.

Representatives from EMC, Vasco Data Security International Inc., McAfee Inc., Aladdin Knowledge Systems Ltd., Citrix Systems Inc., CA Inc., Microsoft Corp., SonicWALL Inc., the TippingPoint division of 3Com Corp., GlobalSCAPE, Tumbleweed Communications Corp., ActivIdentity Corp., BMC Software Inc., VeriSign Inc. and Websense Inc. are scheduled to take part in the panel discussions.

Read the article in

Hackers' infections slither onto Web sites

It was the year when cybercriminals targeted everything from MySpace to Wikipedia. Even a Web site maintained by a Kentucky Boy Scout troop wasn't safe for casual browsing.

Computer-security experts said 2006 was also the year that hacking stopped being a hobby and became a lucrative profession practiced by an underground of computer developers and software sellers. Like true business people, bad guys not only broadened their reach by attacking popular social-networking sites, they also diversified their product line by launching attacks through popular software applications like PowerPoint and Adobe Reader and expanded their activities overseas.

Software makers who try to stop online crooks say they are bracing for a new level of nastiness in 2007, including malicious Web sites that are booby-trapped with software that automatically loads itself onto machines of users who simply visit a site.

"Hackers realize they have a limited time before their attacks are blocked, so they are opening up their arsenal and trying everything possible," said Yuval Ben-Itzhak, chief technology officer of Finjan Software, an Internet security company headquartered in San Jose, Calif.

Alex Eckelberry, president of Sunbelt Software, predicts attackers will target Windows Vista, Microsoft's new operating system. "The problem is Microsoft has thrown down the gauntlet and said, 'We have a secure operating system,' " he said.

Read the article in the Seattle Times

Security gets mainstream attention at RSA

The annual RSA Conference this week is expected to show evidence of a maturing security industry with an increasing role for big-name companies.

The event has long moved far beyond its origins as a get-together for cryptogeeks. It has developed into an annual gathering for corporate IT pros and a showcase for hundreds of companies, small and large, that hawk security products and services to businesses. This year is the 16th anniversary of the event. Again change is in the air.

"We're going to see a flight to quality, consolidation and quite a bit of merger and acquisition activity (in 2007)," said Andrew Jaquith, Yankee Group. "That's what's different about this year's RSA Conference; there is the slight whiff of blood in the air. You can sort of hear the screeching noises of the vultures overhead."

Security is becoming more structured and part of the IT infrastructure at companies, instead of being added on later, analysts said. Companies including Oracle, Microsoft, Sun Microsystems, Cisco Systems and Intel are vying for a piece of the pie, which may hurt the smaller industry players, they said.

Read the article in USA Today

Gemalto launches Network Identity Manager for online security

Online consumers wary of phishing, keyboard logging, bots and identity theft can now take control of their own network security with the Gemalto Network Identity Manager (NIM).

This self-contained, portable, network security solution plugs into a USB port, works with a standard browser, runs on any PC and does not require any software installations or downloads. An onboard network computer and Internet software create a PIN-protected digital safety zone, impervious to malware lurking in the PC or on the Internet. Yet, it is simple and intuitive for anyone to use. In addition, the NIM supports the VeriSign Identity Protection (VIP) Network, so consumers can use Gemalto's latest innovation with many different online businesses such as Northern Trust, Charles Schwab, PayPal, eBay and Yahoo!

"The NIM is a convenience breakthrough of the first order, and it is supported by Gemalto's 15 years of experience in digital security solutions worldwide," said Cedric Collomb, senior vice president, Network Identity Solutions, Gemalto. "For the first time smart card-class security can be deployed to mass consumer markets without significant support costs and complexity."

"Consumers are already struggling with multiple screen logins, challenge/response, one-time-passwords and other security measures when conducting online transactions," said Sally Hudson, a research director at IDC. "In addition to contributing to user confusion and overall inconvenience, some of these approaches still leave gaps in security. A single form factor that allows consumers to securely 'plug and play' should prove appealing to a wide range of technology adopters."

Read the article in Finextra

IE7 gives green light to trusted websites

Microsoft has quietly flipped the switch on a new feature in Internet Explorer 7 meant to combat phishing scams.

The software giant in early January made a change on its computer systems that allowed websites fitted with a new type of security certificate to display a green-filled address bar in Internet Explorer 7 (IE7), Markellos Diorinos, a product manager for Windows at Microsoft, said in an interview.

"We have rolled out many of the parts that are required to get it working. We're coming close to the point where all the moving parts are in place," Diorinos said. Microsoft plans to promote the green bar at next week's RSA Conference in San Francisco, an annual security confab kicked off by Microsoft chairman Bill Gates.

The coloured address bar, a new weapon in the fight against phishing scams, is meant as a sign that a site can be trusted, giving web surfers the green light to carry out transactions there. The green bar already appears on the secured sites of and VeriSign.

VeriSign has about 300 customers, including online retailer, that have signed up for the green bar certification process, said Spiros Theodossiou, a senior product manager at VeriSign. The company plans to unveil the names of more participating websites at the RSA Conference, he said.

Read the article in

Microsoft warns of Excel hack

Yet another unpatched bug in Microsoft's widely-used Office application suite is being used by hackers to hijack computers, the company's security team has warned.

Late Friday, Microsoft's Security Response Center (MSRC) confirmed that malformed Excel spreadsheets are being used to trigger an unspecified vulnerability in Office 2000, Office XP, Office 2003, and Office 2004 for Mac.

"We are aware of very limited, targeted attacks attempting to use the vulnerability reported," said Alexandra Huft, a security program manager with MSRC, on the group's blog. "[We] will provide updates through the MSRC weblog or the advisory as new information develops."

In an associated security advisory, Microsoft said the zero-day vulnerability's danger could extend beyond malicious Excel files, however. "While we are currently only aware that Excel is the current attack vector, other Office applications are potentially vulnerable," the advisory read. A patch is under development, Microsoft added.

Read the article in IT News

Compliance and Privacy Newsletter - 7 February 2007

In this issue:

  • Motives, Methods and Mitigation of Insider Threats - Live WebCast
  • Swedish bank suffers huge phishing fraud
  • MySpace files suit against phamous phishing king
  • MiFID: IT contractors ride high on the waves of change
  • Majority of Brits using online banking
  • Consumers Want Better Online Banking Security
  • Microsoft to push new antiphishing technology
  • McAfee Adds Phishing Protection to Free SiteAdvisor Product
  • Phishing overtakes viruses and Trojans
  • Swift data privacy not under our jurisdiction - ECB

Click Here for the Newsletter

Man-in-the-Middle Phishing Attack Successful Against Citibank’s 2-Factor Token Authentication

On July 10th, 2006, the Washington Post carried the first reports of a Man-in-the-Middle Phishing 2.0 attack against Citibank's CitiBusiness service. The phishing scam, originating in Russia, shows that cyber criminals are integrating multiple attack methods to defeat the latest security measures, such as the One Time Password (OTP) tokens implemented by banks.

“In my testimony to Congress in 2004, I warned that, as more people become aware of current “phishing” scams, the cyber criminals often get even more clever, and create new, more sophisticated techniques,” said Howard Schmidt former White House cybersecurity advisor and former Chief Security Officer of eBay and Microsoft.

In 2004, the first wave of "Phishing 1.0" attacks tricked unsuspecting consumers into clicking on links to fake bank websites and giving up their usernames, passwords and other personal information, leading to financial fraud and identity theft. Phishing 2.0 has evolved to combine traditional phishing 'hooks' with a Man-in-the-Middle attack (in the Citibank case involving a botnet) and URL spoofing. A Phishing 2.0 attack tricks the user into clicking on a link and logging in to their bank through the Man-in-the-Middle phishing proxy site. Because the proxy forwards the user's one-time password to the real site while the code is still valid, the token is defeated without being broken: it only proves that the token holder was present at login, not who is operating the session afterwards. The attack is actually easier to launch than traditional Phishing 1.0 scams because the attacker does not need to create and maintain a copy of a fake site. The phisher merely passes through the actual pages from the real web site, then steals data or changes transactions automatically using easy-to-write scripts.
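As an added illustration, not code from the article, from Citibank or from any vendor named on this page, the following Python simulates the relay the paragraph describes. A keyring token and a toy bank share an HMAC secret; the victim's one-time password is typed into a phishing proxy and forwarded to the real site while it is still valid, so the proxy ends up holding the authenticated session and can submit its own transfer. The second half shows the usual countermeasure, transaction signing, where the code also covers the payee and amount the user keyed into the token, so a relayed code fails once the proxy rewrites the transaction. The bank, the token, the counter window and the transaction-code format are assumptions made for the demonstration; only the plain HOTP construction follows a published standard (RFC 4226).

```python
import hashlib
import hmac
import struct
from typing import Callable, List, Optional, Tuple

# Constructed demo secret shared by the token and the bank; not a real key.
TOKEN_SECRET = b"constructed-demo-secret-not-a-real-key"


def _truncate(mac: bytes, digits: int) -> str:
    """RFC 4226 dynamic truncation: 31 bits taken at a MAC-selected offset, reduced to `digits`."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """Event-based OTP (RFC 4226): HMAC-SHA1 over the counter alone. Nothing in the
    code binds it to a session or a transaction, so whoever sees it first and relays
    it inside the bank's acceptance window can use it."""
    return _truncate(hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


def transaction_code(secret: bytes, counter: int, payee: str, amount: int, digits: int = 6) -> str:
    """Transaction-signing variant (an assumed design, not any bank's product): the MAC
    also covers the payee and amount keyed into the token, so a relayed code only
    verifies for the transfer the user actually approved."""
    data = struct.pack(">Q", counter) + f"{payee}|{amount}".encode()
    return _truncate(hmac.new(secret, data, hashlib.sha256).digest(), digits)


class Token:
    """The user's keyring device: same secret as the bank, its own event counter."""

    def __init__(self, secret: bytes) -> None:
        self.secret, self.counter = secret, 0

    def next_otp(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code

    def sign(self, payee: str, amount: int) -> str:
        code = transaction_code(self.secret, self.counter, payee, amount)
        self.counter += 1
        return code


class Bank:
    """Toy back end: checks codes against a per-user counter with a small look-ahead window."""

    def __init__(self, secret: bytes, sign_transactions: bool) -> None:
        self.secret = secret
        self.sign_transactions = sign_transactions
        self.counter = 0
        self.sessions: set = set()
        self.transfers: List[Tuple[str, int]] = []

    def _consume(self, code: str, expected: Callable[[int], str]) -> bool:
        for c in range(self.counter, self.counter + 5):   # tolerate a few unused token presses
            if hmac.compare_digest(expected(c), code):
                self.counter = c + 1                        # each counter value is usable once
                return True
        return False

    def login(self, otp: str) -> Optional[str]:
        if not self._consume(otp, lambda c: hotp(self.secret, c)):
            return None
        session = f"session-{self.counter}"
        self.sessions.add(session)
        return session

    def transfer(self, session: str, payee: str, amount: int, code: Optional[str] = None) -> bool:
        if session not in self.sessions:
            return False
        if self.sign_transactions and (code is None or not self._consume(
                code, lambda c: transaction_code(self.secret, c, payee, amount))):
            return False
        self.transfers.append((payee, amount))
        return True


def relay_attack(sign_transactions: bool) -> List[Tuple[str, int]]:
    """The relay described above, simulated: the victim talks to the proxy, the proxy
    talks to the real bank and forwards each code while it is still valid."""
    bank, token = Bank(TOKEN_SECRET, sign_transactions), Token(TOKEN_SECRET)
    # Step 1: the victim types the OTP into the proxy's copy of the login page; the
    # proxy replays it to the bank at once and now owns the authenticated session.
    session = bank.login(token.next_otp())
    assert session is not None
    # Step 2: the victim asks to pay alice 100 and, if the bank requires it, signs
    # exactly that on the token. The proxy rewrites the payee before forwarding.
    code = token.sign("alice", 100) if sign_transactions else None
    bank.transfer(session, "mallory", 100, code)
    return bank.transfers


def honest_transfer() -> List[Tuple[str, int]]:
    """Control case: the same transaction-signed transfer with no proxy in the path."""
    bank, token = Bank(TOKEN_SECRET, True), Token(TOKEN_SECRET)
    session = bank.login(token.next_otp())
    bank.transfer(session, "alice", 100, token.sign("alice", 100))
    return bank.transfers


if __name__ == "__main__":
    print("plain OTP, relayed:         ", relay_attack(False))  # [('mallory', 100)]
    print("signed transaction, relayed:", relay_attack(True))   # []
    print("signed transaction, honest: ", honest_transfer())    # [('alice', 100)]
```

The point is where the binding lives. A login-time OTP proves only that someone holding the token pressed it within the last few seconds, which a real-time proxy satisfies simply by relaying; a code tied to the transaction contents cannot be redirected without invalidating it. Transaction signing still depends on the user reading the payee and amount on the token's own display rather than trusting the (proxied) web page, which is why a PIN-protected device with its own screen, as in the Gemalto item above, matters more than the form factor.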

Read the article in BankInfo Security

Study Finds Consumers Consistently Deceived by Phishing Messages

ICONIX, Inc., the leading provider of visual email identification solutions, today announced results from an end-user study which found that, on average, email users opened one in six phishing messages (fake email messages created to defraud consumers). The study also found that consumers' tendency to open spoof messages varied widely according to the type of message. Open rates ranged from a high of one in four for fake messages claiming to be from social networks to a low of one in ten for fake messages purportedly from dating services.

The study included 10,557 participants, and was conducted during a six month time period from May-October 2006. Results of the study, which recorded actual email behavior, were categorized into eight segments based on the type of message received. The open rate of spoofed messages breaks down as follows:

  • Social networks – 24.9%
  • E-cards – 17.1%
  • Payment – 16.2%
  • Financial – 15.5%
  • Auction – 14.7%
  • Info – 12.9%
  • Retail – 12.1%
  • Dating – 9.5%

Read the article

PayPal acts to stamp out phishing attacks

PayPal's decision to introduce an optional two-factor authentication system highlights the increasing concern of banks and online payment organisations over phishing.

The amount of money lost to online banking fraud in the UK increased 55 per cent to £22.5m in the first half of 2006, according to figures from banking industry body Apacs – and all the signs indicate this amount will continue to rise.

Most phishing emails now target PayPal and eBay customers, largely because they are such a huge demographic (123 million customers at the end of 2006) but also because PayPal is designed to make it easy to move money around, which makes a stolen login immediately profitable and the service an attractive target for phishers.

Surprisingly, however, phishing is not a large financial problem for PayPal or its customers.

Michael Barrett, chief information security officer at PayPal, says the problem with phishing has more to do with perception than reality.

‘Financially, phishing is not even in the top five of categories that we suffer from fraud-wise. But when you say you work for PayPal, people say: "Oh, I get all these emails from you. What are you doing about that?" People perceive that there is an issue, so there is an issue,' he said.

Customers receiving phishing emails lose confidence, so PayPal's two-factor efforts should help with some of these worries.

Read the IT Week article

Swift data privacy not under our jurisdiction - ECB

The European Central Bank (ECB) would like to note that central banks are responsible for fostering financial stability and promoting the smooth operation of payment and settlement systems.

As SWIFT is a messaging provider and not a payment system, central bank oversight of SWIFT (performed by the G10 central banks and the ECB) focuses on its technical security, operational reliability, resilience, appropriate governance arrangements, and its having in place risk management procedures and controls. The monitoring of SWIFT activities that do not affect financial stability is not a matter for central bank oversight and therefore the US Treasury subpoenas of SWIFT were outside the purview of central bank oversight. The Oversight Group has no authority to oversee SWIFT with regard to compliance with data protection laws. The request by the European Data Protection Supervisor to bring data protection compliance within the remit of central bank oversight would not be in line with the allocation of legal responsibilities.

Read the article in FinExtra

PayPal tackles UK phishing concerns

Online payment broker PayPal is to offer a two-factor authentication system to UK customers before the end of the year.

The firm is testing the keyring-sized devices from VeriSign initially in the US and will then introduce them to the UK.

Michael Barrett, chief information security officer at PayPal, says the device will not be compulsory and customers wanting to use it will be charged.

‘We are looking at pricing it at about £2 to £3,' he said. ‘One of the things we are thinking about is making it compulsory for people whose accounts have been victim to fraud and for certain customer segments such as businesses,' he said.

Barrett says the system is part of a wider strategy to combat phishing.

‘This is only one piece of the puzzle. We are heavily pushing email signing technologies so that all outbound email is digitally signed using sender ID and domain keys.'

PayPal and eBay are the biggest targets of phishing attacks, with their users being the subject of more than 75 per cent of all phishing emails, according to security vendor Sophos.

Barrett says the VeriSign system will work with other companies that are on the same two-factor authentication network.

Read the article in Computing

Phishing overtakes viruses and Trojans

Phishing attacks have outstripped the number of emails infected with viruses and Trojans for the first time, according to security experts.

Security mail services vendor MessageLabs reported on Monday that in January 2007, one in 93.3 (1.07 percent) emails comprised some form of phishing attack. There were fewer emails infected with viruses — one in 119.9 emails, or 0.83 percent.

The difference in the ratio of phishing to virus attacks is partly due to virus attacks becoming more targeted and no longer occurring as one large outbreak. This includes the recent Storm Worm and Warezov attacks, according to MessageLabs.

"If you look at infected email traffic for January, it's very spiky," said Mark Sunner, chief technology officer at MessageLabs. "With Storm Worm there are clear spikes, then drops down to normal levels. It's as though someone is turning on the tap briefly, then letting it abate," Sunner told ZDNet UK.

Read the ZDNet article


This site is independent of all its sources
The contents of the site are sourced from across the industry. All copyrights are acknowledged.