Tips for Tech

Tech Alert Briefing for 3/21/2008

March 21, 2008
Update covering March 14 - 20, 2008

Welcome to Tech Talk! In this edition, BOL Gurus John Burnett and Andy Zavoina write about a hacked retailer, mobile phones, online gambling and more.



You'll read about:

  • the Hannaford Brothers data breach
  • a need to surpass security standards
  • security mistakes that can ruin your day
  • text messaging vishing attacks
  • security outsourcing
  • Microsoft's bad Excel patch
  • major security changes from Apple
  • virtual safe deposit service
  • ways to get your message to management
  • a guilty plea from the "Spam King"
  • productivity gains from big screens
  • a flight change in your future
  • increases in mobile website use
  • March Madness website office pools
  • arrival of Vista SP1
  • US-CERT's latest vulnerabilities list

Get the details below.
When Meeting Standards Isn't Enough
As data security at Hannaford Brothers is minutely examined in the wake of its data breach announcement, first reports suggest that the theft occurred in spite of Hannaford's compliance with highly-touted Payment Card Industry (PCI) data security standards. One security vendor is investigating a number of data breaches that parallel the Hannaford experience -- theft of data during transfers between retailers and credit card processors in the authorization process. Security Fix reports hackers are targeting gaps left even after PCI standards are followed.

Supermarket Data Breach
Early this week, the Maine-based Hannaford Brothers supermarket chain announced an intrusion into its computer network that resulted in the theft of about 4.2 million credit and debit card numbers and expiration dates. The information was reportedly stolen during card authorization transmissions, and affected Hannaford stores in New England and New York, and Sweetbay stores in Florida, along with some independently-owned stores that routed card transactions through the Hannaford system. To date, about 1,800 fraud cases have been linked to the Hannaford breach, according to details in the InfoWorld article.

Hopefully you'll never have to research the data breach laws in all states, but in case you do, check out this interactive map at CSO online. It may be a site you'll want to bookmark.

10 Security Mistakes to Avoid
Your bank may spend a lot of money on information security. But there are 10 security mistakes that can spell disaster in spite of all the money you spend on technology. They run the gamut from email address foul-ups to throwing too many of the wrong people at a problem, to keeping the wrong data. Read the InfoWorld article to get the whole Top Ten list.

Back to the Old Vishing Hole
Last week we warned against mobile spam via text message. Ironically, last week also saw a number of "vishing" attacks against financial institutions' customers. Phony text messages announced that a bank account had been closed for suspicious activity, and provided a phone number to call "to reactivate the account." Of course, the phone number led to a voice mail box that convinced the caller to give up a debit or credit card number, expiration date and PIN. In the latest version of these attacks, text messages are geographically targeted to increase the likelihood of reaching real targets. Security Fix has details of how the recent scams were initiated.

Is Outsourcing the Answer?
Outsourcing routine security functions may be tempting. It can free up your IT staff to work on enterprise strategy priorities. Or it can surrender control of your institution's data security to outsiders whose interests focus on fulfilling a contract and collecting a fee. Recent surveys indicate that IT pros aren't racing to push security management to outside firms. Read a discussion of the pros and cons of security outsourcing in a NetworkWorld article.

Microsoft Patch Miscalculation
"Oops!" said Microsoft in a warning to Excel 2003 users. Certain users of the spreadsheet who use Real Time Data sources in Visual Basic to incorporate data from outside applications will get incorrect results after applying one of the patches released last week. Microsoft has re-released the update and corrected the error. See the PC World article for details.

Major Apple Updates
Apple released two huge security updates this week. Version 3.1 of its Safari web browser patches 13 security vulnerabilities that affect both the Windows and Mac editions. According to a Computerworld report, most of the vulnerabilities were cross-site scripting bugs. Apple's major update, however, came in Security Update 2008-002, which addressed 87 holes in Mac OS X versions 10.4.11 and 10.5.2 client and server editions. Eighteen of the OS X components affected are Apple products. Another dozen are third-party applications in the OS X bundle. A second Computerworld article offers details on the major OS X security release.

Virtual Safe Deposit Boxes Available
As more and more people realize the need to protect electronic documents, they are weighing safety, accessibility and whether the "vault" they choose will be around in the years to come. Nobody wants to see a dot-com bust that exposes their data or makes it inaccessible. Enter Wells Fargo and its plans for a virtual safe deposit box. Read about it in the San Francisco Chronicle.

Getting Your Point Across
How good are you at communicating your needs to upper management of your financial institution? Do your discussions about botnets, servers, and the PCI Data Security Standard fall on deaf ears? If you can't talk in terms of risk to the enterprise -- whether it's financial or reputation risk -- management won't get the message. Before they tell you "It's all 'geek' to us," get some help to understand the perspective of your audience. InfoWorld has more on this story.

Will the Spam King Finally Pay?
You may have heard of Robert Soloway. The 28-year-old professional spammer may finally be getting his comeuppance. For years he has avoided paying any of the judgments in several civil cases against him. However, last Friday he pleaded guilty to Justice Department charges of fraud and tax evasion. Whether or not Soloway is ordered to pay any of the $700,000 that Justice sought in its 2007 charges, he does face up to 26 years in jail when he is sentenced on June 20. For more on this story, read the Computerworld article.

Wider Screens for Increased Output
The University of Utah produced a "Productivity, Screens and Aspect Ratio" study and concluded that larger monitors for employees can increase their work productivity by 76 work days a year. Should you invest in wider screens? Read the specifics on the study in PCW Business Center.

Please Show Your Cell Phone Boarding Pass and ID
E-tickets and check-in kiosks when you're flying are nothing new. But what is the next step? Electronic boarding passes with your cell phone as the device of choice. Continental Airlines is testing a system using an encrypted bar code sent to a mobile phone. That bar code may be scanned by the airlines and by security. Approval is pending from TSA, which seems to like the idea. For details on how it works, read the New York Times story.

And speaking of increased cell phone use...
It may be time to ensure the code on your website is as clean as it should be. Or consider offering a mobile version of your site. With cell phones offering better plans and faster connections, Google reports that website use on mobile devices is rising. Scientific American has the story.

It's March Madness, Gimme $50 On...
March Madness is here and with it the usual spate of office pools. The FBI warns that internet gambling is illegal, and if pools show up on social networking sites, there could be penalties to pay. Computerworld has the story.

Vista SP1 is Here
Microsoft has released Vista Service Pack 1. It purports to improve reliability, security and performance. Comments on the download and results are posted with more information on myway.

116 Make Latest US-CERT List
The US-CERT Vulnerability Summary for the Week of March 10, 2008, lists 63 High and 52 Medium weaknesses, and one Low-severity flaw. High severity security faults were listed for Adobe and Microsoft products, among others.



First published on 03/20/2008
