October 10, 2005
A note about broken links: In the News links to current stories at various news sources on the Internet. Over time, some of the links may become broken when a source removes the stories from its pages. Often you can find the same story at another source by searching the title or author of the article. If you have questions about a link, send us an e-mail by clicking here.
IBM Announces It Will Not Use Genetic Information on Employees
U.S. Banks Slow to Adopt Biometrics
The Associated Press reports that banks in South America are increasingly adopting biometrics to identify customers at automated teller machines, but banks in the United States have been slow to do so because of concerns about expense and privacy. "Privacy concerns, expense keep fingerprinting, eye scans out of U.S. ATMs," http://www.sanluisobispo.com/mld/sanluisobispo/business/12855627.htm
Zombie Army Shut Down in the Netherlands
Dutch authorities have arrested three men who allegedly controlled a network of over 100,000 zombie computers that they used to launch denial of service attacks and to hack into sites like PayPal. See "Dutch smash 100,000-strong zombie army," http://www.theregister.co.uk/2005/10/07/dutch_police_smash_zombie_network/ For more information on zombies, see "Hunting Down Zombies and the Criminals Who Use Them," "In the News," Friday, October 7, 2005.
Another Stolen Laptop With Financial Information
Bank of America is advising customers that sensitive information about their accounts was on a laptop computer that was stolen at the end of August. The data on the computer, which reportedly belonged to a third-party service provider, was not encrypted. "Bank of America notifying customers after laptop theft: Users of Visa Buxx prepaid debit cards affected," http://www.computerworld.com/securitytopics/security/story/0,10801,105246,00.html?source=x73
October 11, 2005
Industry Groups Align Behind Data Security Bill
This morning's American Banker reports that major industry groups, including the U.S. Chamber of Commerce and the Financial Services Roundtable, are lining up behind a data security bill introduced by Representatives Steven C. LaTourette (OH), Michael Castle (DE), and others. The bill would require companies that hold sensitive consumer information to take steps to protect the security of that data and to notify consumers if such security measures are breached. The bill appeals to industry because it is among the narrowest bills currently being considered. Other bills, such as the bill proposed by Senators Arlen Specter and Patrick Leahy, would go beyond requiring security procedures and notice and give consumers additional rights, such as a right to block businesses from accessing their credit reports. "Data Security: Debate Starts on Legislative Response," http://www.americanbanker.com/article.html?id=20051007VJ9OQOUY&from=washregu (subscription required)
Is the U.S. Ready for a Cybersecurity Attack?
CNet News.Com has an article questioning whether the country is ready for a cybersecurity attack. The authors suggest that changes in personnel at the Department of Homeland Security and the administration's shift in focus after 9/11 have contributed to a lack of readiness. The House of Representatives has adopted legislation creating an Assistant Secretary of Cybersecurity. The Senate has not yet acted on the bill. "U.S. cybersecurity due for FEMA-like calamity?," http://news.com.com/U.S.+cybersecurity+due+for+FEMA-like+calamity/2100-7348_3-5891219.html?tag=cd.top
Lack of Trust Puts Damper on Internet Sales
B to B Magazine's site includes an article that discusses an increasing reluctance among consumers to transact business online. The article notes that businesses too are becoming more wary of the Internet. "Lack of trust hampering online direct marketing," http://www.btobonline.com/article.cms?articleId=25689
Who Should Pay for Identity Theft Protection?
Recognizing the impact that recent security breaches have had on consumer trust, banks are beginning to offer identity theft protection services to their customers for a fee. But, as the Portland Business Journal notes, privacy groups argue that banks should not be permitted to charge for such services, but instead should provide them as a feature of their normal product offerings. The Journal quotes a representative of the Privacy Rights Clearinghouse as saying, "My feeling is no one should have to pay for credit monitoring. . . If there's activity, the customer should be notified. It's as simple as that." "Bank ID-theft charges rankle privacy groups," http://www.bizjournals.com/portland/stories/2005/10/10/story2.html
Fighting Credit Card Fraud With PINs
Beginning February 14, 2006, consumers in the United Kingdom will need to enter a personal identification number to authenticate their credit card transactions. UK card issuers experimented with chip and PIN technology in the first six months of 2005 and found excellent acceptance by consumers, who overwhelmingly thought the technology was easy to use. They also found that credit card fraud losses decreased by almost 30%. "Chip and PIN gets loved up," http://www.theregister.co.uk/2005/10/10/chip_and_pin/
October 12, 2005
Debating RFID Technology
Debate over the use of radio frequency identification (known as "RFID") tags by the consumer products industry and by government continues to percolate beneath the surface of American public opinion. It is likely that few in the general population have heard about RFID technology, although it is already widely in use. An RFID tag is a small computer chip with an antenna that is used to communicate with an RFID receiver. The tags contain information that is read by the receiver.
In a supply chain, for example, the tag might include an identification of the product, the date of manufacture, and the store to which it is to be delivered. Tags can also be used to hold and transmit information about people. For example, MasterCard has begun putting RFID chips in debit cards ("MasterCard to Put RFID Chip in Debit Cards," In the News, September 21, 2005) and governments are beginning to use RFID chips to track vehicles ("U.K.'s Car Tracking System," http://www.npr.org/templates/story/story.php?storyId=4805343&sourceCode=RSS) and people ("Tracking People With RFID Tags," In the News, September 7, 2005).
Last week, In the News linked to a review of a book that alleges that business and government are conspiring to track the movements of people. ("Conspiracy Theory: Opposition to RFID Technology From Fundamentalist Christians," In the News, October 6, 2005.) Hiawatha Bray, writing for The Boston Globe, wrote a column earlier this week in which he suggests that the concerns expressed in the book should not be dismissed as paranoid. Bray argues that regulation of RFID cannot be left to developing industry standards without government oversight and restraint. "You need not be paranoid to fear RFID," http://www.boston.com/business/technology/articles/2005/10/10/you_need_not_be_paranoid_to_fear_rfid/
Bret Clevenger, reviewing the book for the student newspaper at Northern Illinois University counsels people not to fear RFID technology. Clevenger believes that the leaders in the RFID industry are aware of the privacy concerns and working to address them. He concludes that, "RFID is a technology that will bring us accuracy, convenience and safety. It's something we should embrace and look forward to." "Don't fear tracking technology," http://www.star.niu.edu/articles/?id=11932
Meanwhile, InformationWeek has a lengthy story that describes some of the uses to which industry is attempting to put RFID tags and the technological difficulties of doing so. "RFID Implementation Challenges Persist, All This Time Later," http://www.informationweek.com/story/showArticle.jhtml?articleID=171203904
Technology Is Not the Only Threat to Your Data
News stories about phishing attacks, spyware, and data breaches are apparently taking a toll on the level of consumer confidence in transacting business on the Internet. See "Lack of Trust Puts Damper on Internet Sales," In the News, October 11, 2005. An article in The Wall Street Journal, however, reminds us that the Internet is responsible for just a small portion of identity theft and fraud. Instead, most identity theft and fraud occurs the old-fashioned way, through the theft of credit cards, bank statements and other physical documents. According to The Journal, only 2.2% of the cases of identity theft or fraud are attributable to computer viruses or hackers. Twenty-nine percent are the result of a lost or stolen credit card, checkbook, or wallet. The remainder is attributed to "friends and relatives, corrupt employees, stolen mail, Dumpster-diving, and computer spyware." (The Journal does not explain why it counts spyware separately from viruses; in security usage, spyware is software that collects information from a machine, while a virus is code that copies itself to other programs or machines, so the two categories overlap but are not the same.) "Identity Theft Unplugged," http://online.wsj.com/public/article/SB112872681279163325-yzL7dPyoMbmIOHY5mDZKt0DBmOQ_20061007.html.
A Health Information Network: It's a Matter of Trust
The Markle Foundation has released a survey showing that 70% of Americans support a nationwide health-information exchange or network for doctors and patients. According to the survey, 80% of respondents think that if physicians kept electronic medical records on patients, health-care quality would improve and medical errors would be reduced. However, the Markle Foundation notes that ensuring patient privacy and security remains the top priority in order for consumers to accept any such network, and sets forth seven patient and consumer principles that should guide the development of such a network. "Most Americans Support Notion Of Health Information Network," http://www.informationweek.com/showArticle.jhtml?articleID=172300244.
October 13, 2005
August Phishing Trends Report
The Anti-Phishing Working Group ("APWG") has issued its Phishing Activity Trends Report for August 2005. The report showed a slight reduction in unique phishing e-mail reports (13,776) but an increase in the number of unique phishing web sites (5,259). The number of phishing web sites was at an all-time high. The APWG suggests that this increase may reflect two trends: the targeting of a broader group of smaller brands and the increased use of multiple phishing sites, making it more difficult to take them down.
The APWG reported that phishing sites targeting very small financial institutions in North America are appearing steadily. It also found the number of phishing messages purporting to come from Internet service providers is on the increase. The financial services sector continues to be the primary target for phishing attacks (84.5%). The APWG also noted that the use of keyloggers continued to climb. "Phishing Activity Trends Report: August 2005," http://antiphishing.org/apwg_phishing_activity_report_august_05.pdf
Sophos, a software security company, reports that the number of spam messages being relayed by computers in the United States has fallen, while spam originating from South Korea and China is up. Sophos says that more than 60% of spam is sent from zombie computers working at the direction of spammers. Press Release: "Sophos reveals latest 'dirty dozen' spamming countries," http://www.sophos.com/pressoffice/pressrel/us/dirtydozoct05.html.
Who Should Regulate Spyware?
Declan McCullagh, writing for CNET News.com notes that there are currently five spyware related bills in Congress, but argues that Congress should do nothing. McCullagh advocates a state-by-state approach, allowing the states to become "laboratories of democracy." He quotes a 2001 paper by two professors from George Mason University who maintain that federal legislation hampers Internet technology while a state-by-state approach would better suit "the evolving nature of the Internet." "Get ready for 'Son of Can-Spam,'" http://news.com.com/Get+ready+for+Son+of+Can-Spam/2010-1071_3-5892166.html
U.S. Law Affects Canadian Companies
David Fraser, who writes The Canadian Privacy Law Blog, has posted an article he wrote for Lawyer's Weekly describing how Canadian businesses are affected by U.S. privacy laws, especially the USA Patriot Act. "The Impact of U.S. Law on Canadian IT Businesses," http://www.privacylawyer.ca/blog/2005/10/impact-of-us-law-on-canadian-it.html.
October 14, 2005
Bank Agencies Say Single-Factor Authentication Not Enough
The Federal Financial Institutions Examination Council, composed of the federal bank, thrift, and credit union regulators, has issued a new Guidance regarding how banks should authenticate customers who use Internet banking services. In it, the regulators say that single-factor authentication – such as the use of a password – for some Internet transactions is not sufficient to protect customers.
The FFIEC directs financial institutions to do a risk assessment of their Internet-based products and services and to adopt an authentication method appropriate to the level of risk. Financial institutions must "assess the adequacy of such authentication techniques in light of new or changing risks such as phishing, pharming, malware, and the evolving sophistication of compromise techniques." The FFIEC declares that a single-factor method of authentication, such as an ID/password, will be considered inadequate for "high-risk transactions involving access to customer information or the movement of funds to other parties." The appendix to the Guidance includes a useful catalog of multifactor authentication methods a bank may wish to consider.
The new Guidance, which can be found at http://www.ffiec.gov/pdf/authentication_guidance.pdf, replaces one that was issued in 2001. The new guidance applies to all customers of the bank, both retail and commercial.
This morning's American Banker is running an article describing multifactor authentication methods on display at the annual convention of the Association for Financial Professionals, a trade group for corporate treasury executives. "Different Approaches to Corporate Authentication," http://www.americanbanker.com/article.html?id=20051013Z34V1PXI&from=technology. (Subscription required.)
Cyberthieves Counter New Authentication Method With Screen Scrapers
In an effort to guard against keyloggers – malware that records a computer user's keystrokes and forwards them to a cyberthief – some financial institutions have begun to require users to enter their passwords by using a mouse to click a keyboard displayed on the screen. In the chess game that is hacking, cyberthieves have responded by using "screen scrapers," malware that records the interaction of the mouse and the screen, so that a password entered by clicking is captured just as a typed one would be. An article in eWeek.com discusses screen scrapers and the efforts of some banks to foil them using multifactor authentication methods. "Phishers Zero in on E-Banking," http://www.eweek.com/article2/0,1759,1867957,00.asp?kc=EWRSS03119TX1K0000594
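The common thread between the FFIEC's call for something stronger than a password on high-risk transactions and the screen-scraper story above is that any secret the customer enters through the keyboard or mouse can be captured and replayed. The following is an added example, not code from the eWeek article, the FFIEC Guidance, or any bank; it shows one of the multifactor methods of the kind the Guidance's appendix catalogs, an event-based one-time password (HOTP, RFC 4226) from a hardware token alongside the password. The BankServer and HardwareToken classes and the capture-and-replay scenario are constructed for illustration; the point they show is that even a complete capture of a login (password plus code) is useless to the thief, because the server retires each counter value once it has been used.

```python
"""Replay-resistant second factor (HOTP, RFC 4226) beside a password.

Added example; the server/token model and the scenario are constructed
for illustration, not taken from the articles or the FFIEC Guidance.
"""
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    then dynamic truncation to a short decimal code."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{binary % (10 ** digits):0{digits}d}"


class BankServer:
    """Hypothetical server requiring a password (which a keylogger or
    screen scraper can capture) plus a one-time code from a token."""

    LOOK_AHEAD = 5  # tolerate a token whose counter has run ahead of ours

    def __init__(self, password: str, token_secret: bytes):
        self._password = password
        self._secret = token_secret
        self._counter = 0  # next counter value the server will accept

    def login(self, password: str, otp: str) -> bool:
        # Constant-time comparisons so a thief cannot time the check.
        if not hmac.compare_digest(password.encode(), self._password.encode()):
            return False
        for c in range(self._counter, self._counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self._secret, c), otp):
                self._counter = c + 1  # consumed: c is never accepted again
                return True
        return False


class HardwareToken:
    """Customer's token: shares the secret, keeps its own counter,
    and emits one fresh code per button press."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._counter = 0

    def press(self) -> str:
        code = hotp(self._secret, self._counter)
        self._counter += 1
        return code


def replay_scenario() -> dict:
    """Constructed scenario: malware captures a full login (password and
    code); the replay fails because that counter value has been consumed.
    Also shows the drift case: the customer pressed the button twice
    without logging in, and the look-ahead window still accepts them."""
    secret = b"12345678901234567890"  # RFC 4226 test-vector secret
    server = BankServer("correct horse battery", secret)
    token = HardwareToken(secret)

    captured_pw, captured_otp = "correct horse battery", token.press()
    first = server.login(captured_pw, captured_otp)    # customer logs in
    replay = server.login(captured_pw, captured_otp)   # thief replays capture
    token.press()                                      # pressed, not used
    token.press()                                      # pressed, not used
    drifted = server.login(captured_pw, token.press())  # accepted via look-ahead
    return {"first": first, "replay": replay, "drifted": drifted}


if __name__ == "__main__":
    print(replay_scenario())  # {'first': True, 'replay': False, 'drifted': True}
```

The look-ahead window is the practical edge case: without it, a customer who pressed the token button a few times without completing a login would be locked out; with too large a window, a thief who captured many future codes would have more to work with. Either way, the code the scraper recorded during the customer's own session is dead once the server has advanced past it, which is the property a password alone lacks.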
This message is provided by the Privacy and Information Security Task Force at Warner Norcross & Judd LLP to advise you of recent developments in the law affecting privacy and data security. Because each business situation is different, this information is intended for general information purposes only and is not intended to provide legal advice on any specific facts and circumstances.
Warner Norcross & Judd LLP (www.wnj.com) is a full-service law firm with four offices in Michigan. Our Privacy and Information Security Task Force includes lawyers from across the Firm's practice areas who work together to help businesses ensure the security of their information systems and electronic data and to assist businesses who have experienced a data breach to limit their liabilities and prosecute hackers and data thieves. For information about the Privacy and Information Security Task Force at Warner Norcross & Judd LLP, e-mail Rodney Martin at firstname.lastname@example.org or write him at Warner Norcross & Judd LLP, 111 Lyon Street NW, Grand Rapids, MI 49503.
"Privacy and Information Security In the News" is a free publication of Warner Norcross & Judd LLP and its Privacy and Information Security Task Force. You can choose to receive it either daily (usually by 9 a.m. each weekday) or weekly (usually by 9 a.m. on Friday morning). If you would like to receive this publication, please respond to this e-mail and let us know the frequency at which you would like to receive it. If there are others in your organization who should receive "In the News," either include their names and e-mail addresses in your message or forward this message to them so they can respond.
Should you ever wish to stop receiving "In the News," simply click here to send us an e-mail message and we will remove your name from the subscription list. Rest assured that we will not sell your contact information or share it with anyone outside our firm.