[ISN] FDIC advises banks on how to protect against spyware

From: InfoSec News (isn@private)
Date: Mon Jul 25 2005 - 01:22:37 PDT


http://www.computerworld.com/securitytopics/security/story/0,10801,103450,00.html

By Lucas Mearian 
JULY 22, 2005
COMPUTERWORLD

The Federal Deposit Insurance Corp. (FDIC) today issued a list of
best practices for financial services firms that details how to
protect against spyware, which the agency said can be used by
criminals to collect customer data or hack into banking systems.

"It is critical that banks stay vigilant about the risks involved with
this malicious software and take appropriate action so that they and
their customers do not fall victim to it," said Michael Zamorski,
director of the FDIC's Division of Supervision and Consumer
Protection.

The guidance spells out the risks associated with spyware and
recommends actions that financial institutions can take to mitigate
those risks on internal computers as well as on those used by
customers to connect to transactional banking Web sites.

The FDIC recommends rolling out multifactor authentication to limit
the ability of identity thieves to access customer accounts. Firms
should also consider spyware as part of their risk-assessment analysis
and bolster security against it by setting Internet-use policies for
employees. The FDIC also recommends that banks advise customers on the
risks of using public computers such as those in hotels, libraries or
Internet cafes to connect to online banking Web sites because of the
uncertainty of what spyware may have been installed on the public
equipment.

According to the FDIC, the risks associated with spyware include
allowing attackers to eavesdrop and intercept sensitive
communications, such as customer IDs and passwords; allowing
unauthorized access to user accounts; permitting unauthorized access
to bank systems; and increasing vulnerability to other Internet-based
attacks, such as phishing.





