Legal Disclaimer

  • This blog is made available by the law firm of Dickinson, Mackaman, Tyler & Hagen, P.C. for educational purposes only. It is intended to provide general information and a general understanding of the law, but not specific legal advice. This blog should not be used as a substitute for competent legal advice from a licensed professional attorney in your state. Use of this blog does not create an attorney-client relationship between you and Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its attorneys. The content of this blog is not an advertisement for legal services, nor is it an invitation to form an attorney-client relationship. Statements made in this blog are the viewpoints of the individual authors, and do not necessarily reflect the views of Dickinson, Mackaman, Tyler & Hagen, P.C. or any of its clients. Although this blog may address certain tax issues, it is not intended to constitute a reliance opinion as described in IRS Circular 230 and, therefore, cannot be relied upon by itself to avoid any tax penalties.

Categories

Recent Posts

Archives

More...

Other Banking Law Websites

Privacy

Wednesday, October 06, 2010

New FDIC Guidance on Copy Machines: An Update to “How Much Does Your Copy Machine Know About You?”

- Posted by Mary A. Zambreno

On September 15, 2010, the FDIC issued new guidance to financial institutions on mitigating the privacy risks created by confidential and sensitive information stored on copy machines, fax machines and printers.

 

We first warned about the potential for such risks in a May 2010 blog post titled “How Much Does Your Copy Machine Know About You?”

 

The FDIC’s guidance suggests the digital images stored by financial institutions on certain electronic devices that contain a hard drive – such as copy machines, fax machines, and printers – are at risk of being proliferated to third parties.  Because many financial institutions lease these machines and then either return them to the leasing company at the end of the leasing period or sell them, third parties who later take possession of the machines will have access to the sensitive data stored on the hard drives.

 

The FDIC, therefore, has advised that all financial institutions implement written policies and procedures to identify the devices they use which store digital images.  These policies will need to include a procedure to ensure that these hard drives are either erased or otherwise destroyed before they are disposed of.  This issue may come up during a bank examination, so financial institutions need to be prepared. 

 

If your financial institution needs assistance in drafting such a policy or if you have questions regarding the FDIC’s latest guidance to financial institutions, please contact Mary A. Zambreno at 515-246-4512 or mzambreno@dickinsonlaw.com.

Posted at 12:15 PM in FDIC Regulation, Indentify Theft, Privacy, Web/Tech | | Comments (0) | TrackBack (0)

Tuesday, September 07, 2010

Vishing and Smishing = The New Phishing?

According to various community banks across the country—from such states as Illinois, Rhode Island, New York, Oregon, Arkansas, Virginia, Alabama, and Texas—phone- and text-based banking attacks are on the rise.  Phone-based phishing, or “vishing” attacks, and text message-based phishing, or “smishing” attacks, are becoming more prevalent in low-fraud locations, according to this Bank Info Security article.  The reasons?  Customers are becoming more aware of e-mail attacks, e-mail spam filters are becoming more sophisticated, and text-based mobile banking is growing in popularity.

 

Customers are contacted by the so-called vishing or smishing fraudsters claiming to be representatives of the customer’s bank or credit union.  These fraudsters are apparently obtaining customer telephone lists through methods as simple as dumpster diving.  Customers are advised not to respond to a request via telephone or text message that requests information that could compromise their identity.  Banks are advised to educate their customers about secure mobile telephone usage.

 

For more information, please contact Mary A. Zambreno at 515-246-4512 or mzambreno@dickinsonlaw.com.

Posted at 04:14 PM in Bank Security, Consumer Protection, Indentify Theft, Internet Banking, Privacy, Web/Tech | | Comments (0) | TrackBack (0)

Tuesday, June 22, 2010

Should Your Bank Have the Jitters Over Jitter?

More than $1 billion annually – that’s the U.S. Secret Service estimate of losses attributable to ATM “skimming,” according  to this Bank Information Security article.  And according to ADT Security Solutions, losses per skimming incident are averaging approximately $30,000 and tend to cost financial institutions and their customers as much as ten times more than losses during a robbery.

 

What exactly is skimming?  A skimmer is a device that is attached to an ATM and is designed to read customers’ account information stored on the magnetic strip on the back of bank cards.  Depending on the complexity of the device, it could also store customers’ personal identification numbers as they are being typed into the ATM keypad.  The idea is to trick customers into believing the skimmer is where their cards should be inserted.  Fraudsters can then gain access to the customers’ account information and PINs to generate new cards and deplete the customers’ bank accounts.  Skimming can also take place at cash registers.  Generally, wherever bank cards are used, customers are vulnerable to skimming fraud.

 

More than seven years ago, various manufacturers came out with “jitter” technology designed to prevent skimming.  Jitter technology uses a start-stop motion – hence the name – when the card is inserted into the ATM.  Because the motion is not the fluid motion skimmers need to accurately copy magnetic strip information, the recorded copy becomes entirely unusable.  Most financial institutions worldwide use jitter technology on their ATMs.  In fact, the Vice President of Risk Policy Management for the American Bankers Association stands behind jitter technology as a reliable method of preventing skimming. 

 

Others argue, however, that jitter technology is outdated and also does not work on machines with dip readers, where customers are required to manually insert and remove cards, or on cash registers and pin pads, where cards have to be fluidly swiped.  Still others recommend that jitter technology be used in combination with other approaches, such as radio-frequency jamming, which would detect foreign objects placed on ATMs; camera surveillance of ATMs; or vibration sensors to detect when a skimmer is drilled into an ATM.

 

Until there is a way to store customers’ account information somewhere other than on a bank card’s magnetic strip, it appears jitter remains a cost-effective measure for financial institutions.  In the meantime, customers should be vigilant when using ATMs, avoid ATMs that seem fishy, and report a suspicious ATM to the appropriate bank or to police immediately.  Financial institutions should take precautions to properly and frequently monitor all of their ATMs to maximize their chances of detecting skimming devices before they can be used.

 

For more information, please contact Mary A. Zambreno at 515-246-4512 or mzambreno@dickinsonlaw.com.

Posted at 11:27 AM in Bank Security, Consumer Protection, Indentify Theft, Privacy | | Comments (0) | TrackBack (0)

Technorati Tags: , ,

Wednesday, May 26, 2010

How Much Does Your Copy Machine Know About You?

Do not open attachments from senders you do not recognize.  Do not download applications from websites you do not trust.  Scrub your metadata clean before sending documents via email.  Privacy and identity theft issues have been a source of concern for anyone using a computer in the last couple of decades.  As a result of everything from hackers accessing bank account information to viruses downloaded by unknowing individuals, today's consumers want to ensure that their private and sensitive information remains just that – private.

 

Much focus has been placed on protecting private and sensitive information stored on computers.  But what about copy machines?  Nearly every recent digital copy machine functions by taking an image of the page you want reproduced, scanned, or emailed and then generating duplicates based on the stored image.  The same goes for fax machines.  Like computers, copy machines have hard drives where these images are stored.  And like computers, these hard drives can be easily accessed by hackers or by unsuspecting second-hand purchasers.

 

An interesting CBS News story recently discussed this very topic.  In its investigation, CBS purchased four used copy machines from a warehouse without knowing where each machine originated, then accessed the hard drives from each machine using free forensics software they downloaded from the web.  The results were astonishing.  From the copy machine that originated from the Buffalo Police Department, CBS was able to download detailed domestic violence complaints and lists of sex offenders.  From the narcotics department, it downloaded a list of targets in a major drug raid.  From a New York construction company, it downloaded specific plans and sketches for a building going up near Ground Zero and copies of its employees’ paystubs and checks.  From a New York insurance company, it downloaded 300 pages of individual medical records, from blood test results to prescriptions.

 

With the vast amount of sensitive information stored on copy machines, and the fact that such data can be accessed by anyone, companies might inadvertently find themselves in breach of federal and state privacy laws and ethics rules.  Just as the hard drive must be scrubbed or removed from a computer that is being retired, so must the hard drive on a copy machine be erased or removed to prevent your clients’ and customers’ data – or your own – from falling into the wrong hands.  Currently, there are no laws or standards that stipulate how data on copy machines or fax machines should be permanently removed.  Some newer models of copy machines contain a feature that automatically erases the stored data with the push of a button, but such functionality is still far from prevalent. 

 

As always, with new technologies come new privacy concerns and issues.  And as always, vigilance is necessary when it comes to protecting your private and sensitive information and that of your customers, employees, and other constituents.

 

For more information, please contact Mary Zambreno at 515-246-4512 or mzambreno@dickinsonlaw.com.

Posted at 11:39 AM in Indentify Theft, Privacy, Web/Tech | | Comments (0) | TrackBack (0)

Search

Firm Website

Contact Us

Enter your email address:

Delivered by FeedBurner

Suggested Blogs & Sites

Copyright Notice

  • © Dickinson, Mackaman, Tyler & Hagen, P.C. and Iowa Banking Law Blog, 2007-2010. Unauthorized use and/or duplication of this material without express and written permission from this blog’s owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Dickinson, Mackaman, Tyler & Hagen, P.C. and the Iowa Banking Law Blog with appropriate and specific direction to the original content.