Bank starts to sell PKI

July 2005 Network Security

NEWS

Bank starts to sell PKI

Brian McKenna

The Royal Bank of Scotland has launched a managed PKI service intended to take the technology beyond large organizations.

The bank's four-year-old TrustAssured division has unveiled Eident, an identity management service that uses digital certificates to secure emails, protect data and secure online communications.

RBS is hoping to parlay two hundred years of banking activity into the underwriting of business-to-business e-commerce. "This is about putting trust into transactions", said George Evers, Head of Solution Design, RBS, TrustAssured. "Technology companies are not really able to do that, hence the failure of Microsoft Passport. Anyone could get an identity under that, and no value was placed on the value of the identities".

Eident builds on the same PKI technology and digital credentials used to secure the payment clearing system in the UK via BACS. RBS digital certificates currently help to secure 43% of all credit payments made through the new Internet-based payment system, BACSTEL-IP.

Harry Croydon, CEO of Coverpoint, an online insurance quoting and broking system, and one of the first customers of the service, said, in a statement: "We found Eident affordable and easy to integrate into our existing IT infrastructure. Knowing that a trusted UK bank is securing our communications gives us, and most importantly our customers, absolute confidence in our online business processes."

RBS's Evers added: "Until now, comprehensive identity management systems could only be justified and implemented by the very largest organizations. By introducing Eident, we have developed a flexible and easy to implement service that will cost up to four times less than developing an in-house identity management system".

He said that the new service extended a platform to smaller organizations

He confirmed that Wells Fargo offers a similar capability in the US.


HACK EXPOSES 40M+ CREDIT CARDS TO FRAUD…

MasterCard International says a breach of payment card data has potentially exposed more than 40 million cards supplied by a variety of brands to fraud – about 14 million of which are MasterCard-branded. Other affected brands include American Express. The breach occurred at Tucson-based CardSystems Solutions, a third-party processor of payment card data. MasterCard warns it is giving the processor ‘a limited amount of time’ to demonstrate compliance with its security requirements. MasterCard says it immediately notified its customer banks of specific card accounts that may have been subject to compromise, after discovering the breach. The data did not include addresses or Social Security numbers, according to MasterCard. The FBI is investigating.

...AS REPORT HIGHLIGHTS WRONG EMPHASIS FOR ID THEFT

Most credit card providers are doing too little to address ID theft, focusing on resolution rather than prevention and detection, says a report released by Javelin Strategy & Research. The report surveyed 39 banks and ranked card issuers on the three areas of prevention, detection, and resolution. Researchers posing as customers asked about the banks’ ID theft policies. Issuers could score a maximum of 100 points: 40 points each for prevention and detection, and 20 points for resolution. The average score for all banks was 41 points. For prevention and detection, banks achieved average scores of 16.7 and 9.7 respectively. For resolution, banks achieved an average score of 14.4.

MICROSOFT RELEASES 10 PATCHES

In mid-June Microsoft released 10 patches – three of them critical – to fix vulnerabilities in Windows and Internet Explorer. The IE bug could allow Web pages with malicious code stored in the form of PNG graphics files to overpower PCs. The file format flaw is seen as the most significant of the three. Microsoft also found a critical bug in the Windows HTML Help system, as well as in its SMB file-sharing protocol. The patches include moderate updates for Services for Unix, Internet Security and Acceleration Server, and Small Business Server.

INTERNAL ATTACKS RISE IN FINANCIAL SERVICES

Internal attacks on IT systems have exceeded external attacks at the world’s largest financial institutions, according to Deloitte’s 2005 Global Security Survey. 35% of respondents confirmed encountering attacks from inside their organization within the last 12 months (up sharply from 14% in 2004) compared to 26% from external sources (up from 23% the previous year). The survey was carried out with senior security officers from the world’s top 100 global financial institutions. Phishing and pharming (luring people to disclose sensitive information by using bogus emails and websites) are two new additions to the top security threats financial institutions faced in the past year. Increases were also noted in anti-virus solutions (98% vs. 87% in 2004), Virtual Private Networks (79% vs. 75%) and content filtering and monitoring (76% vs. 60%).

GARTNER PLAYS DOWN MOBILE VIRUS THREAT

Fast-spreading viruses or worms will not affect mobile devices before the end of 2007, Gartner analysts say. The research firm believes the conditions required for a real virus or worm to spread quickly among the mass of mobile devices will not converge until then. It adds, “Mobile network operators must develop antivirus strategies before then.” Gartner listed what it considers the most over-hyped security threats during its recent three-day IT Security Summit: ‘Internet Protocol (IP) telephony is unsafe’; ‘mobile malware will cause widespread damage’; ‘‘Warhol Worms’ will make the Internet unreliable for business traffic and virtual private networks (VPNs)’; ‘regulatory compliance equals security’; ‘wireless hot spots are unsafe’.

300 KEY UK ORGANIZATIONS FACE TROJAN ATTACKS

The UK's National Infrastructure Security Co-Ordination Centre (NISCC) says that more than 300 government departments and businesses are being targeted by a series of email attacks designed to steal sensitive and economically valuable information. In contrast with phishing attacks, the NISCC says the attackers are specifically targeting governmental and commercial organizations. Although they use similar methods, the attacks are distinct from incidents of recently-reported industrial espionage.

CUSTOMER DATA SECURITY CASE SETTLED

In yet another case of customer data theft, where thousands of customers’ details were used for making fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed to put in place a comprehensive data-security system and face biannual security audits for the next 20 years under a settlement with the Federal Trade Commission. The FTC said the warehouse buying club had failed to take adequate precautions to guard its customer credit card and debit card data from theft and fraudulent use. Millions of dollars of unauthorized and fraudulent purchases were made on customer credit and debit cards after the customers had visited BJ's stores in early 2004, according to the FTC.

In brief
