January 19, 2003
FYI - The Federal Reserve Board
announced the availability of a new booklet designed to help
consumers protect themselves against identity theft. You may
want to link the "Identity Theft" brochure off your web
site.
Press release - http://www.federalreserve.gov/BoardDocs/Press/other/2003/20030116/default.htm
"Identity Theft" Brochure
- http://www.bos.frb.org/consumer/identity/idtheft.pdf
FYI - Old hard drives yield data bonanza - Two Massachusetts Institute of Technology
graduate students have uncovered a treasure trove of personal and
corporate information on used disk drives. http://news.com.com/2100-1040-980824.html?tag=fd_top
FYI - Money Laundering: A Banker's Guide to Avoiding Problems, December 2002 - This
booklet, which updates a 1993 publication, discusses how bankers can
identify and manage the risks associated with money laundering and
terrorist financing. The revision was prompted by the growing
sophistication of money launderers, a growing international response
to money laundering, changes to anti-money laundering laws, and
recent anti-terrorist financing legislation. www.occ.treas.gov/moneylaundering2002.pdf
FYI - University falls prey to phone tricksters - Telephone
hackers in Saudi Arabia broke into Texas A&M University's phone
system and left voice mail messages that enabled them to make
international calls charged to the school, an A&M spokesman
said. http://www.cnn.com/2003/US/Southwest/01/10/university.phones.reut/
FYI - Complaints mount from TurboTax customers - Software
maker Intuit has created an uninstaller program for its TurboTax
tax-preparation programs, as customer complaints mount about
anti-piracy technology included in the software. http://news.com.com/2100-1040-980600.html?tag=fd_top
INTERNET COMPLIANCE - Truth in Lending Act (Regulation Z)
The commentary to regulation Z was amended recently to clarify that
periodic statements for open-end credit accounts may be provided
electronically, for example, via remote access devices. The
regulations state that financial institutions may permit customers
to call for their periodic statements, but may not require them to
do so. If the customer wishes to pick up the statement and the plan
has a grace period for payment without imposition of finance
charges, the statement, including a statement provided by electronic
means, must be made available in accordance with the "14-day
rule," requiring mailing or delivery of the statement not later
than 14 days before the end of the grace period.
Provisions pertaining to advertising of credit products should be
carefully applied to an on-line system to ensure compliance with the
regulation. Financial institutions advertising open-end or
closed-end credit products on-line have options. Financial
institutions should ensure that on-line advertising complies with
the regulations. For on-line advertisements that may be deemed to
contain more than a single page, financial institutions should
comply with the regulations, which describe the requirements for
multiple-page advertisements.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk
Assessment Tools and Practices for Information System Security."
INTRUSION DETECTION SYSTEMS
Vulnerability assessments and penetration analyses help ensure that
appropriate security precautions have been implemented and that
system security configurations are appropriate. The next step is to
monitor the system for intrusions and unusual activities. Intrusion
detection systems (IDS) may be useful because they act as a burglar
alarm, reporting potential intrusions to appropriate personnel. By
analyzing the information generated by the systems being guarded,
IDS help determine if necessary safeguards are in place and are
protecting the system as intended. In addition, they can be
configured to automatically respond to intrusions.
Computer system components or applications can generate detailed,
lengthy logs or audit trails that system administrators can manually
review for unusual events. IDS automate the review of logs and audit
data, which increases the reviews' overall efficiency by reducing
costs and the time and level of skill necessary to review the logs.
Typically, there are three components to an IDS. First is an agent,
which is the component that actually collects the information.
Second is a manager, which processes the information collected by
the agents. Third is a console, which allows authorized information
systems personnel to remotely install and upgrade agents, define
intrusion detection scenarios across agents, and track intrusions as
they occur. Depending on the complexity of the IDS, there can be
multiple agent and manager components.
Generally, IDS products use three different methods to detect
intrusions. First, they can look for identified attack signatures,
which are streams or patterns of data previously identified as an
attack. Second, they can look for system misuse, such as unauthorized
attempts to access files or disallowed traffic inside the firewall.
Third, they can look for activities that differ from the user's or
system's normal pattern. These "anomaly-based" products (which use
artificial intelligence) are designed to detect subtle changes or new
attack patterns, and then notify appropriate personnel that an
intrusion may be occurring. Some anomaly-based products are designed
to update their model of normal use on a regular basis. Poorly
designed anomaly-based products can trigger frequent false positives.
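To make the three detection methods concrete, and to show how an IDS automates the log review described above, here is a small added example that runs a signature rule, a misuse (policy) rule and a rate-based anomaly detector over a handful of constructed log lines. This is illustrative code written for this newsletter review, not code from the FDIC paper or from any IDS product; the log format, the two signatures, the two policy rules, the internal address range, the baseline counts and the threshold factor k are all assumptions made here.

```python
"""Signature, misuse (policy) and anomaly detection over constructed log lines.

Added example for this review; it is not code from the FDIC paper or any
IDS product. The log format, the two signatures, the two policy rules, the
baseline counts and the threshold factor k are all assumptions made here.
"""
import ipaddress
import re
import statistics
from collections import Counter

# Constructed sample log (not captured from a real system).
# Field order: minute src dst dport user detail
SAMPLE_LOG = [
    "0 10.1.1.5 10.1.2.10 80 - GET /index.html",
    "0 10.1.1.6 10.1.2.10 80 - GET /about.html",
    "0 10.1.1.7 10.1.2.10 80 - GET /index.html",
    "1 10.1.1.5 10.1.2.10 80 - GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir",
    "1 10.1.1.6 10.1.2.10 80 - GET /index.html",
    "2 10.1.1.8 10.1.2.20 445 jdoe OPEN /finance/payroll.xls",
    "2 10.1.1.9 198.51.100.9 23 - SYN",
] + [f"3 10.1.1.20 10.1.2.10 80 - GET /page{i}.html" for i in range(40)]

# Assumed "normal" per-source requests-per-minute counts learned earlier.
BASELINE = [1, 1, 2, 1, 2, 1, 3, 1, 2, 1]


def parse(line):
    minute, src, dst, dport, user, detail = line.split(" ", 5)
    return {"minute": int(minute), "src": src, "dst": dst,
            "dport": int(dport), "user": user, "detail": detail}


# 1) Signature detection: byte patterns previously identified as attacks.
SIGNATURES = [
    ("dir-traversal", re.compile(r"\.\./|%c0%af|%c1%1c", re.I)),
    ("cmd-exe", re.compile(r"cmd\.exe", re.I)),
]


def signature_alerts(events):
    return [(e["src"], name) for e in events
            for name, rx in SIGNATURES if rx.search(e["detail"])]


# 2) Misuse detection: violations of local policy rather than known exploits.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")   # assumed internal range
FINANCE_USERS = {"asmith"}                       # assumed authorised users


def misuse_alerts(events):
    alerts = []
    for e in events:
        src_in = ipaddress.ip_address(e["src"]) in INTERNAL
        dst_in = ipaddress.ip_address(e["dst"]) in INTERNAL
        if src_in and not dst_in and e["dport"] == 23:
            alerts.append((e["src"], "policy:outbound-telnet"))
        if e["detail"].startswith("OPEN /finance/") and e["user"] not in FINANCE_USERS:
            alerts.append((e["src"], "policy:unauthorized-file-access"))
    return alerts


# 3) Anomaly detection: deviation from the learned normal pattern.
class RateAnomalyDetector:
    """Flags a source whose per-minute request count exceeds mean + k*sd of the
    baseline, then folds the window's benign counts back into the baseline
    (the periodic update of the "normal use" profile the paper mentions)."""

    def __init__(self, baseline, k=3.0, min_sd=1.0):
        self.history = list(baseline)
        self.k, self.min_sd = k, min_sd   # min_sd stops a flat baseline alerting on +1

    def threshold(self):
        sd = max(statistics.pstdev(self.history), self.min_sd)
        return statistics.mean(self.history) + self.k * sd

    def check_window(self, events):
        counts = Counter(e["src"] for e in events)
        thr = self.threshold()
        alerts = [(src, f"anomaly:rate {n} > {thr:.1f}")
                  for src, n in counts.items() if n > thr]
        # Only benign counts update the profile, so a flood cannot train the
        # detector into treating itself as normal.
        self.history.extend(n for n in counts.values() if n <= thr)
        return alerts


def run_ids(lines, detector):
    events = [parse(ln) for ln in lines]
    alerts = signature_alerts(events) + misuse_alerts(events)
    for minute in sorted({e["minute"] for e in events}):
        alerts += detector.check_window([e for e in events if e["minute"] == minute])
    return alerts


def demo():
    return run_ids(SAMPLE_LOG, RateAnomalyDetector(BASELINE))


if __name__ == "__main__":
    for src, name in demo():
        print(f"{src:12} {name}")
```

Running it reports two signature hits for the traversal request from 10.1.1.5, a policy hit for the outbound telnet from 10.1.1.9, a policy hit for the payroll file opened by an unauthorised user, and one anomaly alert for the 40-request burst from 10.1.1.20, while the ordinary browsing never alerts. The anomaly detector only learns from windows it judged benign; letting flagged counts into the baseline is the design flaw that turns a "self-updating" product into one an attacker can retrain.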
Although IDS may be an integral part of an institution's overall
system security, they will not protect a system from previously
unknown threats or vulnerabilities. They are not self-sufficient and
do not compensate for weak authentication procedures (e.g., when an
intruder already knows a password to access the system). Also, IDS
often have overlapping features with other security products, such
as firewalls. IDS provide additional protections by helping to
determine if the firewall programs are working properly and by
helping to detect internal abuses. Both firewalls and IDS need to be
properly configured and updated to combat new types of attacks. In
addition, management should be aware that the state of these
products is highly dynamic and IDS capabilities are evolving.
IDS tools can generate both technical and management reports,
including text, charts, and graphs. The IDS reports can provide
background information on the type of attack and recommend courses
of action. When an intrusion is detected, the IDS can automatically
begin to collect additional information on the attacker, which may
be needed later for documentation purposes.
FYI - Please remember that we perform vulnerability-penetration studies
and would be happy to e-mail you a proposal. E-mail Kinney Williams at
examiner@yennik.com for more information.
PRIVACY - At the request of our readers, we begin
our review of the issues in the
"Privacy of Consumer Financial Information" published by
the financial regulatory agencies in May 2001.
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of
the Act governs the treatment of nonpublic personal information
about consumers by financial institutions. Section 502 of the
Subtitle, subject to certain exceptions, prohibits a financial
institution from disclosing nonpublic personal information about a
consumer to nonaffiliated third parties, unless the institution
satisfies various notice and opt-out requirements, and provided that
the consumer has not elected to opt out of the disclosure. Section
503 requires the institution to provide notice of its privacy
policies and practices to its customers. Section 504 authorizes the
issuance of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
summarized below.
1) A financial institution must provide a notice of its
privacy policies, and allow the consumer to opt out of the
disclosure of the consumer's nonpublic personal information, to a
nonaffiliated third party if the disclosure is outside of the
exceptions in sections 13, 14 or 15 of the regulations.
2) Regardless of whether a financial institution shares
nonpublic personal information, the institution must provide notices
of its privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
purposes.
4) A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it receives from a
nonaffiliated financial institution.