February 23, 2003

FYI - Sixth-grader charged in grade switch caper - http://www.gopbi.com/partners/pbpost/epaper/editions/wednesday/martin_stlucie_e394fc8032005260000b.html

FYI - Hacker accesses 5.6 million credit cards - The hacker who breached a security system to get into credit card information had access to about 5.6 million Visa and Mastercard accounts, far more than originally announced. http://www.cnn.com/2003/TECH/02/17/creditcard.hack/index.html

FYI - Homeland Security Information Update - Suggested Guidelines on Protective Measures - www.federalreserve.gov/generalinfo/homeland/protectivemeasures.htm

FYI - FTD.com hole leaks personal information - A security flaw at FTD.com left private information open to harvesting this week, one of the busiest of the year for the online florist. http://news.com.com/2100-1017-984585.html
INTERNET COMPLIANCE - Disclosures and Notices
Several consumer regulations provide for disclosures and/or notices
to consumers. The compliance officer should check the specific
regulations to determine whether the disclosures/notices can be
delivered via electronic means. The delivery of disclosures via
electronic means has raised many issues with respect to the format
of the disclosures, the manner of delivery, and the ability to
ensure receipt by the appropriate person(s). The following
highlights some of those issues and offers guidance and examples
that may be of use to institutions in developing their electronic
services.
Disclosures are generally required to be "clear and
conspicuous." Therefore, compliance officers should review the
web site to determine whether the disclosures have been designed to
meet this standard. Institutions may find that the format(s)
previously used for providing paper disclosures may need to be
redesigned for an electronic medium. Institutions may find it
helpful to use "pointers" and "hotlinks" that
will automatically present the disclosures to customers when
selected. A financial institution's use solely of asterisks or other
symbols as pointers or hotlinks would not be as clear as descriptive
references that specifically indicate the content of the linked
material.
INTERNET SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Using "Wired Equivalent Privacy" (WEP) by itself to
provide wireless network security may lead a financial institution
to a false sense of security. Information traveling over the network
appears secure because it is encrypted. This appearance of security,
however, can be defeated in a relatively short time.
Through attacks that defeat WEP, unauthorized personnel could gain
access to the financial institution's data and systems. For example,
an attacker with a laptop computer and a wireless network card could
eavesdrop on the bank's network, obtain private customer
information, obtain access to bank systems and initiate unauthorized
transactions against customer accounts.
Another risk in implementing wireless networks is the potential
disruption of wireless service caused by radio transmissions of
other devices. For example, the frequency range used for 802.11b
equipment is also shared by microwave ovens, cordless phones and
other radio-wave-emitting equipment that can potentially interfere
with transmissions and lower network performance. Also, as wireless
workstations are added within a relatively small area, they will
begin to compete with each other for wireless bandwidth, decreasing
the overall performance of the wireless network.
Risk Mitigation Components -- Wireless Internal Networks
A key step in mitigating security risks related to the use of
wireless technologies is to create policies, standards and
procedures that establish minimum levels of security. Financial
institutions should adopt standards that require end-to-end
encryption for wireless communications based on proven encryption
methods. Also, as wireless technologies evolve, new security and
control weaknesses will likely be identified in the wireless
software and security protocols. Financial institutions should
actively monitor security alert organizations for notices related to
their wireless network devices.
For wireless internal networks, financial institutions should adopt
standards that require strong encryption of the data stream through
technologies such as the IP Security Protocol (IPSEC). These methods
effectively establish a virtual private network between the wireless
workstation and other components of the network. Even though the
underlying WEP encryption may be broken, an attacker would be faced
with having to defeat an industry-proven security standard.
Financial institutions should also consider the proximity of their
wireless networks to publicly available places. A wireless network
that does not extend beyond the confines of the financial
institution's office space carries with it far less risk than one
that extends into neighboring buildings. Before bringing a wireless
network online, the financial institution should perform a limited
pilot to test the effective range of the wireless network and
consider positioning devices in places where they will not broadcast
beyond the office space. The institution should also be mindful that
each workstation with a wireless card is a transmitter. Confidential
customer information may be obtained by listening in on the
workstation side of the conversation, even though the listener may
be out of range of the access device.
The financial institution should consider having regular independent
security testing performed on its wireless network environment.
Specific testing goals would include the verification of appropriate
security settings, the effectiveness of the wireless security
implementation and the identification of rogue wireless devices that
do not conform to the institution's stated standards. The security
testing should be performed by an organization that is technically
qualified to perform wireless testing and demonstrates appropriate
ethical behavior.
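Two of the testing goals named above, verifying that security settings meet the institution's standard and identifying rogue wireless devices, can be checked mechanically against a site survey. The following is an added example written for this article, not code from the newsletter or the FDIC guidance; the survey export format, the BSSIDs and SSIDs, the approved list and the choice of WPA2 as the acceptable setting are all constructed assumptions.

```python
from dataclasses import dataclass

# Constructed site-survey export, one record per line:
# "BSSID,SSID,security,signal_dBm" (the format itself is an assumption here).
SCAN_CSV = """\
00:11:22:33:44:01,BANK-OPS,WPA2,-41
00:11:22:33:44:02,BANK-OPS,WEP,-55
00:11:22:33:44:09,BANK-OPS,WPA2,-62
aa:bb:cc:dd:ee:ff,linksys,OPEN,-70
"""

# The institution's stated standard (constructed): approved access points and
# the link-layer security it accepts. WEP alone and open networks never qualify.
APPROVED_BSSIDS = {"00:11:22:33:44:01", "00:11:22:33:44:02"}
ACCEPTABLE_SECURITY = {"WPA2"}

@dataclass(frozen=True)
class Finding:
    bssid: str
    ssid: str
    issue: str    # "rogue" or "weak-security"
    detail: str

def parse_scan(csv_text: str) -> list[dict]:
    """Parse the survey export into normalized records."""
    records = []
    for line in csv_text.strip().splitlines():
        bssid, ssid, security, signal = line.split(",")
        records.append({"bssid": bssid.lower(), "ssid": ssid,
                        "security": security.upper(), "signal_dbm": int(signal)})
    return records

def audit_scan(csv_text: str, approved: set, acceptable: set) -> list[Finding]:
    """Flag rogue devices and approved devices that violate the standard."""
    findings = []
    for r in parse_scan(csv_text):
        if r["bssid"] not in approved:
            # Not on the approved list: a rogue device, even when it advertises
            # the institution's own SSID (an impostor access point).
            findings.append(Finding(r["bssid"], r["ssid"], "rogue",
                                    f"unapproved BSSID advertising {r['ssid']!r}"))
        elif r["security"] not in acceptable:
            findings.append(Finding(r["bssid"], r["ssid"], "weak-security",
                                    f"{r['security']} does not meet the standard"))
    return findings

if __name__ == "__main__":
    for f in audit_scan(SCAN_CSV, APPROVED_BSSIDS, ACCEPTABLE_SECURITY):
        print(f"{f.issue:14}{f.bssid}  {f.detail}")
```

Run against the constructed survey, it reports the WEP-only approved access point as non-conforming and the two unapproved BSSIDs as rogue, including the one impersonating the institution's SSID.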
PRIVACY - We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
customers.
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a
financial institution's evaluation or brokerage of information that
the institution collects in connection with a request or an
application from a consumer for a financial product or service. For
example, a financial service includes a lender's evaluation of an
application for a consumer loan or for opening a deposit account
even if the application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer
relationship" with a financial institution. A "customer
relationship" is a continuing relationship between a consumer
and a financial institution under which the institution provides one
or more financial products or services to the consumer that are to
be used primarily for personal, family, or household purposes.