R. Kinney Williams & Associates

Internet Banking News

March 14, 2004



FYI - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes - The FDIC is alerting financial institutions to the increasing prevalence of e-mail and Internet-related fraudulent schemes targeting financial institution customers. The attached guidance provides financial institutions with background information on these schemes and describes how institutions can assist in protecting their customers. www.fdic.gov/news/news/financial/2004/fil2704.html

FYI - Feds: E-mail subpoena ruling hurts law enforcement - A federal appeals court has declined to reverse last year's decision that the issuance of an egregiously overbroad subpoena for e-mail can qualify as a computer intrusion in violation of anti-hacking laws, despite an argument by the Justice Department that a side-effect of the ruling has already made it harder for law enforcement officials to obtain Americans' private e-mail.  http://www.securityfocus.com/printable/news/8199

FYI - Firms Look to Limit Liability for Online Security Breaches - In the face of ongoing attacks by computer hackers, some companies that store their customers' personal data are adopting a new defensive tactic: If your information is stolen, they're not legally responsible.  http://www.washingtonpost.com/ac2/wp-dyn/A31874-2004Mar4?language=printer

FYI - Phishing scam 'most devious ever' - An email attempting to trick Australian online-banking customers into divulging their details has been labelled the most 'devious' example that an antivirus vendor has encountered.  http://news.zdnet.co.uk/internet/security/0,39020375,39147979,00.htm 

FYI - Bank ATMs Converted to Steal IDs of Bank Customers - A team of organized criminals is installing equipment on legitimate bank ATMs in at least 2 regions to steal both the ATM card number and the PIN. The team sits nearby in a car receiving the information transmitted wirelessly over weekends and evenings from equipment they install on the front of the ATM.  http://www.utexas.edu/admin/utpd/atm.html


INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

Additionally, the regulations clarify that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC), an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.


Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.



INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 1 of 2)


Sensitive or mission-critical applications should incorporate appropriate access controls that restrict which application functions are available to users and other applications. The most commonly referenced applications from an examination perspective support the information processing needs of the various business lines. These computer applications allow authorized users or other applications to interface with the related database. Effective application access control can enforce both segregation of duties and dual control. Access rights to sensitive or critical applications and their database should ensure that employees or applications have the minimum level of access required to perform their business functions. Effective application access control involves a partnership between the security administrators, the application programmers (including TSPs and vendors), and the business owners.

Some security software programs will integrate access control for the operating system and some applications. That software is useful when applications do not have their own access controls, and when the institution wants to rely on the security software instead of the application's access controls. Examples of such security software products for mainframe computers include RACF, CA-ACF2, and CA-Top Secret. Institutions should understand the functionality and vulnerabilities of their application access control solutions and consider those issues in their risk assessment process.
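As an added illustration (not code from the FFIEC booklet or from any of the products named above), the following Python sketch shows an application enforcing the three properties the text calls for: least privilege through role-scoped functions, segregation of duties (an initiator may not approve their own transaction), and dual control (two distinct approvers before release). The roles, users and wire-transfer workflow are constructed for the example.

```python
"""Application access control enforcing least privilege, segregation of
duties and dual control. Constructed example; roles, users and the
wire-transfer workflow are assumptions, not any institution's policy."""
from dataclasses import dataclass, field
from typing import List, Optional

# Least privilege: each role carries only the functions its job needs.
ROLE_PERMISSIONS = {
    "teller":     {"wire.view", "wire.initiate"},
    "supervisor": {"wire.view", "wire.approve"},
    "manager":    {"wire.view", "wire.initiate", "wire.approve"},
    "auditor":    {"wire.view"},
}

# Constructed sample user-to-role mapping.
USER_ROLES = {"alice": "teller", "bob": "supervisor",
              "carol": "supervisor", "dave": "auditor", "erin": "manager"}

class AccessDenied(Exception):
    """Raised whenever a control would be violated."""

def has_permission(user: str, function: str) -> bool:
    """True only if the user's role explicitly grants the function."""
    return function in ROLE_PERMISSIONS.get(USER_ROLES.get(user, ""), set())

def require(user: str, function: str) -> None:
    if not has_permission(user, function):
        raise AccessDenied(f"{user} lacks {function}")

@dataclass
class WireTransfer:
    amount: float
    initiated_by: Optional[str] = None
    approvals: List[str] = field(default_factory=list)
    APPROVALS_REQUIRED = 2  # dual-control threshold (assumed policy)

    def initiate(self, user: str) -> None:
        require(user, "wire.initiate")
        self.initiated_by = user

    def approve(self, user: str) -> None:
        require(user, "wire.approve")
        # Segregation of duties: the initiator never approves their own wire,
        # even if their role (e.g. manager) holds both functions.
        if user == self.initiated_by:
            raise AccessDenied(f"{user} cannot approve a wire they initiated")
        # Dual control means two different people, so repeat approvals fail.
        if user in self.approvals:
            raise AccessDenied(f"{user} has already approved this wire")
        self.approvals.append(user)

    def is_released(self) -> bool:
        """Funds move only after the dual-control threshold is met."""
        return (self.initiated_by is not None
                and len(self.approvals) >= self.APPROVALS_REQUIRED)
```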



IT SECURITY QUESTION:

D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)

2. Determine whether workstations are configured either for secure remote administration or for no remote administration.



INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

36. Does the institution use a reasonable means for delivering the notices, such as:

a. hand-delivery of a printed copy; [§9(b)(1)(i)]

b. mailing a printed copy to the last known address of the consumer; [§9(b)(1)(ii)]

c. for the consumer who conducts transactions electronically, clearly and conspicuously posting the notice on the institution’s electronic site and requiring the consumer to acknowledge receipt as a necessary step to obtaining a financial product or service; [§9(b)(1)(iii)] or 

d. for isolated transactions, such as ATM transactions, posting the notice on the screen and requiring the consumer to acknowledge receipt as a necessary step to obtaining the financial product or service? [§9(b)(1)(iv)]

(Note: insufficient or unreasonable means of delivery include: exclusively oral notice, in person or by telephone; branch or office signs or generally published advertisements; and electronic mail to a customer who does not obtain products or services electronically. [§9 (b)(2)(i) and (ii), and (d)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated