FYI - Penetration Testing for Web Applications (Part Two) http://www.securityfocus.com/printable/infocus/1709
FYI - New IT auditors - Auditing Physical Network Components http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5423
FYI - Ridge unveils programs for protecting financial systems - http://www.govexec.com/dailyfed/0703/070803td2.htm
FYI - Security products need standardization - Despite wide use across government, intrusion detection systems have no standard metrics to measure their performance, according to a new report by the National Institute of Standards and Technology. http://www.securityfocus.com/news/6327
FYI - New site spoofs PayPal to get billing information - A new Web site spoofs the PayPal Inc. online payment site and attempts to trick PayPal customers into divulging sensitive account and billing information. The fake Web site is the latest example in what security experts say is a rising trend of "brand-spoofing" scams. http://www.computerworld.com/printthis/2003/0,4814,82888,00.html
FYI - A French high school student is being investigated on suspicion of breaking into and defacing some 2,000 Web sites -- including that of the U.S. Navy, police said Thursday. http://www.cnn.com/2003/TECH/internet/07/11/young.hacker.ap/index.html
FYI - Cyberscam strikes Massachusetts state lottery - Scam artists have spoofed the Web site of the Massachusetts State Lottery Commission in an attempt to steal personal and financial information from lottery players across the country. http://www.computerworld.com/printthis/2003/0,4814,82892,00.html
FYI - Congress considers imposing security standards on businesses. http://www.pcworld.com/news/article/0,aid,111535,tk,dn071103X,00.asp
INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
A. RISK DISCUSSION
Reputation Risk
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.
Nature of Product or Service
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
store.
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
in nature.
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
financial institution.
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
seller.
INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Access Rights Administration (4 of 5)
The access rights process programs the
system to allow the users only the access rights they were granted.
Since access rights do not automatically expire or update, periodic
updating and review of access rights on the system is necessary.
Updating should occur when an individual’s business needs for
system use changes. Many job changes can result in an expansion or
reduction of access rights. Job events that would trigger a removal
of access rights include transfers, resignations, and terminations.
Institutions should take particular care to remove promptly the
access rights for users who have remote access privileges, and those
who administer the institution’s systems.
Because updating may not always be accurate, periodic review of user
accounts is a good control to test whether the access right removal
processes are functioning, and whether users exist who should have
their rights rescinded or reduced. Financial institutions should
review access rights on a schedule commensurate with risk.
Access rights to new software and hardware present a unique problem.
Typically, hardware and software are installed with default users,
with at least one default user having full access rights. Easily
obtainable lists of popular software exist that identify the default
users and passwords, enabling anyone with access to the system to
obtain the default user’s access. Default user accounts should
either be disabled, or the authentication to the account should be
changed. Additionally, access to these default accounts should
be monitored more closely than other accounts.
Sometimes software installs with a default account that allows
anonymous access. Anonymous access is appropriate, for instance,
where the general public accesses an informational web server.
Systems that allow access to or store sensitive information,
including customer information, should be protected against
anonymous access.
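The periodic review described above can be made a repeatable check rather than a manual task. The following is an added example, not part of the FFIEC booklet or this newsletter; the account fields, the list of default account names and all sample records are constructed assumptions. It reconciles a system's account export against the HR roster and flags terminated users, orphan accounts, enabled default accounts, and job changes that need re-validation, ranking remote and administrative access first.

```python
# Added example: periodic access-rights review that reconciles a system's
# account export against the HR roster. Field names, the default-account
# list and all sample records below are constructed for this illustration.
from dataclasses import dataclass

# Constructed list of vendor default account names to look for.
DEFAULT_ACCOUNTS = {"admin", "guest", "anonymous", "sa"}

@dataclass
class Account:
    username: str
    enabled: bool
    admin: bool = False   # administers the system
    remote: bool = False  # holds remote-access privileges

# Constructed HR roster: username -> employment status.
HR_ROSTER = {"jsmith": "active", "mlee": "terminated", "rgarcia": "transferred"}

# Constructed system account export.
ACCOUNTS = [
    Account("jsmith", enabled=True),
    Account("mlee", enabled=True, remote=True),
    Account("rgarcia", enabled=True, admin=True),
    Account("admin", enabled=True, admin=True),
    Account("guest", enabled=False),
    Account("svc_legacy", enabled=True),
]

def review_accounts(accounts, roster):
    """Return (severity, username, reason) for every enabled account needing action."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already disabled: nothing to rescind
        # Remote and administrative access are removed first, per the booklet's guidance.
        sev = "HIGH" if (acct.admin or acct.remote) else "MEDIUM"
        name = acct.username.lower()
        if name in DEFAULT_ACCOUNTS:
            findings.append((sev, acct.username, "default account still enabled"))
        elif name not in roster:
            findings.append((sev, acct.username, "no matching HR record (orphan)"))
        elif roster[name] == "terminated":
            findings.append((sev, acct.username, "terminated user still has access"))
        elif roster[name] == "transferred":
            findings.append(("LOW", acct.username, "job change: re-validate rights"))
    order = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
    return sorted(findings, key=lambda f: order[f[0]])

if __name__ == "__main__":
    for sev, user, reason in review_accounts(ACCOUNTS, HR_ROSTER):
        print(f"{sev:6} {user:12} {reason}")
```

In practice the roster and account export would come from the HR system and the platform's user listing; the output is the work list for the rights-removal process and for the monitoring of default accounts.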
INFORMATION SECURITY QUESTION:
B. NETWORK SECURITY
1. Evaluate the adequacy and accuracy of the network architecture.
a) Obtain a schematic overview of the financial institution’s network architecture.
b) Review procedures for maintaining current information, including inventory reporting of how new hardware is added and old hardware is removed.
c) Review audit and security reports that assess the accuracy of network architecture schematics and identify unreported systems.
INTERNET PRIVACY - We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.
Account number sharing
A. If available, review a sample of telemarketer scripts used
when making sales calls to determine whether the scripts indicate
that the telemarketers have the account numbers of the institution's
consumers (§12).
B. Obtain and review a sample of contracts with agents or service
providers to whom the financial institution discloses account
numbers for use in connection with marketing the institution's own
products or services. Determine whether the institution shares
account numbers with nonaffiliated third parties only to perform
marketing for the institution's own products and services. Ensure
that the contracts do not authorize these nonaffiliated third
parties to directly initiate charges to customers' accounts (§12(b)(1)).
C. Obtain a sample of materials and information provided to the
consumer upon entering a private label or affinity credit card
program. Determine if the participants in each program are
identified to the customer when the customer enters into the program
(§12(b)(2)).
This concludes our review of the "Privacy of Consumer
Financial Information." Next week we begin a series
listing regulatory-privacy examination questions. By answering
these questions on a weekly basis, you will ensure
compliance with the privacy regulations.
PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web site compliance and penetration-vulnerability testing. Visit http://www.bankwebsiteaudits.com for more information about web site audits. For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.