REMINDER - This newsletter is available for Android smartphones and
tablets. Go to the Market Store and search for yennik.
FYI - Health-care sector vulnerable to hackers, researchers say - As the
health-care industry rushed onto the Internet in search of
efficiencies and improved care in recent years, it has exposed a
wide array of vulnerable hospital computers and medical devices to
hacking, according to documents and interviews.
http://www.washingtonpost.com/investigations/health-care-sector-vulnerable-to-hackers-researchers-say/2012/12/25/72933598-3e50-11e2-ae43-cf491b837f7b_story.html
FYI - National banking regulator advises on DDoS deluge - The regulator
for national banks issued an alert Friday about the apparent uptick
in distributed denial-of-service (DDoS) attacks being waged against
financial institutions.
http://www.scmagazine.com/national-banking-regulator-advises-on-ddos-deluge/article/273769/
FYI - Agencies might have to obliterate private photos on devices that
go AWOL - Employees at agencies such as Customs and Border
Protection who convince their bosses to let them work on their own
smartphones and tablets might have to allow security managers to
install special software that erases stored information -- both
business and personal -- if their smartphone goes missing.
http://www.govexec.com/technology/2012/12/agencies-might-have-obliterate-private-photos-devices-go-awol/60246/
FYI - Mobile threats predicted top concern for 2013 - Researchers
believe that the persistence of mobile threats will be a top concern
for users in the coming year.
http://www.scmagazine.com/mobile-threats-predicted-top-concern-for-2013/article/274259/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - U of Michigan Health System, Omnicell report patient data breach -
Approximately 4,000 patients at the University of Michigan Health
System (UMHS) have been notified this December that their personal
health information has been compromised, UMHS officials announced.
http://www.healthcareitnews.com/news/u-michigan-health-system-omnicell-report-patient-data-breach
FYI - Hacker, Verizon duel over customer record claims - A hacker said
he has acquired more than 3 million Verizon customer records -- but
leaks only 10 percent of them, after the phone and broadband giant
fails to fix a security flaw. Verizon disagrees.
http://www.zdnet.com/hacker-verizon-duel-over-customer-record-claims-7000009151/
FYI - Stabuniq malware found on servers at U.S. financial institutions -
The malware appears to be performing only reconnaissance for now -
Security researchers from Symantec have identified an
information-stealing Trojan program that was used to infect computer
servers belonging to various U.S. financial institutions.
http://www.computerworld.com/s/article/9234961/Stabuniq_malware_found_on_servers_at_U.S._financial_institutions?taxonomyId=17
FYI - Nearly 30K Indiana patients notified of laptop theft - A laptop
containing the personal data of thousands of patients of Gibson
General Hospital in Princeton, Ind. was stolen from an employee's
home.
http://www.scmagazine.com/nearly-30k-indiana-patients-notified-of-laptop-theft/article/274715/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites -
Risk Mitigation and Response Guidance for Web Site Spoofing Incidents
(Part 2 of 5)
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of
Web-site spoofing:
* E-mail messages returned to bank mail servers that were not
originally sent by the bank. In some cases, these e-mails may
contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web
addresses indicating that the bank's Web site is being copied or
that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumers reporting spoofing
activity.
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring
services.
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
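The log-review and domain-monitoring indicators above can be partly automated. The following is an added example written for this page, not part of the OCC guidance: it runs over a few constructed Apache combined-format log lines and flags Referer hosts outside the bank's own domain that carry the bank's name, match a generated lookalike domain, or hotlink the bank's static assets (a copied site commonly loads images and stylesheets from the real one). The same lookalike generator can feed a watch on new domain registrations. The bank domain examplebank.com, the path prefixes treated as static assets, the homoglyph table and the log lines are all assumptions.

```python
"""Spoofed-site indicators from web-server logs (added example, not OCC code)."""
import re
from urllib.parse import urlsplit

# Assumed for the illustration; substitute the bank's real domain.
BANK_DOMAIN = "examplebank.com"
BANK_NAME = BANK_DOMAIN.split(".")[0]
STATIC_PREFIXES = ("/images/", "/css/", "/js/")   # assumed asset paths

# Apache / nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)

# Constructed sample traffic, not real log data.
SAMPLE_LOG = """\
203.0.113.5 - - [26/Dec/2012:10:01:02 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://www.examplebank.com/login" "Mozilla/5.0"
198.51.100.7 - - [26/Dec/2012:10:01:09 -0500] "GET /images/logo.png HTTP/1.1" 200 5120 "http://examplebank-secure-login.net/verify.php" "Mozilla/5.0"
198.51.100.7 - - [26/Dec/2012:10:01:10 -0500] "GET /css/site.css HTTP/1.1" 200 8192 "http://examp1ebank.com/login" "Mozilla/5.0"
192.0.2.44 - - [26/Dec/2012:10:02:00 -0500] "GET /login HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.45 - - [26/Dec/2012:10:02:30 -0500] "GET /login HTTP/1.1" 200 2048 "https://www.google.com/" "Mozilla/5.0"
"""


def own_host(host: str) -> bool:
    """True for the bank's domain and any of its subdomains."""
    return host == BANK_DOMAIN or host.endswith("." + BANK_DOMAIN)


def lookalike_domains(domain: str) -> set:
    """Typosquat-style variants of a single-label domain (label.tld):
    one-character omissions, adjacent transpositions, digit-for-letter
    homoglyphs, and the same label under other common TLDs."""
    label, _, tld = domain.partition(".")
    homoglyphs = {"o": "0", "l": "1", "i": "1", "e": "3", "a": "4", "s": "5"}
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])                               # omission
        if i + 1 < len(label):
            labels.add(label[:i] + label[i + 1] + ch + label[i + 2:])       # transposition
        if ch in homoglyphs:
            labels.add(label[:i] + homoglyphs[ch] + label[i + 1:])          # homoglyph
    labels.discard(label)
    variants = {lb + "." + tld for lb in labels}
    variants |= {label + "." + t for t in ("com", "net", "org", "biz", "info") if t != tld}
    return variants


def suspicious_referers(log_text: str) -> list:
    """Return (referer_host, requested_path, reasons) for requests whose
    Referer points at a foreign host that looks like the bank or that is
    pulling the bank's own static assets into another page."""
    lookalikes = lookalike_domains(BANK_DOMAIN)
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["referer"] in ("", "-"):
            continue
        host = (urlsplit(m["referer"]).hostname or "").lower()
        if not host or own_host(host):
            continue
        reasons = []
        if host in lookalikes:
            reasons.append("lookalike domain")
        elif BANK_NAME in host:
            reasons.append("bank name in foreign domain")
        if m["path"].startswith(STATIC_PREFIXES):
            reasons.append("static asset hotlinked")
        if reasons:
            findings.append((host, m["path"], reasons))
    return findings


if __name__ == "__main__":
    for host, path, reasons in suspicious_referers(SAMPLE_LOG):
        print(f"{host}\t{path}\t{', '.join(reasons)}")
```

Run daily over the previous day's logs and route the hits to the same team that handles customer phishing reports; the unreferenced search-engine visit to /login is deliberately left unflagged so that ordinary traffic does not drown the signal.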
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC
"Security Risks Associated with the Internet."
SECURITY MEASURES
Symmetric and Asymmetric Key Systems
There are two types of cryptographic key systems, symmetric and
asymmetric. With a symmetric key system (also known as a secret key or
private key system), all parties share the same key. That key is used
both to encrypt and to decrypt messages, so every party must keep it
secret or the security is compromised. For the parties to hold the same
key, there has to be a way to distribute it securely to each of them.
While this can be done, the controls needed to do so for every pair of
parties make a purely symmetric system impractical for widespread
commercial use on an open network like the Internet. Asymmetric key
systems solve the distribution problem; in practice the two are
combined, with an asymmetric exchange establishing a symmetric session
key that then protects the bulk of the traffic.
In an asymmetric key system (also known as a public key system), two
keys are used. One key is kept secret, and therefore is referred to
as the "private key." The other key is made widely available to
anyone who wants it, and is referred to as the "public key." The
private and public keys are mathematically related so that
information encrypted with the public key can only be decrypted by
the corresponding private key, and a value produced with the private
key (a digital signature over the message) can be checked by anyone
holding the corresponding public key but produced by no one else.
Because the private key is typically specific to one party or computer
system, the sender of a signed message can be authenticated as the
private key holder by anyone who verifies the signature with the
matching public key, provided the public key itself has been reliably
tied to that party (the role of a certificate). Importantly, deriving
the private key from the public key is computationally infeasible when
the keys are properly sized: it would require solving a problem, such
as factoring the product of two large primes, that no known method can
complete in practical time. The keys can be stored either on a computer
or on a physically separate medium such as a smart card.
Regardless of the key system utilized, physical and logical controls
must exist to protect the confidentiality of, and access to, the
key(s). In addition, the key itself must be strong enough for the
intended application. The appropriate key may vary depending on how
sensitive the transmitted or stored data is, with stronger keys used
for highly confidential or sensitive data. Stronger encryption may
also be necessary to protect data that sits in an open environment,
such as on a Web server, for long periods. Within a given algorithm,
strength grows with key length: the longer the key, the more work an
attacker's computers need to search or factor it. Lengths are not
comparable across algorithms, however; a 128-bit symmetric key is
roughly as strong as a 3072-bit RSA key, and a key of any length
generated from a weak random source is easily broken.
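As an added illustration of the key relationships described in this section (written for this page, not from the FDIC text), the following Python uses an HMAC for the symmetric case and a textbook RSA built from two small primes for the asymmetric case. The primes, messages and shared key are assumed values, and the RSA is unpadded and toy-sized: it exists only to show that a signature made with the private key checks with the public key, that data encrypted to the public key needs the private key to read, and why key length matters: the last function recovers the private key from the public key by factoring the tiny modulus, the step that becomes computationally infeasible at real key sizes.

```python
"""Added illustration of symmetric vs. asymmetric keys (not the FDIC's code).
Toy-sized, unpadded textbook RSA: for teaching only, never for real data."""
import hashlib
import hmac
from math import gcd


# ---- Symmetric: one shared secret ---------------------------------------
def shared_key_tag(key: bytes, message: bytes) -> bytes:
    """Every party holding `key` can both create and check this tag, so it
    proves 'someone with the key', not which party."""
    return hmac.new(key, message, hashlib.sha256).digest()


def check_shared_key_tag(key: bytes, message: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(shared_key_tag(key, message), tag)


# ---- Asymmetric: a key pair (textbook RSA) ------------------------------
def make_keypair(p: int, q: int, e: int = 65537):
    """Derive (public, private) from two primes. The demo below uses assumed
    toy primes; real keys use primes of roughly 1024 bits each or more."""
    n, phi = p * q, (p - 1) * (q - 1)
    if gcd(e, phi) != 1:
        raise ValueError("e must be coprime to phi(n)")
    d = pow(e, -1, phi)  # modular inverse (Python 3.8+)
    return (n, e), (n, d)


def encrypt(public, m: int) -> int:
    """Anyone with the public key can encrypt; only the private key decrypts."""
    n, e = public
    if not 0 <= m < n:
        raise ValueError("message must be an integer below n")
    return pow(m, e, n)


def decrypt(private, c: int) -> int:
    n, d = private
    return pow(c, d, n)


def _digest_mod_n(message: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % n


def sign(private, message: bytes) -> int:
    """'Encrypting with the private key': the holder signs a hash of the
    message. Nobody without d can produce a value that verifies."""
    n, d = private
    return pow(_digest_mod_n(message, n), d, n)


def verify(public, message: bytes, signature: int) -> bool:
    """Anyone with the public key can check the signature, which is what
    authenticates the sender as the private-key holder."""
    n, e = public
    return pow(signature, e, n) == _digest_mod_n(message, n)


def recover_private_key(public):
    """Rebuild d from the public key alone by factoring n with trial
    division. This works only because the toy modulus is tiny; for a
    2048-bit n the same search is computationally infeasible, which is
    the property the guidance describes as 'impossible'."""
    n, e = public
    p = 2
    while p * p <= n:
        if n % p == 0:
            q = n // p
            return n, pow(e, -1, (p - 1) * (q - 1))
        p += 1
    return None


if __name__ == "__main__":
    key = b"shared-secret-assumed-for-demo"
    tag = shared_key_tag(key, b"transfer 100")
    print("symmetric tag checks:", check_shared_key_tag(key, b"transfer 100", tag))

    public, private = make_keypair(10007, 10009)  # assumed toy primes
    print("decrypt(encrypt(42)) =", decrypt(private, encrypt(public, 42)))
    sig = sign(private, b"transfer 100")
    print("signature verifies:", verify(public, b"transfer 100", sig))
    print("tampered message verifies:", verify(public, b"transfer 1000", sig))
    print("private key recovered from public:", recover_private_key(public) == private)
```

The contrast to take away: the HMAC check passes for anyone who holds the shared key, so it cannot say which party sent the message, while the RSA signature can only be produced by the holder of d; and the factoring routine finishes instantly on a 27-bit modulus but would not finish in any useful time on a properly sized one.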
INTERNET PRIVACY - We continue our review of the issues in the "Privacy
of Consumer Financial Information" published by the financial
regulatory agencies.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal information";
"nonaffiliated third party"; the "opt out" right and the exceptions
to that right; and "consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
Financial Institution:
A "financial institution" is any institution the business of
which is engaging in activities that are financial in nature or
incidental to such financial activities, as determined by section
4(k) of the Bank Holding Company Act of 1956. Financial institutions
can include banks, securities brokers and dealers, insurance
underwriters and agents, finance companies, mortgage bankers, and
travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except a
financial institution's affiliate or a person employed jointly by a
financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is any company
that controls, is controlled by, or is under common control with the
financial institution.