Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
January 28, 2007
Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Swedish bank hit by 'biggest ever' online heist - Swedish bank Nordea has told ZDNet UK that it has been stung for between seven and eight million Swedish krona--up to $1.1 million--in what security company McAfee is describing as the "biggest ever" online bank heist. Over the last 15 months, Nordea customers have been targeted by e-mails containing a tailor-made Trojan, said the bank.
http://news.com.com/2102-7349_3-6151546.html?tag=st.util.print

FYI - RSA Catches Financial Phishing Kit - RSA, The Security Division of EMC, announced Jan. 10 that it has identified a new phishing kit that was being sold and used online by hackers to target users' personal information in real time. The phishing kit, known as a Universal Man-in-the-Middle Phishing Kit, is meant to help online hackers create attacks involving financial organizations by enabling the hacker to create a fake URL through a user-friendly online interface. The fraudulent URL communicates with the legitimate Web site of the targeted organization in real time.
http://www.eweek.com/article2/0,1759,2082039,00.asp
MISSING COMPUTERS/DATA
FYI - T.J. Maxx, Marshalls Operator Reports Customer ID Thefts After Hacking Detected - TJX Cos., operator of T.J. Maxx and Marshalls discount stores, said Wednesday its computer systems were hacked late last year and customer data has been stolen.
http://www.foxnews.com/story/0,2933,244472,00.html?sPage=fnc.business/identitytheft
http://www.usatoday.com/tech/news/2007-01-18-tj-maxx-hack_x.htm

FYI - Stolen hard drive could give patients a headache - A local doctor's office is keeping mum on a stolen hard drive that may contain personal information on hundreds of patients who seek care there.
http://www.tribune-democrat.com/local/local_story_003233725.html

FYI - New Jersey duo arrested for changing grades with unauthorized network access - A student and a recent graduate of a Cherry Hill, N.J. high school have been charged with using unauthorized access privileges to change students' grades.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070116/625754/

FYI - Hacker cracks University of Arizona network, may have breached employee information - A hacker may have obtained the personal information of University of Arizona employees, as well as details of the institution's financial transactions.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070116/625387/

FYI - MoneyGram says consumer info accessed - MoneyGram International Inc., a global payment services provider, announced Friday that a company server with consumer information for about 79,000 bill payment customers was unlawfully accessed over the Internet last month.
http://www.businessweek.com/ap/financialnews/D8MJSR0O1.htm

FYI - Laptop theft puts residents at risk - A laptop computer containing files on 30,000 taxpayers was stolen from the car of an N.C. Department of Revenue employee last month, and state officials are cautioning everyone on the list to keep an eye on their finances for potential fraud.
http://www.charlotte.com/mld/charlotte/16451423.htm
WEB SITE COMPLIANCE - Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically) or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six transaction limit imposed on passbook savings and MMDA accounts.
Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log, institutions should consider the importance of the related system or information, the importance of monitoring the access controls, the value of logged data in restoring a compromised system, and the means to effectively analyze the data. Generally, logs should capture source identification information; session ID; terminal ID; and the date, time, and the nature of the access attempt, service request, or process. Many hardware and software products come with logging disabled and may have inadequate log analysis and reporting capabilities. Institutions may have to enable the logging capabilities and then verify that logging remains enabled after rebooting. In some cases, additional software will provide the only means to analyze the log files effectively.
Many products such as firewall and intrusion detection software can simplify security monitoring by automating the analysis of the logs and alerting the appropriate personnel of suspicious activity.
Log files are critical to the successful investigation and prosecution of security incidents and can potentially contain sensitive information. Intruders will often attempt to conceal any unauthorized access by editing or deleting log files. Therefore, institutions should strictly control and monitor access to log files. Some considerations for securing the integrity of log files include:
- Encrypting log files that contain sensitive data or that are transmitted over the network,
- Ensuring adequate storage capacity to avoid gaps in data gathering,
- Securing backup and disposal of log files,
- Logging the data to a separate, isolated computer,
- Logging the data to write-only media like a write-once/read-many (WORM) disk or drive,
- Utilizing centralized logging, such as the UNIX "SYSLOG" utility, and
- Setting logging parameters to disallow any modification to previously written data.
The financial institution should have an effective means of tracing a security event through its system. Synchronized time stamps on network devices may be necessary to gather consistent logs and a consistent audit trail. Additionally, logs should be available, when needed, for incident detection, analysis and response.
When using logs to support personnel actions, management should consult with counsel about whether the logs are sufficiently reliable to support the action.
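As an added illustration (this is not code from the newsletter or from the FFIEC booklet): the script below writes access records carrying the fields the booklet lists (source identification, session ID, terminal ID, date and time, and the nature of the access attempt) and shows one way to make "no modification to previously written data" checkable after the fact. Each line carries an HMAC over its body plus the tag of the line before it, so editing, removing or reordering an earlier line breaks every tag that follows. The hash chain and the keyed tag are this example's own choices, not something the booklet prescribes; the key, field names and sample events are constructed for the demonstration.

```python
"""Added example, not code from the newsletter or the FFIEC booklet.

Records the log fields the booklet names and chains each line to the
previous one with an HMAC, so later edits or deletions are detectable.
Hash chaining is this example's own choice, not a booklet requirement.
"""
import hashlib
import hmac
import json

GENESIS = "0" * 64                    # chain anchor used by the first record
DEMO_KEY = b"constructed-demo-key"    # constructed; in practice held on the isolated log host

# Constructed sample access events: timestamp, source ID, session ID, terminal ID, nature.
SAMPLE_EVENTS = [
    ("2007-01-28T08:15:02Z", "10.20.30.40", "S-4711", "TTY-03", "login success"),
    ("2007-01-28T08:17:45Z", "10.20.30.41", "S-4712", "TTY-07", "login failure"),
    ("2007-01-28T08:18:01Z", "10.20.30.41", "S-4712", "TTY-07", "login failure"),
    ("2007-01-28T08:21:30Z", "10.20.30.40", "S-4711", "TTY-03", "wire transfer request"),
]


def _encode(record):
    # Canonical, whitespace-free JSON so the tag is reproducible at verification time.
    return json.dumps(record, sort_keys=True, separators=(",", ":"))


def _tag(key, body):
    return hmac.new(key, body.encode("utf-8"), hashlib.sha256).hexdigest()


class ChainedLog:
    """Append-only log. Each line is '<json body> <hmac tag>'; the body embeds
    the previous line's tag, so altering or dropping an earlier line breaks
    the back-link of the line after it."""

    def __init__(self, key):
        self._key = key
        self._prev = GENESIS
        self.lines = []

    def append(self, ts, source_id, session_id, terminal_id, nature):
        record = {
            "ts": ts,
            "source_id": source_id,
            "session_id": session_id,
            "terminal_id": terminal_id,
            "nature": nature,
            "prev": self._prev,
        }
        body = _encode(record)
        tag = _tag(self._key, body)
        line = body + " " + tag
        self.lines.append(line)
        self._prev = tag
        return line


def build_sample_log(key=DEMO_KEY):
    """Push the constructed events through the chain and return the log lines."""
    log = ChainedLog(key)
    for event in SAMPLE_EVENTS:
        log.append(*event)
    return log.lines


def verify_chain(lines, key=DEMO_KEY):
    """Return (True, None) if every line's tag and back-link check out,
    otherwise (False, index) for the first line that fails."""
    prev = GENESIS
    for i, line in enumerate(lines):
        body, sep, tag = line.rpartition(" ")
        if not sep:
            return False, i                      # malformed line
        if not hmac.compare_digest(_tag(key, body), tag):
            return False, i                      # body edited or tag forged
        if json.loads(body).get("prev") != prev:
            return False, i                      # a preceding line was removed or reordered
        prev = tag
    return True, None


if __name__ == "__main__":
    lines = build_sample_log()
    print(verify_chain(lines))                   # (True, None)
    edited = list(lines)
    edited[1] = edited[1].replace('"TTY-07"', '"TTY-99"')
    print(verify_chain(edited))                  # (False, 1)
    print(verify_chain(lines[:1] + lines[2:]))   # (False, 1)
```

Two points follow from the design. The key must not live on the host that produces the log, otherwise an intruder who can edit the file can also re-sign it; keeping it on the separate, isolated log host the booklet recommends closes that gap. And a chain only proves that what remains is consistent with what came before it: cutting off the newest lines is invisible unless the latest tag is also recorded elsewhere, for instance by forwarding it with the centralized logging the booklet mentions.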
IT SECURITY QUESTION:
BUSINESS CONTINUITY-SECURITY
1. Determine if adequate physical security and access controls exist over data back-ups and program libraries throughout their life cycle, including when they are created, transmitted/taken to storage, stored, retrieved and loaded, and destroyed.
- Review the risk assessment to identify key control points in a data set's life cycle.
- Verify controls are in place consistent with the level of risk presented.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
38. For customers only, does the institution ensure that the initial, annual, and revised notices may be retained or obtained later by the customer in writing, or if the customer agrees, electronically? [§9(e)(1)]
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.