REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - This week, I will be taking some time to be with family and friends.
I will have my laptop but may not respond to emails as quickly as
normal. I will be back in the office Tuesday February 19.
FYI - Top firms open to voluntary cybersecurity rules - Many Fortune 500
companies support the creation of federal cybersecurity standards to
protect them from Internet threats like hacking as long as they are
voluntary, according to a Senate survey of top U.S. chief executives
released on Wednesday.
http://www.nbcnews.com/technology/technolog/top-firms-open-voluntary-cybersecurity-rules-senate-1B8185954
FYI - GAO - Information Security: Federal Communications Commission Needs
to Strengthen Controls over Enhanced Secured Network Project.
http://www.gao.gov/products/GAO-13-155
FYI - App owner to pay $800k to settle child privacy charges - A San
Francisco-based app operator will pay $800,000 to settle Federal
Trade Commission (FTC) charges that it violated the Children's
Online Privacy Protection Act (COPPA) by collecting youngsters'
personal information without parental consent, the agency announced
Friday.
http://www.scmagazine.com/app-owner-to-pay-800k-to-settle-child-privacy-charges/article/278788/?DCMP=EMC-SCUS_Newswire
http://news.cnet.com/8301-1009_3-57567179-83/privacy-at-risk-as-path-app-lets-location-data-slip/
FYI - Following breaches, Utah Senate passes data protection law - The
Utah State Senate has passed legislation that would set best
practices for the storing and transmitting on state servers of
residents' personally identifiable information (PII). Sen. Stuart
Reid, R-Utah, began drafting the bill last year, following a massive
breach when a Utah Department of Health server was hacked.
http://www.scmagazine.com/following-breaches-utah-senate-passes-data-protection-law/article/278764/?DCMP=EMC-SCUS_Newswire
FYI - Obama can 'order pre-emptive cyber-attack' if U.S. faces threat -
According to a source speaking to The New York Times, President
Obama can authorize a 'pre-emptive strike' against a nation if U.S.
national security is at risk.
http://www.zdnet.com/obama-can-order-pre-emptive-cyber-attack-if-u-s-faces-threat-7000010769/
FYI - U.S. weighs retaliation to alleged Chinese cyberattacks - Following
a string of cyberattacks allegedly coming from China, the U.S.
government is debating what form the response should take. The Obama
administration is considering further action after the failure of
high-level talks with Chinese officials over cyberattacks against
America, according to the Associated Press.
http://news.cnet.com/8301-1009_3-57567089-83/u.s-weighs-retaliation-to-alleged-chinese-cyberattacks/
FYI - Defense positions a military cyber squad on DHS turf - Pentagon
plans to deploy a military cyber squad to guard U.S. networks
sustaining hospitals and other vital commercial sectors drew hopeful
skepticism from technology experts -- and silence from counterparts
at the Homeland Security Department.
http://www.nextgov.com/cybersecurity/2013/02/defense-positions-military-cyber-squad-dhs-turf/61057/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Hackers in China Attacked The Times for Last 4 Months - For the last
four months, Chinese hackers have persistently attacked The New York
Times, infiltrating its computer systems and getting passwords for
its reporters and other employees.
http://www.nytimes.com/2013/01/31/technology/chinese-hackers-infiltrate-new-york-times-computers.html?hp&_r=1&
FYI - Wall Street Journal also a victim of espionage - Less than a day
after The New York Times revealed that its reporters were targeted
by Chinese hackers, The Wall Street Journal disclosed on Thursday
that its systems were also breached by attackers from China wanting
to observe the newspaper's coverage of the country.
http://www.scmagazine.com/wall-street-journal-also-a-victim-of-espionage/article/278498/?DCMP=EMC-SCUS_Newswire
FYI - Anonymous claims to expose bank executive details - Hacktivist group
Anonymous said it has posted the sensitive details of 4,000 bank
executives on a government website.
http://www.scmagazine.com/anonymous-claims-to-expose-bank-executive-details/article/278982/?DCMP=EMC-SCUS_Newswire
FYI - Federal Reserve confirms its Web site was hacked - Days after
Anonymous claimed to have stolen and published private information
from more than 4,000 bank executives, the Fed says its system was
attacked.
http://news.cnet.com/8301-1009_3-57567824-83/federal-reserve-confirms-its-web-site-was-hacked/
http://www.scmagazine.com/internal-site-hacked-federal-reserve-confirms/article/279403/?DCMP=EMC-SCUS_Newswire
FYI - Department Of Energy Confirms Data Breach - Online attackers
successfully penetrated the Department of Energy (DOE) network in
the middle of January and obtained copies of personally identifiable
information (PII) pertaining to several hundred of the agency's
employees and contractors.
http://www.informationweek.com/security/attacks/department-of-energy-confirms-data-breac/240147877
FYI - Dutch man sentenced in US to 12 years in credit card scam - A
22-year-old Dutch man who sold credit card details online was
sentenced on Friday to 12 years in a U.S. prison in a fraud case
that prosecutors alleged caused more than $63 million in damages,
according to the Department of Justice.
http://www.computerworld.com/s/article/9236488/Dutch_man_sentenced_in_US_to_12_years_in_credit_card_scam?taxonomyId=17
FYI - Washington Post Also Broadly Infiltrated By Chinese Hackers in 2012
- The Washington Post was among several major U.S. newspapers that
spent much of 2012 trying to untangle its newsroom computer networks
from a Web of malicious software thought to have been planted by
Chinese cyberspies, according to a former information technology
employee at the paper.
http://krebsonsecurity.com/2013/02/source-washington-post-also-broadly-infiltrated-by-chinese-hackers-in-2012/
FYI - Energy Department latest to be struck by skilled hackers - The
personally identifiable information (PII) of hundreds of U.S.
Department of Energy (DOE) employees and contractors was accessed by
intruders that breached DOE's networks.
http://www.scmagazine.com/energy-department-latest-to-be-struck-by-skilled-hackers/article/279178/?DCMP=EMC-SCUS_Newswire
FYI - HRSDC loses 583,000 personal data of Canadians - Human Resources and
Skills Development Canada (HRSDC), a department of the Government of
Canada, was reeling last month after the personal data of 583,000
Canadians was lost on a portable hard drive.
http://www.scmagazine.com/hrsdc-loses-583000-personal-data-of-canadians/article/279205/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
costly litigation.
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
messages:
- A financial institution's Web page should never be accessed from
a link provided by a third party. It should only be accessed by
typing the Web site name, or URL address, into the Web browser or by
using a "bookmark" that directs the Web browser to the financial
institution's Web site.
- A financial institution should not be sending e-mail messages
that request confidential information, such as account numbers,
passwords, or PINs. Financial institution customers should be
reminded to report any such requests to the institution.
- Financial institutions should maintain current Web site
certificates and describe how the customer can authenticate the
institution's Web pages by checking the properties on a secure Web
page.
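The first of the three messages above, "never follow a third-party link to the institution's site", is easier to teach with concrete link shapes in front of the reader. The following Python checker is an added example written for this newsletter; it is not part of the guidance being quoted and not an institution's production tool. The institution domain examplebank.com, the helper names, and the sample message are all constructed for the example. It accepts only an https link whose host is the institution's own domain or a subdomain of it and names the reason a link is rejected, covering the usual deceptive shapes (a different domain with the institution's name in front, an "@" that hides the real host, a bare IP address, and non-ASCII or punycode look-alike hosts).

```python
import re
import ipaddress
from typing import List, Tuple
from urllib.parse import urlsplit

# Constructed for this example: the institution's registered domain.
INSTITUTION_DOMAIN = "examplebank.com"

# Matches http(s) links in a plain-text message body.
URL_RE = re.compile(r"https?://[^\s<>\"')]+")


def link_belongs_to_institution(url: str, domain: str = INSTITUTION_DOMAIN) -> Tuple[bool, str]:
    """Return (ok, reason).  ok is True only for an https URL whose host is the
    institution's domain or a subdomain of it; any other shape is named in reason."""
    parts = urlsplit(url.strip())
    if parts.scheme.lower() != "https":
        return False, f"scheme is {parts.scheme!r}, not https"
    host = parts.hostname  # lower-cased; userinfo and port already stripped
    if not host:
        return False, "URL has no host"
    if parts.username is not None:
        # https://examplebank.com@other.example/ : the text before '@' is userinfo,
        # the real host is other.example
        return False, f"text before '@' is not the host; real host is {host!r}"
    try:
        ipaddress.ip_address(host)
        return False, f"host is a bare IP address ({host})"
    except ValueError:
        pass  # not an IP literal, carry on with the name checks
    if not host.isascii() or host.startswith("xn--") or ".xn--" in host:
        return False, f"host {host!r} uses non-ASCII or punycode characters"
    if host != domain and not host.endswith("." + domain):
        # catches examplebank.com.login-verify.example and evil-examplebank.com alike
        return False, f"host {host!r} is not under {domain!r}"
    return True, f"host {host!r} is under {domain!r}"


def audit_message_links(text: str) -> List[Tuple[str, bool, str]]:
    """Extract every http(s) link from a message body and check each one."""
    return [(url, *link_belongs_to_institution(url)) for url in URL_RE.findall(text)]


# Constructed sample message: one genuine link followed by two deceptive ones.
SAMPLE_MESSAGE = """\
Dear customer, please confirm your account at
https://www.examplebank.com/secure/login
or use our backup site https://examplebank.com.login-verify.example/ and
our direct link https://examplebank.com@198.51.100.7/update
"""

if __name__ == "__main__":
    for url, ok, reason in audit_message_links(SAMPLE_MESSAGE):
        print("OK  " if ok else "BAD ", url, "-", reason)
```

The checker deliberately uses `urlsplit().hostname` rather than hand-parsing, because that is the host the browser will actually connect to; the reason strings are what a customer-education notice or a help-desk script would repeat back to the customer.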
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."
Data Transmission and Types of Firewalls
Data traverses the Internet in units referred to as packets. Each
packet has headers which contain information for delivery, such as
where the packet is from, where it is going, and what application it
contains. The varying firewall techniques examine the headers and
either permit or deny access to the system based on the firewall's
rule configuration.
There are different types of firewalls that provide various levels
of security. For instance, packet filters, sometimes implemented as
screening routers, permit or deny access based solely on the stated
source and/or destination IP address and the application (e.g.,
FTP). However, addresses and applications can be easily falsified,
allowing attackers to enter systems. Other types of firewalls, such
as circuit-level gateways and application gateways, actually have
separate interfaces with the internal and external (Internet)
networks, meaning no direct connection is established between the
two networks. A relay program copies all data from one interface to
another, in each direction. An even stronger firewall, a stateful
inspection gateway, not only examines data packets for IP addresses,
applications, and specific commands, but also provides security
logging and alarm capabilities, in addition to historical
comparisons with previous transmissions for deviations from normal
context.
Implementation
When evaluating the need for firewall technology, the potential
costs of system or data compromise, including system failure due to
attack, should be considered. For most financial institution
applications, a strong firewall system is a necessity. All
information into and out of the institution should pass through the
firewall. The firewall should also be able to change IP addresses to
the firewall IP address, so no inside addresses are passed to the
outside. The possibility always exists that security might be
circumvented, so there must be procedures in place to detect attacks
or system intrusions. Careful consideration should also be given to
any data that is stored or placed on the server, especially
sensitive or critically important data.
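The difference between a packet filter, a stateful inspection gateway, and the address-rewriting requirement in the Implementation paragraph is easiest to see on a small model. The Python below is an added example for this newsletter, not code from the FDIC paper or from any firewall product. It uses constructed addresses from the RFC 5737 documentation ranges (192.0.2.0/24 as the inside network, 203.0.113.1 as the firewall) and the class and function names are the example's own. A stateless filter judging headers alone has to admit any outside packet whose source port looks like a reply, so an outside host setting that port reaches an inside machine; the stateful gateway admits only packets matching a connection opened from inside, logs an alarm otherwise, and the hiding variant rewrites the outbound source address so inside addresses never leave.

```python
from dataclasses import dataclass, replace
import ipaddress
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    """The header fields a firewall looks at: where from, where to, which application."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # True only on the first packet of a TCP connection


# Constructed addresses from the RFC 5737 documentation ranges.
INSIDE = ipaddress.ip_network("192.0.2.0/24")   # the institution's internal network
FIREWALL_ADDR = "203.0.113.1"                   # the firewall's outside address
ALLOWED_SERVICES = {443}                         # applications inside hosts may reach (HTTPS)

FlowKey = Tuple[str, int, str, int]


def is_inside(addr: str) -> bool:
    return ipaddress.ip_address(addr) in INSIDE


def stateless_filter(pkt: Packet) -> bool:
    """Packet filter / screening router: decides from this packet's headers alone.
    Replies can only be recognised by their source port, so an outside host that
    simply sets sport=443 is admitted to any inside port."""
    if is_inside(pkt.src) and not is_inside(pkt.dst):
        return pkt.dport in ALLOWED_SERVICES
    if not is_inside(pkt.src) and is_inside(pkt.dst):
        return pkt.sport in ALLOWED_SERVICES
    return False


class StatefulGateway:
    """Stateful inspection: remembers connections opened from inside, admits only
    packets that belong to one, and logs an alarm for anything unsolicited."""

    def __init__(self) -> None:
        self.flows: Set[FlowKey] = set()
        self.log: List[str] = []

    def filter(self, pkt: Packet) -> bool:
        key: FlowKey = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if is_inside(pkt.src) and not is_inside(pkt.dst):
            if pkt.syn and pkt.dport in ALLOWED_SERVICES:
                self.flows.add(key)
                self.log.append(f"OPEN  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
                return True
            return key in self.flows
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
                return True
            self.log.append(f"ALERT unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return False
        return False


class HidingGateway(StatefulGateway):
    """Adds the address rewriting the text calls for: traffic leaves carrying the
    firewall's address, so no inside address reaches the outside.  Assumption of
    this toy: the inside source port is reused as the outside port (a real
    gateway allocates ports to avoid collisions)."""

    def __init__(self) -> None:
        super().__init__()
        # (outside port, remote addr, remote port) -> inside address
        self.nat: Dict[Tuple[int, str, int], str] = {}

    def outbound(self, pkt: Packet) -> Optional[Packet]:
        if not self.filter(pkt):
            return None
        self.nat[(pkt.sport, pkt.dst, pkt.dport)] = pkt.src
        return replace(pkt, src=FIREWALL_ADDR)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        inside = self.nat.get((pkt.dport, pkt.src, pkt.sport))
        if inside is None:
            self.log.append(f"ALERT unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return None
        restored = replace(pkt, dst=inside)
        return restored if self.filter(restored) else None


if __name__ == "__main__":
    probe = Packet("198.51.100.99", 443, "192.0.2.10", 22)   # outsider posing as a "reply"
    print("stateless admits probe:", stateless_filter(probe))  # True: source port is all it sees
    gw = HidingGateway()
    gw.outbound(Packet("192.0.2.10", 50000, "198.51.100.5", 443, syn=True))
    print("stateful admits probe:", gw.inbound(probe) is not None)  # False: no matching flow
    print("\n".join(gw.log))
```

The `log` list is the "security logging and alarm capabilities" the text credits to stateful inspection: the same unsolicited packet that the stateless filter silently passes produces an ALERT line here, which is the detection hook the Implementation paragraph says must exist.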
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Consumer and Customer:
A "customer" is a consumer who has a "customer relationship"
with a financial institution. A "customer relationship" is a
continuing relationship between a consumer and a financial
institution under which the institution provides one or more
financial products or services to the consumer that are to be used
primarily for personal, family, or household purposes.
For example, a customer relationship may be established when a
consumer engages in one of the following activities with a financial
institution:
1) maintains a deposit or investment account;
2) obtains a loan;
3) enters into a lease of personal property; or
4) obtains financial, investment, or economic advisory services for
a fee.
Customers are entitled to initial and annual privacy notices
regardless of the information disclosure practices of their
financial institution.
There is a special rule for loans. When a financial institution
sells the servicing rights to a loan to another financial
institution, the customer relationship transfers with the servicing
rights. However, any information on the borrower retained by the
institution that sells the servicing rights must be accorded the
protections due any consumer.
Note that isolated transactions alone will not cause a consumer to
be treated as a customer. For example, if an individual purchases a
bank check from a financial institution where the person has no
account, the individual will be a consumer but not a customer of
that institution because he or she has not established a customer
relationship. Likewise, if an individual uses the ATM of a financial
institution where the individual has no account, even repeatedly,
the individual will be a consumer, but not a customer of that
institution.