FYI - Consumers can scan
bank deposits at home - Online banking service provider CheckFree
Corp. is rolling out technology that could mean consumers will no
longer have to go to a bank branch to deposit checks.
http://seattlepi.nwsource.com/business/1700ap_scanning_checks.html
FYI -
Interagency Statement on Pandemic Planning Guidance for Minimizing a
Pandemic's Potential Adverse Effects - The Federal Financial
Institutions Examination Council has issued the attached
"Interagency Statement on Pandemic Planning" (Statement) identifying
actions that financial institutions should take to minimize the
potential adverse effects of a pandemic.
www.fdic.gov/news/news/financial/2008/fil08006.html
FYI -
Internet outages overseas prompt business continuity awareness -
Major internet disruptions occurring today across the Middle East
and parts of Asia and Africa after two undersea cables were sliced
should prompt global businesses of all sizes to review their
business continuity and disaster recovery strategies, experts said.
http://www.scmagazineus.com/Internet-outages-overseas-prompt-business-continuity-awareness/article/104819/
FYI -
Symantec says network availability biggest concern for IT managers -
How organizations define IT risk is expanding, according to
Symantec's second IT Risk Management Report, which also indicates
that concerns about network availability have become foremost in the
minds of those responsible for managing enterprise networks.
http://www.scmagazine.com/uk/news/article/781155/symantec-says-network-%20-availability-biggest-concern-managers/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Swedish plods cuff remote-access robbery ring - Swedish crooks
almost managed to rob a bank using remote access gear attached to a
computer, according to reports. The movie-style ploy was foiled only
at the last minute by an alert employee unplugging the kit,
according to local prosecutors and cops.
http://www.theregister.co.uk/2008/01/31/remote_access_bank_robbery_unplugged/print.html
FYI -
Data breaches probed at New Jersey Blue Cross, Georgetown - Stolen
laptop had personal data on 300,000 health plan members; swiped disk
had data on 38,000 - Companies are paying a lot of attention to
securing their networks against malicious attackers and other
threats, but some still lag in implementing similar measures for
protecting data on desktops, laptops and portable storage devices.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9060299&source=rss_topic17
http://www.nj.com/news/ledger/jersey/index.ssf?/base/news-9/1201671434279680.xml&coll=1
FYI -
Wake EMS Laptop is Missing - Wake County Emergency Medical Services
officials waited eight days to file a formal report on the suspected
theft of a laptop containing names, addresses and Social Security
numbers of as many as 850 patients transported by county ambulances.
http://www.firefightingnews.com/article-US.cfm?articleID=44430
http://www.theboltonnews.co.uk/misc/print.php?artid=2003952
FYI -
38,000 Social Security Numbers Potentially Exposed After Theft - A
hard drive containing the Social Security numbers of nearly 40,000
Georgetown students, alumni, faculty and staff was reported stolen
from the office of Student Affairs on Jan. 3, potentially exposing
thousands of students to identity theft.
http://www.thehoya.com/node/15151
FYI -
LimeWire led to data breach: N.L. justice minister - A popular
file-sharing program exposed the private details of more than 150
people over the internet earlier this month, the Newfoundland and
Labrador government said.
http://www.cbc.ca/canada/newfoundland-labrador/story/2008/02/01/limewire-breach.html
FYI -
Hackers breach Davidson Companies client database - The Davidson
Companies, a Montana-based financial-services firm, said this week
that one of its databases, containing the names and Social Security
numbers of 226,000 current and past clients, was illegally accessed
"by a third party through a sophisticated network intrusion."
http://www.scmagazineus.com/Hackers-breach-Davidson-Companies-database-access-clients-names-Social-Security-numbers/article/104782/
FYI -
Doctor Loses Flash Drive With Patient Information - Parents with
fertility problems know that it's a very private struggle. Couples
often don't even tell close friends or relatives they're having
trouble having a baby. That's why the loss of patient information at
the University of Minnesota's Reproductive Medicine Center has
leaders there especially worried.
http://wcco.com/health/doctor.patient.information.2.642107.html
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed but is similarly
authenticated by the consumer, such as through the use of a security
code. According to the Official Staff Commentary (OSC), an example of
a consumer's authorization that is not in the form of a signed
writing but is, instead, "similarly authenticated," is a consumer's
authorization via a home banking system.
To satisfy the regulatory requirements, the institution must have
some means to identify the consumer (such as a security code) and
make a paper copy of the authorization available (automatically or
upon request). The text of the electronic authorization must be
displayed on a computer screen or other visual display that enables
the consumer to read the communication from the institution. Only the
consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, the timing of a consumer's report of an
unauthorized transaction, or of the loss or theft of an access
device, determines the consumer's liability. A financial institution
may receive such a report through an electronic medium. Therefore,
the institution should ensure that controls are in place to review
these notifications and to ensure that an investigation is initiated
as required.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
ANALYZE INFORMATION (1 of 2)
The information gathered is used to characterize the system, to
identify and measure threats to the system and the data it contains
and transmits, and to estimate the likelihood that a threat will
take action against the system or data.
System characterization articulates the understanding of the system,
including the boundaries of the system being assessed, the system's
hardware and software, and the information that is stored,
processed, and transmitted. Since operational systems may have
changed since they were last documented, a current review of the
system should be performed. Developmental systems, on the other
hand, should be analyzed to determine their key security rules and
attributes. Those rules and attributes should be documented as part
of the systems development lifecycle process. System
characterization also requires the cross-referencing of
vulnerabilities to current controls to identify those that mitigate
specific threats, and to assist in highlighting the control areas
that should be improved.
A key part of system characterization is the ranking of data and
system components according to their sensitivity and importance to
the institution's operations. Additionally, consistent with the
GLBA, the ranking should consider the potential harm to customers of
unauthorized access to and disclosure of customer nonpublic personal
information. Ranking allows for a reasoned and measured analysis of
the relative outcome of various attacks, and the limiting of the
analysis to sensitive information or information and systems that
may materially affect the institution's condition and operations.
Threats are identified and measured through the creation and
analysis of threat scenarios. Threat scenarios should be
comprehensive in their scope (e.g., they should consider reasonably
foreseeable threats and possible attacks against information and
systems that may affect the institution's condition and operations
or may cause data disclosures that could result in substantial harm or inconvenience to customers).
They should consider the potential effect and likelihood for failure
within the control environment due to non-malicious or malicious
events. They should also be coordinated with business continuity
planning to include attacks performed when those plans are
implemented. Non-malicious scenarios typically involve accidents
related to inadequate access controls and natural disasters.
Malicious scenarios, either general or specific, typically involve a
motivated attacker (i.e., threat) exploiting a vulnerability to gain
access to an asset to create an outcome that has an impact.
An example of a general malicious threat scenario is an unskilled
attacker using a program script to exploit a vulnerable
Internet-accessible Web server to extract customer information from
the institution's database. Assuming the attacker's motivation is to
seek recognition from others, the attacker publishes the
information, causing the financial institution to suffer damage to
its reputation. Ultimately, customers are likely to be victims of
identity theft.
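The characterization, ranking and threat-scenario steps above can be carried out as a simple risk register. The Python below is an added illustration, not part of the FFIEC booklet; the assets, controls, scenarios and the 1-to-4 scales are constructed assumptions. It reproduces the general malicious scenario in the text (an unskilled attacker scripting an attack on an Internet-facing web server to reach the customer database) beside a stolen-laptop scenario and a non-malicious flood scenario, cross-references each scenario's mitigating controls against those actually in place, and lists the control gaps that would reduce the most risk.

```python
"""Toy information-security risk assessment: system characterization,
sensitivity ranking and threat scenarios cross-referenced against controls.
Added illustration; every asset, threat, control name and scale is constructed."""
from dataclasses import dataclass

# Assumed GLBA-style sensitivity ranking: higher means more customer harm if disclosed.
SENSITIVITY = {"public": 1, "internal": 2, "confidential": 3, "customer_npi": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    classification: str          # key into SENSITIVITY
    operational_importance: int  # 1 (minor) .. 4 (critical to operations)


@dataclass(frozen=True)
class ThreatScenario:
    name: str
    asset: str                   # Asset.name this scenario targets
    malicious: bool              # attacker-driven vs. accident / natural event
    vulnerability: str
    likelihood: int              # 1 (rare) .. 4 (expected), before controls
    mitigating_controls: tuple   # control names that would lower likelihood


@dataclass
class Assessment:
    assets: dict
    scenarios: list
    controls_in_place: set

    def impact(self, scenario):
        a = self.assets[scenario.asset]
        return max(SENSITIVITY[a.classification], a.operational_importance)

    def residual_likelihood(self, scenario):
        # Each implemented mitigating control lowers likelihood one notch (floor 1).
        implemented = sum(1 for c in scenario.mitigating_controls
                          if c in self.controls_in_place)
        return max(1, scenario.likelihood - implemented)

    def risk(self, scenario):
        return self.impact(scenario) * self.residual_likelihood(scenario)

    def ranked(self):
        """Scenarios from highest to lowest residual risk."""
        return sorted(self.scenarios, key=lambda s: (-self.risk(s), s.name))

    def control_gaps(self):
        """Controls referenced by scenarios but not in place, with the total
        residual risk of the scenarios each would reduce (highest first)."""
        gaps = {}
        for s in self.scenarios:
            for c in s.mitigating_controls:
                if c not in self.controls_in_place:
                    gaps[c] = gaps.get(c, 0) + self.risk(s)
        return sorted(gaps.items(), key=lambda kv: (-kv[1], kv[0]))


def build_sample_assessment():
    """Constructed data standing in for an institution's system characterization."""
    assets = {a.name: a for a in [
        Asset("web_server", "internal", 3),
        Asset("customer_db", "customer_npi", 4),
        Asset("field_laptop", "customer_npi", 2),
        Asset("marketing_site", "public", 1),
    ]}
    scenarios = [
        # The booklet's general scenario: script against a vulnerable web server to reach customer data.
        ThreatScenario("script_kiddie_web_to_db", "customer_db", True,
                       "unpatched web application reachable from the Internet", 4,
                       ("patch_management", "waf", "db_least_privilege")),
        ThreatScenario("stolen_laptop", "field_laptop", True,
                       "customer extract on an unencrypted disk", 2,
                       ("full_disk_encryption",)),
        ThreatScenario("datacenter_flood", "customer_db", False,
                       "single processing site", 1,
                       ("offsite_backups", "alternate_site")),
        ThreatScenario("site_defacement", "marketing_site", True,
                       "weak administrative password", 3,
                       ("strong_auth",)),
    ]
    return Assessment(assets, scenarios, {"patch_management", "offsite_backups"})


if __name__ == "__main__":
    a = build_sample_assessment()
    for s in a.ranked():
        print(f"{a.risk(s):>2}  {s.name} (impact {a.impact(s)}, "
              f"residual likelihood {a.residual_likelihood(s)})")
    print("control gaps:", a.control_gaps())
```

With the constructed inputs, the web-server-to-database scenario ranks first (impact 4, residual likelihood 3), and the two missing controls on that scenario head the gap list, which is the "control areas that should be improved" output the booklet asks the characterization to produce.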
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication
3. Evaluate the effectiveness of password and shared secret
administration for employees and customers considering the
complexity of the processing environment and type of information
accessed. Consider:
• Confidentiality of passwords and shared secrets (whether only
known to the employee/customer);
• Maintenance of confidentiality through reset procedures;
• The frequency of required changes (for applications, the user
should be able to change the initial password issued at enrollment
without any other user's intervention);
• Password composition in terms of length and type of characters
(new or changed passwords should result in a password whose strength
and reuse agrees with the security policy);
• The strength of shared secret authentication mechanisms;
• Restrictions on duplicate shared secrets among users (no
restrictions should exist: rejecting a secret because another user
already holds it would disclose that user's secret); and
• The extent of authorized access (e.g., privileged access, single
sign-on systems).
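The password-administration points above can be exercised in code. The Python below is an added example, not examination material: the length, character-class and history-depth values are assumed policy settings, PBKDF2-HMAC-SHA256 is the assumed hashing primitive, and the user names are constructed. It enforces composition and per-user reuse, and deliberately never compares one user's secret against other users' secrets, which is why the procedure says no duplicate-secret restriction should exist.

```python
"""Password administration checks: composition against policy, per-user reuse
history, and no cross-user duplicate check. Added example; policy values below
are assumptions, not FFIEC-prescribed settings."""
import hashlib
import hmac
import os
import string

# Assumed policy; an institution takes these from its own security policy.
MIN_LENGTH = 12
REQUIRED_CLASSES = 3        # of: lower, upper, digit, symbol
HISTORY_DEPTH = 10          # previous passwords a user may not reuse
PBKDF2_ROUNDS = 100_000     # work factor; raise in production


def composition_problems(password):
    """Return a list of policy violations; an empty list means compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])
    if classes < REQUIRED_CLASSES:
        problems.append(f"uses {classes} character classes, policy needs {REQUIRED_CLASSES}")
    return problems


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class UserPasswordStore:
    """Per-user salted hashes: the current secret plus a bounded history.
    Only the user's own history is consulted for reuse, so the system never
    reveals whether another user holds the same secret."""

    def __init__(self):
        self._users = {}    # username -> list of (salt, digest), newest last

    def _matches_history(self, username, password):
        for salt, digest in self._users.get(username, []):
            if hmac.compare_digest(_hash(password, salt), digest):
                return True
        return False

    def set_password(self, username, new_password):
        """Apply policy and store the secret. Returns problems; empty list = accepted."""
        problems = composition_problems(new_password)
        if self._matches_history(username, new_password):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        salt = os.urandom(16)   # fresh salt per stored secret
        history = self._users.setdefault(username, [])
        history.append((salt, _hash(new_password, salt)))
        del history[:-HISTORY_DEPTH]   # keep only the most recent HISTORY_DEPTH
        return []

    def verify(self, username, password):
        """Check against the current (newest) secret only, in constant time."""
        history = self._users.get(username)
        if not history:
            return False
        salt, digest = history[-1]
        return hmac.compare_digest(_hash(password, salt), digest)


def demo():
    """Walk through the checklist with constructed users and passwords."""
    store = UserPasswordStore()
    results = {}
    results["weak"] = store.set_password("alice", "password")              # too short, one class
    results["first"] = store.set_password("alice", "Correct-Horse-42")     # accepted
    results["reuse"] = store.set_password("alice", "Correct-Horse-42")     # rejected: in history
    results["second"] = store.set_password("alice", "Battery-Staple-77")   # accepted, supersedes
    # Bob may pick the same secret Alice uses; refusing it would leak hers.
    results["bob_same"] = store.set_password("bob", "Battery-Staple-77")
    results["verify_old"] = store.verify("alice", "Correct-Horse-42")      # superseded secret
    results["verify_new"] = store.verify("alice", "Battery-Staple-77")
    return results


if __name__ == "__main__":
    for step, outcome in demo().items():
        print(f"{step:>10}: {outcome}")
```

The reset path is the one place this store is silent: a help-desk reset should go through set_password with a one-time value the user is forced to change, so the reset operator never learns the user's chosen secret.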
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
15. If the institution provides a short-form initial privacy notice
with the opt out notice, does the institution do so only to
consumers with whom the institution does not have a customer
relationship? [§6(d)(1)]