REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI
- Federal Cybersecurity Guidelines Now Cover Cloud, Mobility -
Emerging technologies and cyber threats are focus of NIST's first
update to feds' security handbook in three years. New technologies,
such as mobile and cloud computing, that are rapidly being adopted
by the federal government have informed a major update to federal
cybersecurity standards.
http://www.informationweek.com/news/government/security/232601767
FYI
- Air Force aims to turn cyber into a career - The military has
known for years that it will never be able to compete with the
private sector when it comes to paying cyber experts.
http://www.federalnewsradio.com/?nid=396&sid=2768121
FYI
- Cyber Challenge Fills Education Void - The U.S. Cyber Challenge is
attracting young college graduates who feel their education has not
effectively prepared them for cybersecurity work.
http://wiredworkplace.nextgov.com/2012/02/cyber_challenge_fills_education_void.php?oref=latest_posts
FYI
- Banking Trojan hijacks live chat to run real-time fraud - Simpler,
faster, better... for crooks - A new strain of financial malware is
hijacking live chat sessions in a bid to hoodwink business banking
customers into handing over their banking login credentials or into
authorising fraudulent transactions.
http://www.theregister.co.uk/2012/02/28/banking_trojan_hijack_live_chat/
FYI
- Constitutional Showdown Voided: Feds Decrypt Laptop Without
Defendant’s Help - Colorado federal authorities have decrypted a
laptop seized from a bank-fraud defendant, mooting a judge’s order
that the defendant unlock the hard drive so the government could use
its contents as evidence against her.
http://www.wired.com/threatlevel/2012/02/decryption-flap-mooted/
FYI
- FCC seeks comment on police shutdowns of cell service - Last
year's police shutdowns of cell phone service in San Francisco
subways were prompted by protests against police shootings. The FCC
wants public input on the issues around shutdowns.
http://news.cnet.com/8301-1009_3-57389838-83/fcc-seeks-comment-on-police-shutdowns-of-cell-service/
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Microsoft India warns that hackers accessed customer data - The
company's online store in India was hacked earlier this month -
Microsoft has warned customers that their financial data such as
credit card information may have been compromised by hackers who
attacked the company's online store in India earlier this month.
http://www.computerworld.com/s/article/9224699/Microsoft_India_warns_that_hackers_accessed_customer_data
FYI
- Stolen NASA laptop had Space Station control codes - And no
encryption for supervillains to crack - A NASA laptop stolen last
year had not been encrypted, despite containing codes used to
control and command the International Space Station, the agency's
inspector general told a US House committee.
http://www.theregister.co.uk/2012/03/01/nasa_stolen_laptop_unencrypted/
FYI
- Michael Jackson catalog among files stolen in Sony breach -
Hackers ripped off an estimated 50,000 music files, involving
Michael Jackson's entire back catalog, from Sony's internal
music-sharing site.
http://www.scmagazine.com/michael-jackson-catalog-among-files-stolen-in-sony-breach/article/230729/?DCMP=EMC-SCUS_Newswire
FYI
- Hackers had 'full functional control' of Nasa computers - Hackers
gained "full functional control" of key Nasa computers in 2011, the
agency's inspector general has told US lawmakers.
http://www.bbc.co.uk/news/technology-17231695
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Introduction
Banking organizations have been delivering electronic services to
consumers and businesses remotely for years. Electronic funds
transfer, including small payments and corporate cash management
systems, as well as publicly accessible automated machines for
currency withdrawal and retail account management, are global
fixtures. However, the increased world-wide acceptance of the
Internet as a delivery channel for banking products and services
provides new business opportunities for banks as well as service
benefits for their customers.
Continuing technological innovation and competition among existing
banking organizations and new market entrants has allowed for a much
wider array of electronic banking products and services for retail
and wholesale banking customers. These include traditional
activities such as accessing financial information, obtaining loans
and opening deposit accounts, as well as relatively new products and
services such as electronic bill payment services, personalized
financial "portals," account aggregation and business-to-business
market places and exchanges.
Notwithstanding the significant benefits of technological
innovation, the rapid development of e-banking capabilities carries
risks as well as benefits and it is important that these risks are
recognized and managed by banking institutions in a prudent manner.
These developments led the Basel Committee on Banking Supervision to
conduct a preliminary study of the risk management implications of
e-banking and e-money in 1998. This early study demonstrated a clear
need for more work in the area of e-banking risk management and that
mission was entrusted to a working group comprised of bank
supervisors and central banks, the Electronic Banking Group (EBG),
which was formed in November 1999.
The Basel Committee released the EBG's Report on risk management and
supervisory issues arising from e-banking developments in October
2000. This Report inventoried and assessed the major risks
associated with e-banking, namely strategic risk, reputational risk,
operational risk (including security and legal risks), and credit,
market, and liquidity risks. The EBG concluded that e-banking
activities did not raise risks that were not already identified by
the previous work of the Basel Committee. However, it noted that
e-banking increases and modifies some of these traditional risks,
thereby influencing the overall risk profile of banking. In
particular, strategic risk, operational risk, and reputational risk
are certainly heightened by the rapid introduction and underlying
technological complexity of e-banking activities.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
PERSONNEL SECURITY
Security personnel allow legitimate users to have the system
access necessary to perform their duties. Because of their internal
access levels and intimate knowledge of financial institution
processes, authorized users pose a potential threat to systems and
data. Employees, contractors, or third-party employees can exploit
their legitimate computer access for malicious, fraudulent, or
economic reasons. Additionally, the degree of internal access
granted to some users increases the risk of accidental damage or
loss of information and systems. Risk exposures from internal users
include:
! Altering data,
! Deleting production and backup data,
! Crashing systems,
! Destroying systems,
! Misusing systems for personal gain or to damage the institution,
! Holding data hostage, and
! Stealing strategic or customer data for corporate espionage or
fraud schemes.
BACKGROUND CHECKS AND SCREENING
Financial institutions should verify job application information on
all new employees. The sensitivity of a particular job or access
level may warrant additional criminal background and credit checks.
Institutions should verify that contractors are subject to similar
screening procedures. Typically, the minimum verification
considerations include:
! Character references;
! Confirmation of prior experience, academic record, and
professional qualifications; and
! Confirmation of identity from government issued identification.
After employment, managers should remain alert to changes in
employees' personal circumstances that could increase incentives for
system misuse or fraud.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
6) Does the institution provide a clear and conspicuous notice that
accurately reflects its privacy policies and practices at least
annually (that is, at least once in any period of 12 consecutive
months) to all customers, throughout the customer relationship?
[§5(a)(1) and (2)]
(Note: annual notices are not required for former customers.
[§5(b)(1) and (2)])