FYI - St. Louis Fed's
Review: 1918 Influenza Pandemic and Its Modern-Day Implications; A
Comparison of Monetary Policy Rules; A Primer on the Empirical
Identification of Government Spending Shocks; In Memoriam: Anatol
"Ted" Balbach; Market Bailouts and the "Fed Put."
www.stlouisfed.org/news/releases/2008/03_03_08b.html
FYI - Google Readies
Google Health - The upcoming service is expected to look similar to
Google News and provide links to profile data, medical contacts,
health notices, and drug interaction warnings. Having more or less
recovered from Wall Street's infectious doubt about the health of
its ad business earlier this week, Google on Thursday offered a
glimpse of Google Health, its upcoming personal health records
management service.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=206900841
FYI - UK 'Home Office'
disc wedged in laptop sold on eBay - A laptop containing what could
be sensitive Home Office data has been sold on eBay. The laptop was
bought by an unsuspecting consumer who subsequently took the
equipment to be fixed by Leapfrog computer repairs in Greater
Manchester. It was only as the laptop casing was opened that a disc
was discovered wedged beneath the keyboard.
http://www.securecomputing.net.au/news/71107,uk-home-office-disc-wedged-in-laptop-sold-on-ebay.aspx
FYI - Over 50% of
companies have fired workers for e-mail, Net abuse - Most employees
knew they were being monitored - Think you can get away with using
e-mail and the Internet in violation of company policy? Think again.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9065659&source=rss_topic17
http://www.itworld.com/Tech/4535/companies-fire-employees-email-080228/pfindex.html
FYI - Tucson police bust
man at ATM, find 200 credit cards and $168,000 cash - The arrest of
a man using a Downtown ATM machine Saturday afternoon resulted in
the recovery of more than 200 credit cards and $176,000 in cash,
police said.
http://www.azstarnet.com/sn/hourlyupdate/228009.php
FYI - Judge Allows
Wikileaks Site to Re-Open - A federal judge who shuttered the
renegade Web site Wikileaks.org reversed the decision Friday and
allowed the site to re-open in the United States. In mid-February,
U.S. District Court Judge Jeffrey White issued an injunction against
Wikileaks after the Zurich-based Bank Julius Baer accused the site
of posting sensitive account information stolen by a disgruntled
former employee.
http://ap.google.com/article/ALeqM5iDWyWp3GfGD4juECC5_zs64xphOQD8V4ANF80
FYI - Top Banks Named in
New Identity Theft Study - Report Examines Incidents at Major U.S.
Financial Institutions - Shockwaves rumbled through the US banking
industry this week with the release of a new report estimating the
annual incidents of Identity Theft associated with the nation's top
banks.
http://www.bankinfosecurity.com/articles.php?art_id=724
FYI - Lawyer admits
computer breach - Spying on firm may cost license - A Charleston
lawyer could be suspended from the State Bar after admitting that he
accessed another law firm's computer system because he suspected his
wife was having an affair.
http://sundaygazettemail.com/News/200803010561
FYI - Wheat trader for
MF Global loses $141.5 million in unauthorized trading - For nearly
two decades Evan Dooley quietly made a living trading commodities
like wheat in his home state, Tennessee, far from the hurly-burly of
Wall Street. But on Thursday, Dooley, 40, became the talk of the
financial markets when MF Global, the giant commodities brokerage,
accused him of making unauthorized trades that led to $141.5 million
in losses for the firm. Dooley, the firm said, wagered on wheat
futures with money he did not have.
http://www.iht.com/articles/2008/02/29/business/29trader.php
FYI - Windows-based cash
machines 'easily hacked' - ATMs that rely on desktop PC
technology--and that's a lot of them--are at risk from worms, key
loggers, and denial-of-service attacks. Security experts have hacked
ATMs to show how easy it is to steal money and bank account details
from modern cash machines.
http://www.news.com/Windows-based-cash-machines-easily-hacked/2100-7349_3-6233030.html?tag=cd.lede
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Finjan uncovers
database storing more than 8,700 stolen FTP credentials - Data
enables cybercriminals to upload malware to compromised systems more
easily - A fresh discovery by security vendor Finjan Inc. provides
yet another example of how easy it is becoming for almost anyone to
find the tools needed to break into, infect or steal data from
corporate Web sites.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9065038&intsrc=hm_list
FYI - NY laptop theft
breaches no data protection rules - The loss of a laptop containing
the files of up to 175,000 Irish blood donors, which was stolen
earlier this month in New York, does not constitute a breach of the
Data Protection Acts and the encryption on the laptop is sufficient
to protect the files, Ireland's Data Protection Commissioner said
today.
http://www.siliconrepublic.com/news/news.nv?storyid=single10391
WEB SITE COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that
are subject to the Fair Housing Act must display the Equal Housing
Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's
regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through
electronic media with a video component (the financial institution
has the ability to see the applicant) must be treated as "in
person" applications. Accordingly, information about these
applicants' race or national origin and sex must be collected. An
institution that accepts applications through electronic media
without a video component, for example, the Internet or facsimile,
may treat the applications as received by mail.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (2 of 2)
4) Accountable Activities - The responsibility for performing risk assessments should reside primarily with members of management in the best position to determine the scope of the assessment and the effectiveness of risk reduction techniques. For a mid-sized or large institution, that organization will likely be the business unit. The information security officer(s) are responsible for overseeing the performance of each risk assessment and the integration of the risk assessments into a cohesive whole. Senior management is accountable for abiding by the board of directors' guidance for risk acceptance and mitigation decisions.
5) Documentation - Documentation of the risk assessment process and procedures assists in ensuring consistency and completeness, as well as accountability. Documentation of the analysis and results provides a useful starting point for subsequent assessments, potentially reducing the effort required in those assessments. Documentation of risks accepted and risk mitigation decisions is fundamental to achieving accountability for risk decisions.
6) Enhanced Knowledge - Risk assessment increases management's knowledge of the institution's mechanisms for storing, processing, and communicating information, as well as the importance of those mechanisms to the achievement of the institution's objectives. Increased knowledge allows management to respond more rapidly to changes in the environment. Those changes can range from new technologies and threats to regulatory requirements.
7) Regular Updates - Risk assessments should be updated as new information affecting information security risks is identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change or configuration change). At least once a year, senior management should review the entire risk assessment to ensure relevant information is appropriately considered.
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS - Authentication
7. Determine whether authentication error feedback (i.e., reporting failure to successfully log in) during the authentication process provides a prospective attacker with clues that may allow them to hone their attack. If so, obtain and evaluate a justification for such feedback.
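As an added illustration of the distinction examination question 7 draws (this code is not part of the newsletter or the FFIEC booklet), the following Python places a login routine whose error messages separate "unknown user" from "wrong password" beside one that returns a single generic message and does the same amount of work on both failure paths. The user store, usernames, passwords and function names are constructed for the example.

```python
import hashlib
import hmac
import os


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the password (iteration count kept modest for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


# Constructed sample user store: username -> (salt, password hash). Not real data.
_SALT = os.urandom(16)
USERS = {"alice": (_SALT, _hash("correct horse", _SALT))}

# Dummy credential so that an unknown username still costs one full hash check,
# keeping the response time of the two failure cases alike.
_DUMMY_SALT = os.urandom(16)
_DUMMY_HASH = _hash("placeholder", _DUMMY_SALT)


def login_verbose(username: str, password: str) -> str:
    """Leaky version: the message tells the caller whether the username exists,
    so valid accounts can be enumerated before any password is guessed."""
    if username not in USERS:
        return "unknown user"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "wrong password"
    return "ok"


def login_generic(username: str, password: str) -> str:
    """Hardened version: one message and one hash computation on every failure
    path, so neither the text nor the timing distinguishes the two cases."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    valid = hmac.compare_digest(_hash(password, salt), stored)
    # The membership test guards against a guess that happens to match the dummy hash.
    if valid and username in USERS:
        return "ok"
    return "invalid username or password"


def feedback_distinguishes_users(login_fn) -> bool:
    """The examiner's check: do the failure messages for an unknown user and for a
    known user with a wrong password differ? True means the feedback leaks."""
    unknown = login_fn("no-such-user", "anything")
    known_bad = login_fn("alice", "not the password")
    return unknown != known_bad
```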
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§13-15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]