R. Kinney Williams & Associates

Internet Banking News

March 19, 2006

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to verify their IT security settings, as well as to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Former US government IT worker guilty of hacking - A former IT system auditor for a US government agency faces a five-year prison sentence on a computer hacking charge after secretly monitoring his supervisor's e-mail and computer use, the U.S. Department of Justice (DOJ) said.
http://www.computerworld.com.au/pp.php?id=1689984712&fp=2&fpid=1
http://www.scmagazine.com/us/news/article/544445/?n=us

FYI - Bank cards compromised by security breach - Around 800 Bank of Bermuda customers have had their cards compromised after a security breach in the US. It comes less than a year after 1,600 of the bank's customers were hit when a hacker broke into a system - again in America. http://www.theroyalgazette.com/apps/pbcs.dll/article?AID=/20060301/NEWS/103010124

FYI - Researcher develops 'active cookies' to take a bite out of cyber crooks - An Indiana University School of Informatics scientist has said that his newly developed active cookie technology provides a "strong shield" against identity theft and cyber attacks. http://www.scmagazine.com/us/news/article/544464/?n=us

FYI - Ohio secretary of state sued over ID info posted online - The inclusion of residents' Social Security numbers online is being challenged - An Ohio man is suing the Ohio secretary of state for posting his and other residents' Social Security numbers for years on state Web sites where publicly searchable records are stored, showing retail purchases made using credit cards or bank loans. http://www.computerworld.com/printthis/2006/0,4814,109213,00.html

FYI - Server hack at Georgetown Univ. probed - Data on as many as 41,000 people may have been compromised - Georgetown University in Washington has called in the U.S. Secret Service to investigate a server breach that may have exposed confidential information including the names, dates of birth and Social Security numbers belonging to more than 41,000 people. http://www.computerworld.com/printthis/2006/0,4814,109245,00.html

FYI - State college in Colorado warns 93,000 after laptop theft - Student-employee had sensitive info on machine - A state college in Denver believes it may have lost sensitive information on more than 93,000 students after one of the school's laptop computers was stolen from an employee's home late last month. http://www.computerworld.com/printthis/2006/0,4814,109208,00.html

FYI - Researcher Hacks Microsoft Fingerprint Reader - Hackers could steal your fingerprint information. Never mind worrying about hackers stealing your password. A security researcher with the Finnish military has shown how people could steal your fingerprint, by taking advantage of an omission in Microsoft's Fingerprint Reader, a PC authentication device that Microsoft has been shipping since September 2004. http://www.pcworld.com/news/article/0,aid,124978,tk,dn030706X,00.asp

FYI - New debit card fraud tied to West Coast case - A spate of fraudulent debit card charges in Massachusetts, New Mexico and Bermuda is being linked to a case that led some West Coast financial institutions last month to replace 200,000 cards. Citibank, a major issuer of debit and credit cards, has "detected several hundred fraudulent cash withdrawals in three countries," spokesman Robert Julavitis wrote in an e-mail Tuesday. The bank told customers the thefts are a result of an information breach at a "third-party business" that it did not name. http://news.com.com/2102-1029_3-6047100.html?tag=st.util.print

FYI - 'Computer terrorist' Mitnick teaches hacker blocking - He argues that while sophisticated technology can help keep networks clean from viruses, it is useless if hackers can con a company's employees into handing over passwords by posing, for example, as colleagues. http://news.com.com/2102-1029_3-6047245.html?tag=st.util.print

FYI - Vulnerabilities up by over a third - The Threat Insight Quarterly, published by security firm ISS, found that the number of vulnerabilities in 2005 had increased by over a third from the previous year. Analysts from X-Force, the research and development team at ISS, evaluated 4,472 vulnerabilities in both hardware and software last year. http://www.scmagazine.com/us/news/article/545041/?n=us

FYI - Visa warns software may store customer data - A popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa. http://msn-cnet.com.com/Visa+warns+software+may+store+customer+data/2100-1029_3-6051261.html?part=msn-cnet&subj=ns_2510&tag=mymsn

FYI - Feds Get Low Marks for Computer Security - Department of Homeland Security is among the federal agencies receiving a failing grade. The U.S. government will get low marks for computer security in a congressional report scheduled to be released Thursday. According to documents obtained by the IDG News Service, the federal government will get a D+ overall rating in the 2005 federal computer security scorecards, the same score it received last year. http://www.pcworld.com/news/article/0,aid,125110,tk,dn031606X,00.asp


WEB SITE COMPLIANCE - We continue our series on the FFIEC "Authentication in an Internet Banking Environment."

Background

Financial institutions engaging in any form of Internet banking should have effective and reliable methods to authenticate customers. An effective authentication system is necessary for compliance with requirements to safeguard customer information, to prevent money laundering and terrorist financing, to reduce fraud, to inhibit identity theft, and to promote the legal enforceability of their electronic agreements and transactions. The risks of doing business with unauthorized or incorrectly identified persons in an Internet banking environment can result in financial loss and reputation damage through fraud, disclosure of customer information, corruption of data, or unenforceable agreements.

There are a variety of technologies and methodologies financial institutions can use to authenticate customers. These methods include the use of customer passwords, personal identification numbers (PINs), digital certificates using a public key infrastructure (PKI), physical devices such as smart cards, one-time passwords (OTPs), USB plug-ins or other types of "tokens", transaction profile scripts, biometric identification, and others. The level of risk protection afforded by each of these techniques varies. The selection and use of authentication technologies and methods should depend upon the results of the financial institution's risk assessment process.

Existing authentication methodologies involve three basic "factors":

• Something the user knows (e.g., password, PIN);

• Something the user has (e.g., ATM card, smart card); and

• Something the user is (e.g., biometric characteristic, such as a fingerprint).

Authentication methods that depend on more than one factor are more difficult to compromise than single-factor methods. Accordingly, properly designed and implemented multifactor authentication methods are more reliable and stronger fraud deterrents. For example, the use of a logon ID/password is single-factor authentication (i.e., something the user knows); whereas, an ATM transaction requires multifactor authentication: something the user possesses (i.e., the card) combined with something the user knows (i.e., PIN). A multifactor authentication methodology may also include "out-of-band" controls for risk mitigation.
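The following Python example is added here to illustrate the single-factor versus multifactor distinction in the paragraph above; it is not part of the FFIEC guidance or this newsletter. It combines a salted password hash (something the user knows) with an HOTP one-time-password token per RFC 4226 (something the user has, in the sense of the OTP tokens listed earlier). The `Account`, `hotp`, `single_factor_login` and `multifactor_login` names are the example's own, the RFC 4226 test-vector seed is used only so the codes can be checked against published values, and the look-ahead window of 5 is an assumed policy value.

```python
import hashlib
import hmac
import os
import struct

# Seed from the RFC 4226 test vectors (Appendix D); used here only so the
# generated codes can be checked against published values.
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then reduction modulo 10^digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    """Constructed account record: a salted password hash (the factor the
    user knows) and a per-customer token seed plus counter (the factor the
    user has). Assumed look-ahead of 5 lets a token that drifted ahead resync."""

    LOOK_AHEAD = 5

    def __init__(self, password: str, token_seed: bytes):
        self.salt = os.urandom(16)
        self.pw_hash = self._hash(password, self.salt)
        self.token_seed = token_seed
        self.counter = 0  # next counter value the server expects

    @staticmethod
    def _hash(password: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def check_password(self, password: str) -> bool:
        return hmac.compare_digest(self._hash(password, self.salt), self.pw_hash)

    def check_otp(self, code: str) -> bool:
        """Accept a code at or slightly ahead of the expected counter, then
        advance past it so the same code cannot be presented a second time."""
        for c in range(self.counter, self.counter + self.LOOK_AHEAD):
            if hmac.compare_digest(hotp(self.token_seed, c), code):
                self.counter = c + 1
                return True
        return False


def single_factor_login(account: Account, password: str) -> bool:
    """Logon ID/password only: a captured password is enough to log in."""
    return account.check_password(password)


def multifactor_login(account: Account, password: str, code: str) -> bool:
    """Password plus token code. Both checks always run, so a failure does
    not reveal which factor was wrong."""
    pw_ok = account.check_password(password)
    otp_ok = account.check_otp(code)
    return pw_ok and otp_ok


if __name__ == "__main__":
    acct = Account("correct horse", RFC_TEST_SECRET)
    print("password only:", single_factor_login(acct, "correct horse"))
    print("password + token:", multifactor_login(acct, "correct horse", hotp(RFC_TEST_SECRET, 0)))
    print("same code again:", multifactor_login(acct, "correct horse", hotp(RFC_TEST_SECRET, 0)))
```

The second factor only helps if a used code is consumed: after a successful login the counter moves past the matched value, so a code captured from one session is worthless for the next, which is the property a plain password lacks.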

The success of a particular authentication method depends on more than the technology. It also depends on appropriate policies, procedures, and controls. An effective authentication method should have customer acceptance, reliable performance, scalability to accommodate growth, and interoperability with existing systems and future plans.

INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 2 of 2)

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset, or a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Client attacks are an area of vulnerability common to all authentication mechanisms. Passwords, for instance, can be captured by hardware- or software-based keystroke capture mechanisms. PKI private keys could be captured or reverse-engineered from their tokens. Protection against these attacks primarily consists of physically securing the client systems, and, if a shared secret is used, changing the secret on a frequency commensurate with risk. While physically securing the client system is possible within areas under the financial institution's control, client systems outside the institution may not be similarly protected.

Replay attacks occur when an attacker eavesdrops and records the authentication as it is communicated between a client and the financial institution system, then later uses that recording to establish a new session with the system and masquerade as the true user. Protections against replay attacks include changing cryptographic keys for each session, using dynamic passwords, expiring sessions through the use of time stamps, expiring PKI certificates based on dates or number of uses, and implementing liveness tests for biometric systems.

Hijacking is an attacker's use of an authenticated user's session to communicate with system components. Controls against hijacking include encryption of the user's session and the use of encrypted cookies or other devices to authenticate each communication between the client and the server.
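The Python example below is added to show, in one exchange, the replay-attack controls (a one-time challenge, a time stamp, and a fresh key for each session) and the hijacking control (authenticating every message between client and server). It is not code from the FFIEC booklet or from this newsletter. Where the text mentions encrypted cookies, the example substitutes an HMAC-SHA256 tag over each request under the per-session key, which is a message-authentication control rather than encryption. The `BankServer`, `BankClient` and `demo` names, the per-user shared secret, the 30-second clock skew, and the fixed clock value are all constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed per-user shared secrets, standing in for credentials the
# institution provisioned to the customer out of band (hypothetical values).
USER_SECRETS = {"alice": b"constructed-shared-secret-for-alice"}


def _mac(key: bytes, *parts: str) -> str:
    """HMAC-SHA256 over the '|'-joined parts, as a hex digest."""
    return hmac.new(key, "|".join(parts).encode(), hashlib.sha256).hexdigest()


class BankServer:
    """Issues single-use challenges, checks time stamps, gives every session
    its own key, and authenticates each request with a sequence number."""

    def __init__(self, user_secrets, now, max_skew=30):
        self.user_secrets = user_secrets
        self.now = now                 # injectable clock, seconds since epoch
        self.max_skew = max_skew       # assumed tolerated clock difference
        self.challenges = {}           # nonce -> issue time; each usable once
        self.sessions = {}             # session id -> {"user", "key", "seq"}

    def issue_challenge(self) -> str:
        nonce = secrets.token_hex(16)
        self.challenges[nonce] = self.now()
        return nonce

    def login(self, user, nonce, timestamp, response):
        """Return (session_id, session_key) on success, None otherwise."""
        if self.challenges.pop(nonce, None) is None:
            return None                # unknown or already-used challenge
        if abs(self.now() - timestamp) > self.max_skew:
            return None                # stale time stamp
        secret = self.user_secrets.get(user)
        if secret is None:
            return None
        expected = _mac(secret, user, nonce, str(timestamp))
        if not hmac.compare_digest(expected, response):
            return None
        sid, key = secrets.token_hex(16), secrets.token_bytes(32)  # fresh key per session
        self.sessions[sid] = {"user": user, "key": key, "seq": 0}
        return sid, key

    def handle(self, sid, seq, body, tag):
        """Accept a request only if its sequence number is the next one for the
        session and its tag verifies under the session key."""
        sess = self.sessions.get(sid)
        if sess is None or seq != sess["seq"] + 1:
            return None                # unknown session, or a repeated/out-of-order request
        if not hmac.compare_digest(_mac(sess["key"], sid, str(seq), body), tag):
            return None                # tag does not verify: session key not known to sender
        sess["seq"] = seq
        return sess["user"]


class BankClient:
    def __init__(self, user, secret, now):
        self.user, self.secret, self.now = user, secret, now
        self.sid = self.key = None
        self.seq = 0

    def answer(self, nonce):
        ts = int(self.now())
        return (self.user, nonce, ts, _mac(self.secret, self.user, nonce, str(ts)))

    def attach_session(self, sid, key):
        self.sid, self.key, self.seq = sid, key, 0

    def request(self, body):
        self.seq += 1
        return (self.sid, self.seq, body, _mac(self.key, self.sid, str(self.seq), body))


def demo(now=lambda: 1_142_726_400.0):
    """Run a login and a request, then feed the server recorded copies of
    both, a stale login, and a request tagged with the wrong key. Fixed clock
    value is constructed. Returns each outcome."""
    server = BankServer(USER_SECRETS, now)
    client = BankClient("alice", USER_SECRETS["alice"], now)
    nonce = server.issue_challenge()
    login_msg = client.answer(nonce)
    session = server.login(*login_msg)
    client.attach_session(*session)
    req = client.request("transfer 10 USD to savings")
    ok = server.handle(*req)
    replay_login = server.login(*login_msg)             # recorded login presented again
    replay_req = server.handle(*req)                    # recorded request presented again
    nonce2, old_ts = server.issue_challenge(), int(now()) - 3600
    stale = server.login("alice", nonce2, old_ts,
                         _mac(USER_SECRETS["alice"], "alice", nonce2, str(old_ts)))
    sid, seq, _, _ = req
    wrong_key = server.handle(sid, seq + 1, "transfer 10 USD", _mac(b"other", sid, str(seq + 1), "transfer 10 USD"))
    return {"login": session is not None, "request": ok, "replay_login": replay_login,
            "replay_request": replay_req, "stale_login": stale, "wrong_key_request": wrong_key}
```

The single-use challenge and the time stamp are what defeat a recorded login; the per-session key and sequence number are what defeat a recorded or forged request. A detection point worth adding in a real deployment is logging each rejected path separately, since a burst of reused nonces or out-of-sequence requests for one session is the observable signature of these attacks.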

IT SECURITY QUESTION:

B. NETWORK SECURITY

16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means.

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 2 of 3)

B. Use the information gathered from step A to work through the "Privacy Notice and Opt Out Decision Tree."  Identify which module(s) of procedures is (are) applicable.

C. Use the information gathered from step A to work through the Reuse and Redisclosure and Account Number Sharing Decision Trees, as necessary (Attachments B & C). Identify which module is applicable.

D. Determine the adequacy of the financial institution's internal controls and procedures to ensure compliance with the privacy regulation as applicable. Consider the following:

1)  Sufficiency of internal policies and procedures, and controls, including review of new products and services and controls over servicing arrangements and marketing arrangements;

2)  Effectiveness of management information systems, including the use of technology for monitoring, exception reports, and standardization of forms and procedures;

3)  Frequency and effectiveness of monitoring procedures;

4)  Adequacy and regularity of the institution's training program;

5)  Suitability of the compliance audit program for ensuring that: 

     a)  the procedures address all regulatory provisions as applicable; 
     b)  the work is accurate and comprehensive with respect to the institution's information sharing practices; 
     c)  the frequency is appropriate; 
     d)  conclusions are appropriately reached and presented to responsible parties; 
     e)  steps are taken to correct deficiencies and to follow up on previously identified deficiencies; and

6)  Knowledge level of management and personnel.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated