REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI
- Pentagon cyberdefenses weak, report warns - A new report for the
Pentagon concludes that the nation’s military is unprepared for a
full-scale cyber-conflict with a top-tier adversary and must ramp up
its offensive prowess.
http://www.washingtonpost.com/world/national-security/pentagon-cyberdefenses-weak-report-warns/2013/03/05/b0c8af5a-8504-11e2-999e-5f8e0410cb9d_story.html
FYI
- White House puts report on cybersecurity on hold - The Obama
administration is sitting on a report about the security of federal
government computer networks because it is embarrassing, a senior
Republican senator said Thursday.
http://www.washingtontimes.com/news/2013/mar/7/white-house-puts-report-on-cybersecurity-on-hold/
FYI
- EU feeling pressure to tweak data, privacy legislation - Some
European Union member states want the European Commission to ease
off certain elements of proposed legislation concerning data
protection and privacy.
http://news.cnet.com/8301-1009_3-57573051-83/eu-feeling-pressure-to-tweak-data-privacy-legislation/
FYI
- VA disputes charge that it transmits unencrypted personal data over
public Internet - Investigation by Inspector General's office finds
that VA centers don't encrypt personal data during transmission to
other offices.
http://www.computerworld.com/s/article/9237456/_VA_disputes_charge_that_it_transmits_unencrypted_personal_data_over_public_Internet?taxonomyId=17
FYI
- Appeals Court Curbs Border Agents’ Carte Blanche Power to Search
Your Gadgets - A federal appeals court for the first time ruled
Friday that U.S. border agents do not have carte blanche authority
to search the cellphones, tablets and laptops of travelers entering
the country.
http://www.wired.com/threatlevel/2013/03/gadget-border-searches/
FYI
- Is Carhacking a Serious Threat? Some Analysts Think So. - A U.S.
senator drives from Capitol Hill to her home in Virginia, listening
to the CD a constituent gave her. Going with the speed of traffic at
60 miles per hour, her brakes suddenly engage.
http://www.nextgov.com/emerging-tech/2013/03/carhacking/61774/?oref=ng-HPtopstory
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Ex-Exel president found guilty of hacking former employers - Turns
out you really can't trust the boss - The former president of
transportation logistics firm Exel has been found guilty of hacking
into the servers of his former employer to glean secrets for his new
business.
http://www.theregister.co.uk/2013/03/05/exel_president_guilty_hacking/
FYI
- Hacktivists plan to resume DDoS campaign against U.S. banks - Citing
inadequate efforts to remove an anti-Muslim video from the web, a
hacktivist group is calling for more distributed denial-of-service (DDoS)
attacks to be launched against U.S. bank sites.
http://www.scmagazine.com/hacktivists-plan-to-resume-ddos-campaign-against-us-banks/article/283474/?DCMP=EMC-SCUS_Newswire
FYI
- Australia's central bank targeted by hackers - Australia's central
bank has confirmed that it has been targeted by hackers. The Reserve
Bank of Australia (RBA) said it had "on occasion been the target of
cyber attacks", following a report in an Australian newspaper.
http://www.bbc.co.uk/news/business-21738540
FYI
- Harvard University administrators secretly searched deans’ email
accounts, hunting for media leak - Harvard University central
administrators secretly searched the email accounts of 16 resident
deans last fall, looking for a leak to the media about the school’s
sprawling cheating case, according to several Harvard officials
interviewed by the Globe.
http://www.boston.com/metrodesk/2013/03/09/harvard-university-administrators-secretly-searched-deans-email-accounts-hunting-for-media-leak/d5lYY8vXLyZQYWtTNGxWkL/story.html
FYI
- DDoS attack strikes JPMorgan Chase website - A representative of
JPMorgan Chase confirmed to CNET Tuesday that its consumer banking
website had suffered a distributed denial-of-service (DDoS) attack.
http://www.scmagazine.com/ddos-attack-strikes-jpmorgan-chase-website/article/284261/?DCMP=EMC-SCUS_Newswire
FYI
- Celebrity data stolen from online credit report service - Some of
the private information belonging to high-profile government
officials and celebrities recently hacked was stolen from
AnnualCreditReport.com, a website that allows consumers free access
to their own credit reports.
http://www.scmagazine.com/celebrity-data-stolen-from-online-credit-report-service/article/284253/?DCMP=EMC-SCUS_Newswire
FYI
- Reuters social media editor indicted for conspiring with Anonymous - A
deputy social media editor at Thomson Reuters has been indicted in
California for conspiring with members of the hacktivist group
Anonymous.
http://www.scmagazine.com/reuters-social-media-editor-indicted-for-conspiring-with-anonymous/article/284469/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE - Risk Management of Outsourced Technology Services (Part 4 of 4)
Service Provider Oversight
Institutions should implement an oversight program to monitor each
service provider’s controls, condition, and performance.
Responsibility for the administration of the service provider
relationship should be assigned to personnel with appropriate
expertise to monitor and manage the relationship. The number of
personnel, functional responsibilities, and the amount of time
devoted to oversight activities will depend, in part, on the scope
and complexity of the services outsourced. Institutions should
document the administration of the service provider relationship.
Documenting the process is important for contract negotiations,
termination issues, and contingency planning.
Summary
The board of directors and management are responsible for ensuring
adequate risk mitigation practices are in place for effective
oversight and management of outsourcing relationships. Financial
institutions should incorporate an outsourcing risk management
process that includes a risk assessment to identify the
institution’s needs and requirements; proper due diligence to
identify and select a provider; written contracts that clearly
outline duties, obligations and responsibilities of the parties
involved; and ongoing oversight of outsourcing technology services.
INFORMATION TECHNOLOGY SECURITY - Over the next few weeks, we will cover the OCC Bulletin about Infrastructure Threats and Intrusion Risks.
This bulletin provides guidance to financial institutions on how to
prevent, detect, and respond to intrusions into bank computer
systems. Intrusions can originate either inside or outside of the
bank and can result in a range of damaging outcomes, including the
theft of confidential information, unauthorized transfer of funds,
and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as
information systems become more connected and interdependent and as
banks make greater use of Internet banking services and other remote
access devices. Recent e-mail-based computer viruses and the
distributed denial of service attacks earlier this year revealed
that the security of all Internet-connected networks is
increasingly intertwined. The number of reported intrusion
incidents nearly tripled from 1998 to 1999, according to Carnegie
Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and
regularly reviewing its risk assessment plan, risk mitigation
controls, intrusion response policies and procedures, and testing
processes. This bulletin provides guidance in each of these critical
areas and also highlights information-sharing mechanisms banks can
use to keep abreast of current attack techniques and potential
vulnerabilities.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Financial Institution Duties (Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or
similar form of access number or access code for a credit card,
deposit, or transaction account to any nonaffiliated third party
(other than a consumer reporting agency) for use in telemarketing,
direct mail marketing, or other marketing through electronic mail to
the consumer.
The disclosure of encrypted account numbers without an accompanying
means of decryption, however, is not subject to this prohibition.
The regulation also expressly allows disclosures by a financial
institution to its agent to market the institution's own products or
services (although the financial institution must not authorize the
agent to directly initiate charges to the customer's account). Also
not barred are disclosures to participants in private-label or
affinity card programs, where the participants are identified to the
customer when the customer enters the program.