This week I am attending the ISACA North America CACS 2005 Network Security
Conference being held in Las Vegas.
If you are attending the conference, I look forward to meeting you.
FYI - Federal Bank, Thrift and Credit Union Regulatory Agencies Provide
Brochure with Information on Internet "Phishing."
Press Release:
www.occ.treas.gov/scripts/newsrelease.aspx?JNR=1&Doc=CYVFS1NN.xml
Attachment:
www.occ.treas.gov/consumer/PhishBrochFINAL-SCREEN.pdf
FYI - NCUA Security Program and Appendix B - Guidance on Response Programs
for Unauthorized Access to Member Information and Member Notice.
www.ncua.gov/RegulationsOpinionsLaws/RecentFinalRegs/F-748.pdf
FYI - Medical group: Data on 185,000 people was stolen - A California
medical group is telling nearly 185,000 current and former patients
that their financial and medical records may have been exposed
following the theft of computers containing personal data.
http://news.zdnet.com/2102-1009_22-5660514.html?tag=printthis
FYI - Police hard drive sold on eBay - A computer hard drive, containing
confidential data from the Brandenburg police in Germany, has been
auctioned over eBay, according to a report by Spiegel, a leading
weekly German newspaper. It was bought by a student.
http://www.channelregister.co.uk/2005/04/07/hard_drive_with_police_info_sold_on_ebay/
FYI - Indian call center workers charged with Citibank fraud - Former
employees of a call center in Pune, India, were arrested this week
on charges of defrauding four Citibank account holders in New York,
to the tune of $300,000, a police official said.
http://www.computerworld.com/printthis/2005/0,4814,100900,00.html
FYI - Hacker cracks bank's computer code - A hacker who managed to break
into the computer network of the Postal Bank and transfer large sums
of money to the accounts of co-conspirators was sentenced to 16
months in prison by the Haifa magistrate's court.
http://www.jpost.com/servlet/Satellite?pagename=JPost/JPArticle/Printer&cid=1112754019642&p=1078027574097
FYI - Some MasterCard holders exposed to data theft - Global bank HSBC Holdings is
notifying at least 180,000 people who used MasterCard credit cards
to make purchases at Polo Ralph Lauren that criminals may have
obtained access to their credit card information, and that they
should replace their cards.
http://news.com.com/Some+MasterCard+holders+exposed+to+data+theft/2100-7348_3-5670509.html?tag=nefd.top
FYI - British banks to provide extra Web security - Major British banks are set to agree on
a physical security device for all U.K. online customers to use.
Identity theft e-mails, known as phishing attacks, cost U.K. banks
$22.6 million last year, according to the Association of Payment and
Clearing Systems, which represents the British banking industry.
http://news.com.com/British+banks+to+provide+extra+Web+security/2100-1029_3-5671175.html?tag=cd.top
WEB SITE COMPLIANCE -
Advertisement Of Membership
The FDIC and NCUA consider every insured depository institution's
online system top-level page, or "home page", to be an
advertisement. Therefore, according to these agencies'
interpretation of their rules, financial institutions subject to the
regulations should display the official advertising statement on
their home pages unless subject to one of the exceptions described
under the regulations. Furthermore, each subsidiary page of an
online system that contains an advertisement should display the
official advertising statement unless subject to one of the
exceptions described under the regulations. Additional information
about the FDIC's interpretation can be found in the Federal
Register, Volume 62, Page 6145, dated February 11, 1997.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC
"Security Risks Associated with the Internet."
Data Integrity
Potentially, the open architecture of the Internet can allow those
with specific knowledge and tools to alter or modify data during a
transmission. Data integrity could also be compromised within the
data storage system itself, both intentionally and unintentionally,
if proper access controls are not maintained. Steps must be taken to
ensure that all data is maintained in its original or intended form.
Authentication
Essential in electronic commerce is the need to verify that a
particular communication, transaction, or access request is
legitimate. To illustrate, computer systems on the Internet are
identified by an Internet protocol (IP) address, much like a
telephone is identified by a phone number. Through a variety of
techniques, generally known as "IP spoofing" (i.e.,
impersonating), one computer can actually claim to be another.
Likewise, user identity can be misrepresented as well. In fact, it
is relatively simple to send email which appears to have come
from someone else, or even send it anonymously. Therefore,
authentication controls are necessary to establish the identities of
all parties to a communication.
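The two FDIC points above (data altered in transit or in storage, and a party claiming to be someone it is not) are both addressed by a keyed message authentication code. The following Python example is added here to illustrate that; it is not part of the FDIC guidance or of this newsletter. The shared key, the transfer instruction and the "other party" key are constructed sample values, and the protocol is a simplified stand-in for whatever a real system would use. It contrasts a bare SHA-256 checksum, which only catches accidental corruption, with HMAC-SHA256, which ties the message to the holder of the shared key so that both modification and impersonation are detected on receipt.

```python
import hashlib
import hmac

# Constructed sample values for this example only (not real keys or data).
SHARED_KEY = b"example-shared-secret-agreed-out-of-band"
OTHER_PARTY_KEY = b"example-key-of-a-different-party"
ORIGINAL = b"transfer 100.00 from acct 1234 to acct 5678"


def checksum(message: bytes) -> str:
    """Unkeyed integrity check: detects accidental corruption only."""
    return hashlib.sha256(message).hexdigest()


def sign(key: bytes, message: bytes) -> str:
    """Keyed MAC (HMAC-SHA256): binds the message to the holder of `key`."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def verify(key: bytes, message: bytes, tag: str) -> bool:
    """Receiver-side check. compare_digest avoids leaking the position of the
    first differing byte through timing."""
    return hmac.compare_digest(sign(key, message), tag)


def receiver_accepts_checksum(message: bytes, chk: str) -> bool:
    """Receiver relying on a bare hash sent alongside the message."""
    return checksum(message) == chk


def demo() -> dict:
    """Walk through the honest case and the two failure modes the FDIC text
    describes: alteration in transit and a misrepresented sender."""
    # Honest path: sender signs, receiver verifies with the same shared key.
    tag = sign(SHARED_KEY, ORIGINAL)
    honest_ok = verify(SHARED_KEY, ORIGINAL, tag)

    # Data integrity: the message is changed between the parties.
    altered = ORIGINAL.replace(b"acct 5678", b"acct 9999")

    # With a bare checksum, whoever changed the data can also recompute the
    # hash that travels with it, so the receiver has no way to notice.
    checksum_tamper_undetected = receiver_accepts_checksum(altered, checksum(altered))

    # With HMAC, the original tag no longer matches the altered message, and
    # a new tag cannot be computed without the shared key.
    mac_tamper_detected = not verify(SHARED_KEY, altered, tag)

    # Authentication: a party without the shared key tries to present the
    # message as coming from the legitimate sender. Its tag is rejected.
    tag_from_other_party = sign(OTHER_PARTY_KEY, altered)
    wrong_key_rejected = not verify(SHARED_KEY, altered, tag_from_other_party)

    return {
        "honest_ok": honest_ok,
        "checksum_tamper_undetected": checksum_tamper_undetected,
        "mac_tamper_detected": mac_tamper_detected,
        "wrong_key_rejected": wrong_key_rejected,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The same `sign`/`verify` pair applies to data at rest: computing a tag when a record is written and checking it when the record is read detects modification of stored data by anyone who does not hold the key, which is the storage-side integrity concern the FDIC text raises. In a real deployment the key lives in a protected store, is distinct per purpose, and is rotated; the example keeps it in a constant only to stay self-contained.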
IT SECURITY QUESTION:
Regulations - ensuring compliance:
a. Does the IT department have the current regulatory IT press
releases and bulletins?
b. Is the IT department following the intent of the regulatory IT
press releases and bulletins?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
16. If the institution provides a short-form initial privacy notice
according to §6(d)(1), does the short-form initial notice:
a. conform to the definition of "clear and conspicuous"; [§6(d)(2)(i)]
b. state that the institution's full privacy notice is available
upon request; [§6(d)(2)(ii)] and
c. explain a reasonable means by which the consumer may obtain the
notice? [§6(d)(2)(iii)]
(Note: the institution is not required to deliver the full
privacy notice with the short-form initial notice. [§6(d)(3)])
VISTA penetration-vulnerability testing - Does {custom4} need an affordable
internal or external penetration-vulnerability test? R. Kinney Williams &
Associates provides the independence required by the FFIEC IT
Examination Manual. We are IT auditors and do not sell
hardware or software like many IT testing companies and consultants.
In addition, we have over 30 years' experience auditing IT operations
for financial institutions, which includes 21 years' examination
experience. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.