R. Kinney Williams & Associates | Internet Banking News | April 30, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Major Banking Sites Insecure - Sites do not use authentication technology to prove they are genuine, researcher says. Online bank customers may want to pay a little more attention to their browsers the next time they log in, because many of the most popular banking sites in the U.S. may be needlessly placing their customers at risk to online thieves, a noted security researcher warned this week.
http://www.pcworld.com/news/article/0,aid,125493,tk,dn042106X,00.asp

FYI - Seven Steps to a Highly Effective IT Compliance Program - Documenting internal policies and controls, assigning appropriate compliance management oversight, and ensuring compliance through training are three of the seven steps incorporated into highly effective IT compliance programs.
http://www.theiia.org/FSA/index.cfm?iid=449&catid=0&aid=2144

FYI - Web fraud costs victims $180M - Victims lost more than $180 million in web fraud incidents reported by the Internet Crime Complaint Center (IC3) last year, according to the IC3's fifth annual Internet Crime Report.
http://www.scmagazine.com/us/news/article/553104/?n=us

FYI - Afghans selling US army 'files' - A market has sprung up outside the Bagram airbase near Kabul - US forces in Afghanistan are checking reports that stolen computer hardware containing military secrets is being sold at a market beside a big US base.
http://news.bbc.co.uk/2/hi/south_asia/4905052.stm

FYI - Hackers Access Financial Data At UMDNJ - Computer hackers were able to gain access to the Social Security numbers and other confidential financial information of almost 2,000 University of Medicine and Dentistry of New Jersey students and alumni, university officials said.
http://wcbstv.com/topstories/local_story_099123340.html

FYI - Data exposure: Counties across the U.S. posting sensitive info online - Social Security numbers, driver's license data and bank account numbers are all easily available - Broward County, Fla., Maricopa County, Ariz., Fort Bend County, Texas. Three counties separated by hundreds of miles with something in common: They're among potentially hundreds of counties in several states that in recent years have made Social Security numbers, driver's license information, bank account numbers and a variety of other personally sensitive data belonging to residents available to anyone in the world with Internet access.
http://www.computerworld.com/printthis/2006/0,4814,110453,00.html

FYI - Wells Fargo not required to encrypt data - Wells Fargo Bank customers sue after their personal financial data was stolen from a contractor that had not encrypted the information.
http://news.zdnet.com/2102-9595_22-6061400.html?tag=printthis

FYI - Mass e-mail compromises student IDs - University of South Carolina spreads Social Security numbers by mistake - University of South Carolina officials are advising students to watch their credit reports after the Social Security numbers of as many as 1,400 students were mistakenly e-mailed to classmates.
http://www.msnbc.msn.com/id/12322162/

FYI - InternetShield vendor pays to settle deceptive-ad suit - Security vendor SoftwareOnline.com Inc. has agreed to change its business practices and pay $190,000 in fines after a four-month investigation into the company by Washington state's Attorney General's Office.
http://www.computerworld.com/printthis/2006/0,4814,110538,00.html

FYI - Malicious-software spreaders get sneakier, more prevalent - Without you realizing it, attackers are secretly trying to penetrate your PC to tap small bits of computing power to do evil things. They've already compromised some 47 million PCs sitting in living rooms, in your kids' bedrooms, even on the desk in your office.
http://www.usatoday.com/tech/news/computersecurity/infotheft/2006-04-23-bot-herders_x.htm

FYI - University of Texas probes computer breach - Files illegally accessed; second intrusion in three years - Nearly 200,000 electronic records at the University of Texas at Austin's business school have been illegally accessed, the school said.
http://www.msnbc.msn.com/id/12459840/
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 2 of 5)
PROCEDURES TO ADDRESS SPOOFING - Detection
Banks can improve their ability to detect spoofing by monitoring
appropriate information available inside the bank and by searching
the Internet for illegal or unauthorized use of bank names and
trademarks. The following is a list of possible indicators of
Web-site spoofing:
* E-mail messages returned to bank mail servers that were not
originally sent by the bank. In some cases, these e-mails may
contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web
addresses indicating that the bank's Web site is being copied or
that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank
personnel, or direct communications from consumers reporting spoofing
activity.
Banks can also detect spoofing by searching the Internet for
identifiers associated with the bank such as the name of a company
or bank. Banks can use available search engines and other tools to
monitor Web sites, bulletin boards, news reports, chat rooms,
newsgroups, and other forums to identify usage of a specific company
or bank name. The searches may uncover recent registrations of
domain names similar to the bank's domain name before they are used
to spoof the bank's Web site. Banks can conduct this monitoring
in-house or can contract with third parties who provide monitoring
services.
Banks can encourage customers and consumers to assist in the
identification process by providing prominent links on their Web
pages or telephone contact numbers through which customers and
consumers can report phishing or other fraudulent activities.
Banks can also train customer-service personnel to identify and
report customer calls that may stem from potential Web-site attacks.
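Two of the indicators above can be checked mechanically: Web-server log entries whose Referer points at a site the bank does not own (a spoofed copy that still loads the bank's images or stylesheets), and newly seen domain names that imitate the bank's name. The script below is an added example, not part of the OCC guidance or of any vendor tool; the log lines, the brand name "examplebank" and the hosts in them are constructed sample values, and the homoglyph table and edit-distance threshold of 2 are assumptions a bank would tune to its own name.

```python
import re
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format; the hosts and
# addresses are documentation/example values, not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Apr/2006:10:01:02 -0500] "GET /images/logo.gif HTTP/1.1" 200 5120 "https://www.examplebank.com/login" "Mozilla/4.0"
198.51.100.3 - - [30/Apr/2006:10:01:09 -0500] "GET /images/logo.gif HTTP/1.1" 200 5120 "http://examp1ebank-secure.example/verify.php" "Mozilla/4.0"
198.51.100.9 - - [30/Apr/2006:10:02:15 -0500] "GET /css/site.css HTTP/1.1" 200 2048 "http://www.examplebank.com.account-update.example/" "Mozilla/4.0"
192.0.2.44 - - [30/Apr/2006:10:03:40 -0500] "GET /login HTTP/1.1" 200 9000 "-" "Mozilla/4.0"
"""

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"\s*$'
)

# Character substitutions commonly used to imitate a brand name (assumed list).
HOMOGLYPHS = (("rn", "m"), ("vv", "w"), ("1", "l"), ("0", "o"), ("|", "l"))


def parse_log_line(line):
    """Return the fields of one combined-format log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize(name):
    """Lower-case a host name and undo the look-alike character substitutions."""
    name = name.lower().rstrip(".")
    for fake, real in HOMOGLYPHS:
        name = name.replace(fake, real)
    return name


def levenshtein(a, b):
    """Edit distance between two strings (classic dynamic-programming version)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, brand, own_hosts=(), max_distance=2):
    """True if a domain imitates the brand: it contains the brand after
    normalisation, or its registrable label is within max_distance edits of it."""
    domain = domain.lower().rstrip(".")
    if domain in own_hosts:
        return False
    norm = normalize(domain)
    if brand in norm:
        return True
    labels = [lab for lab in norm.split(".") if lab]
    if len(labels) < 2:
        return False
    candidates = [labels[-2]] + labels[-2].split("-")
    return any(levenshtein(c, brand) <= max_distance for c in candidates)


def offsite_referrers(log_text, own_hosts):
    """Count requests whose Referer names a host the institution does not own."""
    counts = {}
    for line in log_text.splitlines():
        fields = parse_log_line(line)
        if not fields or fields["referer"] == "-":
            continue
        host = urlsplit(fields["referer"]).hostname
        if host and host not in own_hosts:
            counts[host] = counts.get(host, 0) + 1
    return counts


def triage(log_text, brand, own_hosts):
    """Combine both checks into a list an analyst can review."""
    return [
        {"host": host, "hits": hits, "lookalike": is_lookalike(host, brand, own_hosts)}
        for host, hits in sorted(offsite_referrers(log_text, own_hosts).items())
    ]


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG, "examplebank", {"www.examplebank.com"}):
        print(finding)
```

The same `is_lookalike` check can be run over a feed of recent domain registrations, which is the "searching the Internet" step the guidance describes; a referrer that is both off-site and a lookalike is the strongest signal that a copied page is live.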
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
TCP/IP Packets
TCP/IP is a packet-based communications system. A packet consists
of a header and a data payload. A header is analogous to a mail
envelope, containing the information necessary for delivery of the
envelope, and the return address. The data payload is the content of
the envelope. The IP packet header contains the address of the
sender (source address) and the intended recipient (destination
address) and other information useful in handling the packet. Under
IP, the addresses are unique numbers known as IP addresses. Each
machine on an IP network is identified by a unique IP address. The
vast majority of IP addresses are publicly accessible. Some IP
addresses, however, are reserved for use in internal networks. Those
addresses are 10.0.0.0 - 10.255.255.255, 172.16.0.0 - 172.31.255.255,
and 192.168.0.0 - 192.168.255.255. Since those internal addresses are not
accessible from outside the internal network, a gateway device is
used to translate the external IP address to the internal address.
The device that translates external and internal IP addresses is
called a network address translation (NAT) device. Other IP packet
header fields include the protocol field (e.g., 1=ICMP, 6=TCP, 7=UDP),
flags that indicate whether routers are allowed to fragment the
packet, and other information.
If the IP packet indicates the protocol is TCP, a TCP header will
immediately follow the IP header. The TCP header contains the source
and destination ports, the sequence number, and other information.
The sequence number is used to order packets upon receipt and to
verify that all packets in the transmission were received.
Information in headers can be spoofed, or specially constructed to
contain misleading information. For instance, the source address can
be altered to reflect an IP address different from the true source
address, and the protocol field can indicate a different protocol
than actually carried. In the former case, an attacker can hide
their attacking IP, and cause the financial institution to believe
the attack came from a different IP and take action against that
erroneous IP. In the latter case, the attacker can craft an attack
to pass through a firewall and attack with an otherwise disallowed
protocol.
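The header fields described above, and the two spoofing cases, can be seen concretely by decoding packets by hand. The following is an added example written for this newsletter section, not code from the FFIEC booklet: it parses an IPv4 header and the TCP header that follows it, verifies the IP header checksum, and applies the two checks a border filter uses against the spoofing described in the text (a reserved internal source address arriving from outside, and a protocol field claiming TCP when no TCP header is present). The sample packets are constructed with documentation addresses; the protocol table in the code follows the IANA registry, where UDP is protocol 17.

```python
import ipaddress
import struct

# The reserved internal ranges named in the text (RFC 1918).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# IP protocol field values as assigned in the IANA registry (UDP is 17 there).
PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}

IPV4_FMT = "!BBHHHBBH4s4s"   # 20-byte IPv4 header without options
TCP_FMT = "!HHIIHHHH"        # 20-byte TCP header without options


def ipv4_checksum(header):
    """RFC 791 one's-complement checksum; yields 0 for a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ipv4(packet):
    """Decode the IPv4 header fields the text describes."""
    if len(packet) < 20:
        raise ValueError("too short for an IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _csum, src, dst = struct.unpack(IPV4_FMT, packet[:20])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < 20 or len(packet) < ihl:
        raise ValueError("not a well-formed IPv4 header")
    flags = flags_frag >> 13
    return {
        "src": str(ipaddress.IPv4Address(src)),
        "dst": str(ipaddress.IPv4Address(dst)),
        "protocol": proto,
        "protocol_name": PROTOCOLS.get(proto, "other"),
        "dont_fragment": bool(flags & 0x2),   # routers may not fragment this packet
        "more_fragments": bool(flags & 0x1),
        "fragment_offset": (flags_frag & 0x1FFF) * 8,
        "ttl": ttl,
        "checksum_ok": ipv4_checksum(packet[:ihl]) == 0,
        "payload": packet[ihl:total_len],
    }


def parse_tcp(segment):
    """Decode the TCP header: ports, sequence number, and flags."""
    if len(segment) < 20:
        raise ValueError("too short for a TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, _urg = struct.unpack(TCP_FMT, segment[:20])
    return {"src_port": sport, "dst_port": dport, "seq": seq, "ack": ack,
            "data_offset": (off_flags >> 12) * 4, "flags": off_flags & 0x1FF, "window": window}


def ingress_checks(packet):
    """Findings a border filter would raise for a packet arriving from the outside."""
    findings = []
    ip = parse_ipv4(packet)
    if not ip["checksum_ok"]:
        findings.append("bad IP header checksum")
    if any(ipaddress.ip_address(ip["src"]) in net for net in PRIVATE_NETS):
        findings.append("private source address on external interface (likely spoofed)")
    if ip["protocol"] == 6:
        try:
            parse_tcp(ip["payload"])
        except ValueError:
            findings.append("protocol field says TCP but no TCP header follows")
    return findings


def build_tcp(sport, dport, seq, flags=0x02):
    """Constructed TCP header (SYN by default); TCP checksum left zero for the sample."""
    return struct.pack(TCP_FMT, sport, dport, seq, 0, (5 << 12) | flags, 65535, 0, 0)


def build_ipv4(src, dst, proto, payload, dont_fragment=True):
    """Constructed IPv4 packet with a correct header checksum."""
    flags_frag = (0x2 if dont_fragment else 0) << 13
    fields = [0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IPV4_FMT, *fields))
    return struct.pack(IPV4_FMT, *fields) + payload


if __name__ == "__main__":
    sample = build_ipv4("203.0.113.5", "198.51.100.10", 6, build_tcp(40000, 443, 1000))
    print(parse_ipv4(sample))
    print(ingress_checks(build_ipv4("10.1.2.3", "198.51.100.10", 6, build_tcp(40000, 443, 1000))))
```

The private-source check is the usual anti-spoofing ingress filter: a packet with a 10.x, 172.16-31.x or 192.168.x source cannot legitimately arrive on the Internet-facing interface, so blocking and logging it removes the case where the institution takes action against a forged address.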
IT SECURITY QUESTION:
C. HOST SECURITY
3. Determine if adequate processes exist to apply host security
updates, such as patches and anti-virus signatures, and that such
updating takes place.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, and 14 and/or 15 but not outside of these exceptions (Part 2 of 2)
B. Presentation, Content, and Delivery of Privacy Notices
1) Review the financial institution's initial and annual
privacy notices. Determine whether or not they:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information and contain examples as applicable (§§6, 13).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written consumer records where available, determine if the
institution has adequate procedures in place to provide notices to
consumers, as appropriate. Assess the following:
a. Timeliness of delivery (§4(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the consumer agrees; or as a necessary step
of a transaction) (§9).
c. For customers only, review the timeliness of delivery (§§4(d),
4(e), and 5(a)), means of delivery of annual notice (§9(c)), and
accessibility of or ability to retain the notice (§9(e)).
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.