Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet
auditing for financial institutions.
May 6, 2007
Does your financial institution need an affordable Internet security
audit?
Yennik, Inc. has clients in 41 states that rely on our penetration
testing audits to ensure proper Internet security settings and to meet
the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB,
and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable,
sophisticated process that goes far beyond the simple scanning of ports.
The audit focuses on a hacker's perspective, which will help you
identify real-world weaknesses. For more information, give R. Kinney
Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
FDIC Makes Available on Its Web Site New Government-Wide Id
Theft Home Page - The Federal Deposit Insurance Corporation, a
participant in the government-wide Identity Theft Task Force, will
provide a direct link to the new, centralized government Web site on
identity theft.
www.fdic.gov/news/news/press/2007/pr07033.html
FYI -
The Federal Reserve Board on Friday requested public
comment on proposed amendments to five consumer financial services
and fair lending regulations (Regulations B, E, M, Z, and DD) to
clarify the requirements for providing consumer disclosures in
electronic form.
www.federalreserve.gov/boarddocs/press/bcreg/2007/20070420/default.htm
FYI - Auditors cite security
problems with IRS wireless networks - The Internal Revenue Service
has jeopardized sensitive taxpayer information by failing to lock
down its wireless networks, according to an audit report.
http://www.govexec.com/dailyfed/0407/041707p1.htm
FYI - Consumers baulk at
returning to hacked stores - Consumers are wary about returning to
shop at retailers that have been the subject of security breaches,
according to a new study. The survey of 1,200 UK consumers revealed
that the majority would take their business elsewhere in the event
of loss of customer data as a result of a security breach or hack
attack.
http://www.theregister.co.uk/2007/04/17/data_breach_survey/print.html
FYI - Bottom line impact of data
breaches unclear - Despite the fact that unwanted exposure of
consumer data has become a hot-button issue in the media and among
legislators nationwide, experts admit that it remains unclear just
how much damage the events will cause to the finances and
reputations of companies that experience major incidents.
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/04/13/HNtjxcost_1.html
FYI - U.S. shuts student
database to lenders amid concerns - Following reports of abuse, the
U.S. government on Tuesday temporarily barred college loan firms
from accessing a database containing confidential personal
information on millions of student borrowers.
http://www.reuters.com/article/newsOne/idUSN1720315120070418
FYI - Disgruntled techie
attempts Californian power blackout - A cheesed-off American IT
worker was seized by an FBI Joint Terrorism Task Force on Wednesday
for attacking the Californian electric power grid.
http://www.theregister.co.uk/2007/04/20/terrorists_among_us_flee_flee/print.html
FYI - USDA has data breach - The
Agriculture Department announced Friday it has publicly exposed the
personal information of up to 63,000 citizens. A USDA loan recipient
April 13 notified OMB Watch that her social security and tax
identification numbers were intertwined with a longer data set in
their fedspending.org database. OMB Watch notified the agency, which
pulled down the data that day.
http://www.gcn.com/online/vol1_no1/43543-1.html
FYI - Security breach suspected
at grocery ATMs - Customers are urged to check statements after card
readers are discovered. Authorities and a national grocery-store
chain are warning Inland residents about evidence of electronic card
readers discovered on at least three ATMs in the Inland area last
week.
http://www.pe.com/localnews/inland/stories/PE_News_Local_S_scam21.ac606b.html
FYI - System update led to
Blackberry outage - BlackBerry maker Research in Motion Ltd. said an
insufficiently tested software update at the company's network data
center was the cause of a service outage this week that left
millions of users without wireless e-mail access.
http://www.usatoday.com/tech/news/2007-04-20-blackberry-outage_N.htm?csp=34
MISSING COMPUTERS/DATA
FYI - UCSF computer server with
research subject information is stolen - A computer file server
containing research subject information related to studies on causes
and cures for different types of cancer was stolen from a locked
UCSF office on March 30, 2007.
http://pub.ucsf.edu/newsservices/releases/200704189/
FYI - Ohio State database
compromised - Personal information on some 14,000 employees was
exposed - A database intrusion by foreign hackers may have
compromised Social Security numbers and other sensitive data
belonging to more than 14,000 current and former employees at Ohio
State University.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017042&source=rss_topic17
FYI - Thieves take laptop with
Smith photos - The head of Edgewood Studios in Rutland is looking
for the return of a stolen laptop containing some valuable
information, including unreleased images of Anna Nicole Smith, the
star of his most recent film.
http://www.rutlandherald.com/apps/pbcs.dll/article?AID=/20070420/NEWS01/704200371/1002/NEWS01
WEB SITE COMPLIANCE -
"Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some extent an
advertisement. Accordingly, bank web site home pages should contain
the official advertising statement unless the advertisement is
subject to exceptions such as advertisements for loans, securities,
trust services and/or radio or television advertisements that do not
exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INFORMATION TECHNOLOGY SECURITY - We continue our series
on the FFIEC interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number of
security-related threats. Coverage varies by insurance company, but
currently available insurance products may include coverage for the
following risks:
- Vandalism of financial institution Web sites,
- Denial-of-service attacks,
- Loss of income,
- Computer extortion associated with threats of attack or disclosure
of data,
- Theft of confidential information,
- Privacy violations,
- Litigation (breach of contract),
- Destruction or manipulation of data (including viruses),
- Fraudulent electronic signatures on loan agreements,
- Fraudulent instructions through e-mail,
- Third-party risk from companies responsible for security of
financial institution systems or information,
- Insiders who exceed system authorization, and
- Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third-party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
security incidents.
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
IT SECURITY QUESTION:
ENCRYPTION
1. Review the information security risk assessment and identify
those items and areas classified as requiring encryption.
2. Evaluate the appropriateness of the criteria used to select the
type of encryption/cryptographic algorithms.
- Consider if cryptographic algorithms are both publicly known
and widely accepted (e.g. RSA, SHA, Triple DES, Blowfish, Twofish,
etc.) or banking industry standard algorithms.
- Note the basis for choosing key sizes (e.g., 40-bit,
128-bit) and key space.
- Identify management's understanding of cryptography and
expectations of how it will be used to protect data.
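The two audit steps above lend themselves to a repeatable check: take the inventory of items the risk assessment classified as requiring encryption, and test each entry against an approved list of publicly known algorithms and a minimum key size. The script below is an added example written for this newsletter and is not part of the FFIEC booklet or any regulator's tooling. The approved-algorithm table, its minimum key sizes, and the sample inventory entries (asset names, the "VendorCrypt" cipher, the 40-bit RC4 session) are all constructed assumptions for illustration; an institution would substitute its own policy figures.

```python
"""
Added example: inventory-driven review of algorithm and key-size choices,
following the encryption audit questions. Policy values and sample data
are assumptions constructed for this example, not regulator figures.
"""
from dataclasses import dataclass
from typing import Dict, List

# Assumed policy table: publicly known, widely reviewed algorithms and the
# minimum key size (bits) this hypothetical institution accepts for each.
# Hash functions take no key, so their minimum is 0. Anything absent from
# the table (single DES, a vendor's proprietary cipher, "none") fails
# regardless of the key size claimed for it.
APPROVED_ALGORITHMS: Dict[str, int] = {
    "AES": 128,
    "TRIPLE DES": 112,  # three-key TDES: 168-bit nominal key, about 112 bits effective
    "BLOWFISH": 128,
    "TWOFISH": 128,
    "RC4": 128,         # 40-bit export-grade RC4 fails on key size
    "RSA": 1024,
    "SHA-1": 0,
    "SHA-256": 0,
}


@dataclass
class CryptoUse:
    asset: str       # item the risk assessment classified as requiring encryption
    algorithm: str   # "none" if the item is actually handled in the clear
    key_bits: int    # 0 for keyless hash functions


@dataclass
class Finding:
    asset: str
    result: str      # "PASS" or "FAIL"
    reason: str


def key_space(bits: int) -> int:
    """Number of distinct keys for a key of the given length (2^bits)."""
    return 1 << bits


def evaluate(use: CryptoUse, policy: Dict[str, int] = APPROVED_ALGORITHMS) -> Finding:
    """Apply the audit criteria to one inventory entry."""
    name = use.algorithm.strip().upper()
    if name in ("", "NONE"):
        return Finding(use.asset, "FAIL",
                       "classified as requiring encryption but handled in the clear")
    if name not in policy:
        return Finding(use.asset, "FAIL",
                       f"{use.algorithm} is not on the approved list of publicly known, "
                       "widely accepted algorithms")
    minimum = policy[name]
    if minimum == 0:
        return Finding(use.asset, "PASS", f"{use.algorithm}: approved keyless hash function")
    if use.key_bits < minimum:
        return Finding(use.asset, "FAIL",
                       f"{use.algorithm} key of {use.key_bits} bits (key space 2^{use.key_bits} = "
                       f"{key_space(use.key_bits):,}) is below the {minimum}-bit minimum")
    return Finding(use.asset, "PASS",
                   f"{use.algorithm} {use.key_bits}-bit key, key space 2^{use.key_bits}")


def audit(inventory: List[CryptoUse]) -> List[Finding]:
    """Evaluate every entry pulled from the risk assessment."""
    return [evaluate(use) for use in inventory]


# Constructed sample inventory for the example; not data from any institution.
SAMPLE_INVENTORY: List[CryptoUse] = [
    CryptoUse("Customer PII database backup tapes", "AES", 128),
    CryptoUse("Internet banking sessions (legacy browser support)", "RC4", 40),
    CryptoUse("ACH file transfer to core processor", "VendorCrypt", 256),
    CryptoUse("Wire transfer request integrity check", "SHA-256", 0),
    CryptoUse("Scanned loan applications on file server", "none", 0),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_INVENTORY):
        print(f"{finding.result:4} {finding.asset}: {finding.reason}")
```

Run as-is, the script passes the AES backup and the SHA-256 integrity check, and fails the 40-bit RC4 session on key space, the proprietary "VendorCrypt" transfer on the public-review criterion, and the clear-text loan scans on step 1 of the question. The approved table is the part an examiner would ask management to justify; it is deliberately data, not code, so it can be reviewed alongside the risk assessment.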
INTERNET PRIVACY - We continue our
review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal information";
"nonaffiliated third party"; the "opt out" right and the exceptions
to that right; and "consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
Financial Institution:
A "financial institution" is any institution the business of
which is engaging in activities that are financial in nature or
incidental to such financial activities, as determined by section
4(k) of the Bank Holding Company Act of 1956. Financial institutions
can include banks, securities brokers and dealers, insurance
underwriters and agents, finance companies, mortgage bankers, and
travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except a
financial institution's affiliate or a person employed jointly by a
financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is any company
that controls, is controlled by, or is under common control with the
financial institution.
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at examiner@yennik.com if we can be of assistance.