R. Kinney Williams & Associates
Internet Banking News
May 28, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - FTC settles data security case - Settlement calls for real-estate firm NHC to improve its information security practices and submit to audits - Nations Holding Co. (NHC), a real-estate firm operating in 44 U.S. states, has settled a data security case after the U.S. Federal Trade Commission (FTC) accused it of allowing a common Web attack to compromise customer data, the FTC announced.
http://ww6.infoworld.com/products/print_friendly.jsp?link=/article/06/05/10/78177_HNftcsettlescase_1.html
FYI - Lloyds TSB admits chip and PIN flawed - A MAJOR bank has finally conceded that serious flaws in the new chip and PIN system have opened it up to fraud. Lloyds TSB admitted a surge in thefts by gangs who clone debit and credit cards then plunder accounts at ATMs overseas.
http://www.thisismoney.co.uk/saving-and-banking/article.html?in_article_id=408976&in_page_id=2&ito=1565
FYI - FTC launches ID theft prevention program - The Federal Trade Commission (FTC) has launched an identity theft education campaign to coincide with President Bush's creation of a task force designed to tackle America's fastest growing crime.
http://www.scmagazine.com/us/news/article/558745/?n=us
FYI - SCADA (Supervisory Control and Data Acquisition) on thin ice - Industrial control systems pose little-noticed security threat - The electronic control systems that act as the nervous system for all critical infrastructures are insecure and pose disastrous risks to national security, cybersecurity experts warn.
http://www.fcw.com/article94273-05-08-06-Print
FYI - Execs tell regulators Sarbanes-Oxley costs exceed benefits - Faced with a tidal wave of complaints about high costs and implementation difficulties, federal regulators say they will consider modifying rules and auditing standards related to the Sarbanes-Oxley Act.
http://www.networkworld.com/news/2006/051106-sox-costs.html
FYI - Florida theater chain hit by virus attack - It made buying tickets a 'Mission Impossible' for would-be movie-goers - Buying tickets online for Tom Cruise's latest movie became a Mission: Impossible for some theater goers last weekend thanks to a computer virus that gummed up ticket-buying in the Southeastern U.S.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000400&taxonomyId=85
FYI - Search engines point to malicious Web sites - Around 285M clicks each month go terribly wrong - Search engines deliver links to dangerous Web sites that download spyware and adware to visitors' PCs, exploit security vulnerabilities and attempt to scam users and include them in spam lists, a new study has found. U.S. users land on malicious Web sites about 285 million times per month by clicking on search results from the five major search engines, according to the study, conducted by McAfee Inc.'s SiteAdvisor unit. Google Inc., Yahoo Inc., Microsoft Corp.'s MSN unit, IAC/InterActiveCorp's Ask.com and Time Warner Inc.'s AOL LLC comprise the top search engines.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000421&taxonomyId=85
FYI - Indian IT firms look for data security chief - The Indian IT industry is setting up an organisation to police data security among firms handling outsourcing contracts from countries such as the UK.
http://www.theregister.co.uk/2006/05/12/indian_security/print.html
FYI - Personal data on millions of US veterans stolen - Personal information on 26.5 million U.S. veterans was stolen from an employee of the Department of Veterans Affairs who took the data home without authorization, exposing them to possible identity theft, the department said.
http://news.yahoo.com/s/nm/20060522/us_nm/crime_veterans_dc
http://www.usatoday.com/tech/news/2006-05-22-vadisk_x.htm
FYI - University server in hackers' hands for a year - An unprecedented string of electronic intrusions has prompted Ohio University to place at least one technician on paid administrative leave and begin a sweeping reorganization of the university's computer services department.
http://news.com.com/2102-7349_3-6074739.html?tag=st.util.print
WEB SITE COMPLIANCE - While we normally try not to repeat articles within a year, some readers have asked us to cover authentication for Internet banking again, since financial institutions will be expected to achieve compliance with the guidance no later than year-end 2006. This is an important subject; therefore, in response to reader request, we begin our 13-part series on the FFIEC guidance, Authentication in an Internet Banking Environment.
Purpose
On August 8, 2001, the FFIEC agencies (agencies) issued guidance entitled Authentication in an Electronic Banking Environment (2001 Guidance). The 2001 Guidance focused on risk management controls necessary to authenticate the identity of retail and commercial customers accessing Internet-based financial services. Since 2001, there have been significant legal and technological changes with respect to the protection of customer information; increasing incidents of fraud, including identity theft; and the introduction of improved authentication technologies. This updated guidance replaces the 2001 Guidance and specifically addresses why financial institutions regulated by the agencies should conduct risk-based assessments, evaluate customer awareness programs, and develop security measures to reliably authenticate customers remotely accessing their Internet-based financial services.
This guidance applies to both retail and commercial customers and does not endorse any particular technology. Financial institutions should use this guidance when evaluating and implementing authentication systems and practices whether they are provided internally or by a service provider. Although this guidance is focused on the risks and risk management techniques associated with the Internet delivery channel, the principles are applicable to all forms of electronic banking activities.
Summary of Key Points
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.
Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically:
• Ensure that their information security program:
- Identifies and assesses the risks associated with Internet-based
products and services,
- Identifies risk mitigation actions, including appropriate
authentication strength, and
- Measures and evaluates customer awareness efforts;
• Adjust, as appropriate, their information security program in
light of any relevant changes in technology, the sensitivity of its
customer information, and internal or external threats to
information; and
• Implement appropriate risk mitigation strategies.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Packet Filter Firewalls
Basic packet filtering was described in the router section and does not include stateful inspection. Packet filter firewalls evaluate the headers of each incoming and outgoing packet to ensure it has a valid internal address, originates from a permitted external address, connects to an authorized protocol or service, and contains valid basic header instructions. If the packet does not match the pre-defined policy for allowed traffic, the firewall drops the packet. Packet filters generally do not analyze the packet contents beyond the header information. Dynamic packet filtering incorporates stateful inspection primarily for performance benefits. Rather than re-examining every packet against the ruleset, the firewall first checks each packet as it arrives to determine whether it is part of an existing connection. If it verifies that the packet belongs to an established connection, it forwards the packet without subjecting it to the firewall ruleset.
Weaknesses associated with packet filtering firewalls include the following:
• The system is unable to prevent attacks that employ application-specific vulnerabilities and functions because the packet filter cannot examine packet contents.
• Logging functionality is limited to the same information used to make access control decisions.
• Most do not support advanced user authentication schemes.
• Firewalls are generally vulnerable to attacks and exploitation that take advantage of problems in the TCP/IP specification.
• The firewalls are easy to misconfigure, which allows traffic to pass that should be blocked.
Packet filtering offers less security, but faster performance than application-level firewalls. The former are appropriate in high-speed environments where logging and user authentication with network resources are not important. Packet filter firewalls are also commonly used in small office/home office (SOHO) systems and default operating system firewalls.
Institutions internally hosting Internet-accessible services should consider implementing additional firewall components that include application-level screening.
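The header-only decision, the established-connection fast path and three of the weaknesses listed above (no payload inspection, header-only logging, easy misconfiguration) in a toy dynamic packet filter. This is an added illustration in Python, not code from the FFIEC booklet; the Packet and Rule types, the 10.0.0.x internal range, the 203.0.113.7 client and the policy are all constructed for the demo.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str; dst: str; proto: str; sport: int; dport: int
    syn: bool = False        # TCP SYN flag: first packet of a new connection
    payload: bytes = b""     # a packet filter never looks at this

@dataclass(frozen=True)
class Rule:
    action: str              # "allow" or "deny"
    dst: str = "any"; proto: str = "any"; dport: Optional[int] = None
    def matches(self, p: Packet) -> bool:
        return (self.dst in ("any", p.dst) and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))

class PacketFilter:
    def __init__(self, rules: List[Rule], internal_prefix: str = "10.0.0."):
        self.rules, self.internal_prefix = rules, internal_prefix
        self.conns: set = set()      # established connections (5-tuples)
        self.log: List[Tuple] = []   # only header fields are available to log

    def filter(self, p: Packet) -> str:
        key = (p.src, p.sport, p.dst, p.dport, p.proto)
        reverse = (p.dst, p.dport, p.src, p.sport, p.proto)
        if key in self.conns or reverse in self.conns:
            return "allow"           # fast path: established traffic skips the ruleset
        if not (p.src.startswith(self.internal_prefix) or p.dst.startswith(self.internal_prefix)):
            return "deny"            # neither end is a valid internal address
        for r in self.rules:         # first matching rule wins
            if r.matches(p):
                if r.action == "allow" and p.proto == "tcp" and p.syn:
                    self.conns.add(key)
                self.log.append((r.action, p.src, p.dst, p.proto, p.dport))
                return r.action
        return "deny"                # nothing matched: drop the packet

# Constructed policy: only HTTPS to the internal web server may enter.
POLICY = [Rule("allow", dst="10.0.0.5", proto="tcp", dport=443), Rule("deny")]
def demo(rules: List[Rule] = POLICY) -> dict:
    fw = PacketFilter(rules)
    c = "203.0.113.7"            # constructed external client address
    syn = Packet(c, "10.0.0.5", "tcp", 51000, 443, syn=True)
    reply = Packet("10.0.0.5", c, "tcp", 443, 51000)
    ssh = Packet(c, "10.0.0.5", "tcp", 51000, 22, syn=True)
    # Allowed headers but an application-layer attack in the payload (placeholder): forwarded unread.
    app = Packet(c, "10.0.0.5", "tcp", 51000, 443, payload=b"<application-layer attack>")
    return {"syn": fw.filter(syn), "reply": fw.filter(reply), "ssh": fw.filter(ssh),
            "app_layer": fw.filter(app), "payload_logged": any(len(e) != 5 for e in fw.log)}
```

Placing a catch-all `Rule("allow")` ahead of the policy reproduces the misconfiguration weakness: the SSH packet the policy should drop is forwarded.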
IT SECURITY QUESTION:
C. HOST SECURITY
7. Determine whether access to utilities on the host is appropriately restricted and monitored.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Account number sharing
A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution's consumers (§12).
B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution's own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution's own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customers' accounts (§12(b)(1)).
C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (§12(b)(2)).
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With Gramm-Leach-Bliley and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.