Internet Banking News

June 3, 2012

CONTENT	Internet Compliance	Web Site Audits
IT Security	Internet Privacy	Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - Banking malware spies on victims by hijacking webcams, microphones, researchers say - A new variant of SpyEye malware allows cybercriminals to monitor potential bank fraud victims by hijacking their webcams and microphones, according to security researchers from antivirus vendor Kaspersky Lab. http://www.computerworld.com/s/article/9227387/Banking_malware_spies_on_victims_by_hijacking_webcams_microphones_researchers_say?taxonomyId=83

FYI - FBI quietly forms secretive Net-surveillance unit - CNET has learned that the FBI has formed a Domestic Communications Assistance Center, which is tasked with developing new electronic surveillance technologies, including intercepting Internet, wireless, and VoIP communications. http://news.cnet.com/8301-1009_3-57439734-83/fbi-quietly-forms-secretive-net-surveillance-unit/

FYI - Invasion of privacy - Gardaí, the Defence Forces, and Revenue Commissioners are accessing record levels of private landline, mobile phone, and internet records. The latest available figures show authorities accessed more than 40 private communications each day in 2010 - compared with 31 per day a year earlier. http://www.irishexaminer.com/ireland/invasion-of-privacy-194939.html

FYI - Hundreds of words to avoid using online if you don't want the government spying on you (and they include 'pork', 'cloud' and 'Mexico') - The Department of Homeland Security has been forced to release a list of keywords and phrases it uses to monitor social networking sites and online media for signs of terrorist or other threats against the U.S. http://www.dailymail.co.uk/news/article-2150281/REVEALED-Hundreds-words-avoid-using-online-dont-want-government-spying-you.html

FYI - Texas school district to track kids through RFID tags - A San Antonio district is so concerned that it can't keep tabs of its kids that it has decided to insert RFID tags into their IDs. This will, apparently, save money, as well as help the counting process. http://news.cnet.com/8301-1009_3-57441651-83/texas-school-district-to-track-kids-through-rfid-tags/

FYI - Clouds don’t need real-time threat reporting tools to win federal stamp of approval - Cloud companies planning to apply in June for certification to sell Web services governmentwide will not be obligated to provide automated threat reports, the government’s purchasing agency told Nextgov. http://www.nextgov.com/cloud-computing/2012/05/clouds-dont-need-real-time-monitoring-win-federal-stamp-approval/55909/?oref=ng-HPriver

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - China arrests suspects as ID theft crackdown continues - Beijing authorities have arrested 160 individuals on charges of stealing personal information, according to the Chinese news site Sina. http://www.bbc.co.uk/news/technology-18189980

FYI - Researchers uncover causes of MilitarySingles.com hack - A common web application vulnerability, poor detection capabilities and a lack of adequate encryption led to the recent hack of MilitarySingles.com, according to research performed by security firm Imperva. http://www.scmagazine.com/researchers-uncover-causes-of-militarysinglescom-hack/article/242746/?DCMP=EMC-SCUS_Newswire

FYI - Hospital agrees to pay $750,000 over data breach allegations - A Massachusetts hospital has agreed to settle in court to the sum of $750,000 over allegations concerning its failure to protect sensitive patient data. http://www.scmagazine.com/hospital-agrees-to-pay-750000-over-data-breach-allegations/article/242920/?DCMP=EMC-SCUS_Newswire

FYI - Information of U.S. federal employees exposed - A computer run by service provider Serco was compromised in July last year - A hack in July last year of a computer used by third-party services provider Serco to support the Thrift Savings Plan run by the U.S. Federal Retirement Thrift Investment Board resulted in unauthorized access to the personal information of about 123,201 TSP participants and payees, FRTIB said Friday. http://www.computerworld.com/s/article/9227519/Information_of_U.S._federal_employees_exposed?taxonomyId=17

FYI - Ex-Nokia Siemens engineer admits eBaying nicked routers - Cash-strapped dad in court for Wi-Fi kit theft - A hard-up ex-engineer at Nokia Siemens swiped wireless routers worth thousands of pounds from his employer to refurbish and flog on eBay. http://www.channelregister.co.uk/2012/05/28/hermann_court_case/

FYI - US mayor and son charged with hacking into opposition site - We'd rather be fending off global cyberwar, sniff Feds - A small town US mayor and his son have been arrested over allegations they hacked into a website calling for his recall. http://www.theregister.co.uk/2012/05/25/us_mayor_hacking_charges/

FYI - Rockefeller questions cybersecurity of gas pipelines - Sen. Jay Rockefeller (D-W.Va.) questioned whether gas pipelines are vulnerable to cyberattacks in a letter on Thursday to the president of a gas trade association. ackers recently attacked computer networks managing several major gas pipelines, although it is unclear how much damage they caused. http://thehill.com/blogs/hillicon-valley/technology/229393-rockefeller-questions-cybersecurity-of-gas-pipelines

FYI - WHMCS Breach May Be Only Tip of the Trouble - A recent breach at billing and support software provider WHMCS that exposed a half million customer usernames, passwords - and in some cases credit cards - may turn out to be the least of the company’s worries. http://krebsonsecurity.com/2012/05/whmcs-breach-may-be-only-tip-of-the-trouble/

FYI - Hackers raid U. of Nebraska database with 654k Social Security nos. - Vandals gained access to a database containing the personal records, including Social Security numbers, of hundreds of thousands of University of Nebraska students, alumni and others connected to the school's four campuses. http://www.scmagazine.com/hackers-raid-u-of-nebraska-database-with-654k-social-security-nos/article/243232/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 2: Banks should use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactions.

Non-repudiation involves creating proof of the origin or delivery of electronic information to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent. Risk of transaction repudiation is already an issue with conventional transactions such as credit cards or securities transactions. However, e-banking heightens this risk because of the difficulties of positively authenticating the identities and authority of parties initiating transactions, the potential for altering or hijacking electronic transactions, and the potential for e-banking users to claim that transactions were fraudulently altered.

To address these heightened concerns, banks need to make reasonable efforts, commensurate with the materiality and type of the e-banking transaction, to ensure that:

1) E-banking systems are designed to reduce the likelihood that authorized users will initiate unintended transactions and that customers fully understand the risks associated with any transactions they initiate.
2) All parties to the transaction are positively authenticated and control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration and any alteration is detectable.

Banking organizations have begun to employ various techniques that help establish non-repudiation and ensure confidentiality and integrity of e-banking transactions, such as digital certificates using public key infrastructure (PKI). A bank may issue a digital certificate to a customer or counterparty to allow for their unique identification/authentication and reduce the risk of transaction repudiation. Although in some countries customers' rights to disclaim transactions is provided in specific legal provisions, legislation has been passed in certain national jurisdictions making digital signatures legally enforceable. Wider global legal acceptance of such techniques is likely as technology continues to evolve.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INTRUSION DETECTION AND RESPONSE

Automated Intrusion Detection Systems (IDS) (Part 4 of 4)

Some host-based IDS units address the difficulty of performing intrusion detection on encrypted traffic. Those units position their sensors between the decryption of the IP packet and the execution of any commands by the host. This host-based intrusion detection method is particularly appropriate for Internet banking servers and other servers that communicate over an encrypted channel. LKMs, however, can defeat these host-based IDS units.

Host-based intrusion detection systems are recommended by the NIST for all mission-critical systems, even those that should not allow external access.

The heuristic, or behavior, method creates a statistical profile of normal activity on the host or network. Boundaries for activity are established based on that profile. When current activity exceeds the boundaries, an alert is generated. Weaknesses in this system involve the ability of the system to accurately model activity, the relationship between valid activity in the period being modeled and valid activity in future periods, and the potential for malicious activity to take place while the modeling is performed. This method is best employed in environments with predictable, stable activity.

Both signature-based and heuristic detection methods result in false positives (alerts where no attack exists), and false negatives (no alert when an attack does take place). While false negatives are obviously a concern, false positives can also hinder detection. When security personnel are overwhelmed with the number of false positives, they may look at the IDS reports with less vigor, allowing real attacks to be reported by the IDS but not researched or acted upon. Additionally, they may tune the IDS to reduce the number of false positives, which may increase the number of false negatives. Risk-based testing is necessary to ensure the detection capability is adequate.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:

a. a toll-free telephone number that the consumer may call to request the notice; [§6(d)(4)(i)] or

b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery? [§6(d)(4)(ii)]