Are you ready for your IT examination?
The Weekly IT Security Review provides a checklist of the IT security issues covered in the FFIEC IT Examination Handbook, which will prepare you for the IT examination.
For more information and to subscribe visit http://www.yennik.com/it-review/.
FYI -
Business continuity, not data breaches, among top concerns for tech
firms - Data security and breach prevention ranks low as a risk
factor for most big technical companies, according to new research
that identifies the most widespread concerns among the 100 largest
U.S. public technology companies.
http://www.computerworld.com/s/article/9177262/Business_continuity_not_data_breaches_among_top_concerns_for_tech_firms?source=rss_news
FYI -
SANS One Touch Disaster Recovery Solution for Continuity of
Operations -
http://www.sans.org/reading_room/whitepapers/recovery/touch-disaster-recovery-solution-continuity-operations_33373
FYI -
Comparing the Gulf oil spill with a massive data breach - Few would
argue that BP has been less than forthcoming with information
related to the oil spill in the Gulf of Mexico.
http://www.scmagazineus.com/comparing-the-gulf-oil-spill-with-a-massive-data-breach/article/171185/?DCMP=EMC-SCUS_Newswire
FYI -
Branch office security: What are the real problems? - When it comes
to IT security, almost all businesses using IP networks to transmit
data will know that they have to protect themselves, and they will
have systems in place to keep their data secure.
http://www.scmagazineus.com/branch-office-security-what-are-the-real-problems/article/171131/?DCMP=EMC-SCUS_Newswire
FYI -
ISPs with fewer than 400,000 subscribers will not be initially
covered by the draft Ofcom code of conduct on online copyright
infringement - The draft code of practice aimed at reducing online
copyright infringement has been published by Ofcom.
http://www.scmagazineuk.com/isps-with-fewer-than-400000-subscribers-will-not-be-initally-covered-by-the-draft-ofcom-code-of-conduct-on-online-copyright-infringement/article/171229/
FYI -
U.S. Indicts Ohio Man and Two Foreign Residents in Alleged
Ukraine-Based "Scareware" Fraud Scheme That Caused $100 Million in
Losses to Internet Victims Worldwide - An international cybercrime
scheme caused Internet users in more than 60 countries to purchase
more than one million bogus software products, causing victims to
lose more than $100 million, according to a federal indictment
returned here against a Cincinnati area man and two other men
believed to be living abroad.
http://chicago.fbi.gov/dojpressrel/pressrel10/cg052710.htm
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Five indicted in cybertheft of city's bank accounts - Thieves used
spyware to steal login credentials and illegally transfer $450K from
Carson, Calif.'s coffers in 2007 - Five people were indicted this
week on wire fraud and other criminal charges stemming from a 2007
cybertheft in which nearly $450,000 was stolen from the bank
accounts of the city of Carson, Calif.
http://www.computerworld.com/s/article/9177409/Five_indicted_in_cybertheft_of_city_s_bank_accounts?taxonomyId=17
FYI -
Second man jailed over Scientology DDoS attacks - A year and $20,000
down - A second US man has been jailed over controversial denial of
service attacks against the Church of Scientology two years ago.
http://www.theregister.co.uk/2010/05/25/second_scientology_ddoser_jailed/
FYI -
44 million stolen gaming credentials discovered - Symantec
researchers have discovered a database server hosting the stolen
credentials of 44 million accounts belonging to at least 18 gaming
websites.
http://www.scmagazineus.com/44-million-stolen-gaming-credentials-discovered/article/171128/?DCMP=EMC-SCUS_Newswire
http://www.theregister.co.uk/2010/05/28/symantec_gaming_hack_cache/
FYI -
Charlotte, N.C. notifies thousands of city workers of data loss -
The city of Charlotte, N.C. recently notified thousands of current
and former city employees that their personal information went
missing in the mail.
http://www.scmagazineus.com/charlotte-nc-notifies-thousands-of-city-workers-of-data-loss/article/171144/?DCMP=EMC-SCUS_Newswire
FYI -
Cyber Thieves Rob Treasury Credit Union - Organized cyber thieves
stole more than $100,000 from a small credit union in Salt Lake City
last week, in a brazen online robbery that involved dozens of
co-conspirators, KrebsOnSecurity has learned.
http://krebsonsecurity.com/2010/05/cyber-thieves-rob-treasury-credit-union/
FYI -
Bank, customer settle suit over $800,000 cybertheft - PlainsCapital
Bank sued Hillary Machinery after the latter's account was depleted
by online thieves - An unusual legal dispute between a Texas bank
and a business customer over the online theft of more than $800,000
from the latter's account at the bank has been quietly settled.
http://www.computerworld.com/s/article/9177322/Bank_customer_settle_suit_over_800_000_cybertheft?taxonomyId=82
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 3 of 10)
A. RISK DISCUSSION
Reputation Risk
Customers may be confused about whether the financial institution or
a third party is supplying the product, service, or other website
content available through the link. The risk of customer confusion
can be affected by a number of factors:
- nature of the third-party product or service;
- trade name of the third party; and
- website appearance.
Nature of Product or Service
When a financial institution provides links to third parties that
sell financial products or services, or provide information relevant
to these financial products and services, the risk is generally
greater than if third parties sell non-financial products and
services due to the greater potential for customer confusion. For
example, a link from a financial institution's website to a mortgage
bank may expose the financial institution to greater reputation risk
than a link from the financial institution to an online clothing
store.
The risk of customer confusion with respect to links to firms
selling financial products is greater for two reasons. First,
customers are more likely to assume that the linking financial
institution is providing or endorsing financial products rather than
non-financial products. Second, products and services from certain
financial institutions often have special regulatory features and
protections, such as federal deposit insurance for qualifying
deposits. Customers may assume that these features and protections
also apply to products that are acquired through links to
third-party providers, particularly when the products are financial
in nature.
When a financial institution links to a third party that is
providing financial products or services, management should consider
taking extra precautions to prevent customer confusion. For example,
a financial institution linked to a third party that offers
nondeposit investment products should take steps to prevent customer
confusion specifically with respect to whether the institution or
the third party is offering the products and services and whether
the products and services are federally insured or guaranteed by the
financial institution.
Financial institutions should recognize, even in the case of
non-financial products and services, that customers may have
expectations about an institution's due diligence and its selection
of third parties to which the financial institution links its
website. Should customers experience dissatisfaction as a result of
poor quality products or services, or loss as a result of their
transactions with those companies, they may consider the financial
institution responsible for the perceived deficiencies of the
seller.
INFORMATION TECHNOLOGY SECURITY -
We continue our review of the OCC Bulletin about
Infrastructure Threats and Intrusion Risks. This week we review the
last of a three part series regarding controls to prevent and detect
intrusions.
8) Encryption. Encryption is a means of securing data. Data can be
encrypted when it is transmitted, and when it is stored. Because
networks are not impervious to penetration, management should
evaluate the need to secure their data as well as their network.
Management's use of encryption should be based on an internal risk
assessment and a classification of data. The strength of encryption
should be proportional to the risk and impact if the data were
revealed.
9) Employee and Contractor Background Checks. Management should
ensure that information technology staff, contractors, and others
who can make changes to information systems have passed background
checks. Management also should periodically revalidate access lists
and logon IDs.
10) Accurate and Complete Records of Users and Activities. Accurate
and complete records of users and activities are essential for
analysis, recovery, and development of additional security measures,
as well as possible legal action. Information of primary importance
includes the methods used to gain access, the extent of the
intruder's access to systems and data, and the intruder's past and
current activities. To ensure that adequate records exist,
management should consider collecting information about users and
user activities, systems, networks, file systems, and applications.
Consideration should be given to protecting and securing this
information by locating it in a physical location separate from the
devices generating the records, writing the data to a tamperproof
device, and encrypting the information both in transit and in
storage. The OCC expects banks to limit the use of personally
identifiable information collected in this manner for security
purposes, and to otherwise comply with applicable law and
regulations regarding the privacy of personally identifiable
information.
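The bulletin asks for activity records that are complete, kept apart from the systems that produce them, and written in a tamperproof way. One way to make a record store tamper-evident in software is to chain each entry to the previous one with a keyed hash, so that editing, reordering or deleting an entry breaks the chain. The block below is an added example written for this newsletter, not code from the OCC or from any bank's system; the record fields, the demo key and the sample events are all constructed for illustration, and encryption of the records in transit and at rest (TLS, disk encryption) is assumed to be handled separately.

```python
"""Added example: a tamper-evident, hash-chained activity log.

Assumptions (not from the OCC bulletin): the record fields, the key
handling and the sample events are illustrative only.
"""
import hashlib
import hmac
import json

# Constructed demo key. In a real deployment the key is held by the
# collector, never on the devices generating the records.
DEMO_KEY = b"constructed-demo-key-replace-in-deployment"

GENESIS = "0" * 64  # digest that the first entry chains to


def _record_digest(key: bytes, prev: str, record: dict) -> str:
    """HMAC-SHA256 over the previous digest plus the canonical JSON record."""
    canon = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, prev.encode() + b"\n" + canon, hashlib.sha256).hexdigest()


def append_record(log: list, key: bytes, record: dict) -> list:
    """Append a record, chaining it to the digest of the previous entry."""
    prev = log[-1]["digest"] if log else GENESIS
    log.append({"record": record, "prev": prev,
                "digest": _record_digest(key, prev, record)})
    return log


def last_digest(log: list) -> str:
    """Digest to anchor externally (e.g. on the separate collector) so that
    truncation of the tail can be detected later."""
    return log[-1]["digest"] if log else GENESIS


def verify_log(log: list, key: bytes, expected_last: str = None) -> tuple:
    """Return (ok, index): index is the first bad entry, or -1 when intact.
    Detects edited records, reordering and deletion of interior entries;
    with expected_last it also detects truncation of trailing entries."""
    prev = GENESIS
    for i, entry in enumerate(log):
        if entry["prev"] != prev:
            return False, i
        if not hmac.compare_digest(entry["digest"],
                                   _record_digest(key, prev, entry["record"])):
            return False, i
        prev = entry["digest"]
    if expected_last is not None and prev != expected_last:
        return False, len(log)
    return True, -1


# Constructed sample events covering the kinds of information the bulletin
# names: who accessed what, from where, and what was changed.
SAMPLE_EVENTS = [
    {"ts": "2010-06-01T08:00:00Z", "user": "jdoe", "src": "10.0.0.5",
     "action": "logon", "result": "success"},
    {"ts": "2010-06-01T08:02:10Z", "user": "jdoe", "src": "10.0.0.5",
     "action": "read", "object": "/cust/acct.db"},
    {"ts": "2010-06-01T08:05:42Z", "user": "admin", "src": "10.0.0.9",
     "action": "acl-change", "object": "fw-rules"},
]


def build_sample_log(key: bytes = DEMO_KEY) -> list:
    log = []
    for ev in SAMPLE_EVENTS:
        append_record(log, key, ev)
    return log


def demo_tamper(key: bytes = DEMO_KEY) -> tuple:
    """Alter one field of an existing entry and report what verification sees."""
    log = build_sample_log(key)
    log[1]["record"]["object"] = "/tmp/nothing"  # someone hides what was read
    return verify_log(log, key)


if __name__ == "__main__":
    print(verify_log(build_sample_log(), DEMO_KEY))  # (True, -1)
    print(demo_tamper())                             # (False, 1)
```

The chain only proves integrity relative to the key and the anchored last digest, which is why both belong on the separate, protected collector the bulletin describes rather than on the monitored devices; an attacker who controls the device can still suppress events before they are ever written, so the chain complements, and does not replace, shipping records off the host promptly.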
11) Vendor Management. Banks rely on service providers, software
vendors, and consultants to manage networks and operations. In
outsourcing situations, management should ensure that contractual
agreements are comprehensive and clear with regard to the vendor's
responsibility for network security, including its monitoring and
reporting obligations. Management should monitor the vendor's
performance under the contract, as well as assess the vendor's
financial condition at least annually.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Examination Procedures (Part 1 of 3)
A. Through discussions with management and review of available
information, identify the institution's information sharing
practices (and changes to those practices) with affiliates and
nonaffiliated third parties; how it treats nonpublic personal
information; and how it administers opt-outs. Consider the following
as appropriate:
1) Notices (initial, annual, revised, opt out, short-form, and
simplified);
2) Institutional privacy policies and procedures, including those
to:
a) process requests for nonpublic personal information,
including requests for aggregated data;
b) deliver notices to consumers; manage consumer opt out
directions (e.g., designating files, allowing a reasonable time to
opt out, providing new opt out and privacy notices when necessary,
receiving opt out directions, handling joint account holders);
c) prevent the unlawful disclosure and use of the information
received from nonaffiliated financial institutions; and
d) prevent the unlawful disclosure of account numbers;
3) Information sharing agreements between the institution and
affiliates and service agreements or contracts between the
institution and nonaffiliated third parties either to obtain or
provide information or services;
4) Complaint logs, telemarketing scripts, and any other information
obtained from nonaffiliated third parties (Note: review
telemarketing scripts to determine whether the contractual terms set
forth under section 13 are met and whether the institution is
disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from or
about consumers in obtaining a financial product or service (e.g.,
in the application process for deposit, loan, or investment
products; for an over-the-counter purchase of a bank check; from
E-banking products or services, including the data collected
electronically through Internet cookies; or through ATM
transactions);
6) Categories of nonpublic personal information shared with, or
received from, each nonaffiliated third party;
7) Consumer complaints regarding the treatment of nonpublic
personal information, including those received electronically;
8) Records that reflect the bank's categorization of its
information sharing practices under Sections 13, 14, 15, and outside
of these exceptions; and
9) Results of a 501(b) inspection (used to determine the accuracy
of the institution's privacy disclosures regarding data security).