R. Kinney Williams & Associates
Internet Banking News
June 18, 2006
Does your financial institution need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure their IT security
settings, as well as to meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond the simple
scanning of ports and focuses on a hacker's perspective, which will
help you identify real-world weaknesses. For more information, give
Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI - Mobile devices
'inadequately protected', survey finds - IT managers are failing to
protect data on corporate mobile devices by not enforcing PIN codes
and passwords to protect the data stored on their laptops, PDAs and
mobile phones, according to a new study.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060607/562777/
FYI - Two more organizations report data breaches - Texas Guaranteed,
Sacred Heart University disclose separate incidents involving personal
data - In yet another large data breach, Texas Guaranteed (TG), a
Round Rock, Texas-based nonprofit organization that administers
student loans, today announced that an outside contractor had lost an
unspecified piece of equipment containing the names and Social
Security numbers of approximately 1.3 million borrowers.
http://computerworld.com/action/article.do?command=viewArticleBasic&articleId=9000878
FYI - FIU Student
Records Compromised By Hacker - Thousands of students at Florida
International University have received notices in the mail warning
that their personal records might have been compromised because of a
computer hacker.
http://cbs4.com/topstories/local_story_150225136.html
FYI - Hackers gain
access to server hosting bank Web sites - Premier Banks, which
operates 22 branches, was among more than 100 banks across the
nation that were affected when hackers gained access to a server
operated by Goldleaf Technologies Inc. of Brentwood, Tenn. Goldleaf
is host to Web sites mostly for smaller community banks.
http://www.thestate.com/mld/thestate/business/14703801.htm?template=contentModules/printstory.jsp
FYI - Hotels.com credit-card numbers stolen - The names and
credit-card numbers of 243,000 Hotels.com customers were on a laptop
computer stolen from an employee of accounting firm Ernst & Young,
according to sources familiar with the matter.
http://money.cnn.com/2006/06/02/news/companies/hotels.com_theft/index.htm
http://www.theregister.co.uk/2006/06/01/ey_hotels_laptop/print.html
FYI - Circuit City
Support-Site Hack Installed Spamming Program - The customer support
Web site for Richmond-based Circuit City, a leading supplier of
computers and other consumer electronics, was for several weeks
serving up an invasive computer virus to any visitor who browsed the
site with an unpatched version of Microsoft's Internet Explorer Web
browser.
http://blog.washingtonpost.com/securityfix/2006/06/circuit_city_support_site_serv.html
FYI - PaineWebber Systems Admin Faces Trial For Computer Sabotage - A
former systems administrator for financial giant UBS PaineWebber goes
on trial Tuesday, charged with building and planting malicious code
that took down two-thirds of the company's network, hindering
investment trading for several weeks and racking up $3 million in
recovery costs. Prosecutors say it was a vengeful attempt to profit
from a crashing stock price; the defendant's lawyer says the cops got
the wrong man.
http://www.informationweek.com/story/showArticle.jhtml?articleID=188700855
FYI - WestJet apologizes to Air Canada for web snooping - WestJet
Airlines says it's sorry that members of its management team covertly
accessed a confidential Air Canada website, and has agreed to pay
$15.5 million. Air Canada claimed WestJet used the still-active
password of a former employee who had access to the site, and that
the information was used by WestJet to plan the airline's flight
schedule and expansion.
http://www.ctv.ca/servlet/ArticleNews/story/CTVNews/20060529/westjet_apology_060529/20060529?hub=CTVNewsAt11
FYI - Four in ten security
staffers write down passwords - Nearly 40 percent of IT
professionals store important passwords on paper, according to a new
report.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060614/564129/
WEB SITE COMPLIANCE - We continue our series on the FFIEC
Authentication in an Internet Banking Environment. (Part 4 of 13)
Account Origination and Customer Verification
With the growth in electronic banking and commerce, financial
institutions should use reliable methods of originating new customer
accounts online. Moreover, customer identity verification during
account origination is required by section 326 of the USA PATRIOT
Act and is important in reducing the risk of identity theft,
fraudulent account applications, and unenforceable account
agreements or transactions. Potentially significant risks arise when
a financial institution accepts new customers through the Internet
or other electronic channels because of the absence of the physical
cues that financial institutions traditionally use to identify
persons.
One method to verify a customer's identity is a physical
presentation of a proof of identity credential such as a driver's
license. Similarly, to establish the validity of a business and the
authority of persons to perform transactions on its behalf,
financial institutions typically review articles of incorporation,
business credit reports, board resolutions identifying officers and
authorized signers, and other business credentials. However, in an
Internet banking environment, reliance on these traditional forms of
paper-based verification decreases substantially. Accordingly,
financial institutions need to use reliable alternative methods.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Firewall Services and Configuration
Firewalls may provide some additional services:
- Network address translation (NAT) - NAT readdresses outbound
packets to mask the internal IP addresses of the network. Untrusted
networks see a different host IP address from the actual internal
address. NAT allows an institution to hide the topology and address
scheme of its trusted network from untrusted networks.
- Dynamic host configuration protocol (DHCP) - DHCP assigns IP
addresses to machines that will be subject to the security controls
of the firewall.
- Virtual Private Network (VPN) gateways - A VPN gateway provides an
encrypted tunnel between a remote external gateway and the internal
network. Placing VPN capability on the firewall and the remote
gateway protects information from disclosure between the gateways,
but not from the gateway to the terminating machines. Terminating the
tunnel on the firewall, however, lets the firewall inspect the
decrypted traffic and perform access control, logging, and malicious
code scanning.
One common firewall implementation in financial institutions hosting
Internet applications is a DMZ: a neutral, Internet-accessible zone
typically bounded by two firewalls. One firewall sits between the
institution's private network and the DMZ, and another between the
DMZ and the outside public network. The DMZ constitutes one logical
security domain, the outside public network is another, and the
institution's internal network may be composed of one or more
additional logical security domains. An adequate and effectively
managed firewall can ensure that an institution's internal computer
systems are not directly accessible to anyone on the Internet.
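To make the two-firewall DMZ design concrete, here is an added example (written for this edition, not from the FFIEC booklet or the newsletter) that models the outer and inner rule sets as first-match, default-deny policies and checks the examiner's key concern: no rule on the outer firewall may allow Internet traffic straight into the internal domain. The address plan (TEST-NET-1 for the DMZ, 10.0.0.0/8 for the internal network), the hosts, the ports and both rule sets are constructed assumptions; WEAK_OUTER is the misconfigured variant shown beside the corrected one.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed address plan (an assumption for this example, not from the
# booklet): the DMZ uses TEST-NET-1 and the internal network an RFC 1918
# range; any other address is treated as belonging to the public Internet.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}


def zone_of(ip: str) -> str:
    """Map an address to its logical security domain."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]         # None matches any destination port
    action: str                     # "allow" or "deny"
    src_host: Optional[str] = None  # optionally pin the rule to one source address

    def matches(self, src: str, dst: str, port: int) -> bool:
        return (self.src_zone == zone_of(src)
                and self.dst_zone == zone_of(dst)
                and self.dst_port in (None, port)
                and self.src_host in (None, src))


def evaluate(rules: List[Rule], src: str, dst: str, port: int) -> str:
    """First matching rule wins; no match means deny (default-deny posture)."""
    for rule in rules:
        if rule.matches(src, dst, port):
            return rule.action
    return "deny"


# Outer firewall: between the public Internet and the DMZ (constructed).
OUTER = [
    Rule("internet", "dmz", 443, "allow"),        # HTTPS to the Internet banking front end
    Rule("dmz", "internet", None, "allow"),       # DMZ egress (patching, DNS)
    Rule("internal", "internet", None, "allow"),  # staff web access, NATed at the outer firewall
]

# Inner firewall: between the DMZ and the internal network (constructed).
INNER = [
    Rule("dmz", "internal", 1433, "allow", src_host="192.0.2.10"),  # web tier -> core DB only
    Rule("internal", "dmz", None, "allow"),                         # administrators manage DMZ hosts
    Rule("internal", "internet", None, "allow"),                    # outbound path to the outer firewall
]

# Misconfigured outer firewall for comparison: a single "allow" toward the
# internal domain (remote desktop) exposes private hosts to the Internet.
WEAK_OUTER = OUTER + [Rule("internet", "internal", 3389, "allow")]


def firewalls_on_path(src_zone: str, dst_zone: str, outer, inner) -> list:
    """Which firewalls a flow crosses in the two-firewall design. For a
    stateless allow/deny decision the order does not matter."""
    path = []
    if "internet" in (src_zone, dst_zone):
        path.append(outer)
    if "internal" in (src_zone, dst_zone):
        path.append(inner)
    return path


def flow_allowed(src: str, dst: str, port: int, outer=OUTER, inner=INNER) -> bool:
    """A flow is permitted only if every firewall on its path allows it."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True  # same security domain; neither firewall mediates the flow
    return all(evaluate(fw, src, dst, port) == "allow"
               for fw in firewalls_on_path(sz, dz, outer, inner))


def direct_internet_exposure(outer: List[Rule]) -> List[Rule]:
    """Audit check: list outer-firewall rules that let the Internet reach
    the internal domain directly. An empty list is the expected result."""
    return [r for r in outer
            if r.action == "allow" and r.src_zone == "internet"
            and r.dst_zone == "internal"]


if __name__ == "__main__":
    print("Internet -> web tier :443 :", flow_allowed("203.0.113.5", "192.0.2.10", 443))
    print("Internet -> core DB  :1433:", flow_allowed("203.0.113.5", "10.1.1.20", 1433))
    print("Web tier -> core DB  :1433:", flow_allowed("192.0.2.10", "10.1.1.20", 1433))
    print("Weak outer fw exposes      :", direct_internet_exposure(WEAK_OUTER))
```

Two points the model makes visible: the inner firewall still denies the RDP flow even when the outer firewall is misconfigured, which is the defense-in-depth argument for two firewalls rather than one, and the audit function is the kind of check that belongs in the change process the host-security question later in this issue asks about (re-test after each configuration change).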
Financial institutions have a variety of firewall options from which
to choose depending on the extent of Internet access and the
complexity of their network. Considerations include the ease of
firewall administration, degree of firewall monitoring support
through automated logging and log analysis, and the capability to
provide alerts for abnormal activity.
IT SECURITY
QUESTION:
C. HOST SECURITY
10. Determine if vulnerability testing takes
place after each configuration change.
INTERNET PRIVACY - We continue our series listing the regulatory
privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
3) Does the institution provide to existing customers, who
obtain a new financial product or service, an initial privacy notice
that covers the customer's new financial product or service, if the
most recent notice provided to the customer was not accurate with
respect to the new financial product or service? [§4(d)(1)]
NETWORK SECURITY TESTING - IT examination guidelines require financial
institutions to annually conduct an independent internal-network
penetration test. With the Gramm-Leach-Bliley Act and the regulators'
IT security concerns, it is imperative to take a professional
auditor's approach to annually testing your internal connections to
your network. For more information about our independent internal
testing, please visit
http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially
those from news organizations. We may have a copy of the article, so
please e-mail us at examiner@yennik.com if we can be of assistance.