R. Kinney Williams & Associates | Internet Banking News | July 2, 2006
Does your financial institution need an affordable Internet security
penetration-vulnerability test?
Our clients in 41 states rely on VISTA to verify their IT security
settings and to meet the independent diagnostic test requirements of
the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with
Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an
affordable, sophisticated process that goes far beyond simple port
scanning and focuses on a hacker's perspective, which will help you
identify real-world weaknesses. For more information, give Kinney
Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI - Three of four financial institutions suffered an external breach
in the past year - More than three out of every four of the world's
largest financial institutions experienced an external security breach
in the past year, a dramatic increase over 2005, a new survey by
Deloitte Touche Tohmatsu has revealed.
http://www.scmagazine.com/uk/news/index.cfm?fuseaction=XCK.News.Article&nNewsID=564512
FYI - Bilked woman
blames bank advice - When Lina Lapointe's bank manager told her the
$5.2-million (U.S.) inheritance she was about to receive from a dead
uncle in Africa was legitimate, she figured she'd won the jackpot.
http://www.canada.com/montrealgazette/news/story.html?id=0eb816f5-c73d-4007-8e92-338ca71dee05&k=49396
FYI - 'Bankrupt' email hits NAB - NAB's internet banking users have
been targeted by a new email scam that exploits flaws in two popular
web browsers via an email claiming the bank is about to go bust.
http://australianit.news.com.au/articles/0,7204,19479613^15331^^nbv^15306-15318,00.html
FYI - Hacker disrupts
state disaster site - As Tropical Storm Alberto barreled toward
Florida, a computer hacker disrupted public access to the state's
emergency Web site for about 20 minutes Tuesday morning, but the
glitch did not affect emergency workers, officials said.
http://www.tallahassee.com/apps/pbcs.dll/article?AID=/20060614/NEWS01/606140312
FYI - OU has been
getting an earful about huge data theft - Ohio University has spent
more than $77,000 sending letters to alumni and students affected by
a computer security breach. A number of writers, however, expressed
anger, frustration and in some cases, a distinct reluctance to
donate any more money to OU.
http://www.athensnews.com/issue/article.php3?story_id=25220
FYI - Medicare chastises
Humana - Patient data left on public computer - A computer file
containing Social Security numbers and other personal information on
approximately 17,000 people enrolled in Humana Medicare plans was
left unsecured in a hotel computer after a Humana employee called up
the data, the Louisville insurer disclosed.
http://www.courier-journal.com/apps/pbcs.dll/article?AID=/20060603/BUSINESS/606030358/1003
FYI - Three laptops
apparently stolen from state auditor's office - St. Paul police are
investigating the apparent theft of three computers from the office
of State Auditor Patricia Anderson. The missing laptops might
contain Social Security numbers and other personal information on
some employees and clients of local governments that the auditor
oversees.
http://www.startribune.com/462/story/490333.html
FYI - ING Financial to
Notify Potential Identity Theft Victims - Letters will be mailed out
today to about 13,000 District workers and retirees whose personal
data -- including Social Security numbers -- were contained in a
laptop stolen during a burglary a week ago at the Southeast
Washington home of an ING U.S. Financial Services agent.
http://www.washingtonpost.com/wp-dyn/content/article/2006/06/18/AR2006061800716_pf.html
FYI - Laptop thefts prompt call for audit - Following two recent thefts
of laptop computers from the Minnesota auditor's office, two Democratic
state legislators today urged the auditor to seek an independent review
of data security practices.
http://www.twincities.com/mld/twincities/14826261.htm?template=contentModules/printstory.jsp
FYI - State says
taxpayer files may have been compromised - Electronic files
containing personal data of up to 2,200 Oregon taxpayers may have
been compromised by an ex-employee's unauthorized use of a computer,
the Oregon Department of Revenue said Tuesday.
http://www.kgw.com/sharedcontent/APStories/stories/D8I7JI4G0.html
FYI -
Foreign-Based Third-Party Service Providers Guidance
on Managing Risks in These Outsourcing Relationships - The FDIC has
prepared the attached guidance to address the risks inherent in
outsourcing relationships between U.S. financial institutions and
foreign-based third-party service providers. The guidance provides
steps that institutions should take to successfully manage such
risks.
www.fdic.gov/news/news/financial/2006/fil06052.html
FYI - Two More Data Breaches at
VA - Earlier incidents come to light; chief information security
officer resigns. U.S. lawmakers said Thursday they have learned of
two more data breaches at the U.S. Department of Veterans Affairs
even as the agency announced that law enforcement agencies had
recovered stolen computer hardware containing the personal
information of millions of U.S. military veterans.
http://www.pcworld.com/news/article/0,aid,126299,tk,nl_dnxnws,00.asp
FYI - 70 percent of IT
professionals still rely on passwords alone - More than seven in ten
security professionals are still relying on passwords alone to
secure their networks, according to a new survey.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060628/566416/
WEB SITE COMPLIANCE -
We continue our series on the FFIEC Authentication in an Internet
Banking Environment. (Part 6 of
13)
Customer Awareness
Financial institutions have made, and should continue to make,
efforts to educate their customers. Because customer awareness is a
key defense against fraud and identity theft, financial institutions
should evaluate their consumer education efforts to determine if
additional steps are necessary. Management should implement a
customer awareness program and periodically evaluate its
effectiveness. Methods to evaluate a program's effectiveness include
tracking the number of customers who report fraudulent attempts to
obtain their authentication credentials (e.g., ID/password), the
number of clicks on information security links on Web sites, the
number of statement stuffers or other direct mail communications,
the dollar amount of losses relating to identity theft, etc.
Financial institutions offering Internet-based products and services
should have reliable and secure methods to authenticate their
customers. The level of authentication used by the financial
institution should be appropriate to the risks associated with those
products and services. Financial institutions should conduct a risk
assessment to identify the types and levels of risk associated with
their Internet banking applications. Where risk assessments indicate
that the use of single-factor authentication is inadequate,
financial institutions should implement multifactor authentication,
layered security, or other controls reasonably calculated to
mitigate those risks. The agencies consider single-factor
authentication, as the only control mechanism, to be inadequate in
the case of high-risk transactions involving access to customer
information or the movement of funds to other parties.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY
CONTROLS - IMPLEMENTATION -
NETWORK
ACCESS
Firewall Policy (Part 2 of 3)
Firewalls are an essential control for a financial institution with
an Internet connection and provide a means of protection against a
variety of attacks. Firewalls should not be relied upon, however, to
provide full protection from attacks. Institutions should complement
firewalls with strong security policies and a range of other
controls. In fact, firewalls are potentially vulnerable to attacks
including:
- Spoofing of trusted IP addresses;
- Denial of service by overloading the firewall with excessive
requests or malformed packets;
- Sniffing of data that is being transmitted outside the network;
- Hostile code embedded in legitimate HTTP, SMTP, or other traffic
that meets all firewall rules;
- Attacks on unpatched vulnerabilities in the firewall hardware or
software;
- Attacks through flaws in the firewall design that provide relatively
easy access to data or services residing on firewall or proxy
servers; and
- Attacks against machines and communications used for remote
administration.
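The first item in the list above, spoofing of trusted IP addresses, is easy to see in a small packet-filter model. The following is an added example written for this newsletter, not code from the FFIEC booklet or from any firewall product. It assumes a hypothetical internal range of 10.0.0.0/8, a firewall with two interfaces named "ext" and "int", and a rule that trusts any source address inside the internal range to reach an administrative SSH port. Against that rule alone, a packet arriving from the Internet with a forged internal source address is accepted; an interface-aware anti-spoofing check (the ingress/egress filtering practitioners pair with address-based rules) drops it before the trust rule is consulted. The packets are constructed for the demonstration.

```python
"""Model of an address-only firewall rule versus the same rule behind an
anti-spoofing check. Added example with constructed packets; the address
ranges and interface names are assumptions for the demonstration."""
import ipaddress
from dataclasses import dataclass

# Assumed internal address space protected by the firewall.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
ADMIN_PORT = 22


@dataclass(frozen=True)
class Packet:
    iface: str   # interface the packet arrived on: "ext" (Internet) or "int" (LAN)
    src: str     # claimed source address, which the firewall cannot verify
    dst: str
    dport: int


def is_internal(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def naive_filter(pkt: Packet) -> str:
    """Address-only rule: trust anything that claims an internal source.
    The firewall never checks whether the address is plausible for the
    interface the packet came in on, so a forged source passes."""
    if is_internal(pkt.src) and pkt.dport == ADMIN_PORT:
        return "ACCEPT"
    return "DROP"


def antispoof_filter(pkt: Packet) -> str:
    """Same trust rule, preceded by ingress/egress anti-spoofing checks:
    an internal address arriving on the external interface, or a
    non-internal address leaving the internal interface, is impossible
    for legitimate traffic and is dropped outright."""
    if pkt.iface == "ext" and is_internal(pkt.src):
        return "DROP"  # ingress spoof: internal address from outside
    if pkt.iface == "int" and not is_internal(pkt.src):
        return "DROP"  # egress spoof: inside host using a foreign address
    return naive_filter(pkt)


# Constructed sample traffic.
PACKETS = [
    Packet("int", "10.0.0.7", "10.0.0.5", ADMIN_PORT),      # legitimate admin session
    Packet("ext", "10.0.0.7", "10.0.0.5", ADMIN_PORT),      # forged internal source from the Internet
    Packet("ext", "198.51.100.9", "10.0.0.5", ADMIN_PORT),  # outsider using its real address
    Packet("int", "203.0.113.4", "10.0.0.5", ADMIN_PORT),   # inside host forging an outside address
]


def evaluate(filter_fn, packets=PACKETS):
    """Return the filter's verdict for each packet, in order."""
    return [filter_fn(p) for p in packets]


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter), ("antispoof", antispoof_filter)):
        print(name, evaluate(fn))
```

The point of the comparison is that the trust rule itself is identical in both filters; only the anti-spoofing checks, which reason about the arrival interface rather than the claimed address, stop the second packet. On a real firewall the same idea is expressed as deny rules on the external interface for all internal (and RFC 1918) source ranges, placed ahead of any allow rules.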
IT SECURITY
QUESTION:
C. HOST SECURITY
12. Determine whether authoritative copies of
host configuration and public server content are maintained off
line.
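An offline authoritative copy is only useful if it is actually compared against the running host. The following is an added example, not part of the examination question or of any examiner tool, showing how such a comparison is done: a SHA-256 manifest of the authoritative copy is built once, and the live host configuration and public web content are hashed and diffed against it, reporting added, removed and modified files. The directory layout and file contents are constructed in a temporary directory for the demonstration; the "authoritative" directory stands in for the offline copy.

```python
"""Compare live host configuration and web content against a SHA-256
manifest built from an authoritative offline copy. Added example; the
directories and files below are constructed for the demonstration."""
import hashlib
import tempfile
from pathlib import Path


def build_manifest(root) -> dict:
    """Map each regular file's path (relative to root, POSIX form) to its
    SHA-256 digest. Directories are walked in sorted order so the output
    is stable across runs."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def compare(baseline: dict, live: dict) -> dict:
    """Report files present only on the live host (added), only in the
    baseline (removed), or present in both with differing digests."""
    added = sorted(set(live) - set(baseline))
    removed = sorted(set(baseline) - set(live))
    modified = sorted(p for p in baseline if p in live and baseline[p] != live[p])
    return {"added": added, "removed": removed, "modified": modified}


def demo() -> dict:
    """Build an authoritative copy and a live copy, tamper with the live
    copy the way a defacement and a planted script would, and diff them."""
    with tempfile.TemporaryDirectory() as tmp:
        authoritative = Path(tmp, "authoritative")  # stands in for the offline copy
        live = Path(tmp, "live")
        for base in (authoritative, live):
            (base / "html").mkdir(parents=True)
            (base / "html" / "index.html").write_text("<h1>Welcome</h1>\n")
            (base / "httpd.conf").write_text("Listen 443\n")

        # Constructed tampering on the live host only.
        (live / "html" / "index.html").write_text("<h1>Defaced</h1>\n")
        (live / "html" / "unexpected.php").write_text("<?php echo 'planted'; ?>\n")

        baseline = build_manifest(authoritative)
        return compare(baseline, build_manifest(live))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

In practice the manifest itself, not just the content, should live on the offline copy, so that an intruder who can alter the web root cannot also rewrite the baseline the check trusts.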
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
5) When the subsequent delivery of a privacy notice is
permitted, does the institution provide notice after establishing a
customer relationship within a reasonable time? [§4(e)]
NETWORK SECURITY TESTING - IT examination guidelines require financial
institutions to conduct an independent internal-network penetration test
annually.
Given Gramm-Leach-Bliley and the regulators' IT security concerns, it is
imperative to take a professional auditor's approach to annually testing
the internal connections to your network.
For more information about our independent internal testing, please
visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those
from news organizations. We may have a copy of the article, so please
e-mail us at examiner@yennik.com if we can be of assistance.