Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 8, 2007

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - GAO - Opportunities for Improvements in FDIC's Internal Controls and Accounting Procedures. http://www.gao.gov/cgi-bin/getrpt?GAO-07-942R

FYI - Pentagon e-mail system hacked - The Defense Department had to take 1,500 accounts offline - About 1,500 unclassified e-mail users at the Pentagon had their service disrupted yesterday when a hacker infiltrated the e-mail system, forcing the accounts to be taken offline. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025442&source=rss_topic17

FYI - HIPAA audit: The 42 questions HHS might ask - In March, Atlanta's Piedmont Hospital became the first institution in the country to be audited for compliance with the security rules of the Health Insurance Portability and Accountability Act (HIPAA).
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9025253&source=rss_topic17
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=296723&source=rss_topic17

FYI - Banks demand a look inside customer PCs in fraud cases - Customers could be liable for any loss resulting from unauthorised internet banking transactions if their protective software is not up to date - Banks are seeking access to customer PCs used for online banking transactions to verify whether they have enough security protection. http://computerworld.co.nz/news.nsf/news/FDA3CE33D73B5B82CC257302000B0EE8

FYI - Banks Claim Share of Credit Card Security Costs Is Unfair - Contend breaches are fault of retailers, not card issuers, financial companies - A panel of financial services and retail executives this month disagreed on which side bears the brunt of the burden to ensure compliance with the Payment Card Industry (PCI) Data Security Standard. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=security&articleId=297167&taxonomyId=17&intsrc=kc_top

FYI - Bill requires notice of breach in security data - In another step against the growing crime of identity theft, the Oregon Senate passed a bill to require notifying customers when data-security breaches might harm them and to allow them to put security freezes on their credit files. http://www.statesmanjournal.com/apps/pbcs.dll/article?AID=/20070623/LEGISLATURE/706230341/1042

MISSING COMPUTERS/DATA

FYI - Interns carried state data home nightly - A state office had been sending backup data tapes home with interns for two or three years before a tape with sensitive information was stolen from an intern's car last week, The Dispatch has learned. http://www.columbusdispatch.com/dispatch/content/local_news/stories/2007/06/19/BYEDATA.ART_ART_06-19-07_A1_N9728JD.html

FYI - Job website's data bungle - News Digital Media's CareerOne online employment website has launched an internal investigation into how confidential client information accidentally become publicly accessible on the internet. http://www.theage.com.au/news/security/job-website-probes-data-bungle/2007/06/24/1182623749129.html?page=fullpage#

FYI - State reports another theft of personal data - The Ohio Bureau of Workers' Compensation disclosed Monday that a laptop was stolen nearly a month ago containing Social Security numbers and other personal data on 439 injured workers. http://www.middletownjournal.com/hp/content/oh/story/news/state/2007/06/25/ddn062507bwcweb.html

FYI - CHARLES' BANK SECRETS STOLEN - PRINCE Charles's personal bank details have been stolen, it was feared last night. They include his vital account number, sort code and national insurance number. http://www.people.co.uk/news/tm_headline=-pound-15m-charles--bank-secrets-stolen--&method=full&objectid=19347215&siteid=93463-name_page.html

FYI - Bank warns of possible ID theft - Texas First Bank is notifying about 4,000 customers that their personal information could have been compromised when thieves last month stole a laptop computer during a car theft in Dallas. Officials say the laptop owned by S1 Corp., the bank's former online banking vendor, was stolen on May 19. http://www.khou.com/news/local/stories/khou070622_jj_bankid.4056cb0.html


WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 4 of 5)

PROCEDURES TO ADDRESS SPOOFING - Spoofing Incident Response

To respond to spoofing incidents effectively, bank management should establish structured and consistent procedures.  These procedures should be designed to close fraudulent Web sites, obtain identifying information from the spoofed Web site to protect customers, and preserve evidence that may be helpful in connection with any subsequent law enforcement investigations.

Banks can take the following steps to disable a spoofed Web site and recover customer information.  Some of these steps will require the assistance of legal counsel.

*  Communicate promptly, including through written communications, with the Internet service provider (ISP) responsible for hosting the fraudulent Web site and demand that the suspect Web site be shut down;
*  Contact the domain name registrars promptly, for any domain name involved in the scheme, and demand the disablement of the domain names;
*  Obtain a subpoena from the clerk of a U.S. District Court directing the ISP to identify the owners of the spoofed Web site and to recover customer information in accordance with the Digital Millennium Copyright Act;
*  Work with law enforcement; and
*  Use other existing mechanisms to report suspected spoofing activity.

The following are other actions and types of legal documents that banks can use to respond to a spoofing incident:

*  Banks can write letters to domain name registrars demanding that the incorrect use of their names or trademarks cease immediately;
*  If these demand letters are not effective, companies with registered Internet names can use the Uniform Domain Name Dispute Resolution Process (UDRP) to resolve disputes in which they suspect that their names or trademarks have been illegally infringed upon.  This process allows banks to take action against domain name registrars to stop a spoofing incident.  However, banks must bear in mind that the UDRP can be relatively time-consuming.  For more details on this process see http://www.icann.org/udrp/udrp-policy-24oct99.htm; and
*  Additional remedies may be available under the federal Anti-Cybersquatting Consumer Protection Act (ACCPA), allowing the bank to initiate immediate action in federal district court under section 43(d) of the Lanham Act, 15 USC 1125(d).  Specifically, the ACCPA can provide for rapid injunctive relief without the need to demonstrate a similarity or likelihood of confusion between the goods or services of the parties.



INFORMATION TECHNOLOGY SECURITY
- We conclude our series on the FFIEC interagency Information Security Booklet

MONITORING AND UPDATING - UPDATING

Financial institutions should evaluate the information gathered to determine the extent of any required adjustments to the various components of their security program. The institution will need to consider the scope, impact, and urgency of any new threat. Depending on the new threat or vulnerability, the institution will need to reassess the risk and make changes to its security process (e.g., the security strategy, the controls implementation, or the security testing requirements).

Institution management confronts routine security issues and events on a regular basis. In many cases, the issues are relatively isolated and may be addressed through an informal or targeted risk assessment embedded within an existing security control process. For example, the institution might assess the risk of a new operating system vulnerability before testing and installing the patch. More systemic events like mergers, acquisitions, new systems, or system conversions, however, would warrant a more extensive security risk assessment. Regardless of the scope, the potential impact and the urgency of the risk exposure will dictate when and how controls are changed.



IT SECURITY QUESTION:
DATA SECURITY

4. Determine whether, where appropriate, the system securely links the receipt of information with the originator of the information and other identifying information, such as date, time, address, and other relevant factors.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties (Part 4 of 6)

Requirements for Notices
(continued)

Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution's privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:

1)  categories of information collected;

2)  categories of information disclosed;

3)  categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;

4)  policies with respect to the treatment of former customers' information;

5)  information disclosed to service providers and joint marketers (Section 13);

6)  an explanation of the opt out right and methods for opting out;

7)  any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;

8)  policies for protecting the security and confidentiality of information; and

9)  a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated