R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

July 13, 2008

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI -
More than 10,000 laptops lost each week at airports - They're most often lost at security checkpoints, the Ponemon Institute says - Keep laptops close at airports, because they have a startling tendency to disappear in the blink of an eye, according to a new survey. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9105198&source=rss_topic17

FYI -
Bags to help laptops pass air security - For years at airport security checkpoints, passengers have heard the refrain, almost a dirge: "Laptops must be removed from their cases and placed on the belt." http://news.cnet.com/Bags-to-help-laptops-pass-air-security/2100-7348_3-6242924.html?tag=cd.lede

FYI -
What Privacy Policy? - Want to know how well a company protects its customers' data? Don't talk to its security and compliance officers. Instead, try its marketing department. A study released by the privacy-focused Ponemon Institute and funded by e-mail marketing firm Strongmail reveals a disturbing disconnect in companies between the executives tasked with protecting customer data and marketing departments, which use the data for advertising purposes or share it with third parties. http://www.forbes.com/2008/06/21/privacy-security-marketing-tech-security-cx_ag_0623privacy_print.html

FYI -
Woman accused of hacking Houston organ bank indicted - On Tuesday, the FBI announced the indictment of a former technology director accused of hacking into the system at a Houston organ bank and deleting patient files. http://news.cnet.com/8301-10789_3-9978151-57.html?part=rss&subj=news&tag=2547-1_3-0-20

FYI -
Report: Montgomery Ward fails to alert victims of breach - Montgomery Ward, an old-line merchant now operating as an internet retailer, suffered a breach of some 51,000 customer credit card numbers and failed to report it to customers, according to reports. http://www.scmagazineus.com/Report-Montgomery-Ward-fails-to-alert-victims-of-breach/article/111922/

FYI -
Researchers reveal VoIP vulnerabilities - VoIPshield Laboratories has alerted companies that market voice over IP systems of new security vulnerabilities. The VoIP vulnerabilities, if successfully exploited, could affect brand reputation, internal productivity, and competitive advantage, researchers said. http://www.scmagazineus.com/Researchers-reveal-VoIP-vulnerabilities/article/111918/?DCMP=EMC-SCUS_Newswire

FYI -
Bowie IT employee resigns amid city network security breach - 'Password sniffer' detected during routine sweep - A computer support specialist has resigned from Bowie city staff after a password recording program that was accessing one of the city's servers was found on his work computer, city officials said. http://www.gazette.net/stories/062608/bowinew173015_32357.shtml

FYI -
Deadline arrives for latest PCI standard requirement - The Payment Card Industry Data Security Standard (PCI DSS), as of Monday, states that web application security testing be upgraded from a best practice to a requirement. http://www.scmagazineus.com/Deadline-arrives-for-latest-PCI-standard-requirement/article/111977/?DCMP=EMC-SCUS_Newswire

FYI -
Five steps to securing mobile data for HIPAA compliance - Workforce mobility presents new challenges to health care IT groups responsible for HIPAA (Health Insurance Portability and Accountability Act) security compliance. http://www.scmagazineus.com/Five-steps-to-securing-mobile-data-for-HIPAA-compliance/article/112019/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Pacific island knocked off internet by DDoS attack - A Pacific island state has been knocked off the internet by a cyber attack. The attack on the Marshall Islands, which began on Tuesday and is still plaguing the country, took the form of a denial of service attack on the country's sole ISP. http://www.scmagazineuk.com/Pacific-island-knocked-off-internet-by-DDoS-attack/article/111744/

FYI -
Hannaford data breach fallout continues - The fallout from the Hannaford data breach that began last year continues. Approximately 7,000 individuals who hold Ocean National Bank ATM/debit cards are having them replaced because recent illegal activity on the cards has been reported. http://www.seacoastonline.com/apps/pbcs.dll/article?AID=/20080630/BIZ/80630032/-1/NEWS19

FYI -
Turkish criminal hackers hijack ICANN sites - On Thursday, the domains used by ICANN, the Internet Corporation for Assigned Names and Numbers, and IANA, the Internet Assigned Numbers Authority, were hijacked. A Turkish hacking group known as NetDevilz claimed responsibility. There is no word on how the hijack was accomplished. http://news.cnet.com/8301-10789_3-9980713-57.html?part=rss&subj=news&tag=2547-1_3-0-20

FYI -
SSA lists thousands of live persons as dead - The Social Security Administration inadvertently compromised the personal information of more than 20,000 people by listing them in the Death Master File (DMF) while they were still alive, the agency's inspector general has determined. http://www.fcw.com/online/news/152975-1.html?type=pf


WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents  (Part 1 of 5)

BACKGROUND

Web-site spoofing is a method of creating fraudulent Web sites that look similar, if not identical, to an actual site, such as that of a bank.  Customers are typically directed to these spoofed Web sites through phishing schemes or pharming techniques.  Once at the spoofed Web site, the customers are enticed to enter information such as their Internet banking username and password, credit card information, or other information that could enable a criminal to use the customers' accounts to commit fraud or steal the customers' identities.  Spoofing exposes a bank to strategic, operational, and reputational risks; jeopardizes the privacy of bank customers; and exposes banks and their customers to the risk of financial fraud.

PROCEDURES TO ADDRESS SPOOFING

Banks can mitigate the risks of Web-site spoofing by implementing the identification and response procedures discussed in this bulletin.  A bank also can help minimize the impact of a spoofing incident by assigning certain bank employees responsibility for responding to such incidents and training them in the steps necessary to respond effectively.  If a bank's Internet activities are outsourced, the bank can address spoofing risks by ensuring that its contracts with its technology service providers stipulate appropriate procedures for detecting and reporting spoofing incidents, and that the service provider's process for responding to such incidents is integrated with the bank's own internal procedures.

Banks can improve the effectiveness of their response procedures by establishing contacts with the Federal Bureau of Investigation (FBI) and local law enforcement authorities in advance of any spoofing incident.  These contacts should involve the appropriate departments and officials responsible for investigating computer security incidents.  Effective procedures should also include appropriate time frames to seek law enforcement involvement, taking note of the nature and type of information and resources that may be available to the bank, as well as the ability of law enforcement authorities to act rapidly to protect the bank and its customers.

Additionally, banks can use customer education programs to mitigate some of the risks associated with spoofing attacks. Education efforts can include statement stuffers and Web-site alerts explaining various Internet-related scams, including the use of fraudulent e-mails and Web-sites in phishing attacks.  In addition, because the attacks can exploit vulnerabilities in Web browsers and/or operating systems, banks should consider reminding their customers of the importance of safe computing practices.

INFORMATION TECHNOLOGY SECURITY

We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION -
Biometrics (Part 2 of 2)

Weaknesses in biometric systems relate to the ability of an attacker to submit false physical characteristics, or to take advantage of system flaws to make the system erroneously report a match between the characteristic submitted and the one stored in the system. In the first situation, an attacker might submit to a thumbprint recognition system a copy of a valid user's thumbprint. The control against this attack involves ensuring a live thumb was used for the submission. That can be done by physically controlling the thumb reader, for instance having a guard at the reader to make sure no tampering or fake thumbs are used. In remote entry situations, logical liveness tests can be performed to verify that the submitted data is from a live subject.

Attacks that involve making the system falsely deny or accept a request take advantage of either the low degrees of freedom in the characteristic being tested, or improper system tuning. Degrees of freedom relate to measurable differences between biometric readings, with more degrees of freedom indicating a more unique biometric. Facial recognition systems, for instance, may have only nine degrees of freedom while other biometric systems have over one hundred. Similar faces may be used to fool the system into improperly authenticating an individual. Similar irises, however, are difficult to find, and it is even more difficult to use them to fool a system into improperly authenticating someone.

Attacks against system tuning also exist. Any biometric system has rates at which it will falsely accept a reading and falsely reject a reading. The two rates are inseparable; for any given system improving one worsens the other. Systems that are tuned to maximize user convenience typically have low rates of false rejection and high rates of false acceptance. Those systems may be more open to successful attack.
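The trade-off described above is easiest to see with numbers. The following is an added worked example, not text or code from the FFIEC booklet or this newsletter: it uses constructed match scores on a 0-100 similarity scale (a dozen genuine attempts, a dozen impostor attempts, with overlapping ranges) and computes the false acceptance rate (FAR) and false rejection rate (FRR) for a matcher that accepts any sample scoring at or above a threshold. The function names and the score values are the example's own assumptions.

```python
"""Worked example of the false-acceptance / false-rejection trade-off in a
biometric matcher. Added illustration, not material from the FFIEC booklet or
the newsletter; the scores are constructed toy values on a 0-100 similarity
scale, not output of any real sensor."""

from typing import Dict, List, Tuple

# Constructed match scores. Genuine attempts (the enrolled user) cluster high,
# impostor attempts (someone else's thumb, face, iris) cluster low, but the
# two ranges overlap, which is exactly why tuning is a trade-off.
GENUINE_SCORES: List[float] = [92, 88, 85, 81, 79, 74, 70, 66, 61, 55, 48, 42]
IMPOSTOR_SCORES: List[float] = [63, 58, 52, 49, 45, 41, 38, 33, 27, 20, 15, 10]


def error_rates(threshold: float,
                genuine: List[float] = GENUINE_SCORES,
                impostor: List[float] = IMPOSTOR_SCORES) -> Tuple[float, float]:
    """Return (false_accept_rate, false_reject_rate) for a matcher that
    accepts a sample exactly when its score >= threshold."""
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return false_accepts / len(impostor), false_rejects / len(genuine)


def sweep(thresholds: List[float]) -> Dict[float, Tuple[float, float]]:
    """Error rates at each candidate threshold, for an operating-point table."""
    return {t: error_rates(t) for t in thresholds}


def tradeoff_is_monotone(thresholds: List[float]) -> bool:
    """Raising the threshold can only lower FAR and raise FRR. This checks
    that property across a sweep, which is the 'inseparable rates' point."""
    rates = [error_rates(t) for t in sorted(thresholds)]
    fars = [far for far, _ in rates]
    frrs = [frr for _, frr in rates]
    return (all(a >= b for a, b in zip(fars, fars[1:]))
            and all(a <= b for a, b in zip(frrs, frrs[1:])))


def tune_for_max_far(max_far: float) -> Tuple[int, float, float]:
    """Pick the most convenient (lowest) integer threshold whose FAR stays at
    or below max_far, and report the FRR users will pay for it.
    Returns (threshold, far, frr)."""
    for t in range(0, 101):
        far, frr = error_rates(t)
        if far <= max_far:
            return t, far, frr
    raise ValueError("no threshold meets the FAR ceiling")


if __name__ == "__main__":
    for t, (far, frr) in sweep([40, 50, 60, 70]).items():
        print(f"threshold {t:>3}: FAR={far:.3f} FRR={frr:.3f}")
    print("security-first tuning (FAR <= 0):   ", tune_for_max_far(0.0))
    print("convenience tuning (FAR <= 0.25):   ", tune_for_max_far(0.25))
```

With these constructed scores a threshold of 40 rejects no genuine user but admits half of the impostors, while a threshold of 70 admits no impostor but turns away five of twelve genuine users; no threshold drives both rates to zero, which is the point the booklet makes about systems tuned for convenience being more open to attack.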



INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

13. Determine if logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.
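One control an examiner might expect to see behind question 13 is tamper evidence on the log itself. The following is an added example, not code from this newsletter or from any FFIEC material: a security event log in which each record carries an HMAC over its own content and the previous record's tag, so that altering, reordering or removing an entry breaks verification from that point on. The key, the sample events and all function names are constructed for the illustration; the key is assumed to live on the log collector rather than on the hosts that report events, which is what keeps reporting to the log protected from a compromised source.

```python
"""Tamper-evident security event log with an HMAC chain. Added example, not
from the newsletter or the FFIEC booklet: each record's tag covers its own
content and the previous record's tag, so altering, reordering or removing an
entry breaks verification from that point on. Key and events are constructed."""

import hashlib
import hmac
import json
from typing import Dict, List, Optional, Tuple

# Constructed demo key. In a real deployment the key lives on the log
# collector (or an HSM), not on the hosts that emit events, so a compromised
# source cannot re-sign a doctored history.
LOG_KEY = b"constructed-demo-key-not-for-production"
GENESIS_TAG = "0" * 64  # tag the first record chains to

# Constructed sample events, in the order they were received.
SAMPLE_EVENTS = [
    "2008-07-13T08:01:12Z auth success user=teller01 src=10.0.5.21",
    "2008-07-13T08:04:55Z auth failure user=admin src=203.0.113.7",
    "2008-07-13T08:05:02Z auth failure user=admin src=203.0.113.7",
    "2008-07-13T08:07:40Z config change firewall rule added by=netops",
]


def _tag(key: bytes, prev_tag: str, seq: int, event: str) -> str:
    # Canonical JSON so the same fields always authenticate the same way.
    msg = json.dumps({"prev": prev_tag, "seq": seq, "event": event},
                     sort_keys=True).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(log: List[Dict], event: str, key: bytes = LOG_KEY) -> Dict:
    """Append one event, chaining it to the current head of the log."""
    prev_tag = log[-1]["tag"] if log else GENESIS_TAG
    seq = len(log) + 1
    record = {"seq": seq, "event": event, "tag": _tag(key, prev_tag, seq, event)}
    log.append(record)
    return record


def verify_log(log: List[Dict], key: bytes = LOG_KEY,
               expected_head: Optional[str] = None) -> Tuple[bool, Optional[int]]:
    """Walk the chain. Returns (True, None) if intact, else (False, seq) where
    seq is the first position that fails (sequence gap or bad tag).

    The chain alone cannot notice that trailing records were deleted, because
    cutting the tail leaves a valid shorter chain. Pass the head tag that was
    stored separately (on the collector, or printed in a daily report) as
    expected_head to catch that case as well."""
    prev_tag = GENESIS_TAG
    for expected_seq, rec in enumerate(log, start=1):
        if rec["seq"] != expected_seq:
            return False, expected_seq
        if not hmac.compare_digest(rec["tag"], _tag(key, prev_tag, rec["seq"], rec["event"])):
            return False, rec["seq"]
        prev_tag = rec["tag"]
    if expected_head is not None and not hmac.compare_digest(prev_tag, expected_head):
        # Every present record checks out, but the chain does not end where it
        # should: records after the last one present have been removed.
        return False, len(log) + 1
    return True, None


def build_demo_log() -> List[Dict]:
    """Build the four-record constructed log used in the demonstration."""
    log: List[Dict] = []
    for event in SAMPLE_EVENTS:
        append_event(log, event)
    return log


if __name__ == "__main__":
    log = build_demo_log()
    head = log[-1]["tag"]  # stored out of band by the collector
    print("intact:     ", verify_log(log, expected_head=head))
    log[1]["event"] = log[1]["event"].replace("failure", "success")  # doctor a record
    print("after edit: ", verify_log(log, expected_head=head))
```

The chain answers the "change and deletion" half of the question: an edited record fails its tag, a removed or reordered record shows up as a sequence gap, and a truncated tail is caught by comparing against the separately stored head. Access control on the log store and retention for the required period still have to be enforced outside the code; the chain only makes violations visible.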

INTERNET PRIVACY

We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

40.  Does the institution provide at least one initial, annual, and revised notice, as applicable, to joint consumers? [§9(g)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated