Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
July 15, 2007
Does Your Financial Institution need an affordable Internet security audit?
Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - GAO - Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-07-737
Highlights - http://www.gao.gov/highlights/d07737high.pdf
FYI - Lax and Lazy At Los Alamos - Officials at the nuclear-weapons laboratory, already struggling to calm concerns over security lapses, now have two more breaches to explain.
http://www.msnbc.msn.com/id/19418769/site/newsweek/page/0/
FYI - Researchers warn of bogus Microsoft patch spam - Users are being warned of a new phishing scam falsely telling recipients they need to download a Microsoft patch.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070702/667467/
FYI - VA inspector general blames IT specialist for Birmingham data loss - An IT specialist at a U.S. Department of Veterans Affairs (VA) medical center in Birmingham, Ala., who in January lost an external hard drive containing sensitive data belonging to over 1.5 million people failed to take proper measures to protect the data.
http://www.computerworld.com/action/article.do?command=printArticleBasic&articleId=9026059
FYI - Microsoft U.K. domain succumbs to SQL injection attack - A hacker successfully attacked a Web page within Microsoft's U.K. domain on Wednesday, resulting in the display of a photograph of a child waving the flag of Saudi Arabia.
http://www.networkworld.com/news/2007/062907-microsoftcouk-succumbs-to-sql-injection.html
FYI - Schools Lack Cybersecurity Training As Students Grow Cybersavvy - The School Safety Index indicates that while 95% of districts surveyed are blocking Web sites, only 38% have a closed network that lets them control the content students can access.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001143
MISSING COMPUTERS/DATA
FYI - Hackers Make Off With Personal Info On Applicants At UC Davis - Officials are investigating the possible theft and misuse of records containing information on about 1,120 aspiring veterinarians who'd applied to UC Davis School of Veterinary Medicine.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=200001374
FYI - Identity theft risk: BGSU notifies past, current students about loss of personal information - Bowling Green State University is notifying about 1,800 current and former students of accounting professor W. David Albrecht that his computer flash drive containing important student information has been lost.
http://toledoblade.com/apps/pbcs.dll/article?AID=/20070627/NEWS08/70627020
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5)
Next week we will begin our series on the FFIEC Authentication in an Internet Banking Environment.
PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities
If a bank is the target of a spoofing incident, it should promptly notify its OCC supervisory office and report the incident to the FBI and appropriate state and local law enforcement authorities. Banks can also file complaints with the Internet Fraud Complaint Center (see http://www.ifccfbi.gov/), a partnership of the FBI and the National White Collar Crime Center.
In order for law enforcement authorities to respond effectively to spoofing attacks, they must be provided with information necessary to identify and shut down the fraudulent Web site and to investigate and apprehend the persons responsible for the attack. The data discussed under the "Information Gathering" section should meet this need.
In addition to reporting to the bank's supervisory office and law enforcement authorities, there are other less formal mechanisms that a bank can use to report these incidents and help combat fraudulent activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/), which is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing. Members of Digital Phishnet include ISPs, online auction services, financial institutions, and financial service providers. The members work closely with the FBI, Secret Service, U.S. Postal Inspection Service, Federal Trade Commission (FTC), and several electronic crimes task forces around the country to assist in identifying persons involved in phishing-type crimes.
Finally, banks can forward suspicious e-mails to the FTC at spam@uce.gov. For more information on how the FTC can assist in combating phishing and spoofing, see http://www.consumer.gov/idtheft.
INFORMATION TECHNOLOGY SECURITY - Over the next few weeks, we will cover the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.
Wireless Technology and the Risks of Implementation
Wireless networks are rapidly becoming a cost-effective alternative for providing network connectivity to financial institution information systems. Institutions that are installing new networks are finding the installation costs of wireless networks competitive compared with traditional network wiring. Performance enhancements in wireless technology have also made the adoption of wireless networks attractive to institutions. Wireless networks operate at speeds that are sufficient to meet the needs of many institutions and can be seamlessly integrated into existing networks. Wireless networks can also be used to provide connectivity between geographically close locations without having to install dedicated lines.
Wireless Internet access to banking applications is also becoming attractive to financial institutions. It offers customers the ability to perform routine banking tasks while away from the bank branch, automated teller machines or their own personal computers. Wireless Internet access is a standard feature on many new cellular phones and hand-held computers.
Many of the risks that financial institutions face when implementing wireless technology are risks that exist in any networked environment (see FIL-67-2000, "Security Monitoring of Computer Networks," dated October 3, 2000, and the 1996 FFIEC Information Systems Examination Handbook, Volume 1, Chapter 15). However, wireless technology carries additional risks that financial institutions should consider when designing, implementing and operating a wireless network. Common risks include the potential:
1) Compromise of customer information and transactions over the wireless network;
2) Disruption of wireless service from radio transmissions of other wireless devices;
3) Intrusion into the institution's network through wireless network connections; and
4) Obsolescence of current systems due to rapidly changing standards.
These risks could ultimately compromise the bank's computer system, potentially causing:
1) Financial loss due to the execution of unauthorized transactions;
2) Disclosure of confidential customer information, resulting in - among other things - identity theft (see FIL-39-2001, "Guidance on Identity Theft and Pretext Calling," dated May 9, 2001, and FIL-22-2001, "Guidelines Establishing Standards for Safeguarding Customer Information," dated March 14, 2001);
3) Negative media attention, resulting in harm to the institution's reputation; and
4) Loss of customer confidence.
IT SECURITY QUESTION:
Auditing:
Does the institution have an internal auditor?
Does the internal auditor audit the IT operations?
Does the institution have an external financial auditor?
Does the institution have an external IT auditor?
Does the auditor report IT auditing activities to the Board of Directors or a committee thereof?
Does the internal auditor have any conflicting duties?
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Financial Institution Duties (Part 5 of 6)
Limitations on Disclosure of Account Numbers:
A financial institution must not disclose an account number or similar form of access number or access code for a credit card, deposit, or transaction account to any nonaffiliated third party (other than a consumer reporting agency) for use in telemarketing, direct mail marketing, or other marketing through electronic mail to the consumer.
The disclosure of encrypted account numbers without an accompanying means of decryption, however, is not subject to this prohibition. The regulation also expressly allows disclosures by a financial institution to its agent to market the institution's own products or services (although the financial institution must not authorize the agent to directly initiate charges to the customer's account). Also not barred are disclosures to participants in private-label or affinity card programs, where the participants are identified to the customer when the customer enters the program.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.