Internet Banking News

July 20, 2008

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - New Texas Law Limits Computer Repair To Licensed Private Investigators - Institute for Justice Texas Chapter Opens in Austin with Challenge to Statute - The Institute for Justice - the nation's leading litigators for entrepreneurs who find their rights violated by the government - opens its new Texas Chapter today by filing a lawsuit against the Texas Private Security Board, a state agency, on behalf of computer repair shops that are being told they need a private investigator's license to continue solving their customers' computer problems. http://www.ij.org/first_amendment/tx_computer_repair/6_26_08pr.html

FYI - Trio jailed in U. Hospital med records theft, but I.D. data thought safe - Now that the billing records of 1.5 million University of Utah Hospital patients have been recovered, police and U. officials are downplaying the possibility that the information will ever be used to commit identity fraud. http://www.sltrib.com/news/ci_9765160

FYI - Lawyer suspended for e-mail snooping - A Charleston lawyer has been suspended from the State Bar for two years after he admitted snooping in another law firm's e-mails because he suspected his wife was having an affair with her client. http://sundaygazettemail.com/News/200807020721

FYI - ICANN downplays site hacks - Hackers compromised a pair of mirror sites for the Internet Corporation of Assigned Names and Numbers (ICANN) and redirected users to a page taunting the company and claiming "we control the domains." http://www.scmagazineus.com/ICANN-downplays-site-hacks/article/112139/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers crack cash machine PIN codes to steal millions - Millions of bank customers face a new threat to their money after it emerged yesterday that hackers had cracked PIN codes used in cash machines. http://business.timesonline.co.uk/tol/business/money/consumer_affairs/article4259009.ece

FYI - Freedom Credit Union warns customers of data breach - Freedom Credit Union is warning customers of a security breach whereby debit card data was electronically captured by individuals who may have used it in a counterfeit scheme. http://www.masslive.com/news/index.ssf/2008/07/freedom_credit_union_warns_cus.html?category=Business+category=Chicopee+category=Crime+category=Franklin%20County+category=Northampton+category=Springfield

FYI - NHS manager is suspended after losing computer - A senior hospital manager has been suspended after a laptop containing the unencrypted personal data of more than 20,000 patients was stolen, a health trust admitted yesterday. http://www.theherald.co.uk/news/news/display.var.2371758.0.NHS_manager_is_suspended_after_losing_computer.php

Return to the top of the newsletter

WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 2 of 5)

PROCEDURES TO ADDRESS SPOOFING - Detection

Banks can improve their ability to detect spoofing by monitoring appropriate information available inside the bank and by searching the Internet for illegal or unauthorized use of bank names and trademarks. The following is a list of possible indicators of Web-site spoofing:

* E-mail messages returned to bank mail servers that were not originally sent by the bank. In some cases, these e-mails may contain links to spoofed Web sites;
* Reviews of Web-server logs can reveal links to suspect Web addresses indicating that the bank's Web site is being copied or that other malicious activity is taking place;
* An increase in customer calls to call centers or other bank personnel, or direct communications from consumer reporting spoofing activity.

Banks can also detect spoofing by searching the Internet for identifiers associated with the bank such as the name of a company or bank. Banks can use available search engines and other tools to monitor Web sites, bulletin boards, news reports, chat rooms, newsgroups, and other forums to identify usage of a specific company or bank name. The searches may uncover recent registrations of domain names similar to the bank's domain name before they are used to spoof the bank's Web site. Banks can conduct this monitoring in-house or can contract with third parties who provide monitoring services.

Banks can encourage customers and consumers to assist in the identification process by providing prominent links on their Web pages or telephone contact numbers through which customers and consumers can report phishing or other fraudulent activities.

Banks can also train customer-service personnel to identify and report customer calls that may stem from potential Web-site attacks.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

AUTHENTICATION - Single Sign - On

Several single sign - on protocols are in use. Those protocols allow clients to authenticate themselves once to obtain access to a range of services. An advantage of single sign - on systems is that users do not have to remember or possess multiple authentication mechanisms, potentially allowing for more complex authentication methods and fewer user - created weaknesses. Disadvantages include the broad system authorizations potentially tied to any given successful authentication, the centralization of authenticators in the single sign - on server, and potential weaknesses in the single sign - on technologies.

When single sign - on systems allow access for a single login to multiple instances of sensitive data or systems, financial institutions should employ robust authentication techniques, such as multi - factor, PKI, and biometric techniques. Financial institutions should also employ additional controls to protect the authentication server and detect attacks against the server and server communications.

Return to the top of the newsletter

INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

14. Determine whether appropriate filtering occurs for spoofed addresses, both within the network and at external connections, covering network ingress and egress.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

41. Does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as permitted under §§13-15, unless:

a. it has provided the consumer with an initial notice; [§10(a)(1)(i)]

b. it has provided the consumer with an opt out notice; [§10(a)(1)(ii)]

c. it has given the consumer a reasonable opportunity to opt out before the disclosure; [§10(a)(1)(iii)] and

d. the consumer has not opted out? [§10(a)(1)(iv)]

(Note: this disclosure limitation applies to consumers as well as to customers [§10(b)(1)], and to all nonpublic personal information regardless of whether collected before or after receiving an opt out direction. [§10(b)(2)])