Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

July 29, 2007

Does Your Financial Institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Employees Pose Biggest Security Risk - Put simply, the end user is the biggest issue when it comes to IT security, says Mark Loveless, white-hat hacker who goes by the handle "Simple Nomad." http://www.darkreading.com/document.asp?doc_id=129122&WT.svl=cmpnews1_1

FYI - M&T Bank fixes glitch that delayed updating account balances - A computer glitch Friday at regional bank M&T Bank Corp. that delayed funds posted to customers' accounts at the close of business Thursday has been fixed. http://www.examiner.com/printa-771582~M&T_Bank_fixes_glitch_that_delayed_updating_account_balances.html?cid=tool-print-top

FYI - Secret Service Busts Four Fraudsters With Ties To T.J. Maxx Attack - The South Florida bust resulted in the recovery of about 200,000 stolen credit card account numbers used in fraud losses roughly calculated to be more than $75 million. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=201001100

FYI - Salary premiums for security certifications increasing, study shows - Foote Partners report data bucks trend seen in other IT areas - For all the continuing debate about the real value of IT certification programs, the premiums that companies are willing to pay for certified information security professionals are actually trending upwards. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026624

FYI - Security lab may face $3.3m fine for data leak - Classified files, computer storage devices found in trailer-park drug raid - The Energy Department proposed $3.3 million in fines Friday against managers of the Los Alamos nuclear weapons lab because of a security breakdown in which classified documents were found in a trailer-park drug raid. The civil penalties, the bulk of them levied against the University of California, the longtime former manager of the lab, were the largest such fines the department has ever imposed.
http://rss.msnbc.msn.com/id/19752730/
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070718/671826/

FYI - E-health Records Privacy Rules Needed - Patients currently don't have any way to keep their personal information from being shared with third parties. http://www.pcworld.com/article/id,134720/article.html?tk=nl_dnxnws

FYI - Feds scramble to meet data breach deadline - Deadline for federal agencies' policies for dealing with data breaches approaches and it's not yet clear whether everyone will be done in time. With only two months left before government agencies must figure out how to deal with data breaches and data theft, federal bureaucrats are scrambling to meet the looming deadline. http://news.com.com/Feds+scramble+to+meet+data+breach+deadline/2100-7348_3-6197474.html?tag=cd.lede

FYI - Texas state Web site leaks sensitive information - State and local governments are struggling to remove personal information online so it cannot be misused by criminals. http://www.infoworld.com/article/07/07/19/Texas-Web-site-leaks-info_1.html

FYI - iPhone may be disrupting network - Apple Inc.'s flashy new iPhones may be jamming parts of the wireless network at Duke University, where technology officials worked with the company Wednesday to fix problems before classes begin next month. http://www.businessweek.com/ap/financialnews/D8QF8LD00.htm

MISSING COMPUTERS/DATA

FYI - Disney alerts movie-club members to privacy breach - A Wisconsin man is arrested in connection with an attempt to sell credit-card information. Credit-card information for an undisclosed number of Disney Movie Club members worldwide was reportedly offered for sale -- illegally -- by an employee of a sales account-processing company who was then arrested by federal agents. http://www.orlandosentinel.com/business/orl-disneyclub1407jul14,0,7420844,print.story

FYI - MSD worker fired in security breach - The Metropolitan St. Louis Sewer District has fired an employee after executives learned the employee had downloaded Social Security numbers of about 1,600 current or former district employees to a home computer. The Social Security numbers were part of a computer file the district uses to make sure workers get the proper pay. http://www.stltoday.com/stltoday/news/stories.nsf/stlouiscitycounty/story/33EFD47679FB1BAF862573170067720F?OpenDocument

FYI - Google in Colorado safe cracking caper - It's true. Google can help with anything. Minutes before they opened several locked safes at a "family fun center" in Colorado Springs, a team of masked bandits sat down at a nearby PC and Googled "safe-cracking." "They brought up a site called 'How to Open Safes,'" Colorado Springs detective Chuck Ackerman told The Register. http://www.theregister.co.uk/2007/07/10/google_safe_cracking_caper/print.html

FYI - Missing TSA computer drive not protected - The Transportation Security Administration did not follow White House instructions to protect sensitive information on a computer hard drive containing bank and payroll data for 100,000 employees that was discovered missing, the agency acknowledged to Congress. http://www.star-telegram.com/464/story/170815.html

FYI - Former Boeing employee charged in data theft - Seattle police have charged a former Boeing employee with 16 counts of computer trespass for the alleged theft of 320,000 files, as well as leaking them to a Seattle-area daily newspaper. http://www.scmagazine.com/us/news/article/670671/former-boeing-employee-charged-data-theft/



WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 2 of 3)

Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
Internet-related fraudulent schemes present a substantial risk to the reputation of any financial institution that is impersonated or spoofed. Financial institution customers and potential customers may mistakenly perceive that weak information security resulted in security breaches that allowed someone to obtain confidential information from the financial institution. Potential negative publicity regarding an institution's business practices may cause a decline in the institution's customer base, a loss in confidence or costly litigation.

In addition, customers who fall prey to e-mail and Internet-related fraudulent schemes face real and immediate risk. Criminals will normally act quickly to gain unauthorized access to financial accounts, commit identity theft, or engage in other illegal acts before the victim realizes the fraud has occurred and takes action to stop it.

Educating Financial Institution Customers About E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating customers about prevalent e-mail and Internet-related fraudulent schemes, such as phishing, and how to avoid them. This may be accomplished by providing customers with clear and bold statement stuffers and posting notices on Web sites that convey the following messages:

- A financial institution's Web page should never be accessed from a link provided by a third party. It should only be accessed by typing the Web site name, or URL address, into the Web browser or by using a "book mark" that directs the Web browser to the financial institution's Web site.
- A financial institution should not be sending e-mail messages that request confidential information, such as account numbers, passwords, or PINs. Financial institution customers should be reminded to report any such requests to the institution.
- Financial institutions should maintain current Web site certificates and describe how the customer can authenticate the institution's Web pages by checking the properties on a secure Web page.

To explain the red flags and risks of phishing and identity theft, financial institutions can refer customers to or use resources distributed by the Federal Trade Commission (FTC), including the following FTC brochures:

- "How Not to Get Hooked by the 'Phishing' Scam," published in July 2003, which is available at: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
- "ID Theft: When Bad Things Happen to Your Good Name," published in September 2002, which is available at: http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm


INFORMATION TECHNOLOGY SECURITY
We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

PART I. Risks Associated with Wireless Internal Networks

Financial institutions are evaluating wireless networks as an alternative to the traditional cable to the desktop network. Currently, wireless networks can provide speeds of up to 11Mbps between the workstation and the wireless access device without the need for cabling individual workstations. Wireless networks also offer added mobility allowing users to travel through the facility without losing their network connection. Wireless networks are also being used to provide connectivity between geographically close locations as an alternative to installing dedicated telecommunication lines.

Wireless differs from traditional hard-wired networking in that it provides connectivity to the network by broadcasting radio signals through the airways. Wireless networks operate using a set of FCC licensed frequencies to communicate between workstations and wireless access points. By installing wireless access points, an institution can expand its network to include workstations within broadcast range of the network access point.

The most prevalent class of wireless networks currently available is based on the IEEE 802.11b wireless standard. The standard is supported by a variety of vendors for both network cards and wireless network access points. The wireless transmissions can be encrypted using "Wired Equivalent Privacy" (WEP) encryption. WEP is intended to provide confidentiality and integrity of data and a degree of access control over the network. By design, WEP encrypts traffic between an access point and the client. However, this encryption method has fundamental weaknesses that make it vulnerable. WEP is vulnerable to the following types of decryption attacks:

1)  Decrypting information based on statistical analysis;

2)  Injecting new traffic from unauthorized mobile stations based on known plain text;

3)  Decrypting traffic based on tricking the access point;

4)  Dictionary-building attacks that, after analyzing about a day's worth of traffic, allow real-time automated decryption of all traffic (a dictionary-building attack creates a translation table that can be used to convert encrypted information into plain text without executing the decryption routine); and

5)  Attacks based on documented weaknesses in the RC4 encryption algorithm that allow an attacker to rapidly determine the encryption key used to encrypt the user's session.
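
Items 1 and 4 in the list above both rest on keystream reuse. The Python sketch below is an added example, not part of the FDIC guidance or this newsletter; it assumes WEP's 24-bit initialization vector (IV) prepended to the shared secret as the per-frame RC4 key, a property of the standard that the page does not state, and the secret and frames are constructed sample data.

```python
import math

IV_BITS = 24  # WEP IV length: a property of the standard, not stated on the page

def rc4_keystream(key: bytes, n: int) -> bytes:
    """Plain RC4: key scheduling, then n bytes of keystream."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wep_encrypt(iv: bytes, secret: bytes, frame: bytes) -> bytes:
    """WEP keys RC4 with IV || shared secret per frame (CRC-32 ICV omitted)."""
    return xor(frame, rc4_keystream(iv + secret, len(frame)))

def frames_until_iv_repeat(prob: float, iv_bits: int = IV_BITS) -> int:
    """Birthday bound: frames with random IVs before a repeat occurs with probability prob."""
    return math.ceil(math.sqrt(2 * 2 ** iv_bits * math.log(1 / (1 - prob))))

def hours_to_exhaust_ivs(frames_per_second: float, iv_bits: int = IV_BITS) -> float:
    """Time for a sequential IV counter to wrap at a given frame rate."""
    return 2 ** iv_bits / frames_per_second / 3600

# Constructed sample data: a 40-bit shared secret and two equal-length frames.
SECRET = bytes.fromhex("0102030405")
FRAME_A = b"ACCT=1001;AMT=0000250.00"
FRAME_B = b"ACCT=2002;AMT=0009999.99"

def reuse_leaks_xor(iv_a: bytes, iv_b: bytes) -> bool:
    """True when the two ciphertexts XOR to the XOR of the two plaintexts."""
    c_a = wep_encrypt(iv_a, SECRET, FRAME_A)
    c_b = wep_encrypt(iv_b, SECRET, FRAME_B)
    return xor(c_a, c_b) == xor(FRAME_A, FRAME_B)

if __name__ == "__main__":
    print("same IV leaks plaintext XOR:", reuse_leaks_xor(b"\x00\x00\x01", b"\x00\x00\x01"))
    print("different IVs leak:", reuse_leaks_xor(b"\x00\x00\x01", b"\x00\x00\x02"))
    print("frames for 50% chance of IV repeat:", frames_until_iv_repeat(0.5))
    print("hours to wrap at 500 frames/s: %.1f" % hours_to_exhaust_ivs(500))
```

Changing the shared secret does not enlarge the IV space, so the frame counts computed here apply to every key an institution deploys under WEP.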


IT SECURITY QUESTION:  Image capturing operations:

a. Are there automated journals and audit trails that document access to and modification of images?
b. Are there controls to ensure stored images cannot be altered, erased or lost?
c. Have procedures been established to prevent the destruction of original documents before it is determined that the images are readable?
d. Are there procedures to address traditional controls (such as date stamps, control numbers, and review signatures)?
e. Are there controls to prevent faulty images, improper indexing, and incomplete or forged documents from being entered into the system?
f. Is a backup copy of the image medium stored off-site?
g. Is there a periodic evaluation of legal issues?



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Other Matters

Fair Credit Reporting Act

The regulations do not modify, limit, or supersede the operation of the Fair Credit Reporting Act.

State Law

The regulations do not supersede, alter, or affect any state statute, regulation, order, or interpretation, except to the extent that it is inconsistent with the regulations. A state statute, regulation, order, etc. is consistent with the regulations if the protection it affords any consumer is greater than the protection provided under the regulations, as determined by the FTC.

Grandfathered Service Contracts

Contracts that a financial institution has entered into, on or before July 1, 2000, with a nonaffiliated third party to perform services for the financial institution or functions on its behalf, as described in section 13, will satisfy the confidentiality requirements of section 13(a)(1)(ii) until July 1, 2002, even if the contract does not include a requirement that the third party maintain the confidentiality of nonpublic personal information.

Guidelines Regarding Protecting Customer Information

The regulations require a financial institution to disclose its policies and practices for protecting the confidentiality, security, and integrity of nonpublic personal information about consumers (whether or not they are customers). The disclosure need not describe these policies and practices in detail, but instead may describe in general terms who is authorized to have access to the information and whether the institution has security practices and procedures in place to ensure the confidentiality of the information in accordance with the institution's policies.

The four federal bank and thrift regulators have published guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley Act, that address steps a financial institution should take in order to protect customer information. The guidelines relate only to information about customers, rather than all consumers. Compliance examiners should consider the findings of a 501(b) inspection during the compliance examination of a financial institution for purposes of evaluating the accuracy of the institution's disclosure regarding data security.

Next week we will start covering the examination objectives.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated