R. Kinney Williams & Associates

Internet Banking News

August 6, 2006

Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

The Federal Financial Institutions Examination Council issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions.
Press Release: www.ffiec.gov/press/pr072706.htm 
Press Release: www.ots.treas.gov/docs/7/776033.html 
Press Release: www.occ.treas.gov/ftp/bulletin/2006-31.txt 
Press Release: www.ncua.gov/news/press_releases/2006/FFIEC06-0727.pdf 
July 2006 Information Security Handbook:  http://www.ffiec.gov/ffiecinfobase/booklets/information_security/information_security.pdf

FYI - System glitches hit two banks' online services - Two of the nation's banks struggled on Tuesday to repair glitches at their Web sites that had prevented customers from fully accessing their accounts for as long as two days. http://news.com.com/2102-1047_3-6098492.html?tag=st.util.print

FYI - Professional Hackers Target World Finance - Professional Hackers and Organised Crime Target World's Largest Financial Institutions - The world's largest financial institutions experienced a surge in the number of security attacks over the past year, specifically from external sources. More than three-quarters (78%, up from 26% in 2005) of respondents confirmed a security breach from outside the organization and almost half (49%, up from 35% in 2005) experienced at least one internal breach. http://www.scoop.co.nz/stories/BU0607/S00302.htm

FYI - More than half-million injured NY workers have personal info compromised - A PC holding the personal information of some 540,000 injured workers in New York state has been lost by a Chicago company contracted to manage the data. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060726/571481/

FYI - Personal information of NYC homeless leaked - The personal information of more than 8,000 of New York City's homeless accidentally was leaked in an email Friday, the New York Daily News reported in its Saturday editions. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060726/571262/

FYI - Beware fake Google Toolbar trojan - Researchers warned PC users this week to be on the lookout for a trojan in the wild disguising itself as Google Toolbar. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20060724/571103/

FYI - Hackers striking databases in record numbers - Databases are under increasing assault from SQL injection attacks - Hackers are striking databases in record numbers, trying to pilfer a rich trove of personal and financial data, a security vendor said Wednesday. SecureWorks, based in Atlanta, is detecting up to 8,000 attacks per day on databases owned by its clients, up from an average 100 to 200 attacks per day in the first three months of this year. http://www.infoworld.com/article/06/07/19/HNsqlattacks_1.html

FYI - Time running out for Sarbanes-Oxley compliance - Like it or not, the clock is ticking for non-US companies that need to be compliant to one of the most talked-about elements of the Sarbanes-Oxley (SOX) Act established in 2002. http://www.silicon.com/financialservices/0,3800010364,39160788,00.htm


WEB SITE COMPLIANCE - We continue our series on the FFIEC Authentication in an Internet Banking Environment.  (Part 11 of 13)

Non-Hardware-Based One-Time-Password Scratch Card

Scratch cards (something a person has) are less-expensive, "low-tech" versions of the OTP generating tokens discussed previously. The card, similar to a bingo card or map location look-up, usually contains numbers and letters arranged in a row-and-column format, i.e., a grid. The size of the card determines the number of cells in the grid.

Used in a multifactor authentication process, the customer first enters his or her user name and password in the established manner. Assuming the information is input correctly, the customer will then be asked to input, as a second authentication factor, the characters contained in a randomly chosen cell in the grid. The customer will respond by typing in the data contained in the grid cell element that corresponds to the challenge coordinates.

Conventional OTP hardware tokens rely on electronics that can fail through physical abuse or defects, but placing the grid on a wallet-sized plastic card makes it durable and easy to carry. This type of authentication requires no training and, if the card is lost, replacement is relatively easy and inexpensive.
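The challenge-response step described above, written out as an added example (not code from the guidance or from any vendor): the server picks a random unused grid cell, shows the customer its coordinates, and compares the typed value against the card on file. The 5x5 grid of 3-character cells, the column/row labels, and the rule that a correctly answered cell is consumed are assumptions for the example.

```python
import secrets
import string
import hmac

# Constructed example: a 5x5 grid of 3-character cells with bingo-style
# coordinates (A1 .. E5). Values are generated server-side, printed on the
# customer's card and kept on file for verification (an assumption).
COLUMNS = "ABCDE"
ROWS = "12345"
ALPHABET = string.ascii_uppercase + string.digits


def make_card(rng=secrets):
    """Return {"A1": "X7Q", ...}: the grid as printed on the customer's card."""
    return {c + r: "".join(rng.choice(ALPHABET) for _ in range(3))
            for r in ROWS for c in COLUMNS}


class ScratchCardAuth:
    """Second factor, run only after user name and password already checked."""

    def __init__(self, card):
        self.card = card
        self.used = set()        # cells already consumed (one-time use)
        self.pending = None      # coordinate currently being challenged

    def challenge(self):
        """Pick a random unused cell; its coordinate is shown to the customer."""
        unused = [coord for coord in self.card if coord not in self.used]
        if not unused:
            raise RuntimeError("card exhausted; reissue")
        self.pending = secrets.choice(unused)
        return self.pending

    def verify(self, response):
        """True only if the response matches the challenged cell. A correct
        answer consumes the cell; a wrong one clears the challenge so the
        next attempt gets a fresh random cell (lockout policy is the caller's)."""
        coord, self.pending = self.pending, None
        if coord is None:
            return False
        expected = self.card[coord].encode()
        ok = hmac.compare_digest(response.strip().upper().encode(), expected)
        if ok:
            self.used.add(coord)
        return ok
```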

Out-of-Band Authentication

Out-of-band authentication includes any technique that allows the identity of the individual originating a transaction to be verified through a channel different from the one the customer is using to initiate the transaction. This type of layered authentication has been used in the commercial banking/brokerage business for many years. For example, funds transfer requests, purchase authorizations, or other monetary transactions are sent to the financial institution by the customer either by telephone or by fax. After the institution receives the request, a telephone call is usually made to another party within the company (if a business-generated transaction) or back to the originating individual. The telephoned party is asked for a predetermined word, phrase, or number that verifies that the transaction was legitimate and confirms the dollar amount. This layering approach precludes unauthorized transactions and identifies dollar amount errors, such as when a $1,000.00 order was intended but the decimal point was misplaced and the amount came back as $100,000.00.

In today's environment, the methods of origination and authentication are more varied. For example, when a customer initiates an online transaction, a computer or network-based server can generate a telephone call, an e-mail, or a text message. When the proper response (a verbal confirmation or an accepted-transaction affirmation) is received, the transaction is consummated.
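The out-of-band flow for an online transaction, as an added example that is not part of the guidance: the web channel records the pending transfer, a second channel (a stand-in for the telephone call, e-mail or text message) carries the amount and payee together with a confirmation code, and the transfer is consummated only when a matching reply arrives before the code expires. The six-digit code, the five-minute lifetime, and the single-attempt rule are assumptions.

```python
import secrets
import time
from dataclasses import dataclass

# Constructed example. Echoing amount and payee in the out-of-band message
# lets the customer catch a misplaced decimal point ($1,000.00 vs
# $100,000.00) before the money moves.
CODE_TTL_SECONDS = 300   # assumed lifetime of a confirmation code


@dataclass
class Transfer:
    transfer_id: str
    customer: str
    payee: str
    amount_cents: int
    status: str = "pending"


class OutOfBandConfirmer:
    def __init__(self, send_oob, now=time.time):
        self.send_oob = send_oob   # callable(customer, message): the second channel
        self.now = now
        self._pending = {}         # transfer_id -> (code, expires_at, transfer)

    def initiate(self, transfer):
        code = f"{secrets.randbelow(10**6):06d}"
        self._pending[transfer.transfer_id] = (code, self.now() + CODE_TTL_SECONDS, transfer)
        dollars = transfer.amount_cents / 100
        self.send_oob(transfer.customer,
                      f"Confirm transfer {transfer.transfer_id} of ${dollars:,.2f} "
                      f"to {transfer.payee}. Reply with code {code}, or ignore to cancel.")
        return transfer.transfer_id

    def confirm(self, transfer_id, reply_code):
        """One attempt per code: the entry is removed whether or not it matches,
        so a wrong or late reply cancels the transfer instead of leaving it open."""
        entry = self._pending.pop(transfer_id, None)
        if entry is None:
            return False
        code, expires_at, transfer = entry
        fresh = self.now() <= expires_at
        match = secrets.compare_digest(code.encode(), reply_code.strip().encode())
        transfer.status = "consummated" if fresh and match else "cancelled"
        return transfer.status == "consummated"
```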


We continue our series on the FFIEC interagency Information Security Booklet.  


Institution management should consider a number of issues regarding application-access control. Many of these issues could also apply to oversight of operating system access:

! Implementing a robust authentication method consistent with the criticality and sensitivity of the application. Historically, the majority of applications have relied solely on user IDs and passwords, but increasingly applications are using other forms of authentication. Multi-factor authentication, such as token and PKI-based systems coupled with a robust enrollment process, can reduce the potential for unauthorized access.
! Maintaining consistent processes for assigning new user access, changing existing user access, and promptly removing access for departing employees.
! Communicating and enforcing the responsibilities of programmers (including TSPs and vendors), security administrators, and business line owners for maintaining effective application-access control. Business line managers are responsible for the security and privacy of the information within their units. They are in the best position to judge the legitimate access needs of their area and should be held accountable for doing so. However, they require support in the form of adequate security capabilities provided by the programmers or vendor and adequate direction and support from security administrators.
! Monitoring existing access rights to applications to help ensure that users have the minimum access required for the current business need. Typically, business application owners must assume responsibility for determining the access rights assigned to their staff within the bounds of the AUP. Regardless of the process for assigning access, business application owners should periodically review and approve the application access assigned to their staff.
! Setting time-of-day or terminal limitations for some applications or for the more sensitive functions within an application. The nature of some applications requires limiting the location and number of workstations with access. These restrictions can support the implementation of tighter physical access controls.
! Logging access and events.
! Easing the administrative burden of managing access rights by utilizing software that supports group profiles. Some financial institutions manage access rights individually and it often leads to inappropriate access levels. By grouping employees with similar access requirements under a common access profile (e.g., tellers, loan operations, etc.), business application owners and security administrators can better assign and oversee access rights. For example, a teller performing a two-week rotation as a proof operator does not need year-round access to perform both jobs. With group profiles, security administrators can quickly reassign the employee from a teller profile to a proof operator profile. Note that group profiles are used only to manage access rights; accountability for system use is maintained through individuals being assigned their own unique identifiers and authenticators.
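Several of the points above (group profiles, unique identifiers for accountability, time-of-day limits, logging, and removal of departing employees) fit together in one small access manager. This is an added example, not code from the booklet: the two profiles, the function names, the employee IDs and the 07:00 to 19:00 window on the proof-balancing function are all assumptions.

```python
from datetime import datetime, time as dtime

# Constructed example: rights attach to group profiles, never to individuals.
# Each employee keeps a unique ID, so every log record still names a person,
# and the two-week rotation from teller to proof operator is a profile swap.
PROFILES = {
    "teller": {"deposit_account.view", "cash.transact"},
    "proof_operator": {"proof.encode", "proof.balance"},
}
# Assumed time-of-day limitation on one sensitive function (start, end).
RESTRICTED_HOURS = {"proof.balance": (dtime(7, 0), dtime(19, 0))}


class AccessManager:
    def __init__(self):
        self.assignments = {}   # employee_id -> profile name
        self.log = []           # one record per access decision

    def assign(self, employee_id, profile):
        """Assign or reassign a profile; the old rights go away with it."""
        if profile not in PROFILES:
            raise ValueError(f"unknown profile {profile}")
        self.assignments[employee_id] = profile

    def remove(self, employee_id):
        """Departing employee: drop the assignment so every check fails."""
        self.assignments.pop(employee_id, None)

    def check(self, employee_id, function, at_iso):
        """Decide whether employee_id may use function at the given ISO time,
        and log the decision either way."""
        at = datetime.fromisoformat(at_iso)
        profile = self.assignments.get(employee_id)
        allowed = profile is not None and function in PROFILES[profile]
        window = RESTRICTED_HOURS.get(function)
        if allowed and window and not (window[0] <= at.time() < window[1]):
            allowed = False
        self.log.append((at_iso, employee_id, profile, function, allowed))
        return allowed

    def review(self):
        """Report for the business application owner: each employee's
        effective rights, for the periodic review the guidance calls for."""
        return {e: sorted(PROFILES[p]) for e, p in self.assignments.items()}
```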




3. Determine whether adequate inspection for, and removal of, unauthorized hardware and software takes place.


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

9)  Does the institution list the following categories of nonpublic personal information that it collects, as applicable:

a)  information from the consumer; [6(c)(1)(i)]

b)  information about the consumer's transactions with the institution or its affiliates; [6(c)(1)(ii)]

c)  information about the consumer's transactions with nonaffiliated third parties; [6(c)(1)(iii)] and

d)  information from a consumer reporting agency? [6(c)(1)(iv)]

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated