Internet Banking News

August 11, 2013

CONTENT	Internet Compliance	Web Site Audits
IT Security	Internet Privacy	Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets. Go to the Market Store and search for yennik.

FYI - U.S. appeals court upholds warrantless collection of phone location data - Court rules that cell site information is business data collected by the service provider - Warrants are not required by the U.S. government to access historical cell site information, an appeals court ruled in an order. http://www.computerworld.com/s/article/9241251/U.S._appeals_court_upholds_warrantless_collection_of_phone_location_data?taxonomyId=17

FYI - The Untested Mobile Security System Defense Just Bought Isn't Functioning at USDA - Technology the Pentagon acquired, without testing, to protect email and Web browsing on military-issued consumer smartphones is not working at the Agriculture Department, according to USDA officials. http://www.nextgov.com/mobile/2013/08/untested-mobile-security-system-defense-just-bought-isnt-functioning-usda/67868/?oref=ng-channelriver

FYI - Wi-Fi routers: More security risks than ever - The research team that discovered significant security holes in more than a dozen home Wi-Fi routers adds more devices to that list at Defcon 21. http://news.cnet.com/8301-1009_3-57596851-83/wi-fi-routers-more-security-risks-than-ever/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Chrome-saved passwords in plain text not a flaw, according to Google - Go into the password section in Google Chrome's settings panel and you can see that the popular web browser displays saved passwords in plain text. Many consider this a flaw – but not Google. http://www.scmagazine.com/chrome-saved-passwords-in-plain-text-not-a-flaw-according-to-google/article/306470/?DCMP=EMC-SCUS_Newswire#

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - BGP multiple banking addresses hijacked - On 24 July 2013 a significant number of Internet Protocol (IP) addresses that belong to banks suddenly were routed to somewhere else. https://isc.sans.edu/diary/BGP+multiple+banking+addresses+hijacked/16249

FYI - Syrian Electronic Army Hacks White House Media Team - Hackers fail to take over White House website, and then got their Twitter accounts suspended for boasting about subsequent Thomson Reuters takeover. Three White House social media staffers had their personal Gmail accounts compromised by members of the Syrian Electronic Army (SEA). http://www.informationweek.com/security/attacks/syrian-electronic-army-hacks-white-house/240159156

FYI - Third-party software hole exposes personal info University of Delaware workers - Tens of thousands of employees of the University of Delaware in Newark had their personal information compromised in an attack last month. http://www.scmagazine.com/third-party-software-hole-exposes-personal-info-university-of-delaware-workers/article/305322/?DCMP=EMC-SCUS_Newswire

FYI - High-tech toilet gets hacker warning; nothing is safe - A vulnerability in a toilet-control app leads to an unusual warning about potential bathroom hacking hijinks. http://news.cnet.com/8301-1009_3-57596704-83/high-tech-toilet-gets-hacker-warning-nothing-is-safe/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Stolen laptop compromises patients of California medical group - The California-based Retinal Consultants Medical Group website says it offers patients “uncompromising care,” but a compromise of data is exactly what patients got after a laptop containing sensitive client information was stolen. http://www.scmagazine.com/stolen-laptop-compromises-patients-of-california-medical-group/article/306292/?DCMP=EMC-SCUS_Newswire

FYI - $1.5M cyber heist causes escrow firm to close its doors - A defunct escrow firm, which failed to recover lost funds after a $1.5 million cyber heist, serves as a grave reminder to businesses to spot telltale signs left by fraudsters. http://www.scmagazine.com/15m-cyber-heist-causes-escrow-firm-to-close-its-doors/article/306638/?DCMP=EMC-SCUS_Newswire

FYI - Citizens Bank alerts customers of "DDoS disruption" - Citizens Bank is alerting its customers that it is experiencing “intermittent interruption” caused by distributed denial-of-service (DDoS) attacks. http://www.scmagazine.com/citizens-bank-alerts-customers-of-ddos-disruption/article/306645/?DCMP=EMC-SCUS_Newswire

FYI - Employee fired for emailing health data to herself - Emailing protected health information (PHI) to a personal email address cost one Rocky Mountain Spine Clinic employee her job last week. http://www.scmagazine.com/employee-fired-for-emailing-health-data-to-herself/article/306366/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 8 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.

Disclaimers and Disclosures

Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy polices do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.

In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.

A "pop up" is a screen generated by mobile code, for example Java or Active X, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile codes.

In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

INFORMATION SECURITY RISK ASSESSMENT

KEY RISK ASSESSMENT PRACTICES (2 of 2)

4) Accountable Activities - The responsibility for performing risk assessments should reside primarily with members of management in the best position to determine the scope of the assessment, and the effectiveness of risk reduction techniques. For a mid - sized or large institution, that organization will likely be the business unit. The information security officer(s) are responsible for overseeing the performance of each risk assessment and the integration of the risk assessments into a cohesive whole. Senior management is accountable for abiding by the board of directors' guidance for risk acceptance and mitigation decisions.

5) Documentation - Documentation of the risk assessment process and procedures assists in ensuring consistency and completeness, as well as accountability. Documentation of the analysis and results provides a useful starting point for subsequent assessments, potentially reducing the effort required in those assessments. Documentation of risks accepted and risk mitigation decisions is fundamental to achieving accountability for risk decisions.

6) Enhanced Knowledge - Risk assessment increases management's knowledge of the institution's mechanisms for storing, processing, and communicating information, as well as the importance of those mechanisms to the achievement of the institution's objectives. Increased knowledge allows management to respond more rapidly to changes in the environment. Those changes can range from new technologies and threats to regulatory requirements.

7) Regular Updates - Risk assessments should be updated as new information affecting information security risks are identified (e.g., a new threat, vulnerability, adverse test result, hardware change, software change or configuration change). At least once a year, senior management should review the entire risk assessment to ensure relevant information is appropriately considered.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

6) Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1)and (2)]
(Note: annual notices are not required for former customers. [§5(b)(1)and (2)])