R. Kinney Williams
Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
August 24, 2008
Does your financial institution need an affordable Internet security
audit?
Yennik, Inc. has clients in 42 states that rely on our penetration
testing audits to ensure proper Internet security settings and to meet
the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and
NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable,
sophisticated process that goes far beyond the simple scanning of
ports. The audit focuses on a hacker's perspective, which will help you
identify real-world weaknesses. For more information, give R. Kinney
Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI -
Unencrypted traveler data laptop disappears then reappears - The
missing laptop has now been found - in the office from which it was
apparently stolen.
http://www.theregister.co.uk/2008/08/05/missing_laptop/print.html
FYI -
Kaminsky (finally) reveals gaping hole in internet - Black Hat After
a four-week orgy of speculation, recrimination and warnings, Dan
Kaminsky's domain-name system vulnerability has finally gone public.
And boy, are we glad the net's overlords paid attention.
http://www.theregister.co.uk/2008/08/06/kaminsky_black_hat/print.html
FYI -
Gov't charges alleged TJX credit-card thieves - The U.S. government
may have closed the book on the TJX Companies credit-card breach and
at least eight other recent thefts of financial data. " So far as we
know, this is the single largest and most complex identity theft
case ever charged in this country. "
http://www.securityfocus.com/news/11530?ref=rss
FYI -
Webcam hacker-ogler jailed for four years - A middle-aged Cypriot
has been jailed for four years after he was convicted of hacking
into internet webcams in order to spy on teenage girls. The unnamed
47-year-old computer technician used Trojan horse spyware to gain
remote control of a webcam and take illicit pictures of at least one
young woman in her bedroom.
http://www.theregister.co.uk/2008/08/05/webcam_hacker_jailed/print.html
FYI -
More UCLA Medical Center employees peeked at celebrities' records,
state says - A total of 127 workers, nearly double the initial
reported number, have been implicated by the California Department
of Public Health in the growing scandal.
http://www.latimes.com/features/health/medicine/la-me-health5-2008aug05,0,7094124.story
FYI -
Vista ineffective against browser attacks - The memory protections
in Windows Vista are largely ineffective at preventing browser
exploitation. This was the position taken by two researchers
presenting at the Black Hat conference in Las Vegas.
http://www.scmagazineus.com/BLACK-HAT-Vista-ineffective-against-browser-attacks/article/113577/?DCMP=EMC-SCUS_Newswire
FYI -
Georgia hit by war hackers - As its conflict with Russia continues,
Georgia's government and commercial websites have been hit by
multiple cyberattacks.
http://www.scmagazineus.com/Georgia-hit-by-war-hackers/article/113663/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Hundreds of credit card owners hit by online scam - HUNDREDS of bank
customers have had their credit cards cancelled following the latest
international scam to hit the financial services sector. Personal
banking details of hundreds of customers were compromised after
thieves hacked into the online database of one of the country's
leading retailers.
http://www.irishexaminer.com/irishexaminer/pages/story.aspx-qqqg=ireland-qqqm=ireland-qqqa=ireland-qqqid=69351-qqqx=1.asp
FYI -
Wells Fargo code used to illegally access consumer data - Latest in
a string of incidents reported by Wells Fargo over the past five
years - Wells Fargo Bank NA is in the process of notifying some
7,000 individuals that a thief may have accessed their Social
Security numbers and other personal information by illegally using
the financial services firm's access codes.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9112359&source=rss_topic17
FYI -
BBC confirms personal details stolen - The BBC has confirmed that it
has lost the personal details of its staff's children. The
corporation said that a laptop and several memory sticks that
contained the names, addresses and mobile phone numbers of children
had been stolen from a staff vehicle. The BBC has informed the
parents of those affected and is currently reviewing internal
security procedures across its programmes.
http://www.scmagazineuk.com/BBC-confirms-personal-details-stolen/article/113625/
FYI -
Records loss may violate U.S. law - 'Total files' of patients, many
with HIV and AIDS, missing - A low-level Harris County Hospital
District administrator probably violated federal law when she
downloaded medical and financial records for 1,200 patients with HIV,
AIDS and other medical conditions onto a flash drive that later was
lost or stolen, legal experts said.
http://www.chron.com/disp/story.mpl/metropolitan/5931497.html
WEB SITE COMPLIANCE -
Guidance on Safeguarding Customers Against E-Mail and
Internet-Related Fraudulent Schemes (Part 2 of 3)
Risks Associated With E-Mail and Internet-Related Fraudulent
Schemes
Internet-related fraudulent schemes present a substantial risk to
the reputation of any financial institution that is impersonated or
spoofed. Financial institution customers and potential customers may
mistakenly perceive that weak information security resulted in
security breaches that allowed someone to obtain confidential
information from the financial institution. Potential negative
publicity regarding an institution's business practices may cause a
decline in the institution's customer base, a loss in confidence or
costly litigation.
In addition, customers who fall prey to e-mail and Internet-related
fraudulent schemes face real and immediate risk. Criminals will
normally act quickly to gain unauthorized access to financial
accounts, commit identity theft, or engage in other illegal acts
before the victim realizes the fraud has occurred and takes action
to stop it.
Educating Financial Institution Customers About E-Mail and
Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating
customers about prevalent e-mail and Internet-related fraudulent
schemes, such as phishing, and how to avoid them. This may be
accomplished by providing customers with clear and bold statement
stuffers and posting notices on Web sites that convey the following
messages:
- A financial institution's Web page should never be accessed from a
link provided by a third party. It should only be accessed by typing
the Web site name, or URL address, into the Web browser or by using a
"bookmark" that directs the Web browser to the financial institution's
Web site.
- A financial institution should not be sending e-mail messages that
request confidential information, such as account numbers, passwords,
or PINs. Financial institution customers should be reminded to report
any such requests to the institution.
- Financial institutions should maintain current Web site certificates
and describe how the customer can authenticate the institution's Web
pages by checking the properties on a secure Web page.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION -
NETWORK ACCESS
Protocols and Ports (Part 1 of 3)
Network communications rely on software protocols to ensure the
proper flow of information. A protocol is a set of rules that allows
communication between two points in a telecommunications connection.
Different types of networks use different protocols. The Internet
and most intranets and extranets, however, are based on the TCP/IP
layered model of protocols. That model has four layers, and
different protocols within each layer. The layers, from bottom to
top, are the network access layer, the Internet layer, the
host-to-host layer, and the application layer. Vulnerabilities and
corresponding attack strategies exist at each layer. This becomes an
important consideration in evaluating the necessary controls.
Hardware and software can use the protocols to restrict network
access. Likewise, attackers can use weaknesses in the protocols to
attack networks.
The primary TCP/IP protocols are the Internet protocol (IP) and the
transmission control protocol (TCP). IP is used to route messages
between devices on a network, and operates at the Internet layer.
TCP operates at the host-to-host layer, and provides a
connection-oriented, full-duplex, virtual circuit between hosts.
Different protocols support different services for the network. The
different services often introduce additional vulnerabilities. For
example, a third protocol, the user datagram protocol (UDP) is also
used at the host-to-host layer. Unlike TCP, UDP is not
connection-oriented, which makes it faster and a better protocol for supporting
broadcast and streaming services. Since UDP is not
connection-oriented, however, firewalls often do not effectively
filter it. To provide additional safeguards, it is often blocked
entirely from inbound traffic or additional controls are added to
verify and authenticate inbound UDP packets as coming from a trusted
host.
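The paragraph above makes two claims that are easier to see in code: a firewall can tie inbound TCP to a connection the inside host opened (the SYN handshake gives it state to match), while for UDP it has no handshake to match against and must fall back to a trusted-source list or a short time window after an outbound datagram. The toy stateful filter below is an added example written for this newsletter, not code from the FFIEC booklet or from Yennik, Inc.; the internal prefix 10.0.0., the trusted-host list, the 30-second reply window and the packets in the demo are all constructed (the external addresses come from the RFC 5737 documentation ranges).

```python
"""Toy stateful packet filter: TCP matched by connection state, UDP by
trusted host or reply window. Added example; all addresses, ports and the
rule set are constructed for illustration."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

INTERNAL_PREFIX = "10.0.0."  # constructed: addresses behind the firewall


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""     # TCP flags: "S" = SYN, "SA" = SYN-ACK, "A" = ACK
    t: float = 0.0      # arrival time in seconds (constructed clock)


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class StatefulFilter:
    def __init__(self, trusted_udp_hosts, allowed_tcp_ports, udp_reply_window=30.0):
        self.trusted_udp_hosts: Set[str] = set(trusted_udp_hosts)
        self.allowed_tcp_ports: Set[int] = set(allowed_tcp_ports)
        self.udp_reply_window = udp_reply_window
        # TCP connections opened from inside: (src, sport, dst, dport)
        self.tcp_conns: Set[Tuple[str, int, str, int]] = set()
        # Outbound UDP datagrams awaiting a reply: 4-tuple -> time sent
        self.udp_pending: Dict[Tuple[str, int, str, int], float] = {}

    def decide(self, p: Packet) -> str:
        if is_internal(p.src) and not is_internal(p.dst):
            return self._outbound(p)
        if not is_internal(p.src) and is_internal(p.dst):
            return self._inbound(p)
        return "DROP"  # ambiguous direction (e.g. external-to-external)

    def _outbound(self, p: Packet) -> str:
        # Only an initial SYN creates TCP state; for UDP every datagram does,
        # because there is no handshake to distinguish "new" from "reply".
        if p.proto == "tcp" and "S" in p.flags and "A" not in p.flags:
            self.tcp_conns.add((p.src, p.sport, p.dst, p.dport))
        elif p.proto == "udp":
            self.udp_pending[(p.src, p.sport, p.dst, p.dport)] = p.t
        return "ACCEPT"

    def _inbound(self, p: Packet) -> str:
        reverse = (p.dst, p.dport, p.src, p.sport)
        if p.proto == "tcp":
            if reverse in self.tcp_conns:          # reply to a connection we opened
                return "ACCEPT"
            if "S" in p.flags and "A" not in p.flags and p.dport in self.allowed_tcp_ports:
                return "ACCEPT"                     # new connection to a published service
            return "DROP"
        if p.proto == "udp":
            if p.src in self.trusted_udp_hosts:    # explicitly trusted host (e.g. NTP peer)
                return "ACCEPT"
            sent = self.udp_pending.get(reverse)   # looks like a reply to our datagram?
            if sent is not None and p.t - sent <= self.udp_reply_window:
                return "ACCEPT"
            return "DROP"
        return "DROP"


def run_demo() -> List[str]:
    """Run a constructed packet sequence through the filter and return decisions."""
    fw = StatefulFilter(trusted_udp_hosts=["203.0.113.20"], allowed_tcp_ports=[443])
    packets = [
        Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 443, "S", 0.0),    # outbound SYN
        Packet("tcp", "203.0.113.10", 443, "10.0.0.5", 40000, "SA", 0.1),   # SYN-ACK reply
        Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, "S", 0.2),      # unsolicited SSH SYN
        Packet("tcp", "198.51.100.7", 5555, "10.0.0.8", 443, "S", 0.3),     # SYN to published HTTPS
        Packet("udp", "10.0.0.5", 53000, "192.0.2.53", 53, "", 1.0),        # outbound DNS query
        Packet("udp", "192.0.2.53", 53, "10.0.0.5", 53000, "", 2.0),        # DNS reply in window
        Packet("udp", "198.51.100.9", 53, "10.0.0.5", 53000, "", 3.0),      # reply from wrong host
        Packet("udp", "192.0.2.53", 53, "10.0.0.5", 53000, "", 100.0),      # reply after window
        Packet("udp", "203.0.113.20", 123, "10.0.0.5", 123, "", 4.0),       # trusted NTP host
        Packet("udp", "198.51.100.9", 1900, "10.0.0.5", 1900, "", 5.0),     # unsolicited UDP
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

The UDP branch shows the limitation the booklet is pointing at: the filter can only compare header fields, so "reply within the window" is a heuristic, and a datagram that forges the expected source address and port within that window would be accepted just as a genuine reply would. That is why the text recommends blocking inbound UDP entirely where the service is not needed, or adding controls that authenticate the sending host rather than relying on the headers alone.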
IT SECURITY QUESTION:
B. NETWORK SECURITY
19. Evaluate the appropriateness of techniques that prevent the spread
of malicious code across the network.
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
46. Does the institution refrain from
disclosing, directly or through affiliates, account numbers or
similar forms of access numbers or access codes for a consumer's
credit card account, deposit account, or transaction account to any
nonaffiliated third party (other than to a consumer reporting
agency) for telemarketing, direct mail or electronic mail marketing
to the consumer, except:
a. to the institution's agents or service providers solely to market
the institution's own products or services, as long as the agent or
service provider is not authorized to directly initiate charges to the
account; [§12(b)(1)] or
b. to a participant in a private label credit card program or an
affinity or similar program where the participants in the program are
identified to the customer when the customer enters into the program?
[§12(b)(2)]
(Note: an "account number or similar form of access number or access
code" does not include numbers in encrypted form, so long as the
institution does not provide the recipient with a means of decryption.
[§12(c)(1)] A transaction account does not include an account to which
third parties cannot initiate charges. [§12(c)(2)])
PLEASE NOTE: Some of the above links may have expired, especially those
from news organizations. We may have a copy of the article, so please
e-mail us at examiner@yennik.com if we can be of assistance.