R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

September 6, 2009

CONTENT
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - The Information Security and Risk Management Conference is being held September 28-30, 2009 in Las Vegas, Nevada. This is a great conference that I highly recommend. For more information and to register, please go to http://www.isaca.org/isrmc.

FYI -
FTC Finalizes Rules On Health Care Breach Disclosure - Organizations will be required to notify patients of breaches, even if they are not bound by HIPAA - The Federal Trade Commission yesterday issued a final rule that will require Web-based businesses to notify consumers when the security of their electronic health information has been breached.
http://www.darkreading.com/security/government/showArticle.jhtml?articleID=219400484
http://www.scmagazineus.com/Health-care-breach-notification-mandated/article/146976/?DCMP=EMC-SCUS_Newswire

FYI -
USDA unit bans browsers other than Internet Explorer - An Agriculture Department agency has begun enforcing a policy banning the use of Web browsers other than Microsoft's Internet Explorer, to the surprise of employees who rely on other browsers, such as Mozilla's Firefox, to help in developing Web sites for public use. http://www.nextgov.com/nextgov/ng_20090819_3426.php?oref=topstory

FYI -
Employers block more social networking sites - Employers are gradually tightening the reins on which websites their staff can view and are increasingly choosing to block access to popular social networking sites. http://www.scmagazineuk.com/Employers-block-more-social-networking-sites-than-shopping-or-pornography/article/146866/

FYI -
Besieged by attacks, AT&T dumps celebrity hacker - The perils of being Kevin Mitnick - Over the years, Kevin Mitnick has gotten used to the attacks on his website and cell phone account that routinely result from being a convicted hacker turned security expert. What he finds much harder to stomach is the treatment he's getting from his providers. http://www.theregister.co.uk/2009/08/19/att_dumps_kevin_mitnick/

FYI -
West Africa net service restored - The cause of the fault has not been revealed - A cable fault that caused a major blackout of internet services across West Africa has been repaired. The damage was discovered 25km (15 miles) off the coast of Benin on a branch of the SAT-3 cable, which connects Europe to South Africa. http://news.bbc.co.uk/2/hi/technology/8206728.stm

FYI -
"Dirtiest" websites host average 18,000 threats - The most dangerous sites on the web are propagating an average of 18,000 different pieces of malware, according to Symantec. http://www.scmagazineus.com/Dirtiest-websites-host-average-18000-threats/article/146919/?DCMP=EMC-SCUS_Newswire

FYI -
Do you know where your user IDs and passwords are? - Surprisingly, a majority of enterprises still use IDs and passwords as their only standard authentication criteria. This is true among many industries and companies of all sizes. Unfortunately, there are many reasons why this is no longer adequate in an enterprise environment. http://www.scmagazineus.com/Do-you-know-where-your-user-IDs-and-passwords-are/article/146865/?DCMP=EMC-SCUS_Newswire

FYI -
ISP criticised for distributing the same password to all new users with no firm instruction to change it - A European ISP has admitted that all new subscribers are given the same password. The Dutch branch of Tele2 claimed that when a new subscriber signs up, they can choose a login or are assigned one and they are then sent a letter by Tele2 with their login name, password and the date their new DSL connection will be activated. http://www.scmagazineuk.com/ISP-criticised-for-distributing-the-same-password-to-all-new-users-with-no-firm-instruction-to-change-it/article/147136/

FYI -
Hackers rest over summer, pounce during Christmas - The summer season could end up with fewer cyberattacks because companies are less likely to be targeted now than other vacation periods, a new survey shows. http://www.scmagazineus.com/Hackers-rest-over-summer-pounce-during-Christmas/article/147268/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Data breach affected 'limited' number of sites, guests - Radisson Hotels revealed that a "limited" number of guests may have had their credit or debit card data stolen, due to a breach of the computer systems at some of the chain's hotels. http://www.computerworld.com/s/article/9136851/Radisson_Hotels_Data_breach_affected_limited_number_of_sites_guests?source=rss_security

FYI -
Identity fraud ring busted in New York - Members of an alleged fraud ring have been arraigned in New York, charged with stealing identities and obtaining $22 million of wireless phone equipment and services. http://www.scmagazineus.com/Identity-fraud-ring-busted-in-New-York/article/147170/?DCMP=EMC-SCUS_Newswire

FYI -
London hospital recovers from Conficker outbreak - An east London hospital has confirmed its computer systems were infected by the Conficker worm earlier this month. Whipps Cross University Hospital NHS Trust stressed that the outbreak affected only administrative systems, causing minor inconvenience, and did not affect patient care. Systems have since been restored to normal. http://www.theregister.co.uk/2009/08/24/nhs_hospital_conficker/

FYI -
Hacker pleads guilty in massive bank fraud case - Hacker Ehud Tenenbaum has pleaded guilty in connection to charges of fraud that netted millions of dollars from banks in Indiana, Florida, Texas and California, according to the U.S. Attorney's office in New York. http://www.scmagazineus.com/Hacker-pleads-guilty-in-massive-bank-fraud-case/article/147363/?DCMP=EMC-SCUS_Newswire

FYI -
Bernanke Victimized by Identity Fraud Ring - According to court documents, the Fed chairman and his wife were swindled in 2008 by a skilled team of crooks. http://www.newsweek.com/id/213696

WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.

Principle 2: Banks should use transaction authentication methods that promote non-repudiation and establish accountability for e-banking transactions.

Non-repudiation involves creating proof of the origin or delivery of electronic information to protect the sender against false denial by the recipient that the data has been received, or to protect the recipient against false denial by the sender that the data has been sent. Risk of transaction repudiation is already an issue with conventional transactions such as credit cards or securities transactions. However, e-banking heightens this risk because of the difficulties of positively authenticating the identities and authority of parties initiating transactions, the potential for altering or hijacking electronic transactions, and the potential for e-banking users to claim that transactions were fraudulently altered.

To address these heightened concerns, banks need to make reasonable efforts, commensurate with the materiality and type of the e-banking transaction, to ensure that:

1) E-banking systems are designed to reduce the likelihood that authorized users will initiate unintended transactions and that customers fully understand the risks associated with any transactions they initiate.
2) All parties to the transaction are positively authenticated and control is maintained over the authenticated channel.
3) Financial transaction data are protected from alteration and any alteration is detectable.


Banking organizations have begun to employ various techniques that help establish non-repudiation and ensure confidentiality and integrity of e-banking transactions, such as digital certificates using public key infrastructure (PKI). A bank may issue a digital certificate to a customer or counterparty to allow for their unique identification/authentication and reduce the risk of transaction repudiation. Although in some countries customers' rights to disclaim transactions are provided in specific legal provisions, legislation has been passed in certain national jurisdictions making digital signatures legally enforceable. Wider global legal acceptance of such techniques is likely as technology continues to evolve.
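As an added illustration of the PKI technique the principle describes (this is example code, not from the Basel paper or this newsletter): a customer signs a payment order with the private key behind their certificate, and the bank verifies it with the matching public key, so a signature can only come from the key holder (accountability) and any change to the signed fields makes verification fail (detectable alteration). The Transaction type, the function names and the in-place key generation (standing in for a certificate issued by the bank) are assumptions for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Transaction is a constructed, simplified e-banking payment order (assumed fields).
type Transaction struct {
	FromAccount string
	ToAccount   string
	AmountCents int64
	Nonce       string // unique per order, so a captured signature cannot be replayed
}

// canonical gives a fixed byte serialization: signer and verifier must hash identical bytes.
func canonical(t Transaction) []byte {
	return []byte(fmt.Sprintf("%s|%s|%d|%s", t.FromAccount, t.ToAccount, t.AmountCents, t.Nonce))
}

// NewCustomerKey stands in for the key pair whose public half the bank would bind to a customer certificate.
func NewCustomerKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SignTransaction runs on the customer side: only the holder of the private key can produce this signature.
func SignTransaction(key *ecdsa.PrivateKey, t Transaction) ([]byte, error) {
	digest := sha256.Sum256(canonical(t))
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyTransaction runs at the bank with the public key from the customer's certificate;
// any change to a signed field changes the digest and the check fails.
func VerifyTransaction(pub *ecdsa.PublicKey, t Transaction, sig []byte) bool {
	digest := sha256.Sum256(canonical(t))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	key, _ := NewCustomerKey()
	tx := Transaction{FromAccount: "ACCT-1001", ToAccount: "ACCT-2002", AmountCents: 12500, Nonce: "ord-0001"}
	sig, _ := SignTransaction(key, tx)
	fmt.Println("original verifies:", VerifyTransaction(&key.PublicKey, tx, sig))
	tx.AmountCents = 1250000 // alteration in transit
	fmt.Println("altered verifies:", VerifyTransaction(&key.PublicKey, tx, sig))
}
```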


INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

BUSINESS CONTINUITY CONSIDERATIONS

Events that trigger the implementation of a business continuity plan may have significant security considerations. Depending on the event, some or all of the elements of the security environment may change. Different people may be involved in operations, at a different physical location, using similar but different machines and software which may communicate over different communications lines. Depending on the event, different tradeoffs may exist between availability, integrity, confidentiality, and accountability, with a different appetite for risk on the part of management.

Business continuity plans should be reviewed as an integral part of the security process. Risk assessments should consider the changing risks that appear in business continuity scenarios and the different security posture that may be established. Strategies should consider the different risk environment and the degree of risk mitigation necessary to protect the institution in the event the continuity plans must be implemented. The implementation should consider the training of appropriate personnel in their security roles, and the implementation and updating of technologies and plans for backup sites and communications networks. Testing these security considerations should be integrated with the testing of business continuity plan implementations.



IT SECURITY QUESTION: SERVICE PROVIDER OVERSIGHT - SECURITY

1. Determine if contracts contain security requirements that at least meet the objectives of the Section 501(b) GLBA security guidelines and contain nondisclosure language regarding specific requirements.

2. Determine whether the institution has assessed the service provider's ability to meet contractual security requirements.

3. Determine whether appropriate controls exist over the substitution of personnel on the institution's projects and services.

4. Determine whether appropriate security testing is required and performed on any code, system, or service delivered under the contract.

5. Determine whether appropriate reporting of security incidents is required under the contract.



INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:

a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]

b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]

c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution's web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or

d. a toll-free telephone number? [§7(a)(2)(ii)(D)]

(Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated