Does Your Financial Institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - This week, I am attending the Network Security Conference sponsored by the Information Systems Audit and Control Association (ISACA) being held at Caesars Palace in Las Vegas. I look forward to meeting any of you who will also be in attendance.
FYI - Data breaches already surpass 2007 total - The number of reported data breaches has already surpassed 2007's total, according to a report from the Identity Theft Resource Center.
http://www.scmagazineus.com/Data-breaches-already-surpass-2007-total/article/115920/?DCMP=EMC-SCUS_Newswire
FYI - Medical identity thefts on the rise - Medical identity theft is increasing, in part because of the wealth of personal information available in medical records, experts say. And much of this identity theft is coming from within the medical community.
http://www.scmagazineus.com/Medical-identity-thefts-on-the-rise/article/115880/?DCMP=EMC-SCUS_Newswire
FYI - UK gov loses 29 million personal records - UK government departments have managed to leak a total of 29 million personal records over a single year.
http://www.theregister.co.uk/2008/08/20/uk_gov_lost_records/print.html
FYI - TV news anchor admits to hacking, leaking colleague's e-mail - Philadelphia's Mendte pleads guilty to accessing a protected computer - A Philadelphia TV news anchor pleaded guilty today to breaking into his co-anchor's e-mail accounts more than 500 times and feeding information he found there to a local newspaper.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113283&source=rss_topic17
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Thousands hit by bank card scam in Galway - Gardaí have uncovered a large-scale international ATM and credit card cloning operation involving thousands of cards used recently in the Galway area. Gardaí believe it is more serious than the card fraud which came to light earlier this week in the east of the country.
http://www.irishtimes.com/newspaper/ireland/2008/0821/1219243766638.html
FYI - Personal data of a million bank customers found on computer sold on eBay for £35 - Personal details of more than a million bank customers have been found on a computer sold on eBay.
http://www.dailymail.co.uk/news/article-1049121/Personal-data-million-bank-customers-sold-eBay-35.html
FYI - Every prisoner in UK victim of data breach - The personal information on thousands of criminals in England and Wales has been lost on a USB drive. Although the data had been encrypted in a database, it was not encrypted when moved to the mobile storage device.
http://www.scmagazineus.com/Every-prisoner-in-UK-victim-of-data-breach/article/115796/?DCMP=EMC-SCUS_Newswire
FYI - Hackers breach Best Western in data heist - Eight million account details stolen - Hackers have broken into the corporate databases for Best Western Hotels and may have stolen the names, addresses and credit card information of every customer who stayed with the international group since 2007.
http://www.vnunet.com/vnunet/news/2224615/hackers-breach-best-western
FYI - Red Hat admits breach of its servers, Fedora - Infrastructure servers compromised by hackers, company says - Red Hat confirmed Friday that hackers compromised infrastructure servers belonging to the company and the Fedora Project, including systems used to sign Fedora packages.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113299&source=rss_topic17
FYI - Bank of NY Mellon data breach now affects 12.5 mln - Bank of New York Mellon Corp said on Thursday that a security breach involving the loss of personal information is much larger than previously reported, affecting about 12.5 million people, up from 4.5 million.
http://www.reuters.com/article/rbssFinancialServicesAndRealEstateNews/idUSN2834717120080828?feedType=RSS&feedName=rbssFinancialServicesAndRealEstateNews&rpc=22&sp=true
WEB SITE COMPLIANCE - We begin this week reviewing the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 1 of 10)
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the financial institution regulatory agencies (Agencies) maintain sites on the World Wide Web. Many of these websites contain weblinks to other sites not under direct control of the financial institution. The use of weblinks can create certain risks to the financial institution. Management should be aware of these risks and take appropriate steps to address them. The purpose of this guidance is to discuss the most significant risks of weblinking and how financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party websites, the resulting association is called a "weblinking relationship." Financial institutions with weblinking relationships are exposed to several risks associated with the use of this technology. The most significant risks are reputation risk and compliance risk.
Generally, reputation risk arises when a linked third party adversely affects the financial institution's customer and, in turn, the financial institution, because the customer blames the financial institution for problems experienced. The customer may be under a misimpression that the institution is providing the product or service, or that the institution recommends or endorses the third-party provider. More specifically, reputation risk could arise in any of the following ways:
- customer confusion in distinguishing whether the financial institution or the linked third party is offering products and services;
- customer dissatisfaction with the quality of products or services obtained from a third party; and
- customer confusion as to whether certain regulatory protections apply to third-party products or services.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Protocols and Ports (Part 3 of 3)
Applications are built in conformance with these protocols to provide services from hosts to clients. Because clients must have a standard way of reaching a service, each service is assigned a standard host port. Ports are logical, not physical, locations that are either assigned to or available for specific network services. Under TCP/IP, 65,536 ports (numbered 0 through 65,535) are available for each of TCP and UDP, and the first 1,024 (0 through 1,023) are the "well-known" ports conventionally assigned to particular services. For instance, Web servers listen for requests on port 80, and Web servers using SSL/TLS (HTTPS) listen on port 443. The complete registry of port assignments is maintained by IANA and is available at www.iana.org.
Ports from 1024 upward are known as high ports and are user-assignable. Note, however, that a port assignment is a convention, not something the protocol enforces: users and administrators are free to bind any service to any port, and to run more than one service behind a single port. Additionally, the service listening on a port may only proxy a connection for a separate service. For example, a Trojan horse keystroke-monitoring program can use the Web browser to send captured keystrokes to port 80 of an attacker's machine. In that case, monitoring only the packet headers from the compromised machine would show nothing more than a Web request to port 80 of a certain IP address. Detecting such traffic requires looking beyond the port number: at the payload (is it actually HTTP, and what is being posted?), at the reputation of the destination, and at behavioral patterns such as connections at a fixed interval that send far more data than they receive.
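The point above, that a packet-header view shows only "a Web request to port 80", is easy to demonstrate. The following Python script is an added example written for this newsletter, not code from the FFIEC booklet or from Yennik, Inc.: it classifies a set of constructed outbound flows from one workstation first by destination port alone, then by checking whether the payload actually parses as an HTTP request, and finally by looking for the behavioral signature of a keystroke logger calling home (connections at a fixed interval that upload far more than they download). The flow records, the addresses (all from documentation ranges), and the detection thresholds are assumptions made for the illustration.

```python
"""Why port-based monitoring alone is not enough: header-only classification of
outbound connections versus payload and behaviour checks.

Added example for this newsletter; it is not code from the FFIEC Information
Security Booklet. All flow records below are constructed, and the addresses
come from documentation ranges (192.0.2.0/24, 198.51.100.0/24, 203.0.113.0/24).
"""
from collections import defaultdict
from statistics import mean, pstdev

# Subset of the IANA well-known port assignments a header-only monitor relies on.
WELL_KNOWN_PORTS = {22: "ssh", 25: "smtp", 53: "dns", 80: "http", 443: "https"}

HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}
HTTP_VERSIONS = {b"HTTP/1.0", b"HTTP/1.1"}

# Constructed outbound flows from one workstation (10.0.0.15), each a tuple of
# (timestamp_s, src, dst, dport, bytes_out, bytes_in, first_payload_bytes).
# Flows 3-7 model a keystroke logger posting to an attacker every 60 s on port 80.
# Flow 8 is a TLS ClientHello sent to port 80: a non-HTTP service hiding on the web port.
FLOWS = [
    (0,   "10.0.0.15", "198.51.100.20", 80, 512,  48000,  b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"),
    (7,   "10.0.0.15", "198.51.100.20", 80, 600,  120000, b"GET /news HTTP/1.1\r\nHost: www.example.com\r\n"),
    (60,  "10.0.0.15", "203.0.113.7",   80, 4096, 200,    b"POST /u HTTP/1.1\r\nHost: 203.0.113.7\r\n"),
    (120, "10.0.0.15", "203.0.113.7",   80, 4100, 200,    b"POST /u HTTP/1.1\r\nHost: 203.0.113.7\r\n"),
    (180, "10.0.0.15", "203.0.113.7",   80, 4050, 200,    b"POST /u HTTP/1.1\r\nHost: 203.0.113.7\r\n"),
    (240, "10.0.0.15", "203.0.113.7",   80, 4120, 200,    b"POST /u HTTP/1.1\r\nHost: 203.0.113.7\r\n"),
    (300, "10.0.0.15", "203.0.113.7",   80, 4080, 200,    b"POST /u HTTP/1.1\r\nHost: 203.0.113.7\r\n"),
    (33,  "10.0.0.15", "192.0.2.9",     80, 900,  300,    b"\x16\x03\x01\x00\xc5\x01\x00\x00\xc1\x03\x03"),
]


def classify_by_port(dport):
    """What a packet-header monitor 'sees': the service conventionally assigned to the port."""
    return WELL_KNOWN_PORTS.get(dport, "high-port/unassigned")


def looks_like_http(payload):
    """Check that the first line of the payload is a syntactically valid HTTP/1.x request line."""
    request_line = payload.split(b"\r\n", 1)[0]
    parts = request_line.split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    return method in HTTP_METHODS and target.startswith(b"/") and version in HTTP_VERSIONS


def port_protocol_mismatches(flows):
    """Destinations whose port says 'http' but whose payload does not parse as an HTTP request."""
    return [f[2] for f in flows if classify_by_port(f[3]) == "http" and not looks_like_http(f[6])]


def beacon_suspects(flows, min_conns=4, max_jitter=0.2, min_out_in_ratio=5.0):
    """Flag (src, dst, dport) groups that beacon at a regular interval and are upload-heavy.

    jitter = stdev/mean of the inter-connection intervals (0.0 means perfectly periodic);
    out/in ratio = bytes sent divided by bytes received, high for exfiltration and
    low for ordinary browsing where the client mostly downloads. The thresholds are
    illustrative assumptions, not values from the booklet.
    """
    groups = defaultdict(list)
    for f in flows:
        groups[(f[1], f[2], f[3])].append(f)
    suspects = []
    for key, conns in groups.items():
        if len(conns) < min_conns:
            continue
        times = sorted(c[0] for c in conns)
        intervals = [b - a for a, b in zip(times, times[1:])]
        jitter = pstdev(intervals) / mean(intervals) if mean(intervals) > 0 else float("inf")
        ratio = sum(c[4] for c in conns) / max(1, sum(c[5] for c in conns))
        if jitter <= max_jitter and ratio >= min_out_in_ratio:
            suspects.append((key, {"connections": len(conns),
                                   "jitter": round(jitter, 3),
                                   "out_in_ratio": round(ratio, 1)}))
    return suspects


if __name__ == "__main__":
    print("Header-only view:", sorted({classify_by_port(f[3]) for f in FLOWS}))  # ['http']
    print("Port/protocol mismatches:", port_protocol_mismatches(FLOWS))         # ['192.0.2.9']
    for key, why in beacon_suspects(FLOWS):
        print("Beacon suspect:", key, why)  # 203.0.113.7 on port 80, jitter 0.0, ratio 20.4
```

Run it and the header-only view labels all eight connections "http", while the payload check catches the TLS handshake on port 80 and the beacon check singles out the periodic uploads to 203.0.113.7. In practice the same logic runs over proxy or NetFlow logs, and the thresholds have to be tuned against the institution's own traffic baseline.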
IT SECURITY QUESTION:
C. HOST SECURITY
2. Determine if the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions
48. If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in §4(a)(2), opt out in §§7 and 10, revised notice in §8, and for service providers and joint marketing in §13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:
a. servicing or processing a financial product or service requested or authorized by the consumer; [§14(a)(1)]
b. maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [§14(a)(2)]
c. a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [§14(a)(3)]