R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

September 7, 2014

CONTENTS: Internet Compliance Web Site Audits - IT Security - Internet Privacy - Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit takes a hacker's perspective, which helps you identify real-world weaknesses.  For more information, call R. Kinney Williams today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER -
This newsletter is available for Android smartphones and tablets.  Go to the Market Store and search for yennik.

FYI - Retailers warned to act now to protect against Backoff malware- The Payment Card Industry Security Standards Council on Wednesday issued a bulletin urging retailers to immediately review their security controls to ensure point-of-sale systems are protected against "Backoff," a malware tool that was used in the massive data theft at retailer Target last year. http://www.computerworld.com/article/2599724/data-security/retailers-warned-to-act-now-to-protect-against-backoff-malware.html

FYI - UK Prisons Issued Encrypted Drives to Stop Exposing Data but That Didn’t Work - Accidentally leaked credentials; Insider attack; Misplaced data - The Ministry of Justice was fined about $300,000 for losing a device with prison records, after not realizing one must turn on disk encryption for it to function. http://www.nextgov.com/cybersecurity/threatwatch/2014/08/breach/1439/

FYI - Professor says Google search, not hacking, yielded medical info - Though unnamed in a breach notification and follow-up reports, a professor of ethical hacking at City College San Francisco (CCSF), Sam Bowne, has come forward on the internet to clarify that he did not demonstrate hacking a medical center's server in a class, but rather came across sensitive information during a Google search. http://www.scmagazine.com/professor-says-google-search-not-hacking-yielded-medical-info/article/368909/

FYI - Firm explores attack methods allowing possible Home Depot breach - Hackers could have exploited a vulnerability in Home Depot's payment interface to steal customer payment information, a Bitdefender researcher said, though it's more likely they broke into the company's storage facilities to steal credentials linked with a potential breach. http://www.scmagazine.com/firm-explores-attack-methods-allowing-possible-home-depot-breach/article/369573/

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - JPMorgan hackers altered, deleted bank records, says report - Investigation into attack on JPMorgan Chase may have expanded to seven of the world's top banks, amid a report that hackers altered records.  http://www.cnet.com/news/jpmorgan-hackers-altered-deleted-bank-records-says-report/

FYI - DQ Breach? HQ Says No, But Would it Know? - Sources in the financial industry say they’re seeing signs that Dairy Queen may be the latest retail chain to be victimized by cybercrooks bent on stealing credit and debit card data. http://krebsonsecurity.com/2014/08/dq-breach-hq-says-no-but-would-it-know/

FYI - Data Heist at 50 Oil Companies in Norway - The breach was the largest in the country’s history and might have affected an additional 250 oil and energy firms. http://www.nextgov.com/cybersecurity/threatwatch/2014/08/breach/1448/

FYI - Home Depot investigates possible payment card breach - Home Depot is the latest retailer to begin investigating a possible data breach. http://www.scmagazine.com/home-depot-investigates-possible-payment-card-breach/article/369366/

FYI - FBI, Apple investigate celebrity photo hacking incident - A hacking incident, which reportedly impacted over 100 celebrities whose personal photos, including nude images, were posted online, is now being investigated by the FBI and Apple. http://www.scmagazine.com/fbi-apple-investigate-celebrity-photo-hacking-incident/article/369340/

FYI - Payment card processing systems compromised at five Bartell Hotels locations - Bartell Hotels issued a notification that the payment card processing systems used at five of its San Diego locations were compromised and personal information – including credit card numbers – may be at risk. http://www.scmagazine.com/payment-card-processing-systems-compromised-at-five-bartell-hotels-locations/article/369601/

FYI - Goodwill announces breach, more than 800K payment cards compromised - In a letter to customers dated Tuesday, Jim Gibbons, president and CEO of Goodwill Industries International (GII), announced that payment card data was accessed following a malware attack on a third-party vendor used in about 10 percent of stores. http://www.scmagazine.com/goodwill-announces-breach-more-than-800k-payment-cards-compromised/article/369837/

FYI - More than 10K electronic medical records compromised at Houston health system - A health system employee accessed electronic medical records from Memorial Hermann Health System in Houston. The records were accessed for more than six years. http://www.scmagazine.com/more-than-10k-electronic-medical-records-compromised-at-houston-health-system/article/369842/


WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Bank Supervision.
 
 
Board and Management Oversight - Principle 3: The Board of Directors and senior management should establish a comprehensive and ongoing due diligence and oversight process for managing the bank's outsourcing relationships and other third-party dependencies supporting e-banking.
 
 Increased reliance upon partners and third party service providers to perform critical e-banking functions lessens bank management's direct control. Accordingly, a comprehensive process for managing the risks associated with outsourcing and other third-party dependencies is necessary. This process should encompass the third-party activities of partners and service providers, including the sub-contracting of outsourced activities that may have a material impact on the bank.
 
 Historically, outsourcing was often limited to a single service provider for a given functionality. However, in recent years, banks' outsourcing relationships have increased in scale and complexity as a direct result of advances in information technology and the emergence of e-banking. Adding to the complexity is the fact that outsourced e-banking services can be sub-contracted to additional service providers and/or conducted in a foreign country. Further, as e-banking applications and services have become more technologically advanced and have grown in strategic importance, certain e-banking functional areas are dependent upon a small number of specialized third-party vendors and service providers. These developments may lead to increased risk concentrations that warrant attention both from an individual bank as well as a systemic industry standpoint.
 
 Together, these factors underscore the need for a comprehensive and ongoing evaluation of outsourcing relationships and other external dependencies, including the associated implications for the bank's risk profile and risk management oversight abilities. Board and senior management oversight of outsourcing relationships and third-party dependencies should specifically focus on ensuring that:
 
 1) The bank fully understands the risks associated with entering into an outsourcing or partnership arrangement for its e-banking systems or applications.
 
 2) An appropriate due diligence review of the competency and financial viability of any third-party service provider or partner is conducted prior to entering into any contract for e-banking services.
 
 3) The contractual accountability of all parties to the outsourcing or partnership relationship is clearly defined. For instance, responsibilities for providing information to and receiving information from the service provider should be clearly defined.
 
 4) All outsourced e-banking systems and operations are subject to risk management, security and privacy policies that meet the bank's own standards.
 
 5)  Periodic independent internal and/or external audits are conducted of outsourced operations to at least the same scope required if such operations were conducted in-house.
 
 This is the last of three principles regarding Board and Management Oversight.  Next week we will begin the series on the principles of security controls, which include Authentication, Non-repudiation, Data and transaction integrity, Segregation of duties, Authorization controls, Maintenance of audit trails, and Confidentiality of key bank information.


INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
 
 
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION
 
 Source Code Review and Testing
 
 Application and operating system source code can have numerous vulnerabilities due to programming errors or misconfiguration. Where possible, financial institutions should use software that has been subjected to independent security reviews of the source code especially for Internet facing systems. Software can contain erroneous or intentional code that introduces covert channels, backdoors, and other security risks into systems and applications. These hidden access points can often provide unauthorized access to systems or data that circumvents built-in access controls and logging. The source code reviews should be repeated after the creation of potentially significant changes.
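 The following is an added illustration, not text or code from the FFIEC booklet or from this newsletter.  It shows the kind of defect a source code review is meant to catch: an authentication routine with a hard-coded maintenance backdoor that bypasses both the credential check and the audit log, next to the hardened version a reviewer would expect, plus a small AST-based check that flags string literals compared against credential-like variable names so a reviewer knows where to look in a large code base.  The user table, the backdoor value, the function names and the snippet scanned at the end are all constructed for this example.

```python
"""Added example, not text from the FFIEC booklet or from this newsletter.

A review target of the kind the paragraph above describes: an authentication
routine with a hard-coded maintenance backdoor that bypasses both the
credential check and the audit log, the hardened version a reviewer would
expect instead, and a small AST-based check that flags string literals
compared against credential-like names so a reviewer knows where to look.
The user table, the backdoor value and the snippet scanned at the end are
constructed for illustration.
"""
import ast
import hashlib
import hmac


def _hash(password: str, salt: str) -> str:
    """Salted SHA-256, standing in for a real password hash (e.g. bcrypt)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user table: username -> (salt, expected hash).
USERS = {"alice": ("salt-a", _hash("correct horse", "salt-a"))}


def authenticate_backdoored(username: str, password: str, audit: list) -> bool:
    """'Before' version with an intentional hidden access point.

    The early return on the magic value skips the hash comparison AND the
    audit entry, so a login through it never appears in the logs.
    """
    if password == "m41nt-2014":  # backdoor: undocumented and unlogged
        return True
    salt, expected = USERS.get(username, ("", ""))
    ok = bool(expected) and hmac.compare_digest(_hash(password, salt), expected)
    audit.append(f"login user={username} result={'ok' if ok else 'fail'}")
    return ok


def authenticate_hardened(username: str, password: str, audit: list) -> bool:
    """Reviewed version: a single code path, and every attempt is logged."""
    salt, expected = USERS.get(username, ("", ""))
    ok = bool(expected) and hmac.compare_digest(_hash(password, salt), expected)
    audit.append(f"login user={username} result={'ok' if ok else 'fail'}")
    return ok


# Variable names that make a comparison against a string literal suspicious.
CREDENTIAL_NAMES = ("password", "passwd", "secret", "token", "api_key", "apikey")


def find_hardcoded_credential_checks(source: str) -> list:
    """Return (line, literal) for each `name == "literal"` where name looks
    credential-like. A reviewer still judges each hit; this only narrows
    the search in a large code base."""
    hits = []
    for node in ast.walk(ast.parse(source)):
        if not isinstance(node, ast.Compare):
            continue
        if not all(isinstance(op, (ast.Eq, ast.NotEq)) for op in node.ops):
            continue
        operands = [node.left, *node.comparators]
        names = [n.id.lower() for n in operands if isinstance(n, ast.Name)]
        literals = [c.value for c in operands
                    if isinstance(c, ast.Constant) and isinstance(c.value, str)]
        if literals and any(k in n for n in names for k in CREDENTIAL_NAMES):
            hits.append((node.lineno, literals[0]))
    return hits


# Constructed snippet standing in for a file under review.
SUSPECT_SNIPPET = '''
def check_login(user, passwd, db):
    if user == "svc_maint" and passwd == "m41nt-2014":
        return True
    return db.verify(user, passwd)
'''


if __name__ == "__main__":
    trail = []
    print("backdoor login accepted:", authenticate_backdoored("nobody", "m41nt-2014", trail))
    print("audit entries written:", trail)  # empty: the access left no trace
    trail = []
    print("same attempt, hardened:", authenticate_hardened("nobody", "m41nt-2014", trail))
    print("audit entries written:", trail)
    print("review hits:", find_hardcoded_credential_checks(SUSPECT_SNIPPET))
```

 The scanner is deliberately narrow: it reports only equality tests between a string literal and a variable whose name suggests a credential, which is the simplest form of a hard-coded access point.  A review also has to look for the same thing behind encoded values, environment lookups and remote "feature flags", and, as the booklet says, be repeated after any significant change to the code.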



INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.
 
 Examination Objectives 
 
 
1. To assess the quality of a financial institution's compliance management policies and procedures for implementing the privacy regulation, specifically ensuring consistency between what the financial institution tells consumers in its notices about its policies and practices and what it actually does.
 
 2. To determine the reliance that can be placed on a financial institution's internal controls and procedures for monitoring the institution's compliance with the privacy regulation.
 
 3. To determine a financial institution's compliance with the privacy regulation, specifically in meeting the following requirements:
 
 a)  Providing to customers notices of its privacy policies and practices that are timely, accurate, clear and conspicuous, and delivered so that each customer can reasonably be expected to receive actual notice; 
 b)  Disclosing nonpublic personal information to nonaffiliated third parties, other than under an exception, after first meeting the applicable requirements for giving consumers notice and the right to opt out; 
 c)  Appropriately honoring consumer opt out directions; 
 d)  Lawfully using or disclosing nonpublic personal information received from a nonaffiliated financial institution; and
 e)  Disclosing account numbers only according to the limits in the regulations.
 
 4. To initiate effective corrective actions when violations of law are identified, or when policies or internal controls are deficient.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated