R. Kinney Williams
Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
September 14, 2008
Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
New Orleans IT departments brace for Gustav - These four
organizations survived Katrina and explain how they are more
prepared this time - As tropical storm Gustav approaches hurricane
strength and heads toward the Gulf Coast, the IT lessons learned
from the devastating Hurricanes Katrina and Rita that smashed New
Orleans and other areas in 2005 are on the minds of many worried IT
managers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=Disaster+Recovery&articleId=9113880&taxonomyId=151&pageNumber=1
FYI -
Internet Traffic Begins to Bypass the U.S. - The era of the American
Internet is ending. Invented by American computer scientists during
the 1970s, the Internet has been embraced around the globe. During
the network's first three decades, most Internet traffic flowed
through the United States. In many cases, data sent between two
locations within a given country also passed through the United
States.
http://www.nytimes.com/2008/08/30/business/30pipes.html?_r=3&oref=slogin&adxnnlx=1220288467-RTpZWRCL6wK%2001BeAvKejw&pagewanted=print&oref=slogin
FYI -
Cloned US ATM cards: Can they fool Brit self-service checkouts? -
Cybercrooks are targeting self-service checkout systems in UK
supermarkets to cash out compromised US credit and debit card
accounts.
http://www.theregister.co.uk/2008/08/29/cloned_us_atm_cards_in_uk/print.html
FYI -
IT workers hit hardest by offshore outsourcing, survey finds - Jobs
most at risk for offshore outsourcing are computer programming,
development - As many as 8% of IT workers have been displaced by
offshore outsourcing, either through job loss or an involuntary
transfer to a new job by their employer, which is twice the rate of
workers in other occupations, according to a study based on data
collected from some 10,000 people, which may be the largest survey
of its kind.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9113755&intsrc=hm_list
FYI -
Public, private sectors at odds over cyber security - The government
has largely argued that the private sector is better suited to
tackle the problem. But big corporations say it's too big for them
to handle.
http://www.latimes.com/business/la-fi-security26-2008aug26,0,2021258.story
FYI -
FAA Computer Glitch Causes National Flight Delays - The problems
began when an Atlanta facility that processes flight plan
information went down due to a software malfunction, FAA officials
said. An unknown software glitch caused hundreds of flight delays
across the United States.
http://www.informationweek.com/shared/printableArticle.jhtml?articleID=210200907
FYI -
Be safer than NASA: Disable autorun - NASA confirmed this week that
a computer on the International Space Station is infected with a
virus. The malicious software is called W32.Gammima.AG, and
technically it's a worm. The interesting point, other than how NASA
could let this happen, is the way the worm spreads: on USB flash
drives.
http://news.cnet.com/8301-13554_3-10027754-33.html?tag=rsspr.6246142&part=rss&subj=news
FYI -
Data Breaches Have Surpassed Level for All of '07, Report Finds -
More data breaches have been reported so far this year than in all
of 2007, according to a report released yesterday by a nonprofit
group that works to prevent fraud.
http://www.washingtonpost.com/wp-dyn/content/article/2008/08/25/AR2008082502496.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Bank of NY Mellon data breach now affects 12.5 mln - Bank of New
York Mellon Corp said on Thursday that a security breach involving
the loss of personal information is much larger than previously
reported, affecting about 12.5 million people, up from 4.5 million.
http://www.reuters.com/article/domesticNews/idUSN2834717120080828?sp=true
FYI -
Government probe launched after details of one million bank
customers found on computer sold on eBay - The eBay computer scandal
which saw the loss of personal data on a million bank customers is
to be investigated by the Information Commissioner.
http://www.dailymail.co.uk/news/article-1049121/Government-probe-launched-details-million-bank-customers-sold-eBay.html
FYI -
Best Western details hack of German hotel - The Best Western hotel
chain has given details of a hack involving one of its hotels, but
downplayed reports that 8 million customers have been affected.
http://news.cnet.com/8301-1009_3-10028291-83.html?part=rss&subj=news&tag=2547-1009_3-0-20
FYI -
Suspected merchant data breach spurs WashTrust to notify 1,000
card-holders - The Washington Trust Co. has notified about 1,000
customers that their debit and credit card accounts might have been
compromised in a suspected security breach at an unidentified
national MasterCard merchant.
http://www.pbn.com/stories/34753.html
WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
(Part 2 of 10)
A. RISK DISCUSSION
Introduction
Compliance risk arises when the linked third party acts in a manner
that does not conform to regulatory requirements. For example,
compliance risk could arise from the inappropriate release or use of
shared customer information by the linked third party. Compliance
risk also arises when the link to a third party creates or affects
compliance obligations of the financial institution.
Financial institutions with weblinking relationships are also
exposed to other risks associated with the use of technology, as
well as certain risks specific to the products and services provided
by the linked third parties. The amount of risk exposure depends on
several factors, including the nature of the link.
Any link to a third-party website creates some risk exposure for an
institution. This guidance applies to links to affiliated, as well
as non-affiliated, third parties. A link to a third-party website
that provides a customer only with information usually does not
create a significant risk exposure if the information being provided
is relatively innocuous, for example, weather reports.
Alternatively, if the linked third party is providing information or
advice related to financial planning, investments, or other more
substantial topics, the risks may be greater. Links to websites that
enable the customer to interact with the third party, either by
eliciting confidential information from the user or allowing the
user to purchase a product or service, may expose the insured
financial institution to more risk than those that do not have such
features.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
TCP/IP Packets
TCP/IP is a packet-based communications system. A packet consists
of a header and a data payload. A header is analogous to a mail
envelope, containing the information necessary for delivery of the
envelope, and the return address. The data payload is the content of
the envelope. The IP packet header contains the address of the
sender (source address) and the intended recipient (destination
address) and other information useful in handling the packet. Under
IP, the addresses are unique numbers known as IP addresses. Each
machine on an IP network is identified by a unique IP address. The
vast majority of IP addresses are publicly routable. Some IP
addresses, however, are reserved for use in internal networks
(the RFC 1918 ranges): 10.0.0.0 - 10.255.255.255,
172.16.0.0 - 172.31.255.255, and 192.168.0.0 - 192.168.255.255.
Since those internal addresses are not routable from outside the
internal network, a gateway device is used to translate between the
institution's external (public) IP address and the internal
addresses. The device that translates external and internal IP
addresses is called a network address translation (NAT) device.
Other IP packet header fields include the protocol field, which
identifies the protocol carried in the payload (e.g., 1 = ICMP,
6 = TCP, 17 = UDP), flags that indicate whether routers are allowed
to fragment the packet, and other information.
If the IP packet indicates the protocol is TCP, a TCP header will
immediately follow the IP header. The TCP header contains the source
and destination ports, the sequence number, and other information.
The sequence number is used to put the received data back in order
and to detect segments that were lost in transit and must be
retransmitted.
Information in headers can be spoofed, or specially constructed to
contain misleading information. For instance, the source address can
be altered to reflect an IP address different from the true source
address, and the protocol field can indicate a different protocol
than the one actually carried. In the former case, an attacker can
hide the true attacking IP address and cause the financial
institution to believe the attack came from a different address and
take action against that erroneous address. In the latter case, the
attacker can craft a packet that satisfies a firewall rule keyed on
the protocol field while actually carrying an otherwise disallowed
protocol. A practical countermeasure for the first case is ingress
filtering (BCP 38 / RFC 2827): a packet arriving on the external
interface with an internal or otherwise impossible source address
should be dropped. For the second case, a firewall should validate
the carried header against the protocol the IP header claims rather
than trusting the protocol number alone.
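The following is an added example, not code from the newsletter or from the FFIEC booklet. It builds a few IPv4 packets in memory (constructed samples using RFC 5737 documentation addresses), decodes the IP header fields discussed above (source and destination, protocol number, DF/MF flags) plus the TCP or UDP header the protocol field claims, and then applies two gateway checks: an anti-spoofing ingress filter that drops RFC 1918 source addresses arriving from the outside, and a sanity check that a packet labelled UDP really carries a UDP header (a TCP header relabelled as UDP will normally fail the UDP length-field test). The field layouts are the standard IPv4/TCP/UDP headers; the TCP checksum is left zero because it needs a pseudo-header and is not used by these checks, and the "mislabelled" heuristic is one illustrative test, not a complete protocol validator.

```python
"""Added example: parse IPv4 + TCP/UDP headers and apply two gateway checks
(anti-spoofing ingress filter, protocol-field sanity). All packets are
constructed in-line; nothing touches the network."""
import ipaddress
import struct

PROTO_NAMES = {1: "ICMP", 6: "TCP", 17: "UDP"}           # IP protocol numbers
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
IP_FMT, TCP_FMT, UDP_FMT = "!BBHHHBBH4s4s", "!HHIIBBHHH", "!HHHH"


def ipv4_checksum(header: bytes) -> int:
    """Ones'-complement sum of 16-bit words; a header that verifies sums to 0."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes,
               dont_fragment: bool = True) -> bytes:
    """20-byte IPv4 header (no options) followed by payload."""
    flags_frag = 0x4000 if dont_fragment else 0            # DF bit set, offset 0
    fields = [0x45, 0, 20 + len(payload), 0x1234, flags_frag, 64, proto, 0,
              ipaddress.IPv4Address(src).packed, ipaddress.IPv4Address(dst).packed]
    fields[7] = ipv4_checksum(struct.pack(IP_FMT, *fields))  # fill checksum
    return struct.pack(IP_FMT, *fields) + payload


def build_tcp(sport: int, dport: int, seq: int, flags: int = 0x02) -> bytes:
    """20-byte TCP header, SYN by default; checksum left 0 (not used below)."""
    return struct.pack(TCP_FMT, sport, dport, seq, 0, 5 << 4, flags, 65535, 0, 0)


def build_udp(sport: int, dport: int, data: bytes) -> bytes:
    """8-byte UDP header whose length field covers header plus data."""
    return struct.pack(UDP_FMT, sport, dport, 8 + len(data), 0) + data


def parse_packet(raw: bytes) -> dict:
    """Decode the IP header plus whatever L4 header the protocol field claims."""
    (ver_ihl, _tos, total_len, _ident, flags_frag, ttl, proto, _chk,
     src, dst) = struct.unpack(IP_FMT, raw[:20])
    ihl = (ver_ihl & 0x0F) * 4
    l4 = raw[ihl:total_len]
    info = {"src": str(ipaddress.IPv4Address(src)),
            "dst": str(ipaddress.IPv4Address(dst)),
            "proto": proto, "proto_name": PROTO_NAMES.get(proto, "other"),
            "df": bool(flags_frag & 0x4000), "mf": bool(flags_frag & 0x2000),
            "ttl": ttl, "checksum_ok": ipv4_checksum(raw[:ihl]) == 0,
            "l4_len": len(l4)}
    if proto == 6 and len(l4) >= 20:
        sport, dport, seq, ack, _off, tflags, _w, _c, _u = struct.unpack(TCP_FMT, l4[:20])
        info.update(sport=sport, dport=dport, seq=seq, ack=ack, tcp_flags=tflags)
    elif proto == 17 and len(l4) >= 8:
        sport, dport, udp_len, _c = struct.unpack(UDP_FMT, l4[:8])
        info.update(sport=sport, dport=dport, udp_len=udp_len)
    return info


def is_rfc1918(addr: str) -> bool:
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)


def inspect(raw: bytes, arrived_on_external_interface: bool = True) -> list:
    """Return a list of findings; an empty list means the packet passed."""
    p = parse_packet(raw)
    findings = []
    if not p["checksum_ok"]:
        findings.append("bad IP header checksum")
    # Ingress filter: an internal (RFC 1918) source cannot legitimately arrive
    # from the Internet side, so it is spoofed or misrouted.
    if arrived_on_external_interface and is_rfc1918(p["src"]):
        findings.append("spoofed source: RFC 1918 address %s on external interface" % p["src"])
    # Protocol-field sanity: a genuine UDP header's length field equals the bytes
    # actually carried; a TCP header relabelled as UDP normally fails this test.
    if p["proto"] == 17 and p.get("udp_len") != p["l4_len"]:
        findings.append("protocol field says UDP but UDP length field %s != %d carried bytes"
                        % (p.get("udp_len"), p["l4_len"]))
    if p["proto"] not in PROTO_NAMES:
        findings.append("unexpected protocol number %d" % p["proto"])
    return findings


# Constructed sample packets (RFC 5737 documentation addresses).
LEGIT_TCP = build_ipv4("203.0.113.5", "198.51.100.10", 6, build_tcp(40000, 443, 0x1000))
LEGIT_UDP = build_ipv4("203.0.113.5", "198.51.100.10", 17, build_udp(40001, 53, b"\x00" * 12))
SPOOFED_SRC = build_ipv4("10.1.2.3", "198.51.100.10", 6, build_tcp(40002, 22, 0x2000))
MISLABELLED = build_ipv4("203.0.113.9", "198.51.100.10", 17, build_tcp(40003, 22, 0x12345678))

if __name__ == "__main__":
    for name, pkt in [("legit tcp", LEGIT_TCP), ("legit udp", LEGIT_UDP),
                      ("spoofed", SPOOFED_SRC), ("mislabelled", MISLABELLED)]:
        print(name, parse_packet(pkt)["proto_name"], inspect(pkt) or "ok")
```

Running the block prints one line per sample: the two legitimate packets pass, the packet with a 10.x source on the external interface is flagged as spoofed, and the TCP header labelled as protocol 17 is flagged because its "UDP length" field (really the top half of the TCP sequence number) does not match the 20 bytes carried. The same spoofed packet passes when `arrived_on_external_interface=False`, which is the point of the check: a private source is normal on the inside and impossible on the outside.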
IT SECURITY QUESTION:
C. HOST SECURITY
3. Determine if adequate processes exist to apply host security updates, such as patches and anti-virus signatures, and that such updating takes place.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions
49. If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it:
a. required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [§14(b)(1)] or
b. required, or is a usual, appropriate, or acceptable method to: [§14(b)(2)]
  1. carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [§14(b)(2)(i)]
  2. administer or service benefits or claims; [§14(b)(2)(ii)]
  3. confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [§14(b)(2)(iii)]
  4. accrue or recognize incentives or bonuses; [§14(b)(2)(iv)]
  5. underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [§14(b)(2)(v)] or
  6. in connection with:
    i. the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [§14(b)(2)(vi)(A)]
    ii. the transfer of receivables, accounts or interests therein; [§14(b)(2)(vi)(B)] or
    iii. the audit of debit, credit, or other payment information? [§14(b)(2)(vi)(C)]
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.