Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

September 30, 2007

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Justice says no to private PCs for telework - Because of security concerns, the Justice Department now forbids all employees from using their private PCs or digital assistants to access agency e-mail or other files, the department's top information security officer has said. http://www.fcw.com/article103746-09-13-07-Web&printLayout

FYI - Mobile Phones Help Secure Online Banking - Bank of America's optional SafePass service works with customers' mobile phones to improve security for online banking. Bank of America Corp. customers can now use their mobile phones to make online banking more secure. http://www.pcworld.com/printable/article/id,137057/printable.html

FYI - Expert do's and don'ts for dealing with data breaches - A data breach victim shares his advice for addressing leakage incidents, while another expert highlights the missteps taken by TJX in dealing with its information theft.
http://www.infoworld.com/archives/emailPrint.jsp?R=printThis&A=/article/07/09/11/dos-and-donts-for-dealing-with-data-breaches_1.html
http://www.networkworld.com/news/2007/091007-boston-college-data-breach-recover.html

FYI - Hard times on the HIPAA front - A trio of ugly situations means painful publicity for lazy or sloppy organizations - It's been a week of bad news for lazy or sloppy health care organizations. An employee fired after a security breach of protected health information filed a wrongful termination suit against his former employer, and it may have merit because of poor policies. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9035159&source=NLT_AM&nlid=1

FYI - Stolen Bank Data Fetches Big Bucks Online - Security vendor Symantec says the hacker underground pays best for stolen bank account details. Stolen bank account numbers are commanding the highest price in an underground trade of personal details stolen by hackers, according to a survey released Monday by security vendor Symantec Corp. http://www.pcworld.com/article/id,137244/article.html?tk=nl_dnxnws

FYI - Fears rise over online banking problems - Many of Northern Rock's customers accused the bank of restricting access to its website to slow down the billions of pounds being withdrawn from the bank. Northern Rock's system repeatedly crashed over the weekend. Once customers could get online many found it took repeated attempts to conduct their transactions. http://www.telegraph.co.uk/news/main.jhtml?xml=/news/2007/09/18/nrock918.xml

FYI - Names, contact info on 6M TD Ameritrade customers compromised - But financial information, Social Security numbers are safe - Brokerage firm TD Ameritrade Holding Corp. today disclosed that the names, addresses, phone numbers and "miscellaneous trading" information of potentially all of its more than 6 million retail and institutional customers have been compromised by an intrusion into one of its databases. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9036639&source=rss_topic17

FYI - GAO - Information Security: Sustained Management Commitment and Oversight Are Vital to Resolving Long-standing Weaknesses at the Department of Veterans Affairs.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-1019
Highlights - http://www.gao.gov/highlights/d071019high.pdf

MISSING COMPUTERS/DATA

FYI - Computers stolen from welfare office - Two computers containing the mental health histories of more than 300,000 medical-assistance recipients were stolen from a state Public Welfare Department office last month, a spokesman for Gov. Ed Rendell confirmed.
http://www.pennlive.com/midstate/patriotnews/article121468.ece#story
http://digital50.com/news/items/PR/2007/09/11/DC02749/

FYI - Gander Mountain Announces Possible Theft of Pennsylvania Store Computer; Customers of the PA Store Could Be Affected - Gander Mountain Company announced that computer equipment, containing certain customer transaction information relating to a single store in Pennsylvania, is missing and may have been stolen. http://money.cnn.com/news/newsfeeds/articles/prnewswire/AQM90510092007-1.htm

FYI - Conn. gov decries loss of banking data - A computer tape stolen in Ohio in June contained banking data on Connecticut state agencies, making the security breach more serious than previously thought, Gov. M. Jodi Rell said. http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-19622066.htm


WEB SITE COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."
  (Part 8 of 10)

B. RISK MANAGEMENT TECHNIQUES

Implementing Weblinking Relationships

The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.

Disclaimers and Disclosures

Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy policies do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.

In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.

A "pop-up" is a screen generated by mobile code, for example Java or ActiveX, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile code.

In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer.
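One way to build the speedbump the statement describes, as an added example (Python; this is not code from the FFIEC statement or from Yennik): the exit page is rendered entirely on the server as plain HTML, so it depends on no script or mobile code in the customer's browser. The example also adds a check the statement does not spell out: the link the exit page forwards to must be validated against an allow-list of contracted partner hosts (the host names, the /exit path and the disclosure wording are assumptions), because an exit page that forwards to any URL it is handed becomes an open redirect that lends the institution's own domain to a phishing link.

```python
from html import escape
from urllib.parse import urlencode, urlsplit

# Constructed allow-list of the hosts the institution has weblinking
# agreements with (an assumption for this example). Anything else is
# refused, so the exit page cannot be abused as an open redirect, e.g.
# https://bank.example/exit?to=https://evil.test/login
APPROVED_THIRD_PARTY_HOSTS = {
    "insurance.example.net",
    "brokerage.example.org",
}

# Disclosure text modelled on the statement above; rendered server-side.
DISCLOSURE = (
    "You are leaving the bank's website. The bank does not provide, and is not "
    "responsible for, the products, services, or content offered on the linked "
    "site. The bank's privacy policy does not apply to the linked site; consult "
    "that site's privacy disclosures."
)


def validate_exit_target(target: str) -> str:
    """Return target unchanged if it is an https link to an approved host; raise ValueError otherwise."""
    parts = urlsplit(target)
    if parts.scheme != "https":
        # also rejects javascript:, data:, plain http and scheme-relative //host links
        raise ValueError("only https links to third parties are permitted")
    if parts.username is not None or parts.password is not None:
        # https://insurance.example.net@evil.test/ would otherwise look like a partner link
        raise ValueError("credentials in the link are not permitted")
    host = (parts.hostname or "").lower()
    if host not in APPROVED_THIRD_PARTY_HOSTS:
        raise ValueError(f"{host!r} is not an approved weblinking partner")
    return target


def is_approved_exit(target: str) -> bool:
    """Boolean form of validate_exit_target, convenient for templates and tests."""
    try:
        validate_exit_target(target)
    except ValueError:
        return False
    return True


def speedbump_url(target: str) -> str:
    """Rewrite a partner link so the customer passes through the exit page first."""
    return "/exit?" + urlencode({"to": validate_exit_target(target)})


def render_speedbump(target: str) -> str:
    """The intermediate page itself: static HTML with no script, so it cannot be blocked like a pop-up."""
    href = escape(validate_exit_target(target), quote=True)
    return (
        "<!DOCTYPE html><html><head><title>Leaving the bank's website</title></head><body>"
        f"<h1>Leaving the bank's website</h1><p>{escape(DISCLOSURE)}</p>"
        f'<p><a href="{href}" rel="noopener noreferrer">Continue to {href}</a> '
        '| <a href="/">Return to the bank</a></p></body></html>'
    )


if __name__ == "__main__":
    print(speedbump_url("https://insurance.example.net/quote?x=1"))
    print(is_approved_exit("https://insurance.example.net.evil.test/"))  # a look-alike host is refused
    print(render_speedbump("https://brokerage.example.org/"))
```

Every outbound partner link on the institution's pages is written as the value of `speedbump_url()`, and the handler behind `/exit` answers with `render_speedbump()`. Because the allow-list is matched on the full host name, look-alike hosts such as insurance.example.net.evil.test are refused rather than forwarded with the bank's name on the page.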


INFORMATION TECHNOLOGY SECURITY
We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls 

A primary concern in controlling system access is the safeguarding of user IDs and passwords.  The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism. 

The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses, can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use the information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder. 
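The "software programs specifically designed to generate possible passwords" from personal information work by building candidate fragments (names, user ID, birth date in several orders, phone digits, street) from a person's details, with the usual symbol-for-letter substitutions. The same derivation can be run defensively when a customer sets a password, rejecting any password built from data an attacker could also gather. Below is an added example of that check (Python; not part of the FDIC paper), using a constructed customer record whose field names are assumptions:

```python
import re
from datetime import date

# Constructed sample customer record; the field names are assumptions made
# for this example, not a schema from the FDIC paper.
SAMPLE_PROFILE = {
    "first_name": "Mary",
    "last_name": "Smith",
    "user_id": "msmith",
    "birth_date": date(1965, 4, 12),
    "phone": "806-555-0142",
    "street": "Maple",
}

# Symbol/digit-for-letter substitutions a guessing program would try; applied
# to the password before matching so that "M@ry" still matches "mary".
_DELEET = str.maketrans({"@": "a", "$": "s", "!": "i", "0": "o", "1": "i",
                         "3": "e", "4": "a", "5": "s", "7": "t"})
_MIN_TOKEN = 4  # shorter fragments such as "65" would flag almost any password


def _alnum(s: str) -> str:
    """Lower-case and keep only letters and digits, so punctuation cannot hide a fragment."""
    return re.sub(r"[^a-z0-9]", "", s.lower())


def personal_tokens(profile: dict) -> set:
    """Fragments an attacker could build from the person's details."""
    first = _alnum(profile["first_name"])
    last = _alnum(profile["last_name"])
    uid = _alnum(profile["user_id"])
    bd = profile["birth_date"]
    digits = re.sub(r"\D", "", profile["phone"])
    tokens = {
        first, last, uid, first + last, last + first, first[:1] + last,
        f"{bd:%Y}", f"{bd:%m%d}", f"{bd:%d%m}", f"{bd:%m%d%Y}",
        f"{bd:%Y%m%d}", f"{bd:%d%m%Y}", f"{bd:%m%d%y}",
        digits, digits[-4:], digits[-7:],
        _alnum(profile["street"]),
    }
    return {t for t in tokens if len(t) >= _MIN_TOKEN}


def derived_fragments(password: str, profile: dict) -> list:
    """Personal-data fragments found in the password; an empty list means none were found."""
    plain = _alnum(password)
    deleeted = _alnum(password.lower().translate(_DELEET))
    return sorted(t for t in personal_tokens(profile) if t in plain or t in deleeted)


def is_derived_from_profile(password: str, profile: dict) -> bool:
    """True when the password should be rejected as derived from the customer's own details."""
    return bool(derived_fragments(password, profile))


if __name__ == "__main__":
    for pw in ("M@ry1965!", "Sm1th0412", "pass0142", "Tr0ub4dor&3"):
        print(pw, derived_fragments(pw, SAMPLE_PROFILE))
```

The profile handed to the check must come from the institution's own customer record, not from anything the user types at the same time, and the check complements rather than replaces a minimum-length rule and a comparison against known-breached password lists; it only closes the specific avenue the paragraph describes, a password that is a derivative of the person's own details.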


Security Flaws and Bugs / Active Content Languages 

Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications. 

Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.

Viruses / Malicious Programs 


Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.



IT SECURITY QUESTION:  Backup operations: (Part 2 of 2)

f. Are duplicate backup tapes kept on premises in a secure location with restricted access?
g. Have the backup tapes been recently tested to ensure that the backup procedures work?
h. Overall, will the backup procedures provide reasonable assurance that customer data can be reconstructed in a timely manner?


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, 14 and/or 15 but not outside of these exceptions (Part 2 of 2)

B. Presentation, Content, and Delivery of Privacy Notices 

1)  Review the financial institution's initial and annual privacy notices. Determine whether or not they:

a.  Are clear and conspicuous (§§3(b), 4(a), 5(a)(1)); 

b.  Accurately reflect the policies and practices used by the institution (§§4(a), 5(a)(1)). Note, this includes practices disclosed in the notices that exceed regulatory requirements; and

c.  Include, and adequately describe, all required items of information and contain examples as applicable (§§6, 13).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written consumer records where available, determine if the institution has adequate procedures in place to provide notices to consumers, as appropriate. Assess the following:

a.  Timeliness of delivery (§4(a));

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9); and

c.  For customers only, review the timeliness of delivery (§§4(d), 4(e), and 5(a)), means of delivery of the annual notice (§9(c)), and accessibility of or ability to retain the notice (§9(e)).


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated