FYI - Document Dump: 40
Boxes of Ameriquest Mortgage Records Found in Dumpster - Police are
investigating how the personal files of 1,200 Ameriquest Mortgage
customers turned up in a dumpster at an Atlanta apartment complex.
http://blogs.abcnews.com/theblotter/2007/10/document-dump-4.html
FYI - Couple swarmed by
SWAT team after 911 'hack' - Teenager 'pranks' family two states
away, with near-disastrous results - A Washington state teenager is
facing 18 years in prison on charges that he used his PC to access
the Orange County, Calif., 911 emergency response system and
convinced the sheriff's department into storming an area couple's
home with a heavily armed SWAT team.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043098&intsrc=hm_list
FYI - 90 percent of
websites vulnerable to attack - Nine out of 10 websites have
vulnerabilities open to attack, according to a new report by
WhiteHat Security. Cross-site scripting (XSS) is the No. 1 class of
vulnerability, impacting three-quarters of websites, according to
the company's third WhiteHat Website Security Statistics Report.
http://www.scmagazineus.com/WhiteHat-90-percent-of-websites-vulnerable-to-attack/article/58066/
FYI - Phishers (almost)
scam grocery giant out of $10 million - Social engineers come close
to reeling in a big one - Apparently it's not just unwary
individuals that fall victim to online scammers. Even large
corporations, it seems, can get suckered into parting with their
money by devious phishers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9043618
FYI - Audit criticizes
state agency for lax computer security - Several former employees of
the state Department of Revenue Services and other agencies still
had access to state computer networks after being fired or
voluntarily leaving their jobs, according to a new state audit.
http://www.newsday.com/news/local/wire/connecticut/ny-bc-ct--computertheft-aud1020oct20,0,5265980.story
http://www.newstimes.com/ci_7233577
FYI - Banks still
struggling with IT security - Strategy in short supply as banks
continue to rely on perimeter - Most banks rely too much on IT for
security and are overly confident in how effective security measures
can be, according to a survey of IT directors of top tier banks from
UK, France, Germany, Italy, Spain, Belgium, Netherlands and
Luxembourg.
http://www.computerworlduk.com/management/security/cybercrime/news/index.cfm?newsid=5780&print
FYI - Colorado Rockies
blame cyberattack for online ticket-sales outage - The Colorado
Rockies blamed a cyberattack for knocking their World Series online
ticket-sales operation out of the batter's box.
http://www.scmagazineus.com/Colorado-Rockies-blame-cyberattack-for-online-ticket-sales-outage/article/58167/
FYI - GAO - VA and DOD
Continue to Expand Sharing of Medical Information, but Still Lack
Comprehensive Electronic Medical Records.
Report -
http://www.gao.gov/cgi-bin/getrpt?GAO-08-207T
Highlights -
http://www.gao.gov/highlights/d08207thigh.pdf
MISSING COMPUTERS/DATA
FYI - Theft of Home
Depot laptop Puts 10,000 at Risk - Home Depot confirmed a company
laptop was stolen that contains personal information about
approximately 10,000 employees of the do-it-yourself retailing
giant.
http://www.pcworld.com/businesscenter/article/138621/theft_of_home_depot_laptop_puts_10000_at_risk.html
FYI - Fasthosts
customer? Change your password now - Fasthosts, "the UK's number 1
web host", has fired off emergency emails telling customers to
change all their passwords after police were called in to
investigate a major data breach.
http://www.theregister.co.uk/2007/10/18/fasthost_police_hack_investigation/print.html
FYI - Official gave
private details to media in new leak shock - A SENIOR civil servant
has resigned after she was found to have improperly accessed and
passed on personal records of up to 40 individuals.
http://www.independent.ie/national-news/official-gave-private-details-to-media-in-new-leak-shock-1197811.html
FYI - Office of
financial aid loses back up info - Iron Mountain Incorporated has
notified the Louisiana Office of Student Financial Assistance (LOSFA)
that it lost back-up media belonging to LOSFA on September 19, 2007.
http://www.katc.com/Global/story.asp?S=7217462
WEB SITE COMPLIANCE -
This week begins our series on the FDIC's Supervisory Policy on
Identity Theft. (Part 3 of 6)
FDIC Response to Identity Theft
The FDIC's supervisory programs include many steps to address
identity theft. The FDIC acts directly, often in conjunction with
other Federal regulators, by promulgating standards that financial
institutions are expected to meet to protect customers' sensitive
information and accounts. The FDIC enforces these standards against
the institutions under its supervision and encourages all financial
institutions to educate their customers about steps they can take to
reduce the chances of becoming an identity theft victim. The FDIC
also sponsors and conducts a variety of consumer education efforts
to make consumers more aware of the ways they can protect themselves
from identity thieves.
INFORMATION TECHNOLOGY SECURITY - We continue the series from the
FDIC "Security Risks Associated with the Internet."
SECURITY MEASURES
Certificate Authorities and Digital Certificates
Certificate authorities and digital certificates are emerging to
further address the issues of authentication, non-repudiation,
data privacy, and cryptographic key management.
A certificate authority (CA) is a trusted third party that
verifies the identity of a party to a transaction. To do this, the
CA vouches for the identity of a party by attaching the CA's digital
signature to any messages, public keys, etc., which are transmitted.
Obviously, the CA must be trusted by the parties involved,
and identities must have been proven to the CA beforehand.
Digital certificates are messages that are signed with the
CA's private key. They identify the CA, the represented party, and could even
include the represented party's public key.
The responsibilities of CAs and their position among emerging
technologies continue to develop.
They are likely to play an important role in key management
by issuing, retaining, or distributing public/private key pairs.
Implementation
The implementation and use of encryption technologies, digital
signatures, certificate authorities, and digital certificates can
vary. The technologies and methods can be used individually, or in
combination with one another. Some techniques may merely encrypt
data in transit from one location to another. While this keeps the
data confidential during transmission, it offers little in regard to
authentication and non-repudiation. Other techniques may utilize
digital signatures, but still require the encrypted submission of
sensitive information, like credit card numbers. Although protected
during transmission, additional measures would need to be taken to
ensure the sensitive information remains protected once received and
stored.
The protection afforded by the above security measures will be
governed by the capabilities of the technologies, the
appropriateness of the technologies for the intended use, and the
administration of the technologies utilized. Care should be taken to
ensure the techniques utilized are sufficient to meet the required
needs of the institution. All of the technical and implementation
differences should be explored when determining the most appropriate
package.
IT SECURITY QUESTION:
IT Steering Committee responsibilities:
a. Purchase of new computer equipment and software?
b. Reviewing IT examinations reports?
c. Reviewing internal and external IT auditing reports?
d. Hiring IT management personnel?
e. Recommendations to the Board for IT policy changes?
f. Reviewing IT security issues?
g. Reports to the Board of Directors?
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Initial Privacy Notice
1) Does the institution provide a clear and conspicuous
notice that accurately reflects its privacy policies and practices
to all customers not later than when the customer relationship is
established, other than as allowed in paragraph (e) of section four
(4) of the regulation? [§4(a)(1)]
(Note: no notice is required if nonpublic personal information is
disclosed to nonaffiliated third parties only under an exception in
Sections 14 and 15, and there is no customer relationship. [§4(b)]
With respect to credit relationships, an institution establishes a
customer relationship when it originates a consumer loan. If the
institution subsequently sells the servicing rights to the loan to
another financial institution, the customer relationship transfers
with the servicing rights. [§4(c)])