REMINDER - This newsletter is available for Android smart phones and tablets. Go to the Market Store and search for yennik.
FYI - The Federal Financial Institutions Examination Council today issued a revised Supervision of Technology Service Providers booklet, which is part of the FFIEC Information Technology Examination Handbook.
www.ffiec.gov/press/pr103112.htm
FYI - Innocent Megaupload user asks court to release secret raid documents - EFF argues he needs the documents to vindicate his Fourth Amendment rights. The Ohio videographer who was chosen by the Electronic Frontier Foundation as a representative of innocent Megaupload users has asked a Virginia federal judge to unseal search warrants and other documents related to the January raid on Megaupload's Virginia servers.
http://arstechnica.com/tech-policy/2012/10/innocent-megaupload-user-asks-court-to-release-secret-raid-documents/
FYI - Largest U.S. energy marketing agency used outdated security patches - The government's largest renewable power transmission agency used a default password to protect its electricity scheduling database and regularly failed to update security software, an Energy Department inspector general found.
http://www.nextgov.com/cybersecurity/2012/10/largest-us-energy-marketing-agency-used-outdated-security-patches/59058/
FYI - TSA fails again with adjustable boarding passes - Lets passengers pick their own security rating - The reputation of possibly America's least-favorite fondlers, the Transportation Security Administration (TSA), has taken yet another hit with the discovery that its shoddy security allows passengers in its PreCheck system to pick their own security status.
http://www.theregister.co.uk/2012/10/26/tsa_barcode_boarding_pass/
FYI - FBI rolls out round-the-clock cyber crime team - The FBI has introduced a team of specialists, which will be on call 24/7, to investigate cyber threats affecting businesses, critical industries and domestic security -- and possibly determine who's behind them.
http://www.scmagazine.com/fbi-rolls-out-round-the-clock-cyber-crime-team/article/265894/?DCMP=EMC-SCUS_Newswire
FYI - Hurricane Sandy could cause big mess in cyber space too - With Hurricane Sandy on a collision course with the Northeast, cyber crooks are likely to take advantage of the historic storm to make a quick buck or steal personal information from the unsuspecting.
http://www.scmagazine.com/hurricane-sandy-could-cause-big-mess-in-cyber-space-too/article/265773/?DCMP=EMC-SCUS_Newswire
FYI - Feds charge 14 with making ATM cashouts appear like one - Fourteen people have been charged with stealing more than $1 million from Citibank ATMs in several Southern California and Nevada casinos.
http://www.scmagazine.com/feds-charge-14-with-making-atm-cashouts-appear-like-one/article/266066/?DCMP=EMC-SCUS_Newswire
FYI - Hurricane Sandy tests business continuity, disaster recovery - In the aftermath of Hurricane Sandy, which disrupted power, internet, phone and numerous other technical services for millions along the East Coast, organizations are in an ideal mode to check the efficiency or shortcomings of their "in-case-of-disaster" plans.
http://www.scmagazine.com/hurricane-sandy-tests-business-continuity-disaster-recovery/article/266289/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI - Judge dismisses brunt of Sony breach lawsuit - A U.S. District Court judge in California has absolved Sony of several charges levied against the electronics giant in a class-action suit that followed the 2011 breach of its PlayStation Network (PSN) and on-demand entertainment service Qriocity.
http://www.scmagazine.com/judge-dismisses-brunt-of-sony-breach-lawsuit/article/265026/
FYI - Barnes & Noble halts use of PIN pad devices after data breach - Payment terminals at 63 stores in eight states compromised; unknown number of customers affected - Barnes & Noble has removed PIN pad devices from all of its nearly 700 stores nationwide as a precaution after detecting evidence of tampering with the devices at 63 of its stores in eight states.
http://www.computerworld.com/s/article/9232837/Barnes_Noble_halts_use_of_PIN_pad_devices_after_data_breach?taxonomyId=82
FYI - Monster breach hits South Carolina taxpayers - The state of South Carolina is engaged in an "unprecedented response" following a massive breach in which hackers stole 3.6 million Social Security numbers and 387,000 credit and debit card numbers, officials said Friday.
http://www.scmagazine.com/monster-breach-hits-south-carolina-taxpayers/article/265639/?DCMP=EMC-SCUS_Newswire
FYI - Vermont credit union discards unencrypted data of 85,000 - Two unencrypted backup tapes from Vermont's largest credit union, the Montpelier-based Vermont State Employees Credit Union, are believed to have been accidentally thrown away.
http://www.scmagazine.com/vermont-credit-union-discards-unencrypted-data-of-85000/article/265522/?DCMP=EMC-SCUS_Newswire
FYI - South Carolina breach exposes 3.6M SSNs - Another 387,000 credit and debit cards also exposed in Department of Revenue intrusion, but most were encrypted - In the biggest data compromise of the year, Social Security Numbers (SSN) belonging to about 3.6 million residents in South Carolina have been exposed in an intrusion into a computer at the state's Department of Revenue.
http://www.computerworld.com/s/article/9232965/South_Carolina_breach_exposes_3.6M_SSNs?taxonomyId=17
FYI - Hackers crack Texan bank, Experian credit records come flooding out - Names, numbers, finances, EVERYTHING... and they weren't even customers - Hackers managed to get login credentials for Experian's credit scoring reports after they broke into the systems of Abilene Telco Federal Credit Union last year, it has emerged.
http://www.theregister.co.uk/2012/10/29/credit_report_data_breach_worries/
FYI - Surrey shuts down electronic sign after hackers have their say - Pranksters have been amusing and confusing Surrey drivers by hacking into and changing the wording on electronic messaging boards.
http://www.theprovince.com/news/Surrey+shuts+down+electronic+sign+after+hackers+have+their/7465999/story.html
FYI - Israel police disconnect from Internet after cyber attack - The police service of Israel goes offline after discovering malware infection apparently designed to harvest information - Israeli police disconnected their IT systems from the Internet last week, after an apparent cyber attack designed to steal information, the Times of Israel has reported.
http://www.information-age.com/channels/security-and-continuity/news/2130078/israel-police-disconnect-from-internet-after-cyber-attack.thtml
WEB SITE COMPLIANCE - We continue the series on the FDIC Supervisory Insights article regarding Incident Response Programs. (5 of 12)
Notification Procedures
An institution should notify its primary Federal regulator as soon as it becomes aware of the unauthorized access to or misuse of sensitive customer information or customer information systems. Notifying the regulatory agency will help it determine the potential for broader ramifications of the incident, especially if the incident involves a service provider, as well as assess the effectiveness of the institution's incident response program (IRP).
Institutions should develop procedures for notifying law enforcement agencies and filing Suspicious Activity Reports (SARs) in accordance with their primary Federal regulator's requirements. Law enforcement agencies may serve as an additional resource in handling and documenting the incident. Institutions should also establish procedures for filing SARs in a timely manner because regulations impose relatively quick filing deadlines. The SAR form itself may serve as a resource in the reporting process, as it contains specific instructions and thresholds for when to file a report. The SAR form instructions also clarify what constitutes a "computer intrusion" for filing purposes. Defining procedures for notifying law enforcement agencies and filing SARs can streamline these notification and reporting requirements.
Institutions should also address customer notification procedures in their IRP. When an institution becomes aware of an incident involving unauthorized access to sensitive customer information, the institution should conduct a reasonable investigation to determine the likelihood that such information has been or will be misused. If the institution determines that sensitive customer information has been misused or that misuse of such information is reasonably possible, it should notify the affected customer(s) as soon as possible. Developing standardized procedures for notifying customers will assist in making timely and thorough notification. As a resource in developing these procedures, institutions should reference the April 2005 interpretive guidance, which specifically addresses when customer notification is necessary, the recommended content of the notification, and the acceptable forms of notification.
INFORMATION TECHNOLOGY SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Risk Mitigation Components - Wireless Internet Devices
For wireless customer access, the financial institution should institute policies and standards requiring that information and transactions be encrypted throughout the link between the customer and the institution. Financial institutions should carefully consider the impact of implementing technologies requiring that a third party have control over unencrypted customer information and transactions.
As wireless application technologies evolve, new security and control weaknesses will likely be identified in the wireless software and security protocols. Financial institutions should actively monitor security alert organizations for notices related to their wireless application services. They should also consider informing customers when wireless Internet devices that require the use of communications protocols deemed insecure will no longer be supported by the institution.
The financial institution should consider having regular independent security testing performed on its wireless customer access application. Specific testing goals would include the verification of appropriate security settings, the effectiveness of the wireless application security implementation and conformity to the institution's stated standards. The security testing should be performed by an organization that is technically qualified to perform wireless testing and demonstrates appropriate ethical behavior.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
43. Does the institution allow the consumer to select certain nonpublic personal information or certain nonaffiliated third parties with respect to which the consumer wishes to opt out? [§10(c)]
(Note: an institution may allow partial opt outs in addition to, but may not allow them instead of, a comprehensive opt out.)