R. Kinney Williams & Associates
Internet Banking News
November 12, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Hacking contactless credit cards made easy - US security researchers have demonstrated how easy it might be for crooks to read sensitive personal information from RFID-based credit and debit cards.
http://www.theregister.co.uk/2006/10/24/rfid_credit_card_hack/print.html

FYI - GAO - Coordination of Federal Cyber Security Research and Development.
Report: http://www.gao.gov/cgi-bin/getrpt?GAO-06-811
Highlights: http://www.gao.gov/highlights/d06811high.pdf

FYI - It's possible hackers got Children's Hospital data on 230,000 patients, families, 12,000 donors - Hackers broke into Akron Children's Hospital computer files over Labor Day weekend, potentially accessing names, addresses, birth dates, and Social Security numbers of about 230,000 patients and their families, as well as a database containing the bank-account information of about 12,000 donors.
http://www.centredaily.com/mld/centredaily/news/nation/15871658.htm
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061101/601539/

FYI - Identity-theft computer scheme uncovered in apartment search - An identity-theft scheme that could affect thousands of Americans has been uncovered in Denver, the district attorney's office warned in a consumer alert Friday. "The potential harm to people is huge," said Lynn Kimbrough, spokeswoman for the prosecutor's office. "The potential is there that could affect thousands through the incredible misuse of tax records and banking information."
http://test.denverpost.com/nuggets/ci_4564807
MISSING COMPUTERS

FYI - Another possible data security breach at Los Alamos - Another possible breach at Los Alamos National Laboratory in New Mexico is raising new questions about data security at the troubled nuclear weapons facility.
http://federaltimes.com/index.php?S=2313329

FYI - Computer With Info On Colo. Human Services Dept. Clients Stolen - A computer containing personal information of some clients of the Colorado Department of Human Services was stolen from a Dallas-based firm that operates the Family Registry.
http://www.thedenverchannel.com/news/10162004/detail.html

FYI - Security officials say computer drive lost at Portland airport - Federal Homeland Security officials say a computer storage device that may have held personal information on current and former employees has been lost.
http://www.oregonlive.com/newsflash/regional/index.ssf?/base/news-17/116179555334230.xml&storylist=orlocal

FYI - Operator of 12 hospitals informs of lost data - CD contained personal data for more than a quarter-million patients - The operator of 12 hospitals in Indiana and Illinois is notifying more than a quarter-million patients that compact discs containing their Social Security numbers and other personal information were lost for three days over the summer.
http://www.msnbc.msn.com/id/15403873/
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarify that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but is similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, the timing of a consumer's report of an unauthorized transaction, or of the loss or theft of an access device, determines the consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Security Controls in Application Software

Application development should incorporate appropriate security controls, audit trails, and activity logs. Typical application access controls are addressed in earlier sections. Application security controls should also include validation controls for data entry and data processing. Data entry validation controls include access controls over entry and changes to data, error checks, review of suspicious or unusual data, and dual entry or additional review and authorization for highly sensitive transactions or data. Data processing controls include: batch control totals; hash totals of data for comparison after processing; identification of any changes made to data outside the application (e.g., data-altering utilities); and job control checks to ensure programs run in the correct sequence (see the booklet "Computer Operations" for additional considerations).
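The batch control totals and hash totals described above are easiest to understand as a before-and-after comparison. The following is an added example, not text or code from the FFIEC booklet or from this newsletter; the transaction records, account identifiers and the two "outside the application" edits are constructed for illustration. It records a count, an amount total and a SHA-256 hash total when a batch is entered, then re-checks them after processing. The second edit deliberately swaps two amounts so that the batch total still balances; only the hash total detects it, which is why the booklet lists both controls rather than one.

```python
import hashlib
from dataclasses import dataclass, replace
from decimal import Decimal
from typing import List, Tuple


@dataclass(frozen=True)
class Txn:
    """One transaction record in a batch (constructed sample type)."""
    seq: int          # position in the batch
    account: str      # account identifier (constructed, not real)
    amount: Decimal   # signed amount; Decimal avoids float rounding in totals


def batch_control_totals(batch: List[Txn]) -> Tuple[int, Decimal]:
    """Classic batch controls: record count and the sum of all amounts."""
    count = len(batch)
    total = sum((t.amount for t in batch), Decimal("0"))
    return count, total


def hash_total(batch: List[Txn]) -> str:
    """SHA-256 over every field of every record, in sequence order.

    Unlike an amount total, this changes if any field changes, records are
    reordered, or two amounts are swapped so that the batch total is unchanged.
    """
    h = hashlib.sha256()
    for t in sorted(batch, key=lambda t: t.seq):
        h.update(f"{t.seq}|{t.account}|{t.amount:.2f}\n".encode("utf-8"))
    return h.hexdigest()


def verify_batch(batch: List[Txn], expected_count: int,
                 expected_total: Decimal, expected_hash: str) -> List[str]:
    """Compare a batch after processing against the controls recorded at entry.

    Returns a list of control failures; an empty list means no change detected.
    """
    failures = []
    count, total = batch_control_totals(batch)
    if count != expected_count:
        failures.append(f"record count {count} != {expected_count}")
    if total != expected_total:
        failures.append(f"batch total {total} != {expected_total}")
    if hash_total(batch) != expected_hash:
        failures.append("hash total mismatch: record content changed")
    return failures


# Constructed sample batch; controls are captured at data entry time.
ENTRY_BATCH = [
    Txn(1, "ACCT-1001", Decimal("250.00")),
    Txn(2, "ACCT-1002", Decimal("-75.50")),
    Txn(3, "ACCT-1003", Decimal("1200.00")),
]
ENTRY_COUNT, ENTRY_TOTAL = batch_control_totals(ENTRY_BATCH)
ENTRY_HASH = hash_total(ENTRY_BATCH)


def outside_edit(batch: List[Txn]) -> List[Txn]:
    """Simulate a data-altering utility raising one amount outside the application."""
    return [replace(t, amount=t.amount + Decimal("1000.00")) if t.seq == 2 else t
            for t in batch]


def compensating_edit(batch: List[Txn]) -> List[Txn]:
    """Simulate swapping two amounts: the batch total balances, so only the hash catches it."""
    out = list(batch)
    out[0] = replace(batch[0], amount=batch[2].amount)
    out[2] = replace(batch[2], amount=batch[0].amount)
    return out


if __name__ == "__main__":
    print("unchanged:", verify_batch(ENTRY_BATCH, ENTRY_COUNT, ENTRY_TOTAL, ENTRY_HASH))
    print("outside edit:", verify_batch(outside_edit(ENTRY_BATCH),
                                        ENTRY_COUNT, ENTRY_TOTAL, ENTRY_HASH))
    print("compensating edit:", verify_batch(compensating_edit(ENTRY_BATCH),
                                             ENTRY_COUNT, ENTRY_TOTAL, ENTRY_HASH))
```

The entry-time controls (count, total, hash) should be stored somewhere the processing job and any data-altering utility cannot write to, otherwise whoever changes the data can recompute the controls to match; that separation, not the arithmetic, is what makes the comparison a control.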
Some applications will require the integration of additional authentication and encryption controls to ensure integrity and confidentiality of the data. As customers and merchants originate an increasing number of transactions, authentication and encryption become increasingly important to ensure non-repudiation of transactions.
IT SECURITY QUESTION:

F. PERSONNEL SECURITY

6. Determine if an appropriate disciplinary process for security violations exists and is functioning.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [§7(c)]

24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.