Internet Banking News

December 9, 2007

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Why high-level HMRC staff have lessons to learn - At least nine HMRC people knew of the full 25 million record extract - Concerning the disastrous leakage of 25 million people's identity information at least nine HMRC staff knew of the full (25 million record) data extract and its transfer to the National Audit Office (NAO) in March.
http://www.techworld.com/storage/features/index.cfm?featureid=3833&pagtype=samechan
http://www.scmagazineus.com/British-data-breach-affects-25-million/article/99176/

FYI - Gordon Brown orders data security spot checks - The government has agreed to data security spot checks across all departments by the Information Commissioner following the loss of 25 million records of child benefit recipients by HM Revenue & Customs (HMRC). http://software.silicon.com/security/0,39024888,39169238,00.htm

FYI - State hires new data firm after student records are lost - Just more than a month after a massive loss of college student records was revealed, Louisiana's student financial aid office is hiring a new data security company and considering litigation against the previous one. http://www.ktbs.com/news/State-hires-new-data-firm-after-student-records-are-lost-6686/

FYI - Bank execs targeted by fake Department of Justice phishing emails - Corporate executives again are being targeted in a new round of spear phishing attacks that attempt to dupe them into downloading a malicious attachment. http://www.scmagazineus.com/Bank-execs-targeted-by-fake-Department-of-Justice-phishing-emails/article/99171/

MISSING COMPUTERS/DATA

FYI - N.L. police probe security breach of patient information - Officials in Newfoundland and Labrador are investigating a computer security breach involving sensitive patient information that may have been accessed through the internet. http://www.cbc.ca/canada/newfoundland-labrador/story/2007/11/24/security-breach.html

Return to the top of the newsletter

WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, OSC regulations provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls (Part 1 of 2)

If passwords are used for access control or authentication measures, users should be properly educated in password selection. Strong passwords consist of at least six to eight alpha numeric characters, with no resemblance to any personal data. PINs should also be unique, with no resemblance to personal data. Neither passwords nor PINs should ever be reduced to writing or shared with others.

Other security measures should include the adoption of one-time passwords, or password aging measures that require periodic changes. Encryption technology can also be employed in the entry and transmission of passwords, PINs, user IDs, etc. Any password directories or databases should be properly protected, as well.

Password guessing programs can be run against a system. Some can run through tens of thousands of password variations based on personal information, such as a user's name or address. It is preferable to test for such vulnerabilities by running this type of program as a preventive measure, before an unauthorized party has the opportunity to do so. Incorporating a brief delay requirement after each incorrect login attempt can be very effective against these types of programs. In cases where a potential attacker is monitoring a network to collect passwords, a system utilizing one-time passwords would render any data collected useless.

When additional measures are necessary to confirm that passwords or PINs are entered by the user, technologies such as tokens, smart cards, and biometrics can be useful. Utilizing these technologies adds another dimension to the security structure by requiring the user to possess something physical.

Return to the top of the newsletter

IT SECURITY QUESTION: Network user access controls: (Part 1 of 2)

g. Can the same password be used again within 12 months?
h. Is the user locked out after three unsuccessful attempts to enter the correct password?
i. How long is the user locked out after entering an incorrect password?
j. Automatic timeout if left unattended? If so, how long?
k. Automatic lockout by time of day and day of week?
l. Is user access restricted by workstation?

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Initial Privacy Notice

6) Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices at least annually (that is, at least once in any period of 12 consecutive months) to all customers, throughout the customer relationship? [§5(a)(1)and (2)]
(Note: annual notices are not required for former customers. [§5(b)(1)and (2)])