FYI -
DHS seeks to ease privacy fears - Homeland Security Department
officials say they hope their new privacy protection principles for
research projects will address concerns some privacy advocates have
raised about the programs.
http://www.fcw.com/print/22_39/news/154665-1.html?topic=homeland_security
FYI -
Browsers fail password protection tests - A beta version of Google
Chrome has tied with Safari for last place in tests of how the
browsers dealt with password security.
http://www.theregister.co.uk/2008/12/15/browser_password_security_tests/
FYI -
Brazilian hackers blamed for aiding Amazon deforestation - Malicious
hackers have been charged with all manner of misdeeds, from mounting
the biggest military hack ever to sending Viagra to Bill Gates to
crashing sewerage systems. Greenpeace has accused cybercrooks of
conspiring to allow actions that threaten the balance of nature by
helping to destroy the Amazon rainforest.
http://www.theregister.co.uk/2008/12/12/brazil_hackers_deforestation/
FYI -
Google releases browser security handbook - Google posted on
Wednesday a handbook for Web developers that highlights the key
security features and quirks of major Web browsers. The document,
dubbed the Browser Security Handbook, has three parts that tackle
the security features in browsers and browser-specific issues that
could lead to security weaknesses.
http://www.securityfocus.com/brief/870
FYI -
The five myths of two-factor authentication - Every day, people find
new reasons to go online to access goods and services. Shopping
online is convenient and offers broad selection that local
businesses often just can't touch.
http://www.scmagazineus.com/The-five-myths-of-two-factor-authentication/article/122876/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Credit Card Numbers Stolen From Movie Theater Computer - Merrimack
Police Say Numerous People Report Credit Card Problems - Hackers
broke into a Merrimack movie theater's servers and stole customers'
credit card information.
http://www.wmur.com/news/18247613/detail.html#
WEB SITE COMPLIANCE -
This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when on-line banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the
consumer's deposit account at an electronic terminal or personal
computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule issued on March 20, 1998 allows depository
institutions to satisfy the delivery requirement for any of these
disclosures and other information required by the act and
regulations by electronic communication, as long as the consumer
agrees to that method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services, including electronic financial services.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - REMOTE ACCESS
Many financial institutions use modems, remote-access servers
(RAS), and VPNs to provide remote access into their systems or to
allow remote access out of their systems. Remote access can support
mobile users through wireless, Internet, or dial-in capabilities. In
some cases, vendors periodically require modem access to make
emergency program fixes or to support a system.
Remote access to a financial institution's systems provides an
attacker with the opportunity to remotely attack the systems either
individually or in groups. Accordingly, management should establish
policies restricting remote access and be aware of all remote access
devices attached to their systems. These devices should be strictly
controlled. Good controls for remote access include the following
actions:
! Disallow remote access by policy and practice unless a compelling
business justification exists.
! Disable remote access at the operating system level if a business
need for such access does not exist.
! Require management approval for remote access.
! Require an operator to leave the modems unplugged or disabled by
default, to enable modems only for specific, authorized external
requests, and disable the modem immediately when the requested
purpose is completed.
! Configure modems not to answer inbound calls, if modems are for
outbound use only.
! Use automated callback features so the modems only call one number
(although this is subject to call forwarding schemes).
! Install a modem bank where the outside number to the modems uses a
different prefix than internal numbers and does not respond to
incoming calls.
! Log and monitor the date, time, user, user location, duration, and
purpose for all remote access.
! Require a two-factor authentication process for all remote access
(e.g., PIN-based token card with a one-time random password
generator).
! Implement controls consistent with the sensitivity of remote use
(e.g., remote system administration requires strict controls and
oversight including encrypting the authentication and log-in
process).
! Appropriately patch and maintain all remote access software.
! Use trusted, secure access devices.
! Use remote-access servers (RAS) to centralize modem and Internet
access, to provide a consistent authentication process, and to
subject the inbound and outbound network traffic to firewalls.
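Several of the controls above (management approval, two-factor authentication, and logging the date, time, user, location, duration, and purpose of every session) only pay off if someone actually reviews the resulting records. The script below is an added example, not part of the FFIEC booklet or this newsletter: it reads a constructed remote-access session log, compares each session against a constructed approval register, and reports which control each session fails. The log format, the field names, the register layout, and the user and address values are all assumptions made for illustration.

```python
"""Audit remote-access session records against the controls listed above.

Added example; the log format, approval register, and all names and
addresses below are constructed for illustration, not real data.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log, one completed session per line (assumed format):
# start|end|user|source address|authentication method|stated purpose
SAMPLE_LOG = """\
2008-12-15T02:10:00|2008-12-15T02:35:00|vendor1|203.0.113.7|token+pin|emergency patch, ticket 4471
2008-12-15T09:00:00|2008-12-15T13:30:00|jsmith|198.51.100.23|password|
2008-12-15T22:00:00|2008-12-16T06:00:00|admin2|192.0.2.44|token+pin|backup verification
2008-12-16T10:00:00|2008-12-16T10:20:00|contractor9|203.0.113.99|token+pin|system support
"""

# Constructed management-approval register: who may connect, until when,
# for how long per session, and from which addresses.
APPROVALS = {
    "vendor1": {"until": "2008-12-31T23:59:59", "max_hours": 2, "sources": {"203.0.113.7"}},
    "jsmith": {"until": "2008-12-31T23:59:59", "max_hours": 8, "sources": {"198.51.100.23"}},
    "admin2": {"until": "2008-12-31T23:59:59", "max_hours": 4, "sources": {"192.0.2.44"}},
}

# Authentication methods that count as two-factor for this check.
STRONG_AUTH = {"token+pin"}


@dataclass
class Session:
    start: datetime
    end: datetime
    user: str
    source: str
    auth: str
    purpose: str

    @property
    def duration(self) -> timedelta:
        return self.end - self.start


def parse_sessions(text: str) -> list:
    """Parse the pipe-delimited session log into Session objects."""
    sessions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        start, end, user, source, auth, purpose = line.split("|", 5)
        sessions.append(Session(datetime.fromisoformat(start),
                                datetime.fromisoformat(end),
                                user, source, auth, purpose.strip()))
    return sessions


def audit_session(s: Session, approvals: dict) -> list:
    """Return the list of control failures for one session (empty if clean)."""
    findings = []
    approval = approvals.get(s.user)
    if approval is None:
        findings.append("no management approval on file")
    else:
        if s.start > datetime.fromisoformat(approval["until"]):
            findings.append("approval expired")
        if s.source not in approval["sources"]:
            findings.append(f"source {s.source} not in approved list")
        if s.duration > timedelta(hours=approval["max_hours"]):
            findings.append(f"duration {s.duration} exceeds {approval['max_hours']}h limit")
    if s.auth not in STRONG_AUTH:
        findings.append(f"single-factor authentication ({s.auth})")
    if not s.purpose:
        findings.append("no purpose recorded")
    return findings


def audit_log(text: str, approvals: dict = APPROVALS) -> dict:
    """Map 'user@start' to that session's findings for every session in the log."""
    return {f"{s.user}@{s.start.isoformat()}": audit_session(s, approvals)
            for s in parse_sessions(text)}


if __name__ == "__main__":
    for key, findings in audit_log(SAMPLE_LOG).items():
        status = "OK" if not findings else "; ".join(findings)
        print(f"{key}: {status}")
```

In the constructed data, the vendor session passes every check, the `jsmith` session is flagged for single-factor login and a missing purpose, the `admin2` session runs twice its approved duration, and `contractor9` has no approval on file at all. The same structure applies to real RAS or VPN logs once the parser is adapted to their field layout.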
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
4. Determine whether adequate policies and
procedures exist to address the loss of equipment, including laptops
and other mobile devices. Such plans should encompass the potential
loss of customer data and authentication devices.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Other Matters
Fair Credit Reporting Act
The regulations do not modify, limit, or supersede the operation
of the Fair Credit Reporting Act.
State Law
The regulations do not supersede, alter, or affect any state
statute, regulation, order, or interpretation, except to the extent
that it is inconsistent with the regulations. A state statute,
regulation, order, etc. is consistent with the regulations if the
protection it affords any consumer is greater than the protection
provided under the regulations, as determined by the FTC.
Grandfathered Service Contracts
Contracts that a financial institution has entered into, on or
before July 1, 2000, with a nonaffiliated third party to perform
services for the financial institution or functions on its behalf,
as described in section 13, will satisfy the confidentiality
requirements of section 13(a)(1)(ii) until July 1, 2002, even if the
contract does not include a requirement that the third party
maintain the confidentiality of nonpublic personal information.
Guidelines Regarding Protecting Customer Information
The regulations require a financial institution to disclose its
policies and practices for protecting the confidentiality, security,
and integrity of nonpublic personal information about consumers
(whether or not they are customers). The disclosure need not
describe these policies and practices in detail, but instead may
describe in general terms who is authorized to have access to the
information and whether the institution has security practices and
procedures in place to ensure the confidentiality of the information
in accordance with the institution's policies.
The four federal bank and thrift regulators have published
guidelines, pursuant to section 501(b) of the Gramm-Leach-Bliley
Act, that address steps a financial institution should take in order
to protect customer information. The guidelines relate only to
information about customers, rather than all consumers. Compliance
examiners should consider the findings of a 501(b) inspection during
the compliance examination of a financial institution for purposes
of evaluating the accuracy of the institution's disclosure regarding
data security.
Next week we will start covering the examination objectives.