R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

January 5, 2003

FYI - The Future of Retail Electronic Payments Systems: Industry Interviews and Analysis -Electronic payments have become a prominent feature of the U.S. economic landscape, as consumers, businesses, and governments have increasingly used electronic instruments to make retail payments. Survey research by the Federal Reserve published in 2002, for example, indicates that the use of debit and credit cards and automatic deposit and withdrawal (via the automated clearinghouse) grew fivefold from 1979 to 2000 and that the use of paper checks for payments probably peaked in the mid-1990s. www.federalreserve.gov/Pubs/StaffStudies/2000-present/175sum.htm

FYI  - New Version of EDIE -- the Electronic Deposit Insurance Estimator -- for Use by Financial Institution Employees - The FDIC is releasing a new, CD-ROM version of its interactive insurance calculator to help bankers provide accurate information to customers. www.fdic.gov/news/news/financial/2002/FIL02147.html

FYI - Securing Outlook, Part One: Initial Configuration - This article is the first part of a two-part series that will help readers to secure their Outlook email clients. This installment will offer a brief overview of Outlook, as well as a guide to configuring it securely. http://online.securityfocus.com/infocus/1648 

FYI - White House plans wide monitoring of Net
- The White House is proposing an Internet-wide monitoring center to detect and defend against major cyber-attacks, but the Bush administration sought to ease worries it might scrutinize individual users' e-mails along with other data traffic.  http://www.cnn.com/2002/TECH/internet/12/23/cyber.security.ap/index.html 

INTERNET COMPLIANCE Equal Credit Opportunity Act (Regulation B)

The regulations clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.

The regulations also clarify the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.


INTERNET SECURITY
We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 

PENETRATION ANALYSIS (Part 1 of 2)

After the initial risk assessment is completed, management may determine that a penetration analysis (test) should be conducted. For the purpose of this paper, "penetration analysis" is broadly defined. Bank management should determine the scope and objectives of the analysis. The scope can range from a specific test of a particular information systems security or a review of multiple information security processes in an institution.

A penetration analysis usually involves a team of experts who identify an information systems vulnerability to a series of attacks. The evaluators may attempt to circumvent the security features of a system by exploiting the identified vulnerabilities. Similar to running vulnerability scanning tools, the objective of a penetration analysis is to locate system vulnerabilities so that appropriate corrective steps can be taken.

The analysis can apply to any institution with a network, but becomes more important if system access is allowed via an external connection such as the Internet. The analysis should be independent and may be conducted by a trusted third party, qualified internal audit team, or a combination of both. The information security policy should address the frequency and scope of the analysis. In determining the scope of the analysis, items to consider include internal vs. external threats, systems to include in the test, testing methods, and system architectures.

A penetration analysis is a snapshot of the security at a point in time and does not provide a complete guaranty that the system(s) being tested is secure. It can test the effectiveness of security controls and preparedness measures. Depending on the scope of the analysis, the evaluators may work under the same constraints applied to ordinary internal or external users. Conversely, the evaluators may use all system design and implementation documentation. It is common for the evaluators to be given just the IP address of the institution and any other public information, such as a listing of officers that is normally available to outside hackers. The evaluators may use vulnerability assessment tools, and employ some of the attack methods discussed in this paper such as social engineering and war dialing. After completing the agreed-upon analysis, the evaluators should provide the institution a detailed written report. The report should identify vulnerabilities, prioritize weaknesses, and provide recommendations for corrective action.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

49.  If the institution uses a Section 14 exception as necessary to effect, administer, or enforce a transaction, is it :

a.  required, or is one of the lawful or appropriate methods to enforce the rights of the institution or other persons engaged in carrying out the transaction or providing the product or service; [14(b)(1)] or

b.  required, or is a usual, appropriate, or acceptable method to:[14(b)(2)]

  1.  carry out the transaction or the product or service business of which the transaction is a part, including recording, servicing, or maintaining the consumer's account in the ordinary course of business; [14(b)(2)(i)]
  2.  administer or service benefits or claims; [14(b)(2)(ii)]
  3.  confirm or provide a statement or other record of the transaction or information on the status or value of the financial service or financial product to the consumer or the consumer's agent or broker; [14(b)(2)(iii)]
  4.  accrue or recognize incentives or bonuses; [14(b)(2)(iv)]
  5.  underwrite insurance or for reinsurance or for certain other purposes related to a consumer's insurance; [14(b)(2)(v)] or
  6.  in connection with:
      i.  the authorization, settlement, billing, processing, clearing, transferring, reconciling, or collection of amounts charged, debited, or otherwise paid by using a debit, credit, or other payment card, check, or account number, or by other payment means; [14(b)(2)(vi)(A)]
      ii.  the transfer of receivables, accounts or interests therein; [14(b)(2)(vi)(B)] or
      iii.  the audit of debit, credit, or other payment information? [14(b)(2)(vi)(C)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated