R. Kinney Williams & Associates

Internet Banking News

January 18, 2004



FYI - New Scam Targets Citibank Customers - A fake e-mail making the rounds Monday asks clients of Citibank NA's online banking service to verify their e-mail, bank card number, and PIN by clicking on a link in the e-mail.  http://www.pcworld.com/news/article/0,aid,114286,tk,dn011204X,00.asp 

FYI - Auditing Windows Security Cheaply - IT auditors may not be aware of the security templates that are built into Microsoft Windows 2000 and XP, the two most recent versions of the popular operating system.  These templates are not the absolute definition of good security, but they provide a worthwhile guideline to follow, particularly for new IT auditors who are interested in learning about logical security.  http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5485 

FYI - Australia - Scam targets internet bank accounts - Customers of Australia's five leading banks are unwittingly having their savings siphoned online, after logging on to official internet banking websites.  http://www.theaustralian.news.com.au/printpage/0,5942,8354034,00.html 

FYI - Citibank warns on new Internet "phishing" scam - Citibank on Monday warned customers not to fall for an e-mail fraud that urges them to log into a bogus Web site to verify that their accounts have not been tampered with.  http://www.forbes.com/business/newswire/2004/01/12/rtr1207254.html 

FYI - Adobe Says It Uses Anti-Counterfeiting Technology - Adobe Systems Inc. acknowledged yesterday it had added technology to its popular Photoshop graphics software at the request of government regulators and bankers to prevent consumers from making copies of the world's major currencies.  http://www.washingtonpost.com/ac2/wp-dyn/A4798-2004Jan9?language=printer 

FYI - Privacy of Consumer Financial Information - Eight federal regulators are soliciting comment on ways to improve the privacy notices financial institutions provide to consumers under the Gramm-Leach-Bliley Act. Comments are due by March 29, 2004. www.fdic.gov/news/news/financial/2004/FIL0804.html

FYI - Australians Warned Off E-Banking In Public - The Australian Hi-Tech Crime Centre has warned Internet users against accessing their online bank accounts from public computers.  http://www.infosecnews.com/sgold/news/2004/01/14_02.htm 

FYI - Spousal Signature Provisions of Regulation B - The FDIC is issuing guidance to assist financial institutions in complying with the complex marital status and spousal signature provisions of Regulation B. Those provisions significantly affect critical steps in the lending process, including underwriting, asset valuation, collateral selection and document preparation. www.fdic.gov/news/news/financial/2004/FIL0604.html 


INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 

B. RISK MANAGEMENT TECHNIQUES

Planning Weblinking Relationships


Due Diligence

A financial institution should conduct sufficient due diligence to determine whether it wishes to be associated with the quality of products, services, and overall content provided by third-party sites. A financial institution should consider more product-focused due diligence if the third parties are providing financial products, services, or other financial website content. In this case, customers may be more likely to assume the institution reviewed and approved such products and services. In addition to reviewing the linked third party's financial statements and its customer service performance levels, a financial institution should consider a review of the privacy and security policies and procedures of the third party.  Also, the financial institution should consider the character of the linked party by reviewing its past compliance with laws and regulations and whether the linked advertisements might be viewed as deceptive advertising in violation of Section 5 of the Federal Trade Commission Act.


INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.  


SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Stateful Inspection Firewalls

Stateful inspection firewalls are packet filters that monitor the state of the TCP connection.  Each TCP session starts with an initial handshake communicated through TCP flags in the header information. When a connection is established the firewall adds the connection information to a table. The firewall can then compare future packets to the connection or state table. This essentially verifies that inbound traffic is in response to requests initiated from inside the firewall.
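The state table described above, as an added illustration that is not part of the FFIEC booklet: a minimal stateful packet filter that records a session when an inside host sends a SYN, admits inbound packets only when they match a tracked session, and forgets the session on teardown. Addresses, ports and the packet trace are constructed; the internal prefix is an assumption.

```python
from dataclasses import dataclass

INTERNAL_NET = "10.0.0."   # assumed address prefix for "inside the firewall" (constructed)

@dataclass
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: set     # subset of {"SYN", "ACK", "FIN", "RST"} from the TCP header

class StatefulFilter:
    def __init__(self):
        # connection table: (inside_ip, inside_port, outside_ip, outside_port) -> state
        self.table = {}

    @staticmethod
    def _is_internal(ip):
        return ip.startswith(INTERNAL_NET)

    def _key(self, pkt):
        # normalise so both directions of one session share a table entry
        if self._is_internal(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def process(self, pkt):
        """Return 'ALLOW' or 'DROP' for one packet and update the state table."""
        key = self._key(pkt)
        state = self.table.get(key)
        if self._is_internal(pkt.src):                        # outbound packet
            if state is None:
                if "SYN" in pkt.flags and "ACK" not in pkt.flags:
                    self.table[key] = "SYN_SENT"              # session opened from inside
                    return "ALLOW"
                return "DROP"                                 # data with no tracked session
            if pkt.flags & {"FIN", "RST"}:
                self.table.pop(key)                           # teardown (real firewalls also
            elif state == "SYN_RECEIVED" and "ACK" in pkt.flags:   # track half-close/timeouts)
                self.table[key] = "ESTABLISHED"
            return "ALLOW"
        if state is None:                                     # inbound with no session entry,
            return "DROP"                                     # including an unsolicited SYN
        if state == "SYN_SENT" and {"SYN", "ACK"} <= pkt.flags:
            self.table[key] = "SYN_RECEIVED"                  # reply to our handshake
        elif pkt.flags & {"FIN", "RST"}:
            self.table.pop(key)
        return "ALLOW"

def run_demo():
    """Constructed trace: returns the verdict for each packet in order."""
    fw, inside, outside = StatefulFilter(), "10.0.0.5", "198.51.100.7"
    trace = [
        Packet(outside, 40000, inside, 22, {"SYN"}),          # unsolicited inbound: drop
        Packet(inside, 51000, outside, 80, {"SYN"}),          # inside host opens a session
        Packet(outside, 80, inside, 51000, {"SYN", "ACK"}),   # reply matches the table
        Packet(inside, 51000, outside, 80, {"ACK"}),          # handshake completes
        Packet(outside, 80, inside, 51000, {"ACK"}),          # server data: allowed
        Packet(outside, 80, inside, 51001, {"ACK"}),          # wrong port, no entry: drop
        Packet(outside, 80, inside, 51000, {"FIN", "ACK"}),   # teardown removes the entry
        Packet(outside, 80, inside, 51000, {"ACK"}),          # after close: dropped again
    ]
    return [fw.process(p) for p in trace]
```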

Proxy Server Firewalls

Proxy servers act as an intermediary between internal and external IP addresses and block direct access to the internal network. Essentially, they rewrite packet headers to substitute the IP of the proxy server for the IP of the internal machine and forward packets to and from the internal and external machines. Due to that limited capability, proxy servers are commonly employed behind other firewall devices. The primary firewall receives all traffic, determines which application is being targeted, and hands off the traffic to the appropriate proxy server. Common proxy servers are the domain name server (DNS), Web server (HTTP), and mail (SMTP) server. Proxy servers frequently cache requests and responses, providing potential performance benefits. Additionally, proxy servers provide another layer of access control by segregating the flow of Internet traffic to support additional authentication and logging capability, as well as content filtering. Web and e-mail proxy servers, for example, are capable of filtering for potential malicious code and application-specific commands.



IT SECURITY QUESTION:

C. HOST SECURITY

8. Determine whether the host-based IDSs identified as necessary in the risk assessment are properly installed and configured, that alerts go to appropriate individuals using an out-of-band communications mechanism, and that alerts are followed up.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]

26. Does the opt out notice to joint consumers state that either: 

a. the institution will consider an opt out by a joint consumer as applying to all associated joint consumers; [§7(d)(2)(i)] or

b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated