R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

January 19, 2003

FYI - The Federal Reserve Board announced the availability of a new booklet designed to help consumers protect themselves against identity theft.  You may want to link the "Identity Theft" brochure off your web site.
Press release - http://www.federalreserve.gov/BoardDocs/Press/other/2003/20030116/default.htm
"Identity Theft" Brochure - http://www.bos.frb.org/consumer/identity/idtheft.pdf 

FYI - Old hard drives yield data bonanza - Two Massachusetts Institute of Technology graduate students have uncovered a treasure trove of personal and corporate information on used disk drives.  http://news.com.com/2100-1040-980824.html?tag=fd_top 

FYI -
Money Laundering: A Banker's Guide to Avoiding Problems, December 2002 - This booklet, which updates a 1993 publication, discusses how bankers can identify and manage the risks associated with money laundering and terrorist financing. The revision was prompted by the growing sophistication of money launderers, a growing international response to money laundering, changes to anti-money laundering laws, and recent anti-terrorist financing legislation. www.occ.treas.gov/moneylaundering2002.pdf

FYI -
University falls prey to phone tricksters - Telephone hackers in Saudi Arabia broke into Texas A&M University's phone system and left voice mail messages that enabled them to make international calls charged to the school, an A&M spokesman said.  http://www.cnn.com/2003/US/Southwest/01/10/university.phones.reut/ 


FYI - Complaints mount from TurboTax customers - Software maker Intuit has created an uninstaller program for its TurboTax tax-preparation programs, as customer complaints mount about anti-piracy technology included in the software.  http://news.com.com/2100-1040-980600.html?tag=fd_top 

INTERNET COMPLIANCETruth in Lending Act (Regulation Z)

The commentary to regulation Z was amended recently to clarify that periodic statements for open-end credit accounts may be provided electronically, for example, via remote access devices. The regulations state that financial institutions may permit customers to call for their periodic statements, but may not require them to do so. If the customer wishes to pick up the statement and the plan has a grace period for payment without imposition of finance charges, the statement, including a statement provided by electronic means, must be made available in accordance with the "14-day rule," requiring mailing or delivery of the statement not later than 14 days before the end of the grace period.

Provisions pertaining to advertising of credit products should be carefully applied to an on-line system to ensure compliance with the regulation. Financial institutions advertising open-end or closed-end credit products on-line have options. Financial institutions should ensure that on-line advertising complies with the regulations. For on-line advertisements that may be deemed to contain more than a single page, financial institutions should comply with the regulations, which describe the requirements for multiple-page advertisements.


INTERNET SECURITY
We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 

INTRUSION DETECTION SYSTEMS

Vulnerability assessments and penetration analyses help ensure that appropriate security precautions have been implemented and that system security configurations are appropriate. The next step is to monitor the system for intrusions and unusual activities. Intrusion detection systems (IDS) may be useful because they act as a burglar alarm, reporting potential intrusions to appropriate personnel. By analyzing the information generated by the systems being guarded, IDS help determine if necessary safeguards are in place and are protecting the system as intended. In addition, they can be configured to automatically respond to intrusions.

Computer system components or applications can generate detailed, lengthy logs or audit trails that system administrators can manually review for unusual events. IDS automate the review of logs and audit data, which increases the reviews' overall efficiency by reducing costs and the time and level of skill necessary to review the logs.

Typically, there are three components to an IDS. First is an agent, which is the component that actually collects the information. Second is a manager, which processes the information collected by the agents. Third is a console, which allows authorized information systems personnel to remotely install and upgrade agents, define intrusion detection scenarios across agents, and track intrusions as they occur. Depending on the complexity of the IDS, there can be multiple agent and manager components.

Generally, IDS products use three different methods to detect intrusions. First, they can look for identified attack signatures, which are streams or patterns of data previously identified as an attack. Second, they can look for system misuse such as unauthorized attempts to access files or disallowed traffic inside the firewall. Third, they can look for activities that are different from the users or systems normal pattern. These "anomaly-based" products (which use artificial intelligence) are designed to detect subtle changes or new attack patterns, and then notify appropriate personnel that an intrusion may be occurring. Some anomaly-based products are created to update normal use patterns on a regular basis. Poorly designed anomaly-based products can trigger frequent false-positive responses.

Although IDS may be an integral part of an institutions overall system security, they will not protect a system from previously unknown threats or vulnerabilities. They are not self-sufficient and do not compensate for weak authentication procedures (e.g., when an intruder already knows a password to access the system). Also, IDS often have overlapping features with other security products, such as firewalls. IDS provide additional protections by helping to determine if the firewall programs are working properly and by helping to detect internal abuses. Both firewalls and IDS need to be properly configured and updated to combat new types of attacks. In addition, management should be aware that the state of these products is highly dynamic and IDS capabilities are evolving.

IDS tools can generate both technical and management reports, including text, charts, and graphs. The IDS reports can provide background information on the type of attack and recommend courses of action. When an intrusion is detected, the IDS can automatically begin to collect additional information on the attacker, which may be needed later for documentation purposes.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

PRIVACY
- At the request of our readers, we begin our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

On November 12, 1999, President Clinton signed into law the Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of the Act governs the treatment of nonpublic personal information about consumers by financial institutions. Section 502 of the Subtitle, subject to certain exceptions, prohibits a financial institution from disclosing nonpublic personal information about a consumer to nonaffiliated third parties, unless the institution satisfies various notice and opt-out requirements, and provided that the consumer has not elected to opt out of the disclosure. Section 503 requires the institution to provide notice of its privacy policies and practices to its customers. Section 504 authorizes the issuance of regulations to implement these provisions.

Accordingly, on June 1, 2000, the four federal bank and thrift regulators published substantively identical regulations implementing provisions of the Act governing the privacy of consumer financial information. The regulations establish rules governing duties of a financial institution to provide particular notices and limitations on its disclosure of nonpublic personal information, as summarized below. 

1)  A financial institution must provide a notice of its privacy policies, and allow the consumer to opt out of the disclosure of the consumer's nonpublic personal information, to a nonaffiliated third party if the disclosure is outside of the exceptions in sections 13, 14 or 15 of the regulations.

2)  Regardless of whether a financial institution shares nonpublic personal information, the institution must provide notices of its privacy policies to its customers.

3)  A financial institution generally may not disclose customer account numbers to any nonaffiliated third party for marketing purposes.

4)  A financial institution must follow reuse and redisclosure limitations on any nonpublic personal information it receives from a nonaffiliated financial institution.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated