R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

February 2, 2003

VERY IMPORTANT FOR IS MANAGERS - Federal Financial Regulators Release Information Security Booklet, First In A Series - The Federal Financial Institutions Examination Council today issued revised guidance for examiners and financial institutions to use in identifying information security risks and evaluating the adequacy of controls and applicable risk management practices of financial institutions. www.ffiec.gov/press/pr012903.htm
OTS:  www.ots.treas.gov/docs/77303.html

FYI - A massive Internet outage that swept across Asia and slowed down service in the United States and northern Europe subsided Sunday, caused by a so-called "Slammer" message worm that could easily have been avoided, experts said.   See IN CLOSING below.
Article:  http://www.washtimes.com/upi-breaking/20030126-043023-3604r.htm 
Another article:  http://www.washingtonpost.com/wp-dyn/articles/A43267-2003Jan25.html 

FYI- University of Kansas officials discovered that a computer hacker downloaded personal information gathered on 1,450 of its international students.  http://www.thekansascitychannel.com/education/1930636/detail.html 

FYI- A devastating firestorm raged through Canberra and its outskirts.  More than four hundred homes, and multiple business were destroyed, along with the historic Mt Stromlo Observatory, which was established in the 1920s.
Millions of units of data collected as part of its research over the years, has been salvaged thanks to a
comprehensive disaster recovery plan implemented by the Australian National University's (ANU) division of information.  http://www.zdnet.com.au/newstech/enterprise/story/0,2000025001,20271482,00.htm 

FYI - FTC sees surge in identity theft - Complaints about identity theft have risen 73 percent from a year ago, according to a new report from the Federal Trade Commission.   http://zdnet.com.com/2100-1105-981489.html 

FYI - Rampant cordless keyboard strikes again - Hewlett-Packard Norway will no longer guarantee their cordless keyboards for security after yet another report that they transmit keystrokes far afield.  http://www.aftenposten.no/english/local/article.jhtml?articleID=474623 

INTERNET COMPLIANCERecord Retention

Record retention provisions apply to electronic delivery of disclosures to the same extent required for non-electronic delivery of information. For example, if the web site contains an advertisement, the same record retention provisions that apply to paper-based or other types of advertisements apply. Copies of such advertisements should be retained for the time period set out in the relevant regulation. Retention of electronic copies is acceptable.


INTERNET SECURITY
- Over the next few weeks, we will cover the FDIC's "
Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Financial institutions are actively evaluating and implementing wireless technology as a means to reach customers and reduce the costs of implementing new networks. In light of this fast-developing trend, the Federal Deposit Insurance Corporation (FDIC) is providing financial institutions with the following information about the risks associated with wireless technology and suggestions on managing those risks. Please share this information with your Chief Information Officer.

Wireless Technology and the Risks of Implementation

Wireless networks are rapidly becoming a cost-effective alternative for providing network connectivity to financial institution information systems. Institutions that are installing new networks are finding the installation costs of wireless networks competitive compared with traditional network wiring. Performance enhancements in wireless technology have also made the adoption of wireless networks attractive to institutions. Wireless networks operate at speeds that are sufficient to meet the needs of many institutions and can be seamlessly integrated into existing networks. Wireless networks can also be used to provide connectivity between geographically close locations without having to install dedicated lines.

Wireless Internet access to banking applications is also becoming attractive to financial institutions. It offers customers the ability to perform routine banking tasks while away from the bank branch, automated teller machines or their own personal computers. Wireless Internet access is a standard feature on many new cellular phones and hand-held computers.

Many of the risks that financial institutions face when implementing wireless technology are risks that exist in any networked environment (see FIL-67-2000, "Security Monitoring of Computer Networks," dated October 3, 2000, and the 1996 FFIEC Information Systems Examination Handbook, Volume 1, Chapter 15). However, wireless technology carries additional risks that financial institutions should consider when designing, implementing and operating a wireless network. Common risks include the potential:

1)  Compromise of customer information and transactions over the wireless network;

2)  Disruption of wireless service from radio transmissions of other wireless devices;

3)  Intrusion into the institution's network through wireless network connections; and

4)  Obsolescence of current systems due to rapidly changing standards.

These risks could ultimately compromise the bank's computer system, potentially causing:

1)  Financial loss due to the execution of unauthorized transactions;

2)  Disclosure of confidential customer information, resulting in - among other things - identity theft (see FIL-39-2001, "Guidance on Identity Theft and Pretext Calling," dated May 9, 2001, and FIL-22-2001, "Guidelines Establishing Standards for Safeguarding Customer Information," dated March 14, 2001);

3)  Negative media attention, resulting in harm to the institution's reputation; and

4)  Loss of customer confidence.

PRIVACY
- We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Nonpublic Personal Information:

"Nonpublic personal information" generally is any information that is not publicly available and that:

1)  a consumer provides to a financial institution to obtain a financial product or service from the institution;

2)  results from a transaction between the consumer and the institution involving a financial product or service; or

3)  a financial institution otherwise obtains about a consumer in connection with providing a financial product or service.

Information is publicly available if an institution has a reasonable basis to believe that the information is lawfully made available to the general public from government records, widely distributed media, or legally required disclosures to the general public. Examples include information in a telephone book or a publicly recorded document, such as a mortgage or securities filing.

Nonpublic personal information may include individual items of information as well as lists of information. For example, nonpublic personal information may include names, addresses, phone numbers, social security numbers, income, credit score, and information obtained through Internet collection devices (i.e., cookies).

There are special rules regarding lists. Publicly available information would be treated as nonpublic if it were included on a list of consumers derived from nonpublic personal information. For example, a list of the names and addresses of a financial institution's depositors would be nonpublic personal information even though the names and addresses might be published in local telephone directories because the list is derived from the fact that a person has a deposit account with an institution, which is not publicly available information.

However, if the financial institution has a reasonable basis to believe that certain customer relationships are a matter of public record, then any list of these relationships would be considered publicly available information. For instance, a list of mortgage customers where the mortgages are recorded in public records would be considered publicly available information. The institution could provide a list of such customers, and include on that list any other publicly available information it has about the customers on that list without having to provide notice or opt out.

IN CLOSING - Last weekend, the massive Internet outage that swept across Asia and slowed down service in the United States and northern Europe was caused by a so-called "Slammer" message worm that could easily have been avoided.   This self-propagating worm is attacking vulnerabilities in MS-SQL Server and is not detected by Anti-Virus software. Our vulnerability-penetration study has had detection signatures and links to verified remedies since July 2002 for the MS-SQL vulnerabilities that are exploited by the Worm.   For more information our vulnerability-penetration testing, visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated