R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

February 9, 2003

FYI - Net attacks on businesses down - Attacks on corporate networks by online vandals fell in the second half of last year, according to report released Monday.  http://news.com.com/2100-1001-983154.html?part=dht&tag=ntop 

FYI- GAO - Electronic Government: Progress in Promoting Adoption of Smart Card Technology.    http://www.gao.gov/new.items/d03144.pdf 

FYI - Crooks harvest bank details from Net kiosk - Crooks, operating in the Birmingham, area, are preying on people using public access terminals for Internet banking.  http://www.theregister.co.uk/content/6/29054.html 

FYI - The Sapphire worm, widely known as SQL Slammer, infected more than 90 percent of vulnerable computers within 10 minutes, opening a new era of fast-spreading viruses on the Internet, according to a US think tank.  http://news.zdnet.co.uk/story/0,,t269-s2129785,00.html 

FYI - Not only could companies have easily slammed the door on the Slammer worm if they had installed the patch released by Microsoft Corp. six months ago, but they could also have uncovered the vulnerability exploited by the worm using a free benchmark developed jointly by the government and private sector.

FYI - Bush Approves Cybersecurity Strategy - President Bush has approved the White House's long-awaited national cybersecurity strategy, a landmark document intended to guide government and industry efforts to protect the nation's most critical information systems from cyberattack.    http://www.washingtonpost.com/wp-dyn/articles/A6320-2003Jan31.html 

FYI - Security Spending Swells - We'll soon spend $45 billion worldwide on security services and products, analysts predict.  http://www.pcworld.com/news/article/0,aid,109221,tk,dn020403X,00.asp 

FYI - From a reader - The Open Web Application Security Project, a collaborative security education site, has released a list of the top 10 vulnerabilities in Web applications.  http://www.eweek.com/article2/0,3959,857317,00.asp 

FYI - OCC - FFIEC Information Security Booklet - The Federal Financial Institutions Examination Council (FFIEC) has released updated information security guidance in the form of a new Information Security Booklet.
Press Release: www.occ.treas.gov/ftp/bulletin/2003-4.txt
Attachment: www.ffiec.gov/ffiecinfobase/index.html
Attachment: www.ffiec.gov/ffiecinfobase/html_pages/it_01.html

Lifting of Moratorium on FinCEN 314(a) Information Requests - On November 26, 2002, the Financial Crimes Enforcement Network of the U.S. Treasury Department and law enforcement agencies imposed a moratorium on requests covered by Section 314(a)of the USA PATRIOT Act. www.occ.treas.gov/ftp/alert/2003-2.txt


Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers, would supplement electronic disclosures with paper disclosures.

- We continue our coverage of the FDIC's "
Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Risk Mitigation

Security should not be compromised when offering wireless financial services to customers or deploying wireless internal networks. Financial institutions should carefully consider the risks of wireless technology and take appropriate steps to mitigate those risks before deploying either wireless networks or applications. As wireless technologies evolve, the security and control features available to financial institutions will make the process of risk mitigation easier. Steps that can be taken immediately in wireless implementation include:

1)  Establishing a minimum set of security requirements for wireless networks and applications;

2)  Adopting proven security policies and procedures to address the security weaknesses of the wireless environment;

3)  Adopting strong encryption methods that encompass end-to-end encryption of information as it passes throughout the wireless network;

4)  Adopting authentication protocols for customers using wireless applications that are separate and distinct from those provided by the wireless network operator;

5)  Ensuring that the wireless software includes appropriate audit capabilities (for such things as recording dropped transactions);

6)  Providing appropriate training to IT personnel on network, application and security controls so that they understand and can respond to potential risks; and

9)  Performing independent security testing of wireless network and application implementations.

- We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Opt Out Right and Exceptions:

The Right

Consumers must be given the right to "opt out" of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party, unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulations and described below.

As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer's transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right. For example, it would be reasonable if the financial institution allows 30 days from the date of mailing a notice or 30 days after customer acknowledgement of an electronic notice for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number, again depending on the circumstances surrounding the consumer's transaction. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.

MORE INFORMATION - Vulnerability-penetration studies at http://www.internetbankingaudits.com/ and web site audits at http://www.bankwebsiteaudits.com/


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated