R. Kinney Williams & Associates

Internet Banking News

March 2, 2003

FYI - How to get an ATM PIN in 15 guesses - Cambridge researchers have documented a worrying PIN cracking technique against the hardware security modules commonly used by bank ATMs.  http://www.theregister.co.uk/content/55/29425.html 

FYI - Introduction to Information Security and Risk Management - http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=543 

FYI - A former network administrator for a Los Angeles airport transportation company was arrested on charges that he hacked into his ex-employer's computers and wiped out critical data -- allegedly as revenge for his termination from the company.  http://www.securityfocus.com/news/2567 

FYI - A series of recent court battles have highlighted the importance of clear policies governing the use of an organization's information systems. While the majority of media coverage has focused on the use of email to send lurid or offensive messages, the ramifications go far beyond the need for 'acceptable use' policies and expose a weakness in an organization's information security and workplace monitoring efforts.  http://www.infosecnews.com/opinion/2003/02/26_01.htm 

FYI - FBI Called in as Credit Card Hack Escalates - The Visa/Mastercard hack reported by CNN last week appears to be a lot bigger than first thought and is possibly the largest credit card systems hack in history. Media reports from around the world suggest that significant numbers of American Express and Discover card account details were accessed, with at least 100,000 card accounts in Canada and several hundred in Korea affected.  http://www.infosecnews.com/sgold/news/2003/02/24_01.htm 

FYI - Credit card hack traced to outsider - Break-in at Nebraska company exposes millions of accounts.  A hacker who gained access to millions of credit card numbers apparently did it by breaking into a computer system at a company that handles transactions for catalog companies and other direct marketers. http://www.msnbc.com/news/874907.asp?0si=-&cp1=1 

FYI - Treasury's Office of Foreign Assets Control has amended its list of Specially Designated Nationals and Blocked Persons. - On February 12, 2003, the Department of the Treasury's Office of Foreign Assets Control (OFAC) amended its list of Specially Designated Nationals and Blocked Persons by adding OBURSATILES S.A.  www.fdic.gov/news/news/financial/2003/fil0314.html

FYI - PNC cancels 16,000 cards after hacking theft incident - PNC Bank was forced to deactivate some 16,000 ATM/debit/check cards that carry the Visa logo after being notified by Visa that the cards were compromised by a computer hacker.  http://www.post-gazette.com/businessnews/20030220pnc0220p4.asp 

INTERNET COMPLIANCE Electronic Fund Transfer Act, Regulation E (Part 1 of 2)

Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply.  A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep.  An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures.  Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.


INTERNET SECURITY
- We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."


Part II. Risks Associated with Wireless Internet Devices

As wireless Internet devices become more prevalent in the marketplace, financial institutions are adopting wireless application technologies as a channel for reaching their customers. Wireless Internet services are becoming available in major cities across the United States. Through wireless banking applications, a financial institution customer could access account information and perform routine non-cash transactions without having to visit a branch or ATM.

The wireless Internet devices available today present attractive methods for offering and using financial services. Customers have access to financial information from anywhere they can receive wireless Internet access. Many of the wireless devices have built-in encryption through industry-standard encryption methods. This encryption has its limits based on the processing capabilities of the device and the underlying network architecture.

A popular standard for offering wireless applications is through the use of the Wireless Application Protocol (WAP). WAP is designed to bring Internet application capabilities to some of the simplest user interfaces. Unlike the Web browser that is available on most personal computer workstations, the browser in a wireless device (such as a cell phone) has a limited display that in many cases can provide little, if any, graphical capabilities. The interface is also limited in the amount of information that can be displayed easily on the screen. Further, the user is limited by the keying capabilities of the device and often must resort to many key presses for simple words.

The limited processing capabilities of these devices restrict the robustness of the encryption applied to network transmissions. Effective encryption is, by nature, processing-intensive and often requires complex calculations. The time required to complete the encryption calculations on a device with limited processing capabilities may result in unreasonable delays for the device's user. Therefore, simpler encryption algorithms and smaller keys may be used to speed the process of obtaining access.

WAP is an evolving protocol. The most recent specification of WAP (WAP 2.0 - July 2001) offers the capability of encrypting network conversations all the way from the WAP server (at the financial institution) to the WAP client (the financial institution customer). Unfortunately, WAP 2.0 has not yet been fully adopted by vendors that provide the building blocks for WAP applications. Previous versions of WAP provide encryption between the WAP client and a WAP gateway (owned by the Wireless Provider). The WAP gateway then must re-encrypt the information before it is sent across the Internet to the financial institution. Therefore, sensitive information is available at the wireless provider in an unencrypted form. This limits the financial institution's ability to provide appropriate security over customer information.
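As an added illustration, not part of the FDIC guidance or of this newsletter, the following Python simulation contrasts the WAP 1.x path (WTLS terminated at the wireless provider's gateway, then re-encrypted to the bank) with WAP 2.0 end-to-end encryption. The SHA-256 counter-mode XOR cipher is a labelled toy stand-in for WTLS/TLS, and the keys, message and Gateway class are constructed for the example.

```python
"""Simulation of the WAP 1.x gateway gap versus WAP 2.0 end-to-end encryption."""
import hashlib
import os


def _keystream(key: bytes, length: int) -> bytes:
    # Toy stream cipher (SHA-256 in counter mode) standing in for WTLS/TLS.
    # Illustrative only; not a substitute for a real cipher suite.
    out, counter = b"", 0
    while len(out) < length:
        out += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, data: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, _keystream(key, len(data))))


decrypt = encrypt  # XOR with the same keystream reverses the operation


class Gateway:
    """Hypothetical wireless provider's WAP gateway; records any cleartext it handles."""
    def __init__(self, client_key: bytes, bank_key: bytes):
        self.client_key, self.bank_key, self.seen_plaintext = client_key, bank_key, []

    def relay_wap1(self, wtls_blob: bytes) -> bytes:
        # WAP 1.x: the WTLS session ends here, so the gateway must decrypt
        # the customer's data before re-encrypting it under the TLS session to the bank.
        plaintext = decrypt(self.client_key, wtls_blob)
        self.seen_plaintext.append(plaintext)
        return encrypt(self.bank_key, plaintext)

    def relay_wap2(self, tls_blob: bytes) -> bytes:
        # WAP 2.0: TLS runs from the handset to the bank; the gateway only forwards bytes.
        return tls_blob


def run_exchange(wap2: bool) -> dict:
    k_client_gw = os.urandom(32)  # WTLS session key, handset <-> gateway (WAP 1.x)
    k_gw_bank = os.urandom(32)    # TLS session key, gateway <-> bank (WAP 1.x)
    k_e2e = os.urandom(32)        # TLS session key, handset <-> bank (WAP 2.0)
    gw = Gateway(k_client_gw, k_gw_bank)
    msg = b"acct=12345678&pin=4321&action=balance"  # constructed sample request
    if wap2:
        bank_view = decrypt(k_e2e, gw.relay_wap2(encrypt(k_e2e, msg)))
    else:
        bank_view = decrypt(k_gw_bank, gw.relay_wap1(encrypt(k_client_gw, msg)))
    return {"bank_received": bank_view == msg,
            "gateway_saw_plaintext": msg in gw.seen_plaintext}
```

Both paths deliver the request intact to the bank; only the WAP 1.x path leaves the customer's account number and PIN readable at the provider's gateway, which is the exposure the guidance describes.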

PRIVACY
- We continue our coverage of the various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Consumer and Customer:

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:

1)  maintains a deposit or investment account; 

2)  obtains a loan; 

3)  enters into a lease of personal property; or 

4)  obtains financial, investment, or economic advisory services for a fee.

Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution.

There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.

Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.

IN CLOSING - Would you like an affordable means of advertising to your Internet customers?  Then Savvy Thoughts is what you are looking for.  We do all the work such as write the e-newsletter, email the e-newsletter, collect the subscribers, etc.  Visit http://www.savvythoughts.com/ for more information.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated