R. Kinney Williams & Associates

Internet Banking News

May 5, 2002

FYI - The vast majority of successful attacks on computer systems exploit security weaknesses that are well known and for which patches already exist, according to research company Gartner.  http://www.pcworld.com/news/article/0,aid,98063,tk,dn050202X,00.asp

FYI - Stolen Birth Certificate and Death Certificate Forms - The Federal Bureau of Investigation has asked the Federal Deposit Insurance Corporation to alert all FDIC-supervised banks to the theft of official documents from the Denver County (Colorado) Vital Statistics Office on April 9, 2002.
www.fdic.gov/news/news/financial/2002/fil0241.html

FYI - Specially Designated Nationals and Blocked Persons - On April 19, 2002, the Department of the Treasury's Office of Foreign Assets Control amended its listing of Specially Designated Nationals and Blocked Persons by adding ten names of Specially Designated Global Terrorists.
www.fdic.gov/news/news/financial/2002/fil0240.html

FYI - Circulation of Fictitious IRS Forms and Bank Letters - The Federal Deposit Insurance Corporation (FDIC) is alerting you that some of your customers may be the unwitting subjects of a new fraud scheme that uses fictitious Internal Revenue Service (IRS) forms and fraudulent bank correspondence.
www.fdic.gov/news/news/financial/2002/fil0239.html


INTERNET COMPLIANCE
Electronic Fund Transfer Act, Regulation E (Part 1 of 2)

Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply.  A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep.  An interim rule issued on March 20, 1998 allows depository institutions to satisfy the requirement to deliver these disclosures, and other information required by the act and regulation, by electronic communication, as long as the consumer agrees to that method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures.  Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.

INTERNET SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet."  Although this Financial Institution Letter was published in December 1997, the issues are still relevant.

System Architecture and Design

The Internet can facilitate unchecked and/or undesired access to internal systems, unless systems are appropriately designed and controlled. Unwelcome system access could be achieved through IP spoofing techniques, where an intruder impersonates a local or internal system and is granted access without a password. If access to a system is based only on a source IP address, any user could gain access by masquerading as a legitimate, authorized host by "spoofing" that host's address, because the source address in a packet header is supplied by the sender and is not proof of identity. Not only could the intruder gain access to the targeted system, but so could any system that the targeted system in turn trusts.
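The following is an added example, not code from the FDIC letter or from this newsletter, that contrasts the address-only trust decision described above with one that requires the trusted host to prove its identity using a shared secret (here an HMAC; the host addresses, key and request format are constructed for the demonstration). The spoofed request passes the address-only check because the attacker simply writes the trusted host's address into the header; it fails the keyed check because the attacker does not hold the key.

```python
import hashlib
import hmac

# Constructed for the example: an internal host that the bank's server
# allows to submit transfer requests, and that host's secret key.
TRUSTED_HOST = "10.1.2.3"
HOST_KEYS = {TRUSTED_HOST: b"constructed-demo-key-for-10.1.2.3"}


def ip_only_authorized(src_ip):
    """Weak control: access is decided solely by the claimed source address."""
    return src_ip in HOST_KEYS


def sign(key, src_ip, payload):
    """Tag binding the source address and the request body to the host's key."""
    msg = src_ip.encode() + b"|" + payload
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def keyed_authorized(request, keys):
    """Hardened control: the sender must present a tag only the key holder can compute."""
    key = keys.get(request["src"])
    if key is None:
        return False
    expected = sign(key, request["src"], request["payload"])
    # constant-time comparison so the tag check itself does not leak timing
    return hmac.compare_digest(expected, request["tag"])


def legitimate_request(src_ip, payload):
    """Request built by the real trusted host, which holds its key."""
    return {"src": src_ip, "payload": payload,
            "tag": sign(HOST_KEYS[src_ip], src_ip, payload)}


def spoofed_request(victim_ip, payload):
    """Request built by an attacker who forges the header's source address.

    The attacker controls every byte of the packet, including the source
    address, but has no key, so the best it can do is a made-up tag.
    """
    return {"src": victim_ip, "payload": payload, "tag": "00" * 32}


def evaluate(request):
    """Return the verdict of both controls for the same request."""
    return {"ip_only": ip_only_authorized(request["src"]),
            "keyed": keyed_authorized(request, HOST_KEYS)}


if __name__ == "__main__":
    body = b"TRANSFER 1000.00 FROM 1001 TO 2002"
    print("legitimate:", evaluate(legitimate_request(TRUSTED_HOST, body)))
    print("spoofed:   ", evaluate(spoofed_request(TRUSTED_HOST, body)))
```

Running the block shows the legitimate request accepted by both controls and the spoofed request accepted by the address-only control but rejected by the keyed one; in practice the keyed check would be carried by an authenticated transport such as TLS with client certificates or IPsec rather than a hand-rolled tag, but the principle is the same: authenticate the principal, not the network address.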

Improper access can also result from other technically permissible activities that have not been properly restricted or secured. For example, application layer protocols are the standard sets of rules that determine how computers communicate across the Internet. Numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are used on the Internet. The most familiar, Hypertext Transfer Protocol (HTTP), facilitates the movement of text and images. But other protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers, and the Telnet protocol enables one computer to log in to another. Protocols such as FTP and Telnet exemplify activities that may be improper for a given system, even though the activities are within the scope of the protocol architecture.

The open architecture of the Internet also makes it easy for attacks to be launched against systems from anywhere in the world. Systems can even be compromised and then used to launch attacks against other systems. A typical attack would be a denial of service attack, which is intended to bring down a server, system, or application. This might be done by overwhelming a system with so many requests that it shuts down. Or, an attack could be as simple as accessing and altering a Web site, such as changing the advertised rates on certificates of deposit.


Security Scanning Products 


A number of software programs exist that run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet. Institutions should therefore assume that any service reachable from the Internet will be found and probed, and should run the same kind of scan against their own systems before an attacker does.
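The following is an added example, not code from the FDIC letter or from this newsletter, of the kind of check a scanning product performs: it connects to a list of ports, records which ones accept a connection, reads the service banner, and flags services that the paragraph on application layer protocols above identifies as inappropriate for an Internet-facing system (FTP and Telnet). So that it runs offline, the "exposed services" are constructed loopback listeners that send the banner a real FTP or Telnet daemon would send; the banner text and the policy table are assumptions for the demonstration.

```python
import socket
import threading

# Constructed banners in the shape real daemons send: FTP greets with a
# "220" reply line; Telnet opens with IAC (0xff) option negotiation and a
# login prompt.  Ports are assigned by the OS when the listener starts.
BANNERS = {
    "ftp": b"220 bank-ftp FTP server ready\r\n",
    "telnet": b"\xff\xfd\x18\xff\xfd\x20login: ",
}

# Policy the scan report applies to what it finds (an assumption here).
POLICY = {
    "ftp": "file transfer exposed to the Internet; block at the firewall",
    "telnet": "cleartext remote login; disable and use an encrypted alternative",
}


def start_fake_service(banner):
    """Start a loopback listener that sends `banner` to each client; return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port


def find_closed_port():
    """Pick a loopback port that nothing is listening on."""
    tmp = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tmp.bind(("127.0.0.1", 0))
    port = tmp.getsockname()[1]
    tmp.close()
    return port


def classify(banner):
    """Guess the application-layer protocol from the first bytes a service sends."""
    if banner.startswith(b"220"):
        return "ftp"
    if banner.startswith(b"\xff") or b"login:" in banner:
        return "telnet"
    return "unknown"


def scan(host, ports, timeout=1.0):
    """Return {port: protocol} for every port that accepts a TCP connection."""
    findings = {}
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.settimeout(timeout)
        try:
            s.connect((host, port))
        except OSError:
            s.close()
            continue  # closed or filtered: nothing to report
        try:
            banner = s.recv(128)
        except OSError:
            banner = b""  # open, but silent within the timeout
        finally:
            s.close()
        findings[port] = classify(banner)
    return findings


def report(findings):
    """List (port, protocol, policy text) for open ports the policy objects to."""
    return [(port, proto, POLICY[proto])
            for port, proto in sorted(findings.items()) if proto in POLICY]


if __name__ == "__main__":
    ports = [start_fake_service(BANNERS["ftp"]),
             start_fake_service(BANNERS["telnet"]),
             find_closed_port()]
    for line in report(scan("127.0.0.1", ports)):
        print("port %d: %s - %s" % line)
```

Run against the loopback listeners, the scan reports the FTP and Telnet ports with their policy text and says nothing about the closed port; pointed at a real address range the same logic is what a commercial or freely downloadable scanner does at much larger scale, which is why the paragraph above warns that the same tools serve attackers. Only scan hosts you are authorized to test.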


PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

11. Does the institution list the following categories of affiliates and nonaffiliated third parties to whom it discloses information, as applicable, and a few examples to illustrate the types of the third parties in each category:

a. financial service providers; [§6(c)(3)(i)]

b. non-financial companies; [§6(c)(3)(ii)] and

c. others? [§6(c)(3)(iii)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated