May 5, 2002
FYI - The vast majority of successful attacks on computer systems
exploit security weaknesses which are well known and for which
patches exist, according to research company Gartner. http://www.pcworld.com/news/article/0,aid,98063,tk,dn050202X,00.asp
FYI - Stolen
Birth Certificate and Death Certificate Forms - The Federal
Bureau of Investigation has asked the Federal Deposit Insurance
Corporation to alert all FDIC-supervised banks to the theft of
official documents from the Denver County (Colorado) Vital
Statistics Office on April 9, 2002.
www.fdic.gov/news/news/financial/2002/fil0241.html
FYI - Specially
Designated Nationals and Blocked Persons - On April 19, 2002, the Department of the Treasury's Office of Foreign
Assets Control amended its listing of Specially Designated Nationals
and Blocked Persons by adding ten names of Specially Designated
Global Terrorists.
www.fdic.gov/news/news/financial/2002/fil0240.html
FYI - Circulation
of Fictitious IRS Forms and Bank Letters - The Federal Deposit
Insurance Corporation (FDIC) is alerting you that some of your
customers may be the unwitting subjects of a new fraud scheme that
uses fictitious Internal Revenue Service (IRS) forms and fraudulent
bank correspondence.
www.fdic.gov/news/news/financial/2002/fil0239.html
INTERNET COMPLIANCE - Electronic
Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction
involving stored value products is covered by Regulation E when the
transaction accesses a consumer's account (such as when value is
"loaded" onto the card from the consumer's deposit account
at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule issued on March 20, 1998 allows depository
institutions to deliver any of these disclosures, and other
information required by the act and regulation, by electronic
communication, as long as the consumer agrees to that method of
delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not specifically mentioned in the commentary, this
applies to all new banking services including electronic financial
services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, the OSC provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in function
to a telephone, such as a personal computer or a facsimile machine.
INTERNET SECURITY - We continue the series
from the FDIC "Security Risks Associated with the Internet."
While this Financial Institution Letter was published in
December 1997, the issues are still relevant.
System Architecture and
Design
The Internet can facilitate unchecked and/or undesired access to
internal systems, unless systems are appropriately designed and
controlled. Unwelcome system access can be achieved through IP
spoofing, in which an intruder impersonates a local or internal
system and is granted access without a password. If access to a
system is based only on the source IP address, an attacker can gain
access by masquerading as a legitimate, authorized user, simply by
"spoofing" that user's address. The exposure is transitive: the
attacker reaches not only the targeted system but also any system
that the targeted system in turn trusts.
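The weakness described above is that the source address is the only credential. The following added example (not code from the FDIC letter; the addresses, keys and the request format are hypothetical) contrasts an address-only check with one that requires a keyed message authentication code: a forged source address still passes the first check but fails the second, because the attacker never held the peer's secret.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Hypothetical addresses that a legacy internal system trusts outright.
TRUSTED_ADDRESSES = {"10.0.0.5", "10.0.0.6"}

# Hardened variant: each trusted peer shares a secret key with the server.
# Keys are generated at import time so the example runs offline.
PEER_KEYS = {addr: secrets.token_bytes(32) for addr in TRUSTED_ADDRESSES}


@dataclass
class Request:
    source_ip: str    # the address the request claims to come from; forgeable
    body: bytes       # the operation being requested
    tag: bytes = b""  # MAC over the body, present only in the hardened scheme


def authorize_by_address(req: Request) -> bool:
    """Address-only trust: anyone who can forge the source address gets in."""
    return req.source_ip in TRUSTED_ADDRESSES


def sign_request(source_ip: str, body: bytes) -> Request:
    """What a genuine trusted peer does: MAC the body with its own key."""
    tag = hmac.new(PEER_KEYS[source_ip], body, hashlib.sha256).digest()
    return Request(source_ip, body, tag)


def authorize_by_mac(req: Request) -> bool:
    """Keyed authorization: the address only selects which key to check;
    the MAC proves possession of the secret, which a spoofed packet lacks."""
    key = PEER_KEYS.get(req.source_ip)
    if key is None:
        return False
    expected = hmac.new(key, req.body, hashlib.sha256).digest()
    return hmac.compare_digest(expected, req.tag)


def demo() -> dict:
    body = b"POST /transfer amount=1000 to=attacker"
    genuine = sign_request("10.0.0.5", body)
    # Attacker forges the trusted source address but cannot compute the tag.
    spoofed = Request("10.0.0.5", body, tag=secrets.token_bytes(32))
    return {
        "genuine_by_address": authorize_by_address(genuine),
        "spoofed_by_address": authorize_by_address(spoofed),
        "genuine_by_mac": authorize_by_mac(genuine),
        "spoofed_by_mac": authorize_by_mac(spoofed),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'granted' if ok else 'denied'}")
```

The MAC here covers only the request body; a deployed scheme would also bind a nonce or timestamp into the signed data to stop replay of a captured genuine request, or would simply run the connection over mutually authenticated TLS.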
Improper access can also result from other technically permissible
activities that have not been properly restricted or secured. For
example, application layer protocols are the standard sets of rules
that determine how computers communicate across the Internet.
Numerous application layer protocols, each with different functions
and a wide array of data exchange capabilities, are used on the
Internet. The most familiar, Hypertext Transfer Protocol (HTTP),
carries Web pages and images. Other protocols, such as File Transfer
Protocol (FTP), permit the transfer, copying, and deletion of files
between computers, and Telnet lets a user on one computer log in to
another. Protocols such as FTP and Telnet exemplify activities that
may be improper for a given system, even though the activities are
entirely within the scope of the protocol architecture: a Web server
that also answers FTP and Telnet offers far more than Web pages.
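A practical way to catch the situation just described is to audit what an Internet-facing host is actually listening on against what it is meant to offer. The added example below (not from the FDIC letter) parses constructed sample lines in the style of `netstat -tln` output and flags listeners that are bound to all interfaces but are not on the server's allowlist, with a sharper finding for the cleartext login and file-transfer protocols. The sample output, the allowlist and the host's role are assumptions for the example.

```python
import re
from dataclasses import dataclass

# Constructed sample in the style of `netstat -tln` output; not captured
# from any real host.
SAMPLE_NETSTAT = """\
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:21              0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:23              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN
"""

# Services this (hypothetical) Web server is meant to offer to the Internet.
ALLOWED_PUBLIC_PORTS = {80, 443}

# Protocols whose presence on an Internet-facing host is a finding in its
# own right: credentials and data travel in cleartext, and a remote user can
# move files or obtain a shell.
CLEARTEXT_REMOTE_ACCESS = {21: "ftp", 23: "telnet"}

WILDCARD_BINDS = {"0.0.0.0", "::", "*"}

LINE_RE = re.compile(
    r"^(tcp6?|udp6?)\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s*(LISTEN)?"
)


@dataclass(frozen=True)
class Finding:
    port: int
    bind: str
    reason: str


def parse_listeners(text: str) -> list[tuple[str, int]]:
    """Return (bind_address, port) for every listening TCP socket."""
    listeners = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(1).startswith("tcp") and m.group(4) == "LISTEN":
            listeners.append((m.group(2), int(m.group(3))))
    return listeners


def audit(text: str, allowed: set[int] = ALLOWED_PUBLIC_PORTS) -> list[Finding]:
    """Flag listeners reachable from any interface that are not on the
    allowlist; loopback-only listeners are left alone."""
    findings = []
    for bind, port in parse_listeners(text):
        exposed = bind in WILDCARD_BINDS
        if exposed and port in CLEARTEXT_REMOTE_ACCESS:
            name = CLEARTEXT_REMOTE_ACCESS[port]
            findings.append(Finding(port, bind, f"{name} exposed: cleartext remote access"))
        elif exposed and port not in allowed:
            findings.append(Finding(port, bind, "listening on all interfaces, not an allowed public service"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_NETSTAT):
        print(f"{f.bind}:{f.port}  {f.reason}")
```

Run against real output, the same logic separates services the system is supposed to provide from services that merely happen to be enabled; anything in the second group is a candidate for removal or for a firewall rule that denies it by default.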
The open architecture of the Internet also makes it easy to launch
attacks against systems from anywhere in the world, and a system
that has been compromised can itself be used to launch attacks
against other systems. A typical attack is a denial of service
attack, which is intended to bring down a server, system, or
application, for example by overwhelming it with so many requests
that it stops responding. An attack could also be as simple as
accessing and altering a Web site, such as changing the advertised
rates on certificates of deposit.
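For the request-flood variety of denial of service described above, one standard defence is to give each client a budget of requests that refills over time, so a single flooding source exhausts only its own budget. The added example below (not from the FDIC letter) implements a per-client token bucket and runs it over constructed traffic: one address fires 200 requests in a fifth of a second while a customer sends one request per second. The addresses, rates and traffic pattern are assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class TokenBucket:
    capacity: float     # burst a single client may send before being throttled
    refill_rate: float  # tokens (requests) credited back per second
    tokens: float
    last: float         # timestamp of the previous call

    def allow(self, now: float) -> bool:
        # Credit the time elapsed since the last request, capped at capacity.
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.refill_rate)
        self.last = now
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


class PerClientLimiter:
    """One bucket per source address, so a flooding client exhausts only its
    own budget while other clients keep being served."""

    def __init__(self, capacity: float, refill_rate: float) -> None:
        self.capacity = capacity
        self.refill_rate = refill_rate
        self.buckets: dict[str, TokenBucket] = {}

    def allow(self, client: str, now: float) -> bool:
        bucket = self.buckets.get(client)
        if bucket is None:
            # A new client starts with a full bucket.
            bucket = TokenBucket(self.capacity, self.refill_rate, self.capacity, now)
            self.buckets[client] = bucket
        return bucket.allow(now)


def simulate(limiter: PerClientLimiter, requests) -> dict[str, tuple[int, int]]:
    """requests: (timestamp_seconds, client) pairs in time order.
    Returns {client: (accepted, rejected)}."""
    tally = defaultdict(lambda: [0, 0])
    for t, client in requests:
        tally[client][0 if limiter.allow(client, t) else 1] += 1
    return {c: (a, r) for c, (a, r) in tally.items()}


# Constructed addresses from the documentation ranges; not real hosts.
ATTACKER = "203.0.113.7"
CUSTOMER = "198.51.100.2"


def demo() -> dict[str, tuple[int, int]]:
    limiter = PerClientLimiter(capacity=10, refill_rate=2.0)   # burst 10, then 2/s
    traffic = [(i * 0.001, ATTACKER) for i in range(200)]      # 200 requests in 0.2 s
    traffic += [(0.05, CUSTOMER), (1.05, CUSTOMER), (2.05, CUSTOMER)]
    traffic.append((5.0, ATTACKER))                             # one request after backing off
    traffic.sort(key=lambda item: item[0])
    return simulate(limiter, traffic)


if __name__ == "__main__":
    for client, (accepted, rejected) in demo().items():
        print(f"{client}: accepted={accepted} rejected={rejected}")
```

The flooding source gets its initial burst of ten and is then refused until its bucket refills, while the customer's requests are all served. Keying the bucket on source address only helps against floods from a few sources; a distributed flood, or one using spoofed addresses, needs upstream filtering as well.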
Security Scanning Products
A number of software programs exist which run automated security
scans against Web servers, firewalls, and internal networks. These
programs are generally very effective at identifying weaknesses that
may allow unauthorized system access or other attacks against the
system. Although these products are marketed as security tools to
system administrators and information systems personnel, they are
available to anyone and may be used with malicious intent. In some
cases, the products are freely available on the Internet.
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
Content of Privacy Notice
11. Does the institution list the following categories
of affiliates and nonaffiliated third parties to whom it discloses
information, as applicable, and a few examples to illustrate the
types of the third parties in each category:
a. financial service providers; [§6(c)(3)(i)]
b. non-financial companies; [§6(c)(3)(ii)] and
c. others? [§6(c)(3)(iii)]