May 12, 2002
- Mail processed in a secure facility outside the
Federal Reserve Board buildings has tested positive for traces of anthrax
INTERNET COMPLIANCE - Electronic
Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization for
preauthorized transfers from a consumer's account includes an electronic
authorization that is not signed, but similarly authenticated by the
consumer, such as through the use of a security code.
According to the OSC, an example of a consumer's authorization that
is not in the form of a signed writing but is, instead, "similarly
authenticated," is a consumer's authorization via a home banking
system. To satisfy the
regulatory requirements, the institution must have some means to identify
the consumer (such as a security code) and make a paper copy of the
authorization available (automatically or upon request).
The text of the electronic authorization must be displayed on a
computer screen or other visual display that enables the consumer to read
the communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf of the
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a consumer's
liability. A financial
institution may receive correspondence through an electronic medium
concerning an unauthorized transaction, loss, or theft of an access
device. Therefore, the
institution should ensure that controls are in place to review these
notifications and also to ensure that an investigation is initiated as
INTERNET SECURITY - We continue the
series from the FDIC
"Security Risks Associated with the Internet."
While this Financial Institution Letter was published in December
1997, the issues are still relevant.
Logical Access Controls
A primary concern in controlling system access is the safeguarding of user
IDs and passwords. The
Internet presents numerous issues to consider in this regard. Passwords
can be obtained through deceptive "spoofing" techniques such as
redirecting users to false Web sites where passwords or user names are
entered, or creating shadow copies of Web sites where attackers can
monitor all activities of a user. Many "spoofing" techniques are
hard to identify and guard against, especially for an average user, making
authentication processes an important defense mechanism.
The unauthorized or unsuspected acquisition of data such as passwords,
user IDs, e-mail addresses, phone numbers, names, and addresses, can
facilitate an attempt at unauthorized access to a system or application.
If passwords and user IDs are a derivative of someone's personal
information, malicious parties could use the information in software
programs specifically designed to generate possible passwords. Default
files on a computer, sometimes called "cache" files, can
automatically retain images of such data received or sent over the
Internet, making them a potential target for a system intruder.
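The passage above on passwords derived from personal information is one a defender can act on at enrollment time. What follows is an added example, not code from the FDIC letter or this newsletter: a password-policy check that rejects any password containing tokens taken from the consumer's own profile (name, user ID, e-mail, phone, birth date). It goes slightly beyond the letter by also undoing a few common symbol-for-letter substitutions before matching; the profile fields, the `LEET` table and the sample Maria Lopez record are all constructed assumptions.

```python
import re
from datetime import date

# Common symbol-for-letter substitutions undone before matching (assumed list).
LEET = str.maketrans("@$013!", "asolei")

def _profile_tokens(profile):
    """Lowercase substrings a guessing program could be seeded with from a profile."""
    toks = {profile.get(k, "").lower() for k in ("first_name", "last_name", "user_id")}
    local = profile.get("email", "").split("@", 1)[0].lower()
    toks.add(local)
    toks.update(p for p in re.split(r"[._-]", local) if p)
    phone = re.sub(r"\D", "", profile.get("phone", ""))
    if len(phone) >= 4:
        toks.update({phone, phone[-4:]})
    dob = profile.get("birth_date")
    if dob:
        toks.update(dob.strftime(f) for f in ("%Y", "%m%d", "%d%m", "%m%d%Y", "%Y%m%d"))
    return {t for t in toks if len(t) >= 3}

def personal_info_hits(password, profile):
    """Return (sorted) profile tokens found in the password, checking the
    lowercased/de-leeted form for words and the raw digit run for numbers."""
    normalized = password.lower().translate(LEET)
    digits = re.sub(r"\D", "", password)
    return sorted(t for t in _profile_tokens(profile)
                  if t in normalized or (t.isdigit() and t in digits))

def password_acceptable(password, profile, min_len=12):
    """Policy gate returning (ok, reasons): rejects short passwords and any
    password that embeds the consumer's name, user ID, e-mail, phone or birth date."""
    if len(password) < min_len:
        return False, ["too short"]
    hits = personal_info_hits(password, profile)
    return not hits, hits

# Constructed sample consumer record (not real data).
SAMPLE_PROFILE = {
    "first_name": "Maria", "last_name": "Lopez", "user_id": "mlopez77",
    "email": "maria.lopez@example.com", "phone": "(555) 123-4567",
    "birth_date": date(1980, 4, 21),
}

if __name__ == "__main__":
    for pw in ("M@ria1980!", "M@ria.L0pez1980!", "correct-horse-battery-staple"):
        print(pw, password_acceptable(pw, SAMPLE_PROFILE))
```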
Security Flaws and Bugs / Active Content Languages
Security flaws and bugs in software and hardware design also represent an
area of concern.
Security problems are often identified after the release of a new product,
and solutions to correct security flaws commonly contain flaws themselves.
Such vulnerabilities are usually widely publicized, and the identification
of new bugs is constant. These bugs and flaws are often serious enough to
compromise system integrity. Security flaws and exploitation guidelines
are also frequently available on hacker Web sites. Furthermore, software
marketed to the general public may not contain sufficient security
controls for financial institution applications.
Newly developed languages and technologies present similar security
concerns, especially when dealing with network software or active content
languages which allow computer programs to be attached to Web pages (e.g.,
Java, ActiveX). Security flaws identified in Web browsers (i.e.,
application software used to navigate the Internet) have included bugs
which, theoretically, may allow the installation of programs on a Web
server, which could then be used to back into the bank's system. Even if
new technologies are regarded as secure, they must be managed properly.
For example, if controls over active content languages are inadequate,
potentially hostile and malicious programs could be automatically
downloaded from the Internet and executed on a system.
Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or networks
that are connected to the Internet, because they may be downloaded
directly. Aside from causing destruction or damage to data, these programs
could open a communication link with an external network, allowing
unauthorized system access, or even initiating the transmission of data.
PRIVACY EXAMINATION QUESTION - We continue our series
listing the regulatory-privacy examination questions. When you
answer the question each week, you will help ensure compliance with the
Content of Privacy Notice
12. Does the institution make the following disclosures regarding service
providers and joint marketers to whom it discloses nonpublic personal
information under §13:
a. as applicable, the same
categories and examples of nonpublic personal information disclosed as
described in paragraphs (a)(2) and (c)(2) of section six (6) (see
questions 8b and 10); and [§6(c)(4)(i)]
b. that the third party is a service provider that performs marketing on
the institution’s behalf or on behalf of the institution and another
financial institution; [§6(c)(4)(ii)(A)] or
c. that the third party is a financial institution with which the
institution has a joint marketing agreement? [§6(c)(4)(ii)(B)]