R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

May 18, 2003

CONTENT
INTERNET COMPLIANCE INFORMATION SYSTEMS SECURITY INFORMATION SECURITY QUESTION
INTERNET PRIVACY PENETRATION TESTS - WEB SITE AUDITS


As you can see, I have changed the introduction by adding links to the subject categories.  One of our subscribers email me that the content was getting large and was there someway to find the subject categories easier.  I want to give a special thanks to the subscriber for the comments.  The links only work if you are receiving your emails in html format.  I hope that the links are helpful to all subscribers.  If you have a suggestion, please email me your ideas.   

Thanks for your subscription,  

Kinney

FYI  - The accused students used a sophisticated computer program which is able to detect the keystrokes used in typing in a password and transfer the information to a website, "ispynow.com," so the information could be accessed from a remote site.  http://www.stoughtonnews.com/news.cfm?num=3471 

FYI  - WLAN Insecurity Remains a Threat - AirDefense Inc., a wireless LAN security company, set up one of its sensors on the show floor at last week's Networld+Interop show in Las Vegas, and in just two hours of monitoring found 230 wireless access points, including 92 that were transmitting their traffic in the clear without encryption.  http://www.eweek.com/article2/0,3959,1072266,00.asp 

FYI - First Union Hoax on the Loose - A hoax e-mail purporting to come from First Union Bank and attempting to dupe recipients to visit a malicious Web site is making the rounds on the Internet.  http://www.eweek.com/article2/0,3959,1068224,00.asp 

FYI - Bank Web Site Scam Spreads - Bank of America has warned its customers to be aware of a scam which attempts to get them to log in to a fake Web site which then captures their personal financial details.  http://www.pcworld.com/news/article/0,aid,110725,tk,dn051403X,00.asp 

FYI - 800 Visa cards blocked Credit union responds to data hacking - Someone hacked into a merchant's computer system, compromising information on cards and leaving some bank and credit-union customers without use of cards with the Visa logo.  http://www.timesdispatch.com/business/MGB6S1MMEFD.html 

Return to top of newsletter.  Return to the top of the newsletter

INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E  (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, OSC regulations provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required. 


Return to top of newsletter.  Return to the top of the newsletter

INFORMATION SYSTEMS SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.  

INFORMATION SECURITY RISK ASSESSMENT

ANALYZE INFORMATION (2 of 2)

Since specific scenarios can become too numerous for financial institutions to address individually, various techniques are used to generalize and extend the scenarios. For instance, one technique starts with a specific scenario and looks at additional damage that could occur if the attacker had different knowledge or motivation. This technique allows the reviewers to see the full extent of risk that exists from a given vulnerability. Another technique aggregates scenarios by high-value system components.

Scenarios should consider attacks against the logical security, physical security, and combinations of logical and physical attacks. In addition, scenarios could consider social engineering, which involves manipulation of human trust by an attacker to obtain access to computer systems. It is often easier for an attacker to obtain access through manipulation of one or more employees than to perform a logical or physical intrusion.

The risk from any given scenario is a function of the probability of the event occurring and the impact on the institution. The probability and impact are directly influenced by the financial institution's business profile, the effectiveness of the financial institution's controls, and the relative strength of controls when compared to other industry targets.

The probability of an event occurring is reflected in one of two ways. If reliable and timely probability data is available, institutions can use it. Since probability data is often limited, institutions can assign a qualitative probability, such as frequent, occasional, remote, and improbable.

Frequently, TSPs perform some or all of the institution's information processing and storage. Reliance on a third party for hosting systems or processing does not remove the institution's responsibility for securing the information. It does change how the financial institution will fulfill its role. Accordingly, risk assessments should evaluate the sensitivity of information accessible to or processed by TSPs, the importance of the processing conducted by TSPs, communications between the TSP's systems and the institution, contractually required controls, and the testing of those controls. Additional vendor management guidance is contained in the FFIEC's statement on "Risk Management of Outsourced Technology Services," dated November 28, 2000.

Return to top of newsletter.  Return to the top of the newsletter

INFORMATION SECURITY QUESTION:

A. AUTHENTICATION AND ACCESS CONTROLS
- Authentication

4. Determine if all authenticators (e.g., passwords, shared secrets) are protected while in storage and during transmission to prevent disclosure.

Identify processes and areas where authentication information may be available in clear text and evaluate the effectiveness of compensating risk management controls.


Identify the encryption used and whether one-way hashes are employed to secure the clear text from anyone, authorized or unauthorized, who accesses the authenticator storage area.


Return to top of newsletter.  Return to the top of the newsletter

INTERNET PRIVACY
-We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Examination Procedures
(Part 3 of 3)

E. Ascertain areas of risk associated with the financial institution's sharing practices (especially those within Section 13 and those that fall outside of the exceptions ) and any weaknesses found within the compliance management program. Keep in mind any outstanding deficiencies identified in the audit for follow-up when completing the modules.

F. Based on the results of the foregoing initial procedures and discussions with management, determine which procedures if any should be completed in the applicable module, focusing on areas of particular risk. The selection of procedures to be employed depends upon the adequacy of the institution's compliance management system and level of risk identified. Each module contains a series of general instruction to verify compliance, cross-referenced to cites within the regulation. 
Additionally, there are cross-references to a more comprehensive checklist, which the examiner may use if needed to evaluate compliance in more detail.

G. Evaluate any additional information or documentation discovered during the course of the examination according to these procedures. Note that this may reveal new or different sharing practices necessitating reapplication of the Decision Trees and completion of additional or different modules.

H. Formulate conclusions.

1)  Summarize all findings.

2)  For violation(s) noted, determine the cause by identifying weaknesses in internal controls, compliance review, training, management oversight, or other areas.

3)  Identify action needed to correct violations and weaknesses in the institution's compliance system, as appropriate.

4)  Discuss findings with management and obtain a commitment for corrective action.

Return to top of newsletter.  Return to the top of the newsletter

PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web sites compliance and penetration-vulnerability  testing. 
Visit http://www.bankwebsiteaudits.com for more information about web site audits.  For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated