R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

July 21, 2002

FYI - Creating a "Good Housekeeping" approval seal of sorts, the government is releasing standards and a software program that will help computer users configure their systems for maximum security against hackers and thieves.  http://www.foxnews.com/story/0,2933,57870,00.html 

FYI - Federal agency officials could be held accountable for inadequately securing their information systems under new guidelines issued by the Office of Management and Budget.  
Press release:  http://www.fcw.com/fcw/articles/2002/0715/news-gisra-07-15-02.asp
Regulation:  http://www.whitehouse.gov/omb/memoranda/m02-09.pdf 

FYI - The Office of Thrift Supervision is hosting an inter-agency information technology security conference October 15 - 17, 2002 at the Hilton DFW Lakes Executive Center in Grapevine, Texas.  The conference is offered in cooperation with the Federal Deposit Insurance Corporation Office of the Comptroller of the Currency, Texas Department of Banking and the Federal Reserve Bank of Dallas. www.ots.treas.gov/docs/48906.pdf

Treasury and Federal Financial Regulators Issue Patriot Act Regulations on Customer Identification - The Department of the Treasury and seven federal financial regulators today issued proposed rules that would require certain financial institutions to establish minimum procedures for identifying and verifying the identity of customers seeking to open new financial accounts.
FRB Press Release:  www.federalreserve.gov/boarddocs/press/bcreg/2002/20020717/default.htm  
FDIC Press Release:  www.fdic.gov/news/news/press/2002/pr8502.html  
NCUA Press Release:  www.ncua.gov/news/press_releases/nr02-0717-1.html
OCC Press Release:  www.occ.treas.gov/ftp/release/2002-59.txt
OCC Attachment :  www.occ.treas.gov/ftp/release/2002-59a.pdf
OTS Press Release:  www.ots.treas.gov/docs/77231.html

Weaknesses in the Federal Deposit Insurance Corp.'s IT strategy have left financial information open to attack, a new report says.  The report from the General Accounting Office identified "new weaknesses" in the FDIC's information systems controls that affect its ability to safeguard electronic access to sensitive data.  The complete GAO report can be found at http://www.gao.gov/new.items/d02689.pdf

- Malicious computer hackers could soon face life in prison for some computer crimes.  http://news.bbc.co.uk/hi/english/sci/tech/newsid_2131000/2131773.stm 

Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)

Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign-up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

- We continue the series  from the FDIC "Security Risks Associated with the Internet."  While this Financial Institution Letter was published in December 1997, the issues still are relevant.

Logical Access Controls (Part 1 of 2)

If passwords are used for access control or authentication measures, users should be properly educated in password selection. Strong passwords consist of at least six to eight alpha numeric characters, with no resemblance to any personal data. PINs should also be unique, with no resemblance to personal data. Neither passwords nor PINs should ever be reduced to writing or shared with others. 

Other security measures should include the adoption of one-time passwords, or password aging measures that require periodic changes. Encryption technology can also be employed in the entry and transmission of passwords, PINs, user IDs, etc. Any password directories or databases should be properly protected, as well. 

Password guessing programs can be run against a system. Some can run through tens of thousands of password variations based on personal information, such as a user's name or address. It is preferable to test for such vulnerabilities by running this type of program as a preventive measure, before an unauthorized party has the opportunity to do so. Incorporating a brief delay requirement after each incorrect login attempt can be very effective against these types of programs. In cases where a potential attacker is monitoring a network to collect passwords, a system utilizing one-time passwords would render any data collected useless. 

When additional measures are necessary to confirm that passwords or PINs are entered by the user, technologies such as tokens, smart cards, and biometrics can be useful. Utilizing these technologies adds another dimension to the security structure by requiring the user to possess something physical.

PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

22. Does the institution provide the consumer with at least one of the following reasonable means of opting out, or with another reasonable means:

a. check-off boxes prominently displayed on the relevant forms with the opt out notice; [§7(a)(2)(ii)(A)]

b. a reply form included with the opt out notice; [§7(a)(2)(ii)(B)]

c. an electronic means to opt out, such as a form that can be sent via electronic mail or a process at the institution’s web site, if the consumer agrees to the electronic delivery of information; [§7(a)(2)(ii)(C)] or

d. a toll-free telephone number? [§7(a)(2)(ii)(D)]

Note: the institution may require the consumer to use one specific means, as long as that means is reasonable for that consumer. [§7(a)(iv)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated