R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

July 27, 2003


FYI - Trojan Horse, Meet The Home Office - In October 2000, a hacker attacked Microsoft using an employee's home computer as a springboard to computers at its Redmond, Wash., headquarters, where the attacker found access to secret software code.  http://www.forbes.com/2003/07/15/cx_ah_0715telecommute.html 

FYI- FTC Targets New Form of Identity Theft - Stealing identities and credit card numbers with bogus e-mail and Web sites that appear to come from legitimate companies is an increasing problem on the Internet, federal officials warned Monday.  http://www.washingtonpost.com/wp-dyn/articles/A23606-2003Jul21.html 

Managing the Risk of ACH Debit Entries - The Federal Reserve Bank of Dallas has issued information regarding ACH business practices that can impact financial institutions and ways to manage the risk associated with ACH debit entries.  http://www.dallasfed.org/htm/pubs/pdfs/notices/2003/03-36.pdf 

FYI- Thwart Insider Abuse - The threat to corporate security and intellectual property from insiders remains one of the biggest challenges facing IT departments today.  http://www.computerworld.com/securitytopics/security/story/0,10801,82922,00.html?nas=-82922 

Wells Fargo Customers Hit With E-Mail Scam - Message included an attachment used to collect passwords from recipients' PCs.  http://www.pcworld.com/news/article/0,aid,111707,tk,dn072303X,00.asp 

Return to the top of the newsletter

INTERNET COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." 


Reputation Risk

Trade Names

If the third party has a name similar to that of the financial institution, there is an increased likelihood of confusion for the customer and increased exposure to reputation risk for the financial institution. For example, if customers access a similarly named broker from the financial institution's website, they may believe that the financial institution is providing the brokerage service or that the broker's products are federally insured.

Website Appearance

The use of frame technology and other similar technologies may confuse customers about which products and services the financial institution provides and which products and services third parties, including affiliates, provide. If frames are used, when customers link to a third-party website through the institution-provided link, the third-party webpages open within the institution's master webpage frame. For example, if a financial institution provides links to a discount broker and the discount broker's webpage opens within the institution's frame, the appearance of the financial institution's logo on the frame may give the impression that the financial institution is providing the brokerage service or that the two entities are affiliated. Customers may believe that their funds are federally insured, creating potential reputation risk to the financial institution in the event the brokerage service should fail or the product loses value.

Compliance Risk

The compliance risk to an institution linking to a third-party's website depends on several factors. These factors include the nature of the products and services provided on the third-party's website, and the nature of the institution's business relationship with the third party. This is particularly true with respect to compensation arrangements for links. For example, a financial institution that receives payment for offering advertisement-related weblinks to a settlement service provider's website should carefully consider the prohibition against kickbacks, unearned fees, and compensated referrals under the Real Estate Settlement Procedures Act (RESPA).

The financial institution has compliance risk as well as reputation risk if linked third parties offer less security and privacy protection than the financial institution. Third-party sites may have less secure encryption policies, or less stringent policies regarding the use and security of their customer's information. The customer may be comfortable with the financial institution's policies for privacy and security, but not with those of the linked third party. If the third-party's policies and procedures create security weaknesses or apply privacy standards that permit the third party to release confidential customer information, customers may blame the financial institution.

FYI CLIENTS - The complete statement on Weblinking: Identifying Risks and Risk Management Techniques can be found at http://www.fdic.gov/news/news/financial/2003/fil0330a.html

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  



Access Rights Administration (5 of 5)

The access rights process also constrains user activities through an acceptable - use policy (AUP). Users who can access internal systems typically are required to agree to an AUP before using a system. An AUP details the permitted system uses and user activities and the consequences of noncompliance. AUPs can be created for all categories of system users, from internal programmers to customers. An AUP is a key control for user awareness and administrative policing of system activities. Examples of AUP elements for internal network and stand - alone users include:

! The specific access devices that can be used to access the network;

! Hardware and software changes the user can make to their access device;

! The purpose and scope of network activity;

! Network services that can be used, and those that cannot be used;

! Information that is allowable and not allowable for transmission using each allowable service;

! Bans on attempting to break into accounts, crack passwords, or disrupt service;

! Responsibilities for secure operation; and

! Consequences of noncompliance.

Depending on the risk associated with the access, authorized internal users should generally receive a copy of the policy and appropriate training, and signify their understanding and agreement with the policy before management grants access to the system.

Customers may be provided with a Web site disclosure as their AUP. Based on the nature of the Web site, the financial institution may require customers to demonstrate knowledge of and agreement to abide by the terms of the AUP. That evidence can be paper based or electronic.

Authorized users may seek to extend their activities beyond what is allowed in the AUP, and unauthorized users may seek to gain access to the system and move within the system. Network security controls provide the protection necessary to guard against those threats.

Return to the top of the newsletter



Evaluate controls that are in place to install new or change existing network infrastructure and to prevent unauthorized connections to the financial institution’s network.

• Review network architecture policies and procedures to establish new, or
change existing, network connections and equipment.

• Identify controls used to prevent unauthorized deployment of network connections and equipment.

• Review the effectiveness and timeliness of controls used to prevent and report unauthorized network connections and equipment.

Return to the top of the newsletter

We continue covering various issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies in May 2001.

Initial Privacy Notice

1)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all customers not later than when the customer relationship is established, other than as allowed in paragraph (e) of section four (4) of the regulation? [§4(a)(1))]?

(Note: no notice is required if nonpublic personal information is disclosed to nonaffiliated third parties only under an exception in Sections 14 and 15, and there is no customer relationship. [§4(b)] With respect to credit relationships, an institution establishes a customer relationship when it originates a consumer loan. If the institution subsequently sells the servicing rights to the loan to another financial institution, the customer relationship transfers with the servicing rights. [§4(c)])

Return to the top of the newsletter

PENETRATION TESTS - WEB SITE AUDITS - We offer independent Internet auditing regarding web sites compliance and penetration-vulnerability  testing. 
Visit http://www.bankwebsiteaudits.com for more information about web site audits.  For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated