R. Kinney Williams & Associates

Internet Banking News

September 28, 2003



VACATION - The Internet Banking News will not be published next weekend October 5.  I am going on my annual horseback ride in the Carson National Forest, which is in northern New Mexico.  Our camp site is at 10,000 feet; therefore, I will be out of communication next week.  The Internet Banking News will return the weekend of October 12.  You will find pictures of previous trips and Gray Ghost, my appaloosa, at http://www.yennik.com/pictures/index.htm.  I will post new pictures when I return.

FYI - Computers containing customers' banking info listed on EBay - Two computers originally owned by the Bank of Montreal and containing thousands of customer files ended up on EBay.
http://www.cbc.ca/cgi-bin/templates/print.cgi?/2003/09/15/Consumers/bmo_computers030915 
The Bank of Montreal says it's contacting customers whose information was contained on two servers that wound up for sale on EBay. The bank wants to reassure them that their personal information was never compromised.  http://www.cbc.ca/cgi-bin/templates/print.cgi?/2003/09/18/Consumers/bmo_computers030918 



INTERNET COMPLIANCE
- Electronic Fund Transfer Act, Regulation E (Part 1 of 2)

Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply.  A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep.  An Interim rule was issued on March 20, 1998 that allows depository institutions to satisfy the requirement to deliver by electronic communication any of these disclosures and other information required by the act and regulations, as long as the consumer agrees to such method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures.  Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.



INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  


SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION -
Biometrics (Part 1 of 2)

Biometrics can be implemented in many forms, including tokens. Biometrics verifies the identity of the user by reference to unique physical or behavioral characteristics. A physical characteristic can be a thumbprint or iris pattern. A behavioral characteristic is the unique pattern of key depression strength and pauses made on a keyboard when a user types a phrase. The strength of biometrics is related to the uniqueness of the physical characteristic selected for verification. Biometric technologies assign data values to the particular characteristics associated with a certain feature. For example, the iris typically provides many more characteristics to store and compare, making it more unique than facial characteristics. Unlike other authentication mechanisms, a biometric authenticator does not rely on a user’s memory or possession of a token to be effective. Additional strengths are that biometrics do not rely on people to keep their biometric secret or physically secure their biometric. Biometrics is the only authentication methodology with these advantages.

Enrollment is a critical process for the use of biometric authentication. The user’s physical characteristics must be reliably recorded. Reliability may require several samples of the characteristic and a recording device free of lint, dirt, or other interference. The enrollment device must be physically secure from tampering and unauthorized use.

When enrolled, the user’s biometric is stored as a template. Subsequent authentication is accomplished by comparing a submitted biometric against the template, with results based on probability and statistical confidence levels. Practical usage of biometric solutions requires consideration of how precise systems must be for positive identification and authentication. More precise solutions increase the chances a person is falsely rejected. Conversely, less precise solutions can result in the wrong person being identified or authenticated as a valid user (i.e., false acceptance rate). The equal error rate (EER) is a composite rating that considers the false rejection and false acceptance rates. Lower EERs mean more consistent operations. However, EER is typically based upon laboratory testing and may not be indicative of actual results due to factors that can include the consistency of biometric readers to capture data over time, variations in how a user presents their biometric sample (e.g., occasionally pressing harder on a finger scanner), and environmental factors.
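The false acceptance, false rejection and equal error rates described above are easiest to see on a concrete set of match scores. The following Python is an added worked example; it is not part of the FFIEC booklet or this newsletter. All scores are constructed sample data, not output from any real biometric reader, and the "degraded reader" function is a simple assumption (every genuine sample scores a fixed amount lower) used only to show why a laboratory EER can be optimistic.

```python
"""
Worked example (added; not from the FFIEC booklet or the newsletter):
computing false acceptance rate (FAR), false rejection rate (FRR) and the
equal error rate (EER) from match scores, then showing how a field
condition the lab never saw (a reader that scores everyone lower) moves
the EER.  Every score below is constructed sample data.
"""
from fractions import Fraction

# Constructed match scores in [0, 100]; higher means closer to the template.
# A few genuine samples overlap the impostor range, as happens in practice.
GENUINE_SCORES = [92, 88, 85, 81, 79, 77, 74, 70, 66, 55, 48, 41]   # enrolled user
IMPOSTOR_SCORES = [62, 58, 55, 52, 49, 47, 44, 40, 37, 33, 28, 22]  # other people


def error_rates(threshold, genuine, impostor):
    """Return (FAR, FRR) as exact fractions when any score >= threshold is accepted.

    FAR: share of impostor samples wrongly accepted.
    FRR: share of genuine samples wrongly rejected.
    Exact Fractions avoid floating-point ties when searching for the EER.
    """
    false_accepts = sum(1 for s in impostor if s >= threshold)
    false_rejects = sum(1 for s in genuine if s < threshold)
    return Fraction(false_accepts, len(impostor)), Fraction(false_rejects, len(genuine))


def equal_error_rate(genuine, impostor):
    """Sweep every observed score as a threshold; return (threshold, EER).

    The EER is reported at the threshold where |FAR - FRR| is smallest,
    as the mean of the two rates there.  The first (lowest) threshold wins ties.
    """
    best = None
    for t in sorted(set(genuine) | set(impostor)):
        far, frr = error_rates(t, genuine, impostor)
        gap = abs(far - frr)
        if best is None or gap < best[0]:
            best = (gap, t, (far + frr) / 2)
    _, threshold, eer = best
    return threshold, eer


def degraded_reader(scores, drop):
    """Assumed field condition: a dirty or worn reader scores every genuine
    presentation `drop` points lower than the laboratory device did."""
    return [max(0, s - drop) for s in scores]


if __name__ == "__main__":
    # Precision trade-off: a strict threshold rejects more real users,
    # a loose one accepts more impostors.
    for t in (45, 55, 70):
        far, frr = error_rates(t, GENUINE_SCORES, IMPOSTOR_SCORES)
        print(f"threshold {t}: FAR={float(far):.3f} FRR={float(frr):.3f}")

    lab_t, lab_eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"lab EER {float(lab_eer):.3f} at threshold {lab_t}")

    # Same threshold sweep after the assumed reader degradation.
    field_genuine = degraded_reader(GENUINE_SCORES, 6)
    field_t, field_eer = equal_error_rate(field_genuine, IMPOSTOR_SCORES)
    print(f"field EER {float(field_eer):.3f} at threshold {field_t}")
```

Running it shows FAR falling and FRR rising as the threshold tightens, a laboratory EER of about 0.21, and a higher EER once genuine presentations score lower than they did at enrollment, which is the booklet's point about laboratory figures not predicting field results.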



INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

12. Determine whether logs of security-related events are sufficient to affix accountability for network activities, as well as support intrusion forensics and IDS. Additionally, determine that adequate clock synchronization takes place.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

9)  Does the institution list the following categories of nonpublic personal information that it collects, as applicable:

a)  information from the consumer; [§6(c)(1)(i)]

b)  information about the consumer's transactions with the institution or its affiliates; [§6(c)(1)(ii)]

c)  information about the consumer's transactions with nonaffiliated third parties; [§6(c)(1)(iii)] and

d)  information from a consumer reporting agency? [§6(c)(1)(iv)]


INTERNET AUDITING SERVICES - We offer independent Internet auditing of web site compliance and penetration-vulnerability testing.  Visit http://www.bankwebsiteaudits.com for more information about web site audits.  For information regarding penetration-vulnerability testing, visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.  We have clients in 37 states and more than 40 years of banking and bank examining experience.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated