R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

October 12, 2003


FYI -The horseback ride to the Carson National Forest in northern New Mexico was a success.  The weather was great.  You will find pictures of the trip and Gray Ghost, my 16 year old appaloosa, at http://www.yennik.com/pictures/index.htm.  Thank you for letting me take the week off.

FYI- FFIEC Information Technology Examination Handbook - The Federal Financial Institutions Examination Council has issued updated guidance in three booklets on electronic banking, information technology audit, and the FedLine electronic funds transfer application. 
Press Release: www.occ.treas.gov/ftp/bulletin/2003-41.txt
Attachment: www.occ.treas.gov/ftp/bulletin/2003-41a.pdf
Attachment: www.ffiec.gov/ffiecinfobase//index.html
Attachment: www.ffiec.gov/ffiecinfobase/html_pages/it_01.html#ebank

FYI- Publicly traded companies could be required to disclose whether they are doing anything to secure information on their computer systems, U.S. Office of Homeland Security Secretary Tom Ridge said.  http://news.com.com/2100-7350-5089279.html?tag=cd_top 

Thieves nab private data of 120,000 Canadians - Four computers taken from tax department had names, addresses and SIN numbers.  www.nationalpost.com/components/printstory/printstory.asp?id=265166B5-49E3-4256-8C34-434D908C8DC5   

FYI- Online vandals are quickly exploiting flaws, leaving companies with little time to patch their computer systems, according to a report published by Symantec.  http://zdnet.com.com/2102-1105_2-5084992.html?tag=printthis 

FYI- The House passed legislation that would allow banks to clear checks electronically, potentially slashing paperwork in a speedier and less costly process.  http://www.salon.com/news/wire/2003/10/08/checks/index.html 

FYI - Study: Regulations driving security spending - A poll of corporate executives found that companies are increasing spending on security to satisfy legislation--not necessarily because their CEOs have seen the light.  http://news.com.com/2102-7355_3-5083758.html?tag=ni_print 

FYI - Web security executive accused of hacking military - The head of an Internet security company who claimed to have found dangerous loopholes in U.S. military computers pleaded innocent Tuesday to charges that he hacked into government networks for financial gain.  http://www.cnn.com/2003/TECH/internet/09/30/computer.case.ap/index.html 

FYI - US p2p study reveals glaring security holes - A study into p2p apps on government systems has revealed glaring security holes.  http://www.gnutellanews.com/article/8179 

TESTIMONY - Critical Infrastructure Protection: Challenges in Securing Control Systems.
Complete report:  http://www.gao.gov/new.items/d04140t.pdf 
Highlights:  http://www.gao.gov/highlights/d04140thigh.pdf 

Return to the top of the newsletter

INTERNET COMPLIANCEElectronic Fund Transfer Act, Regulation E (Part 2 of 2)

Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC,) an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.

Return to the top of the newsletter

- We continue our series on the FFIEC interagency Information Security Booklet.  



Biometrics (Part 2 of 2)

Weaknesses in biometric systems relate to the ability of an attacker to submit false physical characteristics, or to take advantage of system flaws to make the system erroneously report a match between the characteristic submitted and the one stored in the system. In the first situation, an attacker might submit to a thumbprint recognition system a copy of a valid user’s thumbprint. The control against this attack involves ensuring a live thumb was used for the submission. That can be done by physically controlling the thumb reader, for instance having a guard at the reader to make sure no tampering or fake thumbs are used. In remote entry situations, logical liveness tests can be performed to verify that the submitted data is from a live subject.

Attacks that involve making the system falsely deny or accept a request take advantage of either the low degrees of freedom in the characteristic being tested, or improper system tuning. Degrees of freedom relate to measurable differences between biometric readings, with more degrees of freedom indicating a more unique biometric. Facial recognition systems, for instance, may have only nine degrees of freedom while other biometric systems have over one hundred. Similar faces may be used to fool the system into improperly authenticating an individual. Similar irises, however, are difficult to find and even more difficult to fool a system into improperly authenticating.

Attacks against system tuning also exist. Any biometric system has rates at which it will falsely accept a reading and falsely reject a reading. The two rates are inseparable; for any given system improving one worsens the other. Systems that are tuned to maximize user convenience typically have low rates of false rejection and high rates of false acceptance. Those systems may be more open to successful attack.

Return to the top of the newsletter



13. Determine if logs of security-related events are appropriately secured against unauthorized access, change, and deletion for an adequate time period, and that reporting to those logs is adequately protected.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

10)  Does the institution list the following categories of nonpublic personal information that it discloses, as applicable, and a few examples of each, or alternatively state that it reserves the right to disclose all the nonpublic personal information that it collects:

a)  information from the consumer;

b)  information about the consumer's transactions with the institution or its affiliates;

c)  information about the consumer's transactions with nonaffiliated third parties; and

d)  information from a consumer reporting agency? [§6(c)(2)]

Return to the top of the newsletter

INTERNET AUDITING SERVICES - We offer independent Internet auditing regarding web sites compliance and penetration-vulnerability  testing.  Visit http://www.bankwebsiteaudits.com for more information about web site audits.  For information regarding penetration-vulnerability testing visit http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.  We have clients in 37 states and more than 40 years banking and bank examining experience.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated