October 13, 2002

FYI - U.S. companies worried about hackers stealing their trade secrets should be even more afraid of former employees, competitors and contractors, according to a new study. http://www.pcworld.com/news/article/0,aid,105528,tk,dn100202X,00.asp
FYI - With an eye toward taking the ease out of hacking, the FBI and a prestigious computer-security research group have announced the 20 most serious security vulnerabilities affecting both Windows and Unix systems. http://news.com.com/2100-1001-960574.html?tag=cd_mh
FYI - Web Site Defacements Hit All-Time High - More than 9000 attacks were recorded in September, with U.S. sites the prime targets, researcher says. http://www.pcworld.com/news/article/0,aid,105498,tk,dn093002X,00.asp
FYI - New Examination Procedures for Assessing Information Technology Risk - Over the last several years, many financial institutions have moved away from traditional mainframe-oriented computer processing environments and increased their reliance on newer technologies, such as networks, the Internet and enterprise-wide processing. As a result, the Federal Deposit Insurance Corporation is launching a new program for assessing information technology risk at FDIC-supervised financial institutions. www.fdic.gov/news/news/financial/2002/FIL02118.html
FYI - Advisory Letter 2002-10, U.S. Department of Treasury FinCEN Advisories 17A, 18A, and 26A 10/09/2002 - This issuance revises the list of countries provided in Advisory Letter 2002-5, "U.S. Department of Treasury FinCEN Advisories 28 through 32," dated June 6, 2002 (see also AL 2002-2, AL 2001-7, and AL 2000-8). FinCEN had identified 15 countries with serious deficiencies in their counter-money-laundering systems. www.occ.treas.gov/ftp/advisory/2002-7.txt
FYI - In the fine print of the Bush administration's recently released cybersecurity strategy is the stark admission that three critical components of the Internet's infrastructure are highly vulnerable to a variety of attacks. http://www.nwfusion.com/news/2002/1007security.html
FYI - A Russian hacker, lured to the United States by the FBI under the ruse of a job interview in a case that prompted a sharp rebuke from Moscow, was sentenced on Friday to three years in prison for computer crime. http://www.msnbc.com/news/817266.asp?0dm=T22AT
FYI - California State again target of hacking - Five months after investigators found a computer hacker had gained access to sensitive personal data on thousands of state employees, officials are warning hundreds of agencies of new assaults on a state computer server nicknamed "Godzilla." http://www.sacbee.com/content/news/story/4631373p-5649680c.html
FYI - British police on Tuesday said they uncovered a fake Internet bank used to con at least two people out of nearly $100,000. http://news.com.com/2110-1017-959644.html?tag=cdshrt
FYI - Washington Mutual's Web site crashed on Tuesday, marking the second site outage for the financial services company in two days. http://news.com.com/2100-1017-960346.html?tag=fd_top
INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code. According to the Official Staff Commentary (OSC), an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.
To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution. Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.
Pursuant to the regulation, the timing of a consumer's report of an unauthorized transaction, or of the loss or theft of an access device, determines the consumer's liability. A financial institution may receive such a report through an electronic medium. Therefore, the institution should ensure that controls are in place to review these notifications and to ensure that an investigation is initiated as required.
INTERNET SECURITY - We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Testing.
Management should ensure that information system networks are tested regularly. The nature, extent, and frequency of tests should be proportionate to the risks of intrusions from external and internal sources. Management should select qualified and reputable individuals to perform the tests and ensure that tests do not inadvertently damage information systems or reveal confidential information to unauthorized individuals. Management should oversee the tests, review test results, and respond to deficiencies in a timely manner. In accordance with the OCC's "Technology Risk Management: PC Banking," management should ensure that an objective, qualified source conducts a penetration test of Internet banking systems at least once a year, or more frequently when appropriate.
PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
37. For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice:

a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [§9(c)(1)] or

b. for the customer who has requested that the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [§9(c)(2)]
IN CLOSING - My horseback ride to the Carson National Forest in northern New Mexico was cold, snowing, and 50-mile-an-hour winds. But other than that, we had a great time. You will find pictures of the trip and Gray Ghost, my Appaloosa horse, at http://www.yennik.com/pictures/index.htm. Thanks for letting me take a week off.