R. Kinney Williams & Associates

Internet Banking News

October 13, 2002

FYI - U.S. companies worried about hackers stealing their trade secrets should be even more afraid of former employees, competitors and contractors, according to a new study.  http://www.pcworld.com/news/article/0,aid,105528,tk,dn100202X,00.asp 

FYI - With an eye toward taking the ease out of hacking, the FBI and a prestigious computer-security research group have announced the 20 most serious security vulnerabilities affecting both Windows and Unix systems.  http://news.com.com/2100-1001-960574.html?tag=cd_mh 

FYI - Web Site Defacements Hit All-Time High - More than 9000 attacks were recorded in September, with U.S. sites the prime targets, researcher says.  http://www.pcworld.com/news/article/0,aid,105498,tk,dn093002X,00.asp 

FYI - New Examination Procedures for Assessing Information Technology Risk - Over the last several years, many financial institutions have moved away from traditional mainframe-oriented computer processing environments and increased their reliance on newer technologies, such as networks, the Internet and enterprise-wide processing. As a result, the Federal Deposit Insurance Corporation is launching a new program for assessing information technology risk at FDIC-supervised financial institutions. www.fdic.gov/news/news/financial/2002/FIL02118.html

FYI - Advisory Letter 2002-10, U.S. Department of Treasury FinCEN Advisories 17A, 18A, and 26A 10/09/2002 - This issuance revises the list of countries provided in Advisory Letter 2002-5, "U.S. Department of Treasury FinCEN Advisories 28 through 32," dated June 6, 2002 (see also AL 2002-2, AL 2001-7, and AL 2000-8). FinCEN had identified 15 countries with serious deficiencies in their counter-money-laundering systems. www.occ.treas.gov/ftp/advisory/2002-7.txt

FYI - In the fine print of the Bush administration's recently released cybersecurity strategy is the stark admission that three critical components of the Internet's infrastructure are highly vulnerable to a variety of attacks. http://www.nwfusion.com/news/2002/1007security.html 

FYI - A Russian hacker, lured to the United States by the FBI under the ruse of a job interview in a case that prompted a sharp rebuke from Moscow, was sentenced on Friday to three years in prison for computer crime.  http://www.msnbc.com/news/817266.asp?0dm=T22AT 

FYI - California State again target of hacking - Five months after investigators found a computer hacker had gained access to sensitive personal data on thousands of state employees, officials are warning hundreds of agencies of new assaults on a state computer server nicknamed "Godzilla."   http://www.sacbee.com/content/news/story/4631373p-5649680c.html 

FYI - British police on Tuesday said they uncovered a fake Internet bank used to con at least two people out of nearly $100,000.  http://news.com.com/2110-1017-959644.html?tag=cdshrt 

FYI - Washington Mutual's Web site crashed on Tuesday, marking the second site outage for the financial services company in two days.  http://news.com.com/2100-1017-960346.html?tag=fd_top 

INTERNET COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC), an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means of identifying the consumer (such as a security code) and must make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.  Only the consumer may authorize the transfer; a third-party merchant, for example, may not authorize it on the consumer's behalf.

Pursuant to the regulation, the timing of a consumer's report of an unauthorized transaction or of the loss or theft of an access device determines the consumer's liability.  A financial institution may receive such a report through an electronic medium (for example, e-mail or a message sent through the home banking system).  Therefore, the institution should ensure that controls are in place to review these notifications promptly, to record when each was received, and to ensure that an investigation is initiated as required.

We continue our review of the OCC Bulletin about Infrastructure Threats and Intrusion Risks. This week we review Testing.

Management should ensure that information system networks are tested regularly. The nature, extent, and frequency of tests should be proportionate to the risks of intrusions from external and internal sources. Management should select qualified and reputable individuals to perform the tests and ensure that tests do not inadvertently damage information systems or reveal confidential information to unauthorized individuals. Management should oversee the tests, review test results, and respond to deficiencies in a timely manner. In accordance with OCC's "Technology Risk Management: PC Banking," management should ensure that an objective, qualified source conducts a penetration test of Internet banking systems at least once a year or more frequently when appropriate.

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

37.  For annual notices only, if the institution does not employ one of the methods described in question 36, does the institution employ one of the following reasonable means of delivering the notice:

a. for the customer who uses the institution's web site to access products and services electronically and who agrees to receive notices at the web site, continuously posting the current privacy notice on the web site in a clear and conspicuous manner; [9(c)(1)] or

b. for the customer who has requested the institution refrain from sending any information about the customer relationship, making copies of the current privacy notice available upon customer request? [9(c)(2)]

IN CLOSING - My horseback ride to the Carson National Forest in northern New Mexico was cold and snowy, with 50-mile-an-hour winds.  But other than that, we had a great time.  You will find pictures of the trip and of Gray Ghost, my appaloosa horse, at http://www.yennik.com/pictures/index.htm.  Thanks for letting me take a week off.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated