R. Kinney Williams & Associates

Internet Banking News

November 2, 2003

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Internet Auditing Services


FYI - Security is one of the major issues facing organizations that purchase software services from application service providers (ASP).  Security issues exist at two key points in the ASP-client relationship: transmission and access.  Organizations must protect the data moving between themselves and the ASP and secure the data that is stored on the ASP's servers.  http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5462

FYI - European Union develops cyber crime forensics standards - The IT industry has teamed up with academics and European Union researchers to develop standards for the investigation of cybercrime.  http://www.theregister.co.uk/content/55/33615.html

FYI - FFIEC Information Technology Examination Handbook - The Federal Financial Institutions Examination Council has issued three booklets with guidance on: evaluating electronic banking activities; IT audits; and the FedLine electronic funds transfer application.  www.fdic.gov/news/news/financial/2003/fil0383.html

FYI - New law would require computer security audits, status reports - New legislation being drafted in the U.S. House of Representatives, which could be introduced as early as next week, would require all publicly traded companies to conduct independent computer security assessments and report the results yearly in their annual reports.  http://www.computerworld.com/printthis/2003/0,4814,86455,00.html 

FYI - Check Clearing for the 21st Century Act - The Check Clearing for the 21st Century Act was signed into law on October 28, 2003, and will become effective on October 28, 2004.  Check 21 is designed to foster innovation in the payments system and to enhance its efficiency by reducing some of the legal impediments to check truncation.  www.federalreserve.gov/paymentsystems/truncation/default.htm

FYI - Citibank Customers Hit With E-Mail Scam - Fake e-mail and a spoofed web site were used to gain personal information.  http://www.pcworld.com/news/article/0,aid,113118,tk,dn102703X,00.asp


INTERNET COMPLIANCE - "Member FDIC" Logo - When is it required?

The FDIC believes that every bank's home page is to some extent an advertisement. Accordingly, bank web site home pages should contain the official advertising statement unless the advertisement is subject to exceptions such as advertisements for loans, securities, trust services and/or radio or television advertisements that do not exceed thirty seconds. 

Whether subsidiary web pages require the official advertising statement will depend upon the content of the particular page.  Subsidiary web pages that advertise deposits must contain the official advertising statement.  Conversely, subsidiary web pages that relate to loans do not require the official advertising statement. 

CLIENTS - For more information regarding the "Member FDIC" logo, please visit
http://www.fdic.gov/regulations/resources/signage/index.html.



INFORMATION SYSTEMS SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 2 of 2)

Social engineering involves an attacker obtaining authenticators by simply asking for them. For instance, the attacker may masquerade as a legitimate user who needs a password reset, or a contractor who must have immediate access to correct a system performance problem. By using persuasion, being aggressive, or using other interpersonal skills, the attackers encourage a legitimate user or other authorized person to give them authentication credentials. Controls against these attacks involve strong identification policies and employee training.

Client attacks are an area of vulnerability common to all authentication mechanisms. Passwords, for instance, can be captured by hardware- or software-based keystroke capture mechanisms. PKI private keys could be captured or reverse-engineered from their tokens. Protection against these attacks primarily consists of physically securing the client systems and, if a shared secret is used, changing the secret on a frequency commensurate with risk. While physically securing the client system is possible within areas under the financial institution's control, client systems outside the institution may not be similarly protected.

Replay attacks occur when an attacker eavesdrops and records the authentication as it is communicated between a client and the financial institution system, then later uses that recording to establish a new session with the system and masquerade as the true user. Protections against replay attacks include changing cryptographic keys for each session, using dynamic passwords, expiring sessions through the use of time stamps, expiring PKI certificates based on dates or number of uses, and implementing liveness tests for biometric systems.

Hijacking is an attacker's use of an authenticated user's session to communicate with system components. Controls against hijacking include encryption of the user's session and the use of encrypted cookies or other devices to authenticate each communication between the client and the server.
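The following is an added illustration, not part of the FFIEC booklet or of this newsletter, of the replay and hijacking controls named in the two paragraphs above: a dynamic (one-time) authenticator at login, a fresh key for each session, time stamps that expire stale messages, and a keyed check on every request so that an attacker who has only captured a session identifier cannot speak for the user. The shared secret, the freshness window, the session and request formats, and the request bodies are all constructed for the example; HMAC-SHA256 challenge-response stands in for the booklet's "dynamic passwords". Encryption of the session is assumed to come from the transport (TLS) and is not modelled, so the code shows authentication of each message only.

```python
"""Toy challenge-response login plus per-request MACs (illustrative example only).

Constructed for this newsletter; the secret, window and message layout are
assumptions, not a real institution's protocol. Transport encryption (TLS)
is assumed and not modelled.
"""
import hashlib
import hmac
import secrets
import time

SHARED_SECRET = b"correct horse battery staple"  # constructed sample credential
FRESHNESS_WINDOW = 30                            # seconds a challenge or request stays valid


class FakeClock:
    """Adjustable clock so the stale-message case can be shown deterministically."""
    def __init__(self, now):
        self.now = now

    def __call__(self):
        return self.now


def request_mac(key, session_id, nonce, ts, body):
    """MAC over every field of a request, keyed with the per-session key."""
    msg = f"{session_id}|{nonce}|{ts}|".encode() + body
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def client_login_response(challenge):
    """Dynamic authenticator: bound to the server's fresh challenge, so a recording is useless later."""
    return hmac.new(SHARED_SECRET, challenge.encode(), hashlib.sha256).hexdigest()


def client_request(session_id, session_key, body, clock=time.time):
    nonce = secrets.token_hex(8)
    ts = int(clock())
    return session_id, nonce, ts, body, request_mac(session_key, session_id, nonce, ts, body)


class Server:
    def __init__(self, clock=time.time):
        self.clock = clock
        self.challenges = {}   # challenge -> time issued; removed on first use
        self.sessions = {}     # session_id -> {"key": bytes, "seen": {nonce: ts}}

    def issue_challenge(self):
        challenge = secrets.token_hex(16)
        self.challenges[challenge] = self.clock()
        return challenge

    def login(self, challenge, response):
        """Returns (session_id, session_key) or None; replayed or expired responses fail."""
        issued = self.challenges.pop(challenge, None)       # single use
        if issued is None or self.clock() - issued > FRESHNESS_WINDOW:
            return None
        if not hmac.compare_digest(client_login_response(challenge), response):
            return None
        session_id, session_key = secrets.token_hex(8), secrets.token_bytes(32)  # fresh key per session
        self.sessions[session_id] = {"key": session_key, "seen": {}}
        return session_id, session_key

    def handle(self, session_id, nonce, ts, body, tag):
        """Accepts a request only if it is fresh, unseen and correctly MACed."""
        sess = self.sessions.get(session_id)
        if sess is None:
            return "no session"
        now = self.clock()
        if abs(now - ts) > FRESHNESS_WINDOW:
            return "stale"                                  # time stamp check
        # nonces older than the window can be forgotten: such requests are already rejected as stale
        sess["seen"] = {n: t for n, t in sess["seen"].items() if now - t <= FRESHNESS_WINDOW}
        if nonce in sess["seen"]:
            return "replay"                                 # a recorded request re-sent
        expected = request_mac(sess["key"], session_id, nonce, ts, body)
        if not hmac.compare_digest(expected, tag):
            return "bad mac"                                # hijacker has the session id but not the key
        sess["seen"][nonce] = ts
        return "ok"


def demo():
    """Runs the legitimate flow and three attacks; returns the server's verdicts."""
    clock = FakeClock(1_700_000_000)
    server = Server(clock)
    results = {}
    challenge = server.issue_challenge()
    response = client_login_response(challenge)            # an eavesdropper records this pair
    session = server.login(challenge, response)
    results["login"] = session is not None
    results["auth_replay"] = server.login(challenge, response)   # None: challenge already consumed
    session_id, session_key = session
    req = client_request(session_id, session_key, b"transfer 100 to acct 4321", clock)
    results["request"] = server.handle(*req)                # ok
    results["request_replay"] = server.handle(*req)         # replay: nonce already seen
    forged = (session_id, secrets.token_hex(8), int(clock()), b"transfer 100 to acct 9999", "00" * 32)
    results["hijack"] = server.handle(*forged)              # bad mac: no session key
    late = client_request(session_id, session_key, b"balance", clock)
    clock.now += FRESHNESS_WINDOW + 1
    results["stale"] = server.handle(*late)                 # stale: outside the time window
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:15} {verdict}")
```

The replayed login fails because the challenge is consumed on first use, the replayed request fails because its nonce has been seen, the hijacker's request fails because the MAC needs the session key that only the legitimate client holds, and the late request fails on the time stamp alone. The nonce cache is pruned to the same window, which is what keeps the time stamp and the nonce list working together rather than as two independent checks.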


IT SECURITY QUESTION:

B. NETWORK SECURITY

16. Determine whether appropriate notification is made of requirements for authorized use, through banners or other means.


INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

13. If the institution does not disclose nonpublic personal information, and does not reserve the right to do so, other than under exceptions in §14 and §15, does the institution provide a simplified privacy notice that contains at a minimum: 

a. a statement to this effect;

b. the categories of nonpublic personal information it collects;

c. the policies and practices the institution uses to protect the confidentiality and security of nonpublic personal information; and

d. a general statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law? [§6(c)(5)]

(Note: use of this type of simplified notice is optional; an institution may always use a full notice.)


INTERNET AUDITING SERVICES

R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions.  With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA).  You will find information about VISTA at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated