R. Kinney Williams & Associates

Internet Banking News
for clients

November 30, 2003



FYI - Nachi worm infected Diebold ATMs - The Nachi worm compromised Windows-based automated teller machines at two financial institutions last August, according to ATM-maker Diebold, in the first confirmed case of malicious code penetrating cash machines. http://www.securityfocus.com/news/7517

FYI - $100,000 bounty offered for stolen PC - Wells Fargo said it had offered a $100,000 reward for information leading to the arrest and conviction of the burglar who stole a bank consultant's computer that had sensitive customer information on it. http://zdnet.com.com/2102-1105_2-5110830.html?tag=printthis

FYI - Hackers moving faster: Report - Hackers who attack computer systems are becoming more nimble and are taking less time to exploit system vulnerabilities as they become known, a new report says. http://www.globetechnology.com/servlet/story/RTGAM.20031118.gtissnov18/BNStory/Technology

FYI - The Federal Reserve Board published proposed rules to establish more uniform standards for providing disclosures under five consumer protection regulations: B (Equal Credit Opportunity); E (Electronic Fund Transfers); M (Consumer Leasing); Z (Truth in Lending); and DD (Truth in Savings). www.federalreserve.gov/boarddocs/press/bcreg/2003/20031126/default.htm

FYI - Upscale thieves nab workplace laptops - A man walked into an Atlanta office, made chitchat with two workers and sat down for lunch with them. Nobody noticed when he left with four stolen laptops. http://www.lubbockonline.com/stories/112903/nat_112903059.shtml

FYI - Internet fraudsters sentenced to 15 years - Six men were sentenced for a total of 15 and a half years in jail at Wood Green Crown Court on Friday, after pleading guilty to using the Internet to defraud UK banks to the tune of 350,000. http://www.zdnet.co.uk/print/?TYPE=story&AT=39118059-39020369t-10000022c

INTERNET COMPLIANCE
Disclosures/Notices (Part 2 of 2)

In those instances where an electronic form of communication is permissible by regulation, to reduce compliance risk institutions should ensure that the consumer has agreed to receive disclosures and notices through electronic means. Additionally, institutions may want to provide information to consumers about the ability to discontinue receiving disclosures through electronic means, and to implement procedures to carry out consumer requests to change the method of delivery. Furthermore, financial institutions advertising or selling non-deposit investment products through on-line systems, like the Internet, should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance. 

INFORMATION SYSTEMS SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 2 of 3)

Other common protocols in a TCP/IP network include the following types.

- Address resolution protocol (ARP) - Obtains the hardware address of connected devices and matches that address with the IP address for that device. The hardware address is the Ethernet card's address, technically referred to as the "media access control" (MAC) address. Ethernet systems route messages by the MAC address, requiring a router to obtain both the IP address and the MAC address of connected devices. Reverse ARP (RARP) also exists as a protocol.

- Internet control message protocol (ICMP) - Used to send messages about network health between devices, provides alternate routing information if trouble is detected, and helps to identify problems with routing.

- File transfer protocol (FTP) - Used to browse directories and transfer files. Although access can be authenticated or anonymous, FTP does not support encrypted authentication. Conducting FTP within encrypted channels, such as a Virtual Private Network (VPN), secure shell (SSH) or secure sockets layer (SSL) sessions, can improve security.

- Trivial file transfer protocol (TFTP) - A file transfer protocol with no file-browsing ability and no support for authentication.

- Simple mail transfer protocol (SMTP) - Commonly used in e-mail systems to send mail.

- Post office protocol (POP) - Commonly used to receive e-mail.

- Hypertext transport protocol (HTTP) - Used for Web browsing.

- Secure shell (SSH) - Encrypts communications sessions, typically used for remote administration of servers.

- Secure sockets layer (SSL) - Typically used to encrypt Web browsing sessions, sometimes used to secure e-mail transfers and FTP sessions.
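As an added illustration of the two lowest-level protocols in the list above (this is editorial example code, not text or code from the FFIEC booklet or this newsletter), the following Python decodes a constructed ARP request to show the MAC-to-IP pairing that ARP carries, and builds and then verifies an ICMP echo packet to show the one's-complement checksum a receiver validates before trusting an ICMP message. Every byte here is constructed inline; nothing is captured from a live network, and the addresses are placeholders.

```python
import struct

# Constructed sample ARP request (not a capture): "who has 192.168.1.20? tell 192.168.1.10".
ARP_REQUEST = bytes.fromhex(
    "0001"          # hardware type 1 = Ethernet
    "0800"          # protocol type 0x0800 = IPv4
    "06" "04"       # hardware address length 6, protocol address length 4
    "0001"          # opcode 1 = request
    "001122334455"  # sender MAC (constructed placeholder)
    "c0a8010a"      # sender IP 192.168.1.10
    "000000000000"  # target MAC: unknown, which is what the request asks for
    "c0a80114"      # target IP 192.168.1.20
)

ARP_OPCODES = {1: "request", 2: "reply", 3: "RARP request", 4: "RARP reply"}
ICMP_TYPES = {0: "echo reply", 3: "destination unreachable", 5: "redirect",
              8: "echo request", 11: "time exceeded"}


def fmt_mac(raw):
    return ":".join(f"{b:02x}" for b in raw)


def fmt_ip(raw):
    return ".".join(str(b) for b in raw)


def parse_arp(payload):
    """Decode an Ethernet/IPv4 ARP packet into its MAC/IP address pairs."""
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", payload[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")
    sha, spa, tha, tpa = struct.unpack("!6s4s6s4s", payload[8:28])
    return {
        "opcode": ARP_OPCODES.get(opcode, f"opcode {opcode}"),
        "sender_mac": fmt_mac(sha), "sender_ip": fmt_ip(spa),
        "target_mac": fmt_mac(tha), "target_ip": fmt_ip(tpa),
    }


def inet_checksum(data):
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"           # pad odd-length data with a zero byte
    total = sum(struct.unpack(f"!{len(data) // 2}H", data))
    while total >> 16:            # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_icmp_echo(ident, seq, payload):
    """Build an ICMP echo request (type 8, code 0) with a valid checksum."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)  # checksum field zeroed first
    csum = inet_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, csum, ident, seq) + payload


def parse_icmp(packet):
    """Decode an ICMP header; a packet with a correct checksum sums to zero."""
    if len(packet) < 8:
        raise ValueError("ICMP header is 8 bytes")
    icmp_type, code = struct.unpack("!BB", packet[:2])
    info = {"type": ICMP_TYPES.get(icmp_type, f"type {icmp_type}"), "code": code,
            "checksum_ok": inet_checksum(packet) == 0}
    if icmp_type in (0, 8):       # echo request/reply carry identifier and sequence
        info["identifier"], info["sequence"] = struct.unpack("!HH", packet[4:8])
        info["payload"] = packet[8:]
    return info


if __name__ == "__main__":
    print(parse_arp(ARP_REQUEST))
    echo = build_icmp_echo(0x1234, 1, b"constructed payload")
    print(parse_icmp(echo))
    corrupted = echo[:-1] + bytes([echo[-1] ^ 0xFF])   # flip the last payload byte
    print(parse_icmp(corrupted)["checksum_ok"])        # a corrupted packet fails the check
```

The ARP decoder rejects anything that is not Ethernet/IPv4 before reading addresses, and the ICMP decoder reports the checksum result rather than silently accepting the packet; both are the kind of input validation an intermediate device or monitoring tool should apply before acting on these unauthenticated messages.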


IT SECURITY QUESTION:

C. HOST SECURITY

1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, and that configuration takes advantage of available object, device, and file access controls.

INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

17. Does the institution provide consumers who receive the short-form initial notice with a reasonable means of obtaining the longer initial notice, such as:

a. a toll-free telephone number that the consumer may call to request the notice; [6(d)(4)(i)] or

b. for the consumer who conducts business in person at the institution's office, having copies available to provide immediately by hand-delivery? [6(d)(4)(ii)]

INTERNET AUDITING SERVICES
R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions. With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA). You will find information about VISTA at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.

PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated