December 15, 2002
FYI - For overworked administrators, the weekly flood of
patches for new vulnerabilities can quickly lead to a vicious cycle
of trying to solve the latest crisis. In the end, it does
little to enhance the security of their networks. http://www.eweek.com/article2/0,3959,758258,00.asp.
FYI - Barbarians at the Gate: An
Introduction to Distributed Denial of Service Attacks http://online.securityfocus.com/infocus/1647.
FYI - Final Rule
Implementing Sections of the USA PATRIOT Act That Address Correspondent
Accounts for Foreign Shell Banks - The U.S. Department of the Treasury
issued the attached final rule on September 26, 2002, to implement
Sections 313(a) and 319(b) of the USA PATRIOT Act. The rule adds sections
103.177 and 103.185 to the Bank Secrecy Act regulations. www.fdic.gov/news/news/financial/2002/FIL02136.html
FYI
- Final Rule Implementing Information-Sharing Section of USA PATRIOT ACT -
The Department of the Treasury has issued a final rule to implement
Section 314 of the USA PATRIOT Act. This section addresses the sharing of
information on suspected money laundering or terrorist financing between
law enforcement and banks, and among financial institutions. www.fdic.gov/news/news/financial/2002/FIL02135.html
FYI
- U.S. Department of Treasury FinCEN Advisories 20A, 22A, and 25A - This
advisory letter revises the list of countries detailed in OCC Advisory
Letter (AL) 2002-7, “U.S. Department of Treasury FinCEN advisories 17A,
18A, and 26A,” dated October 10, 2002. www.occ.treas.gov/ftp/advisory/2002-10.txt
FYI - MasterCard International, which last year opened a gleaming
$160 million data-processing campus in Missouri, is gearing up for
its next challenge: building a back-up and disaster-recovery site
designed for the age of terrorism. http://www.nwfusion.com/news/2002/1202mastercard.html
FYI - A security hole on Tower Records' Web site
exposed data on millions of U.S. and U.K. customers until it was
closed late Wednesday. http://news.com.com/2100-1017-976271.html.
INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)
Generally, the rules pertaining to the duty of an institution to
make deposited funds available for withdrawal apply in the
electronic financial services environment. This includes rules on
fund availability schedules, disclosure of policy, and payment of
interest. Recently, the FRB published a commentary that clarifies
requirements for providing certain written notices or disclosures to
customers via electronic means. Specifically, the commentary to the
regulations states that a financial institution satisfies both the
written exception hold notice requirement and the general disclosure
requirement by sending an electronic version that displays the text
and is in a form that the customer may keep.
However, the customer must agree to such means of delivery of
notices and disclosures. Information is considered to be in a form
that the customer may keep if, for example, it can be downloaded or
printed by the customer. To reduce compliance risk, financial
institutions should test their programs' ability to provide
disclosures in a form that can be downloaded or printed.
INTERNET SECURITY - We continue our review of
the FDIC paper "Risk Assessment Tools and Practices for
Information System Security."
Hackers may use "social engineering," a scheme that uses social
techniques to obtain the technical information required to access a
system. A hacker may claim to be someone authorized to access the
system, such as an employee or a certain vendor or contractor. The
hacker may then attempt to get a real employee to reveal user names
or passwords, or even to set up new computer accounts. Another threat
involves the practice of "war-dialing," in which hackers
use a program that automatically dials telephone numbers and
searches for modem lines that bypass network firewalls and other
security measures. A few other common forms of system attack
include:
Denial of service (system failure), which is any action preventing a
system from operating as intended. It may be the unauthorized
destruction, modification, or delay of service. For example, in a
"SYN flood" attack, a system is flooded with requests
to establish a connection, leaving the system with more half-open
connections than it can support. Legitimate users of the
system being attacked are then unable to connect until the open
connections are closed or time out.
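The SYN-flood mechanism above can be seen in a small detector that replays a connection trace and tracks each server's half-open backlog. This is an added example for this newsletter, not code from the FDIC paper; the packet trace is constructed (RFC 5737 documentation addresses), and the timeout and backlog limit are assumed values, not vendor defaults.

```python
"""SYN-flood detection over a constructed packet trace (added example)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    ts: float     # seconds since start of trace
    src: str      # client IP as seen on the wire (may be spoofed)
    dst: str      # server IP
    dport: int    # server port
    flags: str    # client-to-server TCP flags: "S" = SYN, "A" = handshake ACK


def replay_half_open(packets, timeout=30.0):
    """Replay a trace and track half-open connections per (dst, dport).

    A SYN opens a pending entry; the client's handshake-completing ACK closes
    it; entries older than `timeout` (assumed backlog timeout) are dropped the
    way a server would drop them. Returns the peak half-open count per target
    and the set of sources per target that never completed a handshake.
    """
    pending = {}                     # (src, dst, dport) -> timestamp of the SYN
    open_count = defaultdict(int)    # (dst, dport) -> current half-open connections
    peak = defaultdict(int)          # (dst, dport) -> highest value open_count reached
    unfinished = defaultdict(set)    # (dst, dport) -> sources that never completed

    def close(key):
        del pending[key]
        open_count[key[1:]] -= 1

    for pkt in sorted(packets, key=lambda p: p.ts):
        # Expire stale entries first, as a server backlog would.
        for key, t0 in list(pending.items()):
            if pkt.ts - t0 > timeout:
                unfinished[key[1:]].add(key[0])
                close(key)
        key = (pkt.src, pkt.dst, pkt.dport)
        target = (pkt.dst, pkt.dport)
        if pkt.flags == "S" and key not in pending:
            pending[key] = pkt.ts
            open_count[target] += 1
            peak[target] = max(peak[target], open_count[target])
        elif pkt.flags == "A" and key in pending:
            close(key)   # third step of the handshake: the slot is freed
    for key in pending:  # still open at end of trace: never completed either
        unfinished[key[1:]].add(key[0])
    return dict(peak), dict(unfinished)


def detect_syn_flood(packets, backlog_limit=128, timeout=30.0):
    """Return (dst, dport, peak_half_open, unfinished_sources) for every
    target whose half-open backlog ever exceeded `backlog_limit`. A spoofed
    flood typically shows many distinct sources that never finish."""
    peak, unfinished = replay_half_open(packets, timeout)
    alerts = []
    for (dst, dport), n in sorted(peak.items()):
        if n > backlog_limit:
            alerts.append((dst, dport, n, len(unfinished.get((dst, dport), ()))))
    return alerts


def build_trace():
    """Constructed trace: normal handshakes on 192.0.2.20:443, one real client
    on 192.0.2.10:80, and 300 never-acknowledged SYNs from distinct spoofed
    sources against 192.0.2.10:80."""
    pkts = []
    for i in range(5):
        client = f"198.51.100.{i + 1}"
        pkts.append(Packet(float(i), client, "192.0.2.20", 443, "S"))
        pkts.append(Packet(i + 0.2, client, "192.0.2.20", 443, "A"))
    pkts.append(Packet(11.0, "198.51.100.9", "192.0.2.10", 80, "S"))
    pkts.append(Packet(11.3, "198.51.100.9", "192.0.2.10", 80, "A"))
    for i in range(300):
        spoofed = f"10.0.{i // 250}.{i % 250 + 1}"
        pkts.append(Packet(10.0 + i * 0.01, spoofed, "192.0.2.10", 80, "S"))
    return pkts


if __name__ == "__main__":
    for dst, dport, peak_n, sources in detect_syn_flood(build_trace()):
        print(f"SYN flood suspected on {dst}:{dport}: peak half-open {peak_n}, "
              f"{sources} sources never completed the handshake")
```

Running it flags 192.0.2.10:80 with a peak of 300 half-open connections, while the 443 service that sees completed handshakes never exceeds one. Shortening the assumed timeout lowers the peak, which is exactly why reducing the SYN-received timeout (or using SYN cookies) limits the damage of this attack.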
Internet Protocol (IP) spoofing, which allows an intruder on the
Internet to effectively impersonate a local system's IP address in
an attempt to gain access to that system. If other local systems
perform session authentication based on a connection's IP address,
those systems may misinterpret incoming connections from the
intruder as originating from a local trusted host and not require a
password.
Trojan horses, which are programs that contain additional (hidden)
functions that usually allow malicious or unintended activities. A
Trojan horse program generally performs unintended functions that
may include replacing programs, or collecting, falsifying, or
destroying data. Trojan horses can be attached to e-mails and may
create a "back door" that allows unrestricted access to a
system. The programs may automatically exclude logging and other
information that would allow the intruder to be traced.
Viruses, which are computer programs that may be embedded in other
code and can self-replicate. Once active, they may take unwanted and
unexpected actions that can result in either nondestructive or
destructive outcomes in the host computer programs. The virus
program may also move into multiple platforms, data files, or
devices on a system and spread through multiple systems in a
network. Virus programs may be contained in an e-mail attachment and
become active when the attachment is opened.
PRIVACY EXAMINATION QUESTION
- We continue our series listing the regulatory-privacy
examination questions. When you answer the question each week,
you will help ensure compliance with the privacy regulations.
46. Does the institution refrain from disclosing,
directly or through affiliates, account numbers or similar forms of
access numbers or access codes for a consumer's credit card account,
deposit account, or transaction account to any nonaffiliated third
party (other than to a consumer reporting agency) for telemarketing,
direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to
market the institution's own products or services, as long as the
agent or service provider is not authorized to directly initiate
charges to the account; [§12(b)(1)] or
b. to a participant in a private label credit card program or
an affinity or similar program where the participants in the program
are identified to the customer when the customer enters into the
program? [§12(b)(2)]
(Note: an "account number or similar form of access
number or access code" does not include numbers in encrypted
form, so long as the institution does not provide the recipient with
a means of decryption. [§12(c)(1)] A transaction account does not
include an account to which third parties cannot initiate charges. [§12(c)(2)])