R. Kinney Williams & Associates

Internet Banking News

December 15, 2002

FYI - For overworked administrators, the weekly flood of patches for new vulnerabilities can quickly lead to a vicious cycle of trying to solve the latest crisis.  In the end, it does little to enhance the security of their networks.  http://www.eweek.com/article2/0,3959,758258,00.asp

FYI - Barbarians at the Gate: An Introduction to Distributed Denial of Service Attacks  http://online.securityfocus.com/infocus/1647

Final Rule Implementing Sections of the USA PATRIOT Act That Address Correspondent Accounts for Foreign Shell Banks - The U.S. Department of the Treasury issued the attached final rule on September 26, 2002, to implement Sections 313(a) and 319(b) of the USA PATRIOT Act. The rule adds sections 103.177 and 103.185 to the Bank Secrecy Act regulations. www.fdic.gov/news/news/financial/2002/FIL02136.html

FYI - Final Rule Implementing Information-Sharing Section of USA PATRIOT ACT - The Department of the Treasury has issued a final rule to implement Section 314 of the USA PATRIOT Act. This section addresses the sharing of information on suspected money laundering or terrorist financing between law enforcement and banks, and among financial institutions. www.fdic.gov/news/news/financial/2002/FIL02135.html

FYI - U.S. Department of Treasury FinCEN Advisories 20A, 22A, and 25A - This advisory letter revises the list of countries detailed in OCC Advisory Letter (AL) 2002-7, U.S. Department of Treasury FinCEN advisories 17A, 18A, and 26A, dated October 10, 2002.  www.occ.treas.gov/ftp/advisory/2002-10.txt

FYI - MasterCard International, which last year opened a gleaming $160 million data-processing campus in Missouri, is gearing up for its next challenge: building a back-up and disaster-recovery site designed for the age of terrorism.  http://www.nwfusion.com/news/2002/1202mastercard.html 

FYI - A security hole on Tower Records' Web site exposed data on millions of U.S. and U.K. customers until it was closed late Wednesday.  http://news.com.com/2100-1017-976271.html

INTERNET COMPLIANCE - Expedited Funds Availability Act (Regulation CC)

Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on fund availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies requirements for providing certain written notices or disclosures to customers via electronic means. Specifically, the commentary to the regulations states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed.

We continue our review of the FDIC paper "Risk Assessment Tools and Practices for Information System Security."

Hackers may use "social engineering," a scheme using social techniques to obtain technical information required to access a system. A hacker may claim to be someone authorized to access the system, such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even set up new computer accounts. Another threat involves the practice of "war-dialing," in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. A few other common forms of system attack include:

Denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in a "SYN Flood" attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support. Legitimate users of the system being attacked are then unable to connect until the open connections are closed or time out.

Internet Protocol (IP) spoofing, which allows an intruder via the Internet to effectively impersonate a local system's IP address in an attempt to gain access to that system. If other local systems perform session authentication based on a connection's IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password.

Trojan horses, which are programs that contain additional (hidden) functions that usually allow malicious or unintended activities. A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying, or destroying data. Trojan horses can be attached to e-mails and may create a "back door" that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced. 

Viruses, which are computer programs that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programs. The virus program may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may be contained in an e-mail attachment and become active when the attachment is opened.
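To make the "SYN Flood" description above concrete from the defender's side, here is an added example (not from the FDIC paper or this newsletter) that models a host's half-open connection table with a capacity and a timeout, shows a legitimate client being refused while the table is full, and counts half-open connections per source, which is the check an administrator would run to spot the flood. The addresses, capacity and timeout are constructed values.

```python
# Added example: a small model of a TCP listen backlog showing why a SYN flood
# denies service, plus the per-source count a defender uses to detect it.
from dataclasses import dataclass, field
from collections import Counter


@dataclass
class ListenBacklog:
    capacity: int                                 # half-open slots the host can hold
    timeout: float                                # seconds before an unanswered SYN is dropped
    pending: dict = field(default_factory=dict)   # (src, port) -> time the SYN arrived

    def expire(self, now: float) -> None:
        """Drop half-open entries older than the timeout (the 'time out' in the text)."""
        self.pending = {k: t for k, t in self.pending.items() if now - t < self.timeout}

    def syn(self, src: str, port: int, now: float) -> bool:
        """A connection request arrives. True if a slot was allocated, False if refused."""
        self.expire(now)
        if len(self.pending) >= self.capacity:
            return False                          # table full: legitimate users are refused
        self.pending[(src, port)] = now
        return True

    def ack(self, src: str, port: int) -> bool:
        """Final handshake step: a real client completes the connection and frees its slot."""
        return self.pending.pop((src, port), None) is not None


def half_open_by_source(pending: dict) -> Counter:
    """Count half-open connections per source address; a flood concentrates them."""
    return Counter(src for src, _ in pending)


def simulate() -> dict:
    """Constructed scenario: 16 never-completed SYNs fill a backlog of 16; a legitimate
    client is refused until those entries time out, and the source stands out in the count."""
    b = ListenBacklog(capacity=16, timeout=30.0)
    for port in range(16):                                   # requests that are never completed
        b.syn("198.51.100.7", 40000 + port, now=0.0)         # constructed source address
    refused = not b.syn("192.0.2.10", 5000, now=1.0)         # legitimate client, table full
    suspects = [s for s, n in half_open_by_source(b.pending).items() if n >= 10]
    accepted_later = b.syn("192.0.2.10", 5000, now=31.0)     # entries expired, slot available
    b.ack("192.0.2.10", 5000)                                # client completes and frees it
    return {"refused": refused, "suspects": suspects,
            "accepted_later": accepted_later, "half_open_after": len(b.pending)}


if __name__ == "__main__":
    print(simulate())
```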

We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:

a.  to the institution's agents or service providers solely to market the institution's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; [12(b)(1)] or

b.  to a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? [12(b)(2)]

(Note: an "account number or similar form of access number or access code" does not include numbers in encrypted form, so long as the institution does not provide the recipient with a means of decryption. [12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. [12(c)(2)])


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated