R. Kinney Williams & Associates

Internet Banking News

December 28, 2003



FYI - BankRI customer information stolen along with laptop - Bank Rhode Island's CEO said today that her IT department plans to install encryption and fraud-detection software on computers after a laptop containing the names, addresses and Social Security numbers of about 43,000 customers was stolen from its principal data-processing provider, Fiserv Inc.  http://www.computerworld.com/printthis/2003/0,4814,88443,00.html
SANS Institute checklist to evaluate your application service provider:  http://www.sans.org/score/asp_checklist.php

FYI - NASA sites hacked - Thirteen NASA Web sites were defaced this morning by a Brazilian crew dubbed drwxr, according to a statement from Zone-H, an organization that monitors hacking.  http://www.computerworld.com/printthis/2003/0,4814,88348,00.html

FYI - OMB releases e-authentication guidance - Agencies should assess authentication risks for online transactions and determine the required level of assurance for each transaction, Office of Management and Budget officials said.  http://www.fcw.com/fcw/articles/2003/1215/web-omb-12-16-03.asp

FYI - AS/400 Programmer Convicted of Computer Fraud - An AS/400 programmer in Florida was given a one-year sentence earlier this month for intentionally deleting his former employer's critical OS/400 applications.  http://www.midrangeserver.com/tfh/tfh121503-story03.html

FYI - Windows ATMs Raise Security Concerns - Banks everywhere are replacing OS/2 with Windows, but are hackers happy?  http://www.pcworld.com/news/article/0,aid,113997,tk,dn122303X,00.asp 

FYI - Raymond James Financial Inc. said it could cost more than $13 million to settle complaints that it overcharged customers who made large purchases of mutual funds.  http://famulus.msnbc.com/famulusgen/ap12-24-074810.asp?t=apcom&vts=122420030846#body 


FYI - Bush signs bill aimed at controlling spam - President George W. Bush signed a bill into law today establishing federal rules for commercial e-mail and penalties for unsolicited mass spamming.  http://www.computerworld.com/printthis/2003/0,4814,88306,00.html 

FYI - Federal Regulators Seek Public Comment on Ways to Improve Privacy Notices - Eight federal regulators today announced an advance notice of proposed rulemaking requesting public comment on ways to improve the privacy notices financial institutions provide to consumers under the Gramm-Leach-Bliley Act.
Press Release: www.fdic.gov/news/news/press/2003/pr13003.html
Press Release: www.federalreserve.gov/boarddocs/press/bcreg/2003/20031223/default.htm
Press Release: www.ncua.gov/news/press_releases/2003/JR03-1223.pdf
Press Release: www.ots.treas.gov/docs/77340.html
Press Release: www.occ.treas.gov/ftp/release/2003-104.htm
Attachment: www.occ.treas.gov/ftp/release/2003-104a.pdf
Attachment: www.occ.treas.gov/ftp/release/2003-104b.pdf
Attachment: www.occ.treas.gov/ftp/release/2003-104c.pdf
Attachment: www.occ.treas.gov/ftp/release/2003-104d.pdf
Attachment: www.occ.treas.gov/ftp/release/2003-104e.pdf

FYI - Burma and Two Burmese Banks Are Considered "Primary Money Laundering Concerns" - On November 18, 2003, the Department of the Treasury announced the designation of Burma and two Burmese banks to be of "primary money laundering concern" under Section 311 of the USA PATRIOT Act. Treasury, acting through the Financial Crimes Enforcement Network, is issuing a proposed rule to impose special measures against Burma and the two Burmese financial institutions. www.fdic.gov/news/news/financial/2003/fil0397.html


INTERNET COMPLIANCE -
We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."

A. RISK DISCUSSION

Reputation Risk

Customers may be confused about whether the financial institution or a third party is supplying the product, service, or other website content available through the link. The risk of customer confusion can be affected by a number of factors:

  • nature of the third-party product or service;
  • trade name of the third party; and
  • website appearance.

Nature of Product or Service

When a financial institution provides links to third parties that sell financial products or services, or provide information relevant to these financial products and services, the risk is generally greater than if third parties sell non-financial products and services due to the greater potential for customer confusion. For example, a link from a financial institution's website to a mortgage bank may expose the financial institution to greater reputation risk than a link from the financial institution to an online clothing store.

The risk of customer confusion with respect to links to firms selling financial products is greater for two reasons. First, customers are more likely to assume that the linking financial institution is providing or endorsing financial products rather than non-financial products. Second, products and services from certain financial institutions often have special regulatory features and protections, such as federal deposit insurance for qualifying deposits. Customers may assume that these features and protections also apply to products that are acquired through links to third-party providers, particularly when the products are financial in nature.

When a financial institution links to a third party that is providing financial products or services, management should consider taking extra precautions to prevent customer confusion. For example, a financial institution linked to a third party that offers nondeposit investment products should take steps to prevent customer confusion specifically with respect to whether the institution or the third party is offering the products and services and whether the products and services are federally insured or guaranteed by the financial institution.

Financial institutions should recognize, even in the case of non-financial products and services, that customers may have expectations about an institution's due diligence and its selection of third parties to which the financial institution links its website. Should customers experience dissatisfaction as a result of poor quality products or services, or loss as a result of their transactions with those companies, they may consider the financial institution responsible for the perceived deficiencies of the seller.



INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.


SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Routing (Part 2 of 2)

Routers and switches are sometimes difficult to locate. Users may install their own devices and create their own unauthorized subnets. Any unrecognized or unauthorized network devices pose security risks. Financial institutions should periodically audit network equipment to ensure that only authorized and maintained equipment resides on their network.
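The periodic audit described above comes down to reconciling what discovery finds on the wire against the authorized equipment list. The following script is an added example, not code from the newsletter or from the FFIEC booklet it summarizes: every MAC address, IP and device name is constructed, and the discovery text stands in for what a real audit would pull from switch MAC tables, ARP caches or a scan of the institution's own address space. It reports three things an examiner would ask about: devices that are not in the inventory, inventory devices that did not answer, and known devices that have moved to a different address.

```python
"""Audit discovered network devices against the authorized inventory.

Added example, not code from the newsletter or from the FFIEC booklet it
summarizes. All MAC addresses, IPs and device names below are constructed;
in practice the discovered list would be built from switch MAC tables, ARP
caches or a discovery scan of the institution's own address space.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str
    ip: str
    name: str


def normalize_mac(mac: str) -> str:
    """Canonical lower-case, colon-separated form so sources can be compared."""
    return mac.strip().lower().replace("-", ":")


# Constructed authorized inventory keyed by normalized MAC address.
AUTHORIZED = {
    normalize_mac(d.mac): d
    for d in [
        Device("00:11:22:33:44:01", "10.1.0.1", "core-router-1"),
        Device("00:11:22:33:44:02", "10.1.0.2", "dist-switch-1"),
        Device("00:11:22:33:44:03", "10.1.0.3", "dns-1"),
        Device("00:11:22:33:44:04", "10.1.0.4", "dist-switch-2"),
    ]
}

# Constructed discovery output, one "MAC IP" pair per line; mixed separators
# and letter case are deliberate, since different tools emit different forms.
DISCOVERED = """\
# mac               ip
00-11-22-33-44-01   10.1.0.1
00:11:22:33:44:02   10.1.0.2
AA:BB:CC:DD:EE:FF   10.1.0.77
00:11:22:33:44:03   10.1.0.9
"""


def parse_discovery(text: str) -> dict:
    """Parse 'MAC IP' lines into {mac: ip}, skipping blanks and comments."""
    seen = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, ip = line.split()[:2]
        seen[normalize_mac(mac)] = ip
    return seen


def reconcile(authorized: dict, discovered: dict) -> dict:
    """Three findings: devices not in inventory, inventory devices not seen,
    and known devices answering from an address other than the recorded one."""
    unknown = sorted((mac, ip) for mac, ip in discovered.items() if mac not in authorized)
    missing = sorted(d.name for mac, d in authorized.items() if mac not in discovered)
    moved = sorted(
        (d.name, d.ip, discovered[mac])
        for mac, d in authorized.items()
        if mac in discovered and discovered[mac] != d.ip
    )
    return {"unknown": unknown, "missing": missing, "moved": moved}


def audit(inventory=AUTHORIZED, discovery_text=DISCOVERED) -> dict:
    """Run the reconciliation over the constructed data."""
    return reconcile(inventory, parse_discovery(discovery_text))


if __name__ == "__main__":
    for category, items in audit().items():
        print(f"{category}: {items}")
```

The "unknown" list is the one that maps to the booklet's concern about user-installed devices and unauthorized subnets; "missing" and "moved" are worth reviewing too, since a device that is no longer where the inventory says it is may be unmaintained or replaced by something else using its address.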

DNS hosts, routers and switches are computers with their own operating system. If successfully attacked, they can allow traffic to be monitored or redirected. Financial institutions must restrict, log, and monitor administrative access to these devices. Remote administration typically warrants an encrypted session, strong authentication, and a secure client. The devices should also be appropriately patched and hardened.
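"Restrict, log, and monitor administrative access" is only useful if someone actually reads the logs with the booklet's criteria in mind. The script below is an added example, not code from the newsletter or the FFIEC booklet: the log format, device names, user names and addresses are all constructed, and the management subnet, the set of protocols treated as encrypted and the failure threshold are assumptions a real deployment would set for itself. Run over the sample lines, it flags an administrative session over a cleartext protocol, an administrative login from outside the management network, and a burst of failed logins from one source, and it counts lines it could not parse rather than silently dropping them.

```python
"""Review administrative access to network devices from their logs.

Added example, not from the newsletter or the FFIEC booklet. The log format,
device names, users and addresses are constructed; the management subnet,
the encrypted-protocol set and the failure threshold are assumptions.
"""
import ipaddress
import re
from collections import Counter

MGMT_NET = ipaddress.ip_network("10.1.250.0/24")  # assumed management subnet
ENCRYPTED = {"ssh", "https", "snmpv3"}            # session types treated as encrypted
FAIL_THRESHOLD = 3                                 # failures from one source before alerting

# Constructed line format: "<timestamp> <device> admin-login|admin-login-failed
# user=<name> proto=<protocol> src=<address>"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<device>\S+) admin-(?P<result>login-failed|login) "
    r"user=(?P<user>\S+) proto=(?P<proto>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log; the last line is deliberately malformed.
SAMPLE_LOG = """\
2003-12-28T01:02:03 core-router-1 admin-login user=netops proto=ssh src=10.1.250.10
2003-12-28T01:05:11 dist-switch-1 admin-login user=netops proto=telnet src=10.1.250.10
2003-12-28T01:07:44 dns-1 admin-login user=root proto=ssh src=172.16.9.5
2003-12-28T01:09:01 core-router-1 admin-login-failed user=admin proto=ssh src=198.51.100.7
2003-12-28T01:09:02 core-router-1 admin-login-failed user=admin proto=ssh src=198.51.100.7
2003-12-28T01:09:03 core-router-1 admin-login-failed user=admin proto=ssh src=198.51.100.7
this line does not match the expected format
"""


def parse_log(text: str):
    """Return (parsed events, count of non-empty lines that did not parse)."""
    events, unparsed = [], 0
    for line in text.splitlines():
        line = line.strip()
        m = LOG_LINE.match(line)
        if m:
            events.append(m.groupdict())
        elif line:
            unparsed += 1
    return events, unparsed


def review_admin_access(text: str) -> list:
    """Return findings as (kind, device, detail, source) tuples."""
    events, unparsed = parse_log(text)
    findings = []
    failures = Counter()
    for e in events:
        src = ipaddress.ip_address(e["src"])
        if e["result"] == "login":
            # Successful sessions: check transport and origin against policy.
            if e["proto"] not in ENCRYPTED:
                findings.append(("cleartext-admin-session", e["device"], e["proto"], e["src"]))
            if src not in MGMT_NET:
                findings.append(("admin-from-outside-mgmt-net", e["device"], e["user"], e["src"]))
        else:
            # Failed logins are counted per (device, source) pair.
            failures[(e["device"], e["src"])] += 1
    for (device, src), n in sorted(failures.items()):
        if n >= FAIL_THRESHOLD:
            findings.append(("repeated-admin-failures", device, str(n), src))
    if unparsed:
        # Unparsed lines are a monitoring gap in their own right.
        findings.append(("unparsed-lines", "-", str(unparsed), "-"))
    return findings


if __name__ == "__main__":
    for finding in review_admin_access(SAMPLE_LOG):
        print(" | ".join(finding))
```

The telnet session from an otherwise legitimate source is the case the booklet's "encrypted session" language is aimed at: the credentials and the configuration changes crossed the network in the clear even though the administrator was authorized.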

Packets are sent and received by devices using a network interface card (NIC) for each network to which they connect. Internal computers would typically have one NIC card for the corporate network or a subnet. Firewalls, proxy servers, and gateway servers are typically dual-homed with two NIC cards that allow them to communicate securely both internally and externally while limiting access to the internal network.



IT SECURITY QUESTION:

C. HOST SECURITY

5. Determine whether remotely configurable hosts are configured for secure remote administration.
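One concrete way to answer this question for a host administered over SSH is to check its sshd_config against a baseline that reflects the booklet's three criteria (encrypted session, strong authentication, restricted access). The checker below is an added example, not code from the newsletter or the FFIEC booklet; the baseline values are one reasonable policy rather than a standard, both configurations are constructed, and the Protocol directive is only meaningful on OpenSSH releases old enough to still offer protocol version 1. Directives inside a Match block apply only to matching connections, so the checker reports them separately instead of treating them as global settings.

```python
"""Check an sshd_config against a secure-remote-administration baseline.

Added example, not from the newsletter or the FFIEC booklet. The baseline is
one reasonable policy, not a standard; both configurations are constructed.
"""

# Directive (lower-cased) -> acceptable values. A directive that is absent is
# reported as unset, because OpenSSH defaults differ between releases.
BASELINE = {
    "protocol": {"2"},
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "pubkeyauthentication": {"yes"},
}
# At least one of these must be present to restrict who may log in at all.
ACCESS_LISTS = ("allowusers", "allowgroups")

# Constructed: protocol 1 still enabled, root and password logins allowed,
# the empty-password setting commented out, and no access list.
WEAK_CONFIG = """\
Protocol 2,1
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
X11Forwarding yes
"""

# Constructed: meets the baseline globally, with one per-user override.
HARDENED_CONFIG = """\
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
AllowGroups netops
Match User backup
    PasswordAuthentication yes
"""


def parse_sshd_config(text: str):
    """Return (global_directives, conditional_directives).

    Keywords are case-insensitive and may be separated from the argument by
    whitespace or '='; sshd uses the first occurrence of a keyword. Everything
    after the first Match line is conditional and is kept separately.
    """
    global_d, conditional = {}, []
    in_match = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blanks
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "match":
            in_match = True
            continue
        if in_match:
            conditional.append((key, value))
        elif key not in global_d:
            global_d[key] = value
    return global_d, conditional


def check_remote_admin(text: str) -> list:
    """Return findings as (kind, directive, value) with kind in
    'weak', 'unset', 'missing' or 'conditional'."""
    global_d, conditional = parse_sshd_config(text)
    findings = []
    for directive, allowed in BASELINE.items():
        if directive not in global_d:
            findings.append(("unset", directive, ""))
        elif global_d[directive].lower() not in allowed:
            findings.append(("weak", directive, global_d[directive]))
    if not any(name in global_d for name in ACCESS_LISTS):
        findings.append(("missing", "allowusers/allowgroups", ""))
    for key, value in conditional:
        findings.append(("conditional", key, value))
    return findings


def passes(text: str) -> bool:
    """True when the global section has nothing weak, unset or missing."""
    return all(kind == "conditional" for kind, _, _ in check_remote_admin(text))


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, "passes" if passes(cfg) else "fails", check_remote_admin(cfg))
```

The "conditional" finding on the hardened host is intentional: a Match block that re-enables password authentication for one account is exactly the kind of exception an examiner should see listed rather than have hidden by a pass/fail summary.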


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

21. Does the institution provide the consumer with the following information about the right to opt out:

a. all the categories of nonpublic personal information that the institution discloses or reserves the right to disclose; [§7(a)(2)(i)(A)]

b. all the categories of nonaffiliated third parties to whom the information is disclosed; [§7(a)(2)(i)(A)];

c. that the consumer has the right to opt out of the disclosure of that information; [§7(a)(2)(i)(A)] and

d. the financial products or services that the consumer obtains to which the opt out direction would apply? [§7(a)(2)(i)(B)]



INTERNET AUDITING SERVICES
R. Kinney Williams & Associates is recognized as a leader in independent Internet auditing for financial institutions.  With clients in 37 states, and an outstanding record of successful expedient testing, R. Kinney Williams & Associates is your ideal choice as an independent entity to perform your penetration assessment study, which includes the Vulnerability Internet Security Test Audit (VISTA).  You will find information about VISTA at http://www.internetbankingaudits.com/ or email Kinney Williams at examiner@yennik.com.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated