R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

December 29, 2002

THANK YOU - Because of your help, more than 2,100 subscribers read our e-newsletters each week.  Further, our web sites had over 1,600,000 hits during 2002.  Our web site audit and vulnerability-penetration testing clients are located in 35 states.  Your comments and suggestions are always welcome.  Please let us know how we can serve your Internet security needs.  Thank you, R. Kinney Williams, President, R. Kinney Williams & Associates.

 - Non-work-related Web surfing activity is behind an explosion in virus-driven network security disasters, according to a recent Australian survey. 
ZDNet Article - http://www.zdnet.com.au/newstech/hr/story/0,2000024989,20270733,00.htm 
Australian survey - http://www.websense.com/company/news/research/Australian_Web@Work_Survey_2002.doc 
US Report - http://www.websense.com/company/news/research/webatwork2002.pdf 
European Report - http://www.websense.com/company/news/research/Internet_Misuse_Survey_2002.pdf 

FYI - e-Commerce Guide for Credit Unions - The guide offers information to assist credit unions engaging in, or considering, e-Commerce activities (electronic delivery of financial services via the Internet).  Credit unions can use this information as a guide to aid in the planning, contracting, delivery, and support of e-Commerce activities. www.ncua.gov/Ref/letters/02-CU-17.htm

FYI - Terrorists on the Net? Who Cares? - To all those Chicken Littles clucking frantically about the imminent threat of a terrorist attack on U.S. computer networks, a new report says: Knock it off.  Online attacks are merely "weapons of mass annoyance," no more harmful than the routine power failures, airplane delays and dropped phone calls that take place every day.  http://www.wired.com/news/infostructure/0,1377,56935,00.html 

FYI - Ex-IT worker charged with sabotage - A former system administrator for UBS PaineWebber appeared in a New Jersey federal court Tuesday on charges of sabotaging two-thirds of the company's computer systems in an attempt to crash its stock price.  http://news.com.com/2100-1001-978386.html 

FYI - Bank Secrecy Act/Anti-Money Laundering - This bulletin transmits a notice of designation of Nauru and Ukraine as Primary Money Laundering Concerns. www.occ.treas.gov/ftp/bulletin/2002-47.txt

- Electronic Fund Transfer Act, Regulation E  (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, OSC regulations provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required. 

We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security." 

Host-Versus Network-Based Vulnerability Assessment Tools

As in intrusion detection systems, which are discussed later in this appendix, there are generally two types of vulnerability assessment tools: host-based and network-based.  Another category is sometimes used for products that assess vulnerabilities of specific applications (application-based) on a host.  A host is generally a single computer or workstation that can be connected to a computer network.  Host-based tools assess the vulnerabilities of specific hosts.  They usually reside on servers, but can be placed on specific desktop computers, routers, or even firewalls. 

Network-based vulnerability assessment tools generally reside on the network, specifically analyzing the network to determine if it is vulnerable to known attacks.  Both host- and network-based products offer valuable features, and the risk assessment process should help an institution determine which is best for its needs.  Information systems personnel should understand the types of tools available, how they operate, where they are located, and the output generated from the tools.

Host-based vulnerability assessment tools are effective at identifying security risks that result from internal misuse or hackers using a compromised system.  They can detect holes that would allow access to a system such as unauthorized modems, easily guessed passwords, and unchanged vendor default passwords.  The tools can detect system vulnerabilities such as poor virus protection capabilities; identify hosts that are configured improperly; and provide basic information such as user log-on hours, password/account expiration settings, and users with dial-in access.  The tools may also provide a periodic check to confirm that various security policies are being followed.  For instance, they can check user permissions to access files and directories, and identify files and directories without ownership.

Network-based vulnerability assessment tools are more effective than host-based at detecting network attacks such as denial of service and Internet Protocol (IP) spoofing.  Network tools can detect unauthorized systems on a network or insecure connections to business partners.  Running a host-based scan does not consume network overhead, but can consume processing time and available storage on the host.  Conversely, frequently running a network-based scan as part of daily operations increases network traffic during the scan.  This may cause inadvertent network problems such as router crashes.

FYI - Please remember that we perform vulnerability-penetration studies and would be happy to e-mail {custom4} a proposal. E-mail Kinney Williams at examiner@yennik.com for more information.

PRIVACY EXAMINATION QUESTION - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Exceptions to Notice and Opt Out Requirements for Processing and Servicing Transactions

If the institution discloses nonpublic personal information to nonaffiliated third parties, do the requirements for initial notice in 4(a)(2), opt out in 7 and 10, revised notice in 8, and for service providers and joint marketing in 13, not apply because the information is disclosed as necessary to effect, administer, or enforce a transaction that the consumer requests or authorizes, or in connection with:

a.  servicing or processing a financial product or service requested or authorized by the consumer; [14(a)(1)]

b.  maintaining or servicing the consumer's account with the institution or with another entity as part of a private label credit card program or other credit extension on behalf of the entity; or [14(a)(2)]

c.  a proposed or actual securitization, secondary market sale (including sale of servicing rights) or other similar transaction related to a transaction of the consumer? [14(a)(3)]

IN CLOSING - We hope you have a prosperous New Year.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated