R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

January 1, 2006

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to validate their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and works from a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


HAPPY NEW YEAR - We wish you a happy and prosperous New Year.  R. Kinney Williams  - 2006 Conference & Convention Schedule http://www.yennik.com/conferences/index.htm

THANK YOU - Because of your support, we continue to be the leader in providing Internet security audits to financial institutions.  More than 2,700 subscribers read our e-newsletters each week.  Further, our web sites had over 4,700,000 hits during 2005.  R. Kinney Williams & Associates has clients in 41 states.  Your comments and suggestions for improving the newsletter are always welcome.  Please let us know how we can serve your Internet security needs during the New Year.  R. Kinney Williams, President of Yennik, Inc.

FYI - IT security incidents up by a quarter on last year - Security-related events have risen by 22.4pc on last year and more organizations are losing money as a result, according to a new survey that claims to be the largest of its type in the world. http://www.siliconrepublic.com/news/news.nv?storyid=single5805

FYI - IT provider recovers from devastating oil depot blast - After massive explosions at a fuel storage site destroyed much of its infrastructure on Sunday, a major U.K. IT provider is restoring data and setting up new hardware at other facilities throughout England. http://www.computerworld.com/printthis/2005/0,4814,107073,00.html

FYI - ABN AMRO says computer tape with information about customers was lost - A subsidiary of LaSalle Bank Corp. said Friday a tape containing information of about 2 million residential mortgage customers around the country was lost as it was being transported from Chicago to Texas. http://famulus.msnbc.com/famulusgen/ap12-16-140510.asp?t=apcom&vts=121620051414
http://www.thekansascitychannel.com/news/5591631/detail.html

FYI - Card skimmers eyed in Sam's Club data theft - A victim of the recent Sam's Club security breach suggested that fraudsters may have stolen credit card information by using illegal "card-skimming" devices attached to the pumps at the company's gas stations. The fraudulent activity may also have been going on for a longer period than that suggested by the wholesale giant, and it may affect thousands of people. http://www.computerworld.com/printthis/2005/0,4814,107067,00.html

FYI - NIST releases biometric data specs - The National Institute of Standards and Technology has released long-awaited biometric data specifications for secure federal identity cards. Agencies must begin issuing the secure cards to employees and contractors by Oct. 27, 2006. http://www.fcw.com/article91747-12-16-05-Web

FYI - Ford computer with employee data reported stolen - Ford Motor Co. informed about 70,000 active and former white-collar employees that a computer with company data, including social security numbers, was stolen from a Ford facility. http://www.detnews.com/apps/pbcs.dll/article?AID=/20051222/AUTO01/512220429/1013


WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC), an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and must make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.  Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.


Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.


INFORMATION TECHNOLOGY SECURITY
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION -
Shared Secret Systems (Part 1 of 2)

Shared secret systems uniquely identify the user by matching knowledge on the system to knowledge that only the system and user are expected to share. Examples are passwords, pass phrases, or current transaction knowledge. A password is one string of characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string of words or characters (e.g., "My car is a shepherd") that the system may shorten to a smaller password by means of an algorithm. Current transaction knowledge could be the account balance on the last statement mailed to the user/customer. The strength of shared secret systems is related to the lack of disclosure of and about the secret, the difficulty in guessing or discovering the secret, and the length of time that the secret exists before it is changed.

A strong shared secret system only involves the user and the system in the generation of the shared secret. In the case of passwords and pass phrases, the user should select them without any assistance from any other user, such as the help desk. One exception is in the creation of new accounts, where a temporary shared secret could be given to the user for the first login, after which the system prompts the user to create a different password. Controls should prevent any user from re-using shared secrets that may have been compromised or were recently used by them.

Passwords are the most common authentication mechanism. Passwords are generally made difficult to guess when they are composed from a large character set, contain a large number of characters, and are frequently changed. However, since hard-to-guess passwords may be difficult to remember, users may take actions that weaken security, such as writing the passwords down. Any password system must balance the password strength with the user's ability to maintain the password as a shared secret. When the balancing produces a password that is not sufficiently strong for the application, a different authentication mechanism should be considered. Pass phrases are one alternative to consider. Due to their length, pass phrases are generally more resistant to attack than passwords. The length, character set, and time before enforced change are important controls for pass phrases as well as passwords.

Shared secret strength is typically assured through the use of automated tools that enforce the password selection policy. Authentication systems should force changes to shared secrets on a schedule commensurate with risk.
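The three paragraphs above describe the controls an automated password-selection tool enforces: minimum length, character-set breadth, a maximum age before a forced change, and a block on re-using recently used secrets. The following Python is an added example written for this newsletter, not code from the FFIEC booklet or from any vendor; the thresholds (12 characters, three of four character classes, a 90-day maximum age, 24 remembered secrets) and the PBKDF2 iteration count are assumptions chosen for illustration. Remembered secrets are kept only as salted, slow hashes, so the history itself does not become a second copy of the user's passwords.

```python
"""Shared-secret selection policy: length, character set, age and reuse.

Added example (not from the FFIEC booklet). All thresholds are assumptions.
"""
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumption: slow enough that a leaked history file is costly to reverse,
# fast enough that checking two dozen history entries is still interactive.
PBKDF2_ITERATIONS = 50_000


def hash_secret(secret: str, salt: bytes) -> bytes:
    """Salted, iterated hash used to store remembered secrets."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class SecretRecord:
    """One remembered secret: its own salt, its hash, and when it was set."""
    salt: bytes
    digest: bytes
    set_at: datetime


@dataclass
class PasswordPolicy:
    min_length: int = 12                     # assumption
    min_classes: int = 3                     # of lower, upper, digit, punctuation
    max_age: timedelta = timedelta(days=90)  # assumption: forced-change interval
    history_depth: int = 24                  # assumption: secrets remembered per user

    CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)

    def character_classes(self, secret: str) -> int:
        """Count how many of the four character classes the secret draws from."""
        return sum(1 for cls in self.CLASSES if any(ch in cls for ch in secret))

    def violations(self, candidate: str, history: list) -> list:
        """Return the policy rules a proposed new secret breaks (empty = accepted)."""
        problems = []
        if len(candidate) < self.min_length:
            problems.append("too short")
        if self.character_classes(candidate) < self.min_classes:
            problems.append("too few character classes")
        # Reuse check: re-hash the candidate under each remembered salt and
        # compare in constant time against the stored digest.
        for record in history[-self.history_depth:]:
            if hmac.compare_digest(hash_secret(candidate, record.salt), record.digest):
                problems.append("reuse of a remembered secret")
                break
        return problems

    def change_required(self, history: list, now: datetime) -> bool:
        """True when there is no secret yet or the current one has passed max_age."""
        if not history:
            return True
        return now - history[-1].set_at >= self.max_age


def record_new_secret(secret: str, history: list, now: datetime) -> list:
    """Append an accepted secret to the user's history with a fresh random salt."""
    salt = os.urandom(16)
    return history + [SecretRecord(salt, hash_secret(secret, salt), now)]


if __name__ == "__main__":
    policy = PasswordPolicy()
    now = datetime(2006, 1, 1)
    history = record_new_secret("Correct-Horse-Battery-9", [], now - timedelta(days=100))
    print(policy.change_required(history, now))                    # True: 100 days old
    print(policy.violations("t0Ol@Tyme", history))                 # ['too short']
    print(policy.violations("Correct-Horse-Battery-9", history))   # reuse rejected
    print(policy.violations("Shepherd-Drives-My-Car-2006", history))  # []
```

The check runs the candidate through the stored hash under every remembered salt, so the cost of the reuse check grows with history depth; that is the reason for keeping the iteration count moderate and the depth bounded.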

Passwords can also be dynamic. Dynamic passwords typically use seeds, or starting points, and algorithms to calculate a new shared secret for each access. Because each password is used for only one access, dynamic passwords can provide significantly more authentication strength than static passwords. In most cases, dynamic passwords are implemented through tokens. A token is a physical device, such as an ATM card, smart card, or other device that contains information used in the authentication process.
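The paragraph above describes a seed-plus-algorithm one-time password and the rule that each value is good for one access only. The Python below is an added example, not from the FFIEC booklet or from any token vendor: it uses the HOTP construction (RFC 4226, HMAC-SHA1 over a counter), which the booklet does not name, and the seed and the five-step look-ahead window are assumptions. The token side computes the next code from the seed and its counter; the verifying system accepts a code only once, by advancing its own counter past any value it has accepted, and tolerates a token that was pressed a few times without logging in by searching a small window ahead.

```python
"""Dynamic (one-time) password from a shared seed and a counter.

Added example (HOTP per RFC 4226); the seed and window size are assumptions.
"""
import hashlib
import hmac
import struct


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """Compute the one-time code for this counter value from the shared seed."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                             # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class TokenVerifier:
    """Server side of the shared secret: remembers the last accepted counter.

    Assumption: look_ahead bounds how far the token's counter may run ahead of
    the server's (a user pressing the token without completing a login).
    """

    def __init__(self, seed: bytes, look_ahead: int = 5):
        self.seed = seed
        self.counter = 0          # next counter value the server will accept
        self.look_ahead = look_ahead

    def verify(self, code: str) -> bool:
        for c in range(self.counter, self.counter + self.look_ahead + 1):
            if hmac.compare_digest(hotp(self.seed, c), code):
                # Move past the accepted value: this code, and every earlier
                # one, can never be accepted again (one access per password).
                self.counter = c + 1
                return True
        return False


if __name__ == "__main__":
    # RFC 4226 Appendix D test seed; a real token holds a random secret.
    seed = b"12345678901234567890"
    print([hotp(seed, c) for c in range(3)])   # ['755224', '287082', '359152']
    verifier = TokenVerifier(seed)
    print(verifier.verify(hotp(seed, 0)))     # True
    print(verifier.verify(hotp(seed, 0)))     # False: replay of a used code
    print(verifier.verify(hotp(seed, 3)))     # True: within look-ahead window
    print(verifier.verify(hotp(seed, 1)))     # False: counter already passed
```

The one-access property lives in the verifier, not the algorithm: without the counter advance, the same six digits would remain valid until the window moved.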


INFORMATION SECURITY QUESTION:

B. NETWORK SECURITY

5. Determine whether external servers are appropriately isolated through placement in DMZs, with supporting servers on DMZs separate from external networks, public servers, and internal networks.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Consumer and Customer:

The distinction between consumers and customers is significant because financial institutions have additional disclosure duties with respect to customers. All customers covered under the regulation are consumers, but not all consumers are customers.

A "consumer" is an individual, or that individual's legal representative, who obtains or has obtained a financial product or service from a financial institution that is to be used primarily for personal, family, or household purposes.

A "financial service" includes, among other things, a financial institution's evaluation or brokerage of information that the institution collects in connection with a request or an application from a consumer for a financial product or service. For example, a financial service includes a lender's evaluation of an application for a consumer loan or for opening a deposit account even if the application is ultimately rejected or withdrawn.

Consumers who are not customers are entitled to an initial privacy and opt out notice only if their financial institution wants to share their nonpublic personal information with nonaffiliated third parties outside of the exceptions.

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated