HAPPY NEW YEAR
- We wish you a happy and prosperous New Year. R. Kinney
Williams - 2006 Conference & Convention Schedule
THANK YOU - Because of your
support, we continue to the be the leader in providing Internet
security audits to financial institutions. More than 2,700
subscribers read our e-newsletters each week. Further, our web
sites had over 4,700,000 hits during 2005. R. Kinney Williams
& Associates has clients in 41 states. Your comments and suggestions
for improving the newsletter are always welcomed. Please let
us know how we can serve your Internet security needs during the New
Year. R. Kinney Williams, President of Yennik, Inc.
FYI - IT security incidents up
by a quarter on last year - Security-related events have risen by
22.4pc on last year and more organizations are losing money as a
result, according to a new survey that claims to be the largest of
its type in the world.
FYI - IT provider recovers from
devastating oil depot blast - After massive explosions at a fuel
storage site destroyed much of its infrastructure on Sunday, a major
U.K. IT provider is restoring data and setting up new hardware at
other facilities throughout England.
FYI - ABN AMRO says computer
tape with information about customers was lost - A subsidiary of
LaSalle Bank Corp. said Friday a tape containing information of
about 2 million residential mortgage customers around the country
was lost as it was being transported from Chicago to Texas.
FYI - Card skimmers eyed in
Sam's Club data theft - A victim of the recent Sam's Club security
breach suggested that fraudsters may have stolen credit card
information by using illegal "card-skimming" devices attached to the
pumps at the company's gas stations. The fraudulent activity may
also have been going on for a longer period than that suggested by
the wholesale giant, and it may affect thousands of people.
FYI - NIST releases biometric
data specs - The National Institute of Standards and Technology has
released long-awaited biometric data specifications for secure
federal identity cards. Agencies must begin issuing the secure cards
to employees and contractors by Oct. 27, 2006.
FYI - Ford computer with
employee data reported stolen - Ford Motor Co. informed about 70,000
active and former white-collar employees that a computer with
company data, including social security numbers, was stolen from a
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the
Official Staff Commentary (OSC,) an example of a consumer's
authorization that is not in the form of a signed writing but is,
instead, "similarly authenticated," is a consumer's authorization
via a home banking system.
To satisfy the regulatory requirements, the institution must
have some means to identify the consumer (such as a security code)
and make a paper copy of the authorization available (automatically
or upon request). The
text of the electronic authorization must be displayed on a computer
screen or other visual display that enables the consumer to read the
communication from the institution. Only the consumer may authorize
the transfer and not, for example, a third-party merchant on behalf
of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A
financial institution may receive correspondence through an
electronic medium concerning an unauthorized transaction, loss, or
theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - e
continue our series on the FFIEC interagency Information Security
SECURITY CONTROLS -
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Shared Secret Systems (Part 1 of 2)
Shared secret systems uniquely identify the user by matching
knowledge on the system to knowledge that only the system and user
are expected to share. Examples are passwords, pass phrases, or
current transaction knowledge. A password is one string of
characters (e.g., "t0Ol@Tyme"). A pass phrase is typically a string
of words or characters (e.g., "My car is a shepherd") that the
system may shorten to a smaller password by means of an algorithm.
Current transaction knowledge could be the account balance on the
last statement mailed to the user/customer. The strength of shared
secret systems is related to the lack of disclosure of and about the
secret, the difficulty in guessing or discovering the secret, and
the length of time that the secret exists before it is changed.
A strong shared secret system only involves the user and the system
in the generation of the shared secret. In the case of passwords and
pass phrases, the user should select them without any assistance
from any other user, such as the help desk. One exception is in the
creation of new accounts, where a temporary shared secret could be
given to the user for the first login, after which the system
prompts the user to create a different password. Controls should
prevent any user from re - using shared secrets that may have been
compromised or were recently used by them.
Passwords are the most common authentication mechanism. Passwords
are generally made difficult to guess when they are composed from a
large character set, contain a large number of characters, and are
frequently changed. However, since hard - to - guess passwords may
be difficult to remember, users may take actions that weaken
security, such as writing the passwords down. Any password system
must balance the password strength with the user's ability to
maintain the password as a shared secret. When the balancing
produces a password that is not sufficiently strong for the
application, a different authentication mechanism should be
considered. Pass phrases are one alternative to consider. Due to
their length, pass phrases are generally more resistant to attack
than passwords. The length, character set, and time before enforced
change are important controls for pass phrases as well as passwords.
Shared secret strength is typically assured through the use of
automated tools that enforce the password selection policy.
Authentication systems should force changes to shared secrets on a
schedule commensurate with risk.
Passwords can also be dynamic. Dynamic passwords typically use
seeds, or starting points, and algorithms to calculate a new -
shared secret for each access. Because each password is used for
only one access, dynamic passwords can provide significantly more
authentication strength than static passwords. In most cases,
dynamic passwords are implemented through tokens. A token is a
physical device, such as an ATM card, smart card, or other device
that contains information used in the authentication process.
the top of the newsletter
B. NETWORK SECURITY
5. Determine whether external servers are
appropriately isolated through placement in DMZs, with supporting
servers on DMZs separate from external networks, public servers, and
Return to the top of
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Consumer and Customer:
The distinction between consumers and customers is
significant because financial institutions have additional
disclosure duties with respect to customers. All customers covered
under the regulation are consumers, but not all consumers are
A "consumer" is an individual, or that individual's legal
representative, who obtains or has obtained a financial product or
service from a financial institution that is to be used primarily
for personal, family, or household purposes.
A "financial service" includes, among other things, a financial
institution's evaluation or brokerage of information that the
institution collects in connection with a request or an application
from a consumer for a financial product or service. For example, a
financial service includes a lender's evaluation of an application
for a consumer loan or for opening a deposit account even if the
application is ultimately rejected or withdrawn.
Consumers who are not customers are entitled to an initial privacy
and opt out notice only if their financial institution wants to
share their nonpublic personal information with nonaffiliated third
parties outside of the exceptions.
A "customer" is a consumer who has a "customer relationship" with a
financial institution. A "customer relationship" is a continuing
relationship between a consumer and a financial institution under
which the institution provides one or more financial products or
services to the consumer that are to be used primarily for personal,
family, or household purposes.