R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

January 5, 2014

 
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


REMINDER - This newsletter is available for Android smartphones and tablets. Go to the Market Store and search for yennik.

FYI - Is DHS growing into cyber mission? - After years of controversy, DHS appears to be getting a handle on cybersecurity. From the beginning of the Homeland Security Department, there has been vigorous debate about its cybersecurity mission, questioning the wisdom of trying to grow a new capability in DHS rather than handing this task to the well-resourced and better-skilled NSA. http://www.federaltimes.com/article/20131223/IT01/312230001/Is-DHS-growing-into-cyber-mission-

FYI - Japan Warns of Security Risk in Software for Language Input - Japan’s government warned that certain software used for writing Japanese characters could lead to security leaks, including some programs made in China. The National Information Security Center asked all central government ministries to avoid the programs when making confidential documents because a record of the writing can be sent to servers outside the country. http://www.bloomberg.com/news/2013-12-26/japan-warns-of-security-risk-in-software-used-for-language-input.html

FYI - Three hackers in police net for siphoning Rs 10 lakh - Three people were arrested on Sunday for hacking a bank account and transferring around Rs 10 lakh from the account of one of the partners of a city-based event management company. Kingpin is on the run. http://articles.timesofindia.indiatimes.com/2013-12-30/bhopal/45708388_1_union-bank-bank-account-password

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers target Bitcoin alternative, Dogecoins - Cyber criminals have hacked Dogewallet, a storage system for Dogecoins, which is an alternative to popular digital currency, Bitcoin. http://www.scmagazine.com/hackers-target-bitcoin-alternative-dogecoins/article/327195/?DCMP=EMC-SCUS_Newswire&spMailingID=7662983&spUserID=MjI5OTI3MzMyMQS2&spJobID=108880516&spReportId=MTA4ODgwNTE2S0

FYI - Computers stolen from Calif. EDD facility, personal info compromised - An undisclosed number of individuals may have had personal information compromised after a secured California Employment Development Department (EDD) facility was broken into and computers containing Unemployment Insurance (UI) records were stolen. http://www.scmagazine.com/computers-stolen-from-calif-edd-facility-personal-info-compromised/article/327124/?DCMP=EMC-SCUS_Newswire&spMailingID=7662983&spUserID=MjI5OTI3MzMyMQS2&spJobID=108880516&spReportId=MTA4ODgwNTE2S0

FYI - Employee sends info on 2,000 to personal email address, gets fired - An employee with a private contractor for Colorado Medicaid was fired after sending an email to a personal account that contained sensitive information on almost 2,000 people. http://www.scmagazine.com/employee-sends-info-on-2000-to-personal-email-address-gets-fired/article/327280/?DCMP=EMC-SCUS_Newswire&spMailingID=7675058&spUserID=MjI5OTI3MzMyMQS2&spJobID=110311564&spReportId=MTEwMzExNTY0S0

FYI - Card fraud hitting Boston convention groups linked to restaurant chain breach - The Briar Group, a Brighton, Mass.-based restaurant operator, has confirmed that it suffered a breach. Those impacted include attendees of recent Boston conventions. http://www.scmagazine.com/card-fraud-hitting-boston-convention-groups-linked-to-restaurant-chain-breach/article/327371/?DCMP=EMC-SCUS_Newswire&spMailingID=7675058&spUserID=MjI5OTI3MzMyMQS2&spJobID=110311564&spReportId=MTEwMzExNTY0S0

FYI - A Target payment processor denies being impacted in 40M card breach - While waiting for Target to announce exactly how attackers compromised its point-of-sale (POS) devices to steal roughly 40 million credit and debit cards in two and a half weeks, a payment processor for the retail giant – First Data Corporation – has denied being impacted in the breach. http://www.scmagazine.com/a-target-payment-processor-denies-being-impacted-in-40m-card-breach/article/327365/

FYI - NatWest hit by cyber-attack leaving customers unable to access online accounts - The bank was targeted by a distributed denial of service (DDoS) attack, although it insists there was "no risk" to customers - NatWest has been targeted by a cyber-attack, which left customers unable to access their accounts online. http://www.mirror.co.uk/news/uk-news/natwest-online-banking-failure-cyber-attack-2965486

FYI - Crooks steal money from ATMs using USB drives, experts weigh in - ATMs (automated teller machines) around the world that are still running Windows XP – which reaches end of support in April – are vulnerable to malware being loaded on machines via USB drives, a couple of German researchers revealed at the annual Chaos Communication Congress on Friday. http://www.scmagazine.com/crooks-steal-money-from-atms-using-usb-drives-experts-weigh-in/article/327454/?DCMP=EMC-SCUS_Newswire&spMailingID=7683054&spUserID=MjI5OTI3MzMyMQS2&spJobID=111216153&spReportId=MTExMjE2MTUzS0

FYI - Delta Air Lines website glitch lets flyers nab extra low fares - A computer glitch affecting the Delta Air Lines website and other flight booking sites allowed travelers to make off with a deal of a lifetime. http://www.scmagazine.com/delta-air-lines-website-glitch-lets-flyers-nab-extra-low-fares/article/327456/?DCMP=EMC-SCUS_Newswire&spMailingID=7683054&spUserID=MjI5OTI3MzMyMQS2&spJobID=111216153&spReportId=MTExMjE2MTUzS0

FYI - Court employee compromises personal info of Washington state residents - The personal information of more than 3,000 residents of Washington state was compromised after a temporary city court employee sent forms, background information and municipal court lists to her personal email. http://www.scmagazine.com/court-employee-compromises-personal-info-of-washington-state-residents/article/327364/?DCMP=EMC-SCUS_Newswire&spMailingID=7683054&spUserID=MjI5OTI3MzMyMQS2&spJobID=111216153&spReportId=MTExMjE2MTUzS0

FYI - Stolen laptop impacts 3,500 individuals in South Carolina - Nearly 3,500 members of the South Carolina Health Insurance Pool may have had personal information compromised after a password-protected laptop containing the sensitive data was stolen from an independent auditor's car. http://www.scmagazine.com/stolen-laptop-impacts-3500-individuals-in-south-carolina/article/327449/?DCMP=EMC-SCUS_Newswire&spMailingID=7683054&spUserID=MjI5OTI3MzMyMQS2&spJobID=111216153&spReportId=MTExMjE2MTUzS0

FYI - Hackers taunt Skype: 'Stop spying on people!' - The Syrian Electronic Army targets the public faces of Skype, hacking messages to its blog and to its Twitter and Facebook accounts. The publicity-minded Syrian Electronic Army on Wednesday targeted the public faces of Skype, posting antisurveillance messages to the video-chat service's blog and to its Twitter and Facebook accounts.  http://news.cnet.com/8301-1009_3-57616439-83/hackers-taunt-skype-stop-spying-on-people/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Overexposed: Snapchat user info from 4.6M accounts - The incident comes just days after Snapchat acknowledged a potential flaw that would allow exposure of usernames and phone numbers. Heads up, Snapchat users: someone has allegedly compromised 4.6 million accounts, potentially exposing your usernames and phone numbers. http://news.cnet.com/8301-1009_3-57616434-83/overexposed-snapchat-user-info-from-4.6m-accounts/?tag=nl.e757&s_cid=e757&ttag=e757&ftag=CAD2e9d5b9

FYI - Virginia hospital employee accesses records for four years, gets fired - An employee with Riverside Health System in Newport News, Virginia has been fired for inappropriately accessing the medical records of nearly 1,000 patients over the span of four years. http://www.scmagazine.com/virginia-hospital-employee-accesses-records-for-four-years-gets-fired/article/327485/?DCMP=EMC-SCUS_Newswire&spMailingID=7689306&spUserID=MjI5OTI3MzMyMQS2&spJobID=111498976&spReportId=MTExNDk4OTc2S0


WEB SITE COMPLIANCE -
Reserve Requirements of Depository Institutions (Regulation D)

Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically) or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six transaction limit imposed on passbook savings and MMDA accounts.

Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations. 

Consumer Leasing Act (Regulation M)


The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.


INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Network security requires effective implementation of several control mechanisms to adequately secure access to systems and data. Financial institutions must evaluate and appropriately implement those controls relative to the complexity of their network.  Many institutions have increasingly complex and dynamic networks stemming from the growth of distributed computing.

Security personnel and network administrators have related but distinct responsibilities for ensuring secure network access across a diverse deployment of interconnecting network servers, file servers, routers, gateways, and local and remote client workstations.  Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident-response efforts.  Network administrators implement the policies, standards, and procedures in their day-to-day operational role.

Internally, networks can host or provide centralized access to mission-critical applications and information, making secure access an organizational priority. Externally, networks integrate institution and third-party applications that grant customers and insiders access to their financial information and Web-based services. Financial institutions that fail to restrict access properly expose themselves to increased transaction, reputation, and compliance risk from threats including the theft of customer information, data alteration, system misuse, or denial-of-service attacks.



INTERNET PRIVACY -
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [§7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [§7(e)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  



Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 
