R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

January 8, 2006

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - IM threats to increase next year - Cybercriminals will become yet more sophisticated in 2006, discovering new vulnerabilities in instant messaging systems and mobile security, one firm noted in a year-end study. MessageLabs warned that malicious users will increasingly target IM in the next year, calling it a "widening backdoor" to infect enterprises with spam and trojan attacks. http://www.scmagazine.com/us/news/article/533780/?n=us

FYI - Broadcom engineer indicted on alleged theft of trade secrets - An engineer has been indicted by the U.S. Attorney for the Northern District of California for allegedly committing theft and unauthorized downloading of trade secrets. The indictment alleges that a former employee of Netgear Inc. committed computer fraud by downloading dozens of proprietary files from Marvell Semiconductor Inc.'s Extranet in May after accepting a position with Marvell's competitor, Broadband Corp. http://www.eetimes.com/showArticle.jhtml?articleID=175400269

FYI - National Australia Bank customers baited in email 'phishing' scam - ONLINE fraudsters have targeted National Australia Bank customers over Christmas with a flood of hoax emails designed to trick account holders into revealing their internet banking details. http://www.theaustralian.news.com.au/printpage/0,5942,17668502,00.html

FYI - Encryption: A nice idea that few want to implement? - Companies are not embracing encryption as a way to protect sensitive data. According to Ponemon Institute's 2005 National Encryption Survey, only 4.2% of companies responding to our survey say their organizations have an enterprisewide encryption plan. http://www.computerworld.com/printthis/2005/0,4814,107280,00.html

FYI - Sweaty hands might make you unpopular as a dance partner, but they could someday prevent hackers from getting into your bank account. Researchers at Clarkson University have found that fingerprint readers can be spoofed by fingerprint images lifted with Play-doh or gelatin or a model of a finger molded out of dental plaster. The group even assembled a collection of fingers cut from the hands of cadavers. http://news.zdnet.com/2102-1009_22-6003440.html?tag=printthis

FYI - Lost and found: DHL returns missing data tape - A missing backup tape holding valuable data on 2 million mortgage customers has been found, but with the original airbill missing. Though it's unlikely that customer data was compromised, the company has urged affected customers to monitor their credit activity. http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1153797,00.html

FYI - IT security professionals moving up the corporate pecking order - Ultimate responsibility for information security is moving up corporate management hierarchies, as board-level directors and CEOs - or CISO/CSOs - are increasingly held accountable for safeguarding IT infrastructures, new research has revealed. http://www.scmagazine.com/us/news/article/533697/?n=us

FYI - Computers with patients' information stolen from office - A medical office has warned about 700 patients that their personal data may have been compromised by the theft of six computers. http://www.philly.com/mld/philly/news/13530545.htm

Return to the top of the newsletter

Reserve Requirements of Depository Institutions (Regulation D)

Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically) or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six transaction limit imposed on passbook savings and MMDA accounts.

Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations. 

Consumer Leasing Act (Regulation M)

The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  



Shared Secret Systems (Part 2 of 2)

Weaknesses in shared secret mechanisms generally relate to the ease with which an attacker can discover the secret. Attack methods vary.

! A dictionary attack is one common and successful way to discover passwords. In a dictionary attack, the attacker obtains the system password file, and compares the password hashes against hashes of commonly used passwords.

Controls against dictionary attacks include securing the password file from compromise, detection mechanisms to identify a compromise, heuristic intrusion detection to detect differences in user behavior, and rapid reissuance of passwords should the password file ever be compromised. While extensive character sets and storing passwords as one - way hashes can slow down a dictionary attack, those defensive mechanisms primarily buy the financial institution time to identify and react to the password file compromises.

! An additional attack method targets a specific account and submits passwords until the correct password is discovered.

Controls against those attacks are account lockout mechanisms, which commonly lock out access to the account after a risk - based number of failed login attempts.

! A variation of the previous attack uses a popular password, and tries it against a wide range of usernames.

Controls against this attack on the server are a high ratio of possible passwords to usernames, randomly generated passwords, and scanning the IP addresses of authentication requests and client cookies for submission patterns.

! Password guessing attacks also exist. These attacks generally consist of an attacker gaining knowledge about the account holder and password policies and using that knowledge to guess the password.

Controls include training in and enforcement of password policies that make passwords difficult to guess. Such policies address the secrecy, length of the password, character set, prohibition against using well - known user identifiers, and length of time before the password must be changed. Users with greater authorization or privileges, such as root users or administrators, should have longer, more complex passwords than other users.

! Some attacks depend on patience, waiting until the logged - in workstation is unattended.

Controls include automatically logging the workstation out after a period of inactivity (Existing industry practice is no more than 20 - 30 minutes) and heuristic intrusion detection.

! Attacks can take advantage of automatic login features, allowing the attacker to assume an authorized user's identity merely by using a workstation.

Controls include prohibiting and disabling automatic login features, and heuristic intrusion detection.

! User's inadvertent or unthinking actions can compromise passwords. For instance, when a password is too complex to readily memorize, the user could write the password down but not secure the paper. Frequently, written - down passwords are readily accessible to an attacker under mouse pads or in other places close to the user's machines. Additionally, attackers frequently are successful in obtaining passwords by using social engineering and tricking the user into giving up their password.

Controls include user training, heuristic intrusion detection, and simpler passwords combined with another authentication mechanism.

! Attacks can also become much more effective or damaging if different network devices share the same or a similar password.

Controls include a policy that forbids the same or similar password on particular network devices.

Return to the top of the newsletter



6. Determine whether appropriate segregation exists between the responsibility for networks and the responsibility for computer operations.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Consumer and Customer:

A "customer" is a consumer who has a "customer relationship" with a financial institution. A "customer relationship" is a continuing relationship between a consumer and a financial institution under which the institution provides one or more financial products or services to the consumer that are to be used primarily for personal, family, or household purposes.

For example, a customer relationship may be established when a consumer engages in one of the following activities with a financial institution:

1)  maintains a deposit or investment account; 

2)  obtains a loan; 

3)  enters into a lease of personal property; or 

4)  obtains financial, investment, or economic advisory services for a fee.

Customers are entitled to initial and annual privacy notices regardless of the information disclosure practices of their financial institution.

There is a special rule for loans. When a financial institution sells the servicing rights to a loan to another financial institution, the customer relationship transfers with the servicing rights. However, any information on the borrower retained by the institution that sells the servicing rights must be accorded the protections due any consumer.

Note that isolated transactions alone will not cause a consumer to be treated as a customer. For example, if an individual purchases a bank check from a financial institution where the person has no account, the individual will be a consumer but not a customer of that institution because he or she has not established a customer relationship. Likewise, if an individual uses the ATM of a financial institution where the individual has no account, even repeatedly, the individual will be a consumer, but not a customer of that institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated