R. Kinney Williams & Associates

Internet Banking News

January 9, 2005



FYI - Cyber crime booms in 2004 - 2004 saw the appearance of real phone viruses - The last 12 months have seen a dramatic growth in almost every security threat that plagues Windows PCs. http://news.bbc.co.uk/2/hi/technology/4105007.stm

FYI - Blood bank fears ID heist - More than 100,000 people who donated to a California blood bank may have parted with more than plasma. http://news.com.com/2102-1029_3-5500114.html?tag=st.util.print

FYI - Feds limited on digital signatures - Federal officials received a reminder this week not to deviate from a list of acceptable vendors when buying digital signature services. http://www.fcw.com/fcw/articles/2004/1220/web-pki-12-21-04.asp

FYI - Google's search for security - When the Santy.A worm started spreading on Tuesday, Mikko Hypponen knew he had a way to stop the worm in its tracks. The only problem: He had trouble finding the right people to talk to at Google. The Santy worm used the search engine to select potential victims. http://asia.cnet.com/news/security/printfriendly.htm?AT=39210616-39037064t-39000005c

FYI - Security workers praise Sarbanes-Oxley - Many security workers feel that government regulations aimed at protecting IT networks from threats are working, according to a new survey. http://news.com.com/2102-7348_3-5500894.html?tag=st.util.print

FYI - Who else had your bank account number? Financial firms often recycle them, Bay Area man finds. http://sfgate.com/cgi-bin/article.cgi?file=/c/a/2005/01/05/MNGPEALB271.DTL



WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 2 of 3)

Risks Associated With E-Mail and Internet-Related Fraudulent Schemes
Internet-related fraudulent schemes present a substantial risk to the reputation of any financial institution that is impersonated or spoofed. Financial institution customers and potential customers may mistakenly perceive that weak information security resulted in security breaches that allowed someone to obtain confidential information from the financial institution. Potential negative publicity regarding an institution's business practices may cause a decline in the institution's customer base, a loss in confidence or costly litigation.

In addition, customers who fall prey to e-mail and Internet-related fraudulent schemes face real and immediate risk. Criminals will normally act quickly to gain unauthorized access to financial accounts, commit identity theft, or engage in other illegal acts before the victim realizes the fraud has occurred and takes action to stop it.

Educating Financial Institution Customers About E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider the merits of educating customers about prevalent e-mail and Internet-related fraudulent schemes, such as phishing, and how to avoid them. This may be accomplished by providing customers with clear and bold statement stuffers and posting notices on Web sites that convey the following messages:

!  A financial institution's Web page should never be accessed from a link provided by a third party. It should only be accessed by typing the Web site name, or URL address, into the Web browser or by using a "bookmark" that directs the Web browser to the financial institution's Web site.
!  A financial institution should not be sending e-mail messages that request confidential information, such as account numbers, passwords, or PINs. Financial institution customers should be reminded to report any such requests to the institution.
!  Financial institutions should maintain current Web site certificates and describe how the customer can authenticate the institution's Web pages by checking the properties on a secure Web page.

To explain the red flags and risks of phishing and identity theft, financial institutions can refer customers to or use resources distributed by the Federal Trade Commission (FTC), including the following FTC brochures:

!  "How Not to Get Hooked by the 'Phishing' Scam," published in July 2003, which is available at: http://www.ftc.gov/bcp/conline/pubs/alerts/phishingalrt.htm
!  "ID Theft: When Bad Things Happen to Your Good Name," published in September 2002, which is available at: http://www.ftc.gov/bcp/conline/pubs/credit/idtheft.htm 


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - TESTING CONCEPTS AND APPLICATION

Measurement and Interpretation of Test Results. Institutions should design tests to produce results that are logical and objective. Results that are reduced to metrics are potentially more precise and less subject to confusion, as well as being more readily tracked over time. The interpretation and significance of test results are most useful when tied to threat scenarios.

Traceability. Test results that indicate an unacceptable risk in an institution's security should be traceable to actions subsequently taken to reduce the risk to an acceptable level.

Thoroughness. Institutions should perform tests sufficient to provide a high degree of assurance that their security plan, strategy and implementation is effective in meeting the security objectives. Institutions should design their test program to draw conclusions about the operation of all critical controls. The scope of testing should encompass all systems in the institution's production environment and contingency plans and those systems within the institution that provide access to the production environment.

Frequency. Test frequency should be based on the risk that critical controls are no longer functioning. Factors to consider include the nature, extent, and results of prior tests, the value and sensitivity of data and systems, and changes to systems, policies and procedures, personnel, and contractors. For example, network vulnerability scanning on high-risk systems can occur at least as frequently as significant changes are made to the network.
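The booklet asks that test results be reduced to metrics, tracked over time, and that any finding of unacceptable risk be traceable to a remediation action. The following is an added worked example of that idea, not code from the FFIEC booklet or from this newsletter: it parses two constructed vulnerability scans taken a week apart, reduces each to severity counts, diffs them to show what closed, persisted or appeared, and then checks traceability in both directions, a HIGH finding with no change ticket and a finding that vanished without a recorded action (which is not evidence of remediation; the host may simply have been offline). The pipe-delimited scan format, hosts, plugin ids, ticket ids and the HIGH threshold are all assumptions made for the example.

```python
"""Reduce two constructed scan results to metrics and check traceability.

Added example for the FFIEC "measurement" and "traceability" text; not
from the booklet.  Scan lines, plugin ids and ticket ids are constructed.
"""
from collections import Counter

SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3}
ACTION_THRESHOLD = "HIGH"   # assumed policy: HIGH findings must have a ticket

# Constructed sample scans, one line per finding:
# host|port|plugin_id|severity|title
SCAN_2004_12_20 = """\
10.0.1.10|443|11219|HIGH|OpenSSL version vulnerable to remote overflow
10.0.1.10|22|10881|LOW|SSH protocol version 1 enabled
10.0.1.11|80|11213|MEDIUM|HTTP TRACE method enabled
10.0.1.12|1433|10674|HIGH|MSSQL blank sa password
"""

SCAN_2004_12_27 = """\
10.0.1.10|22|10881|LOW|SSH protocol version 1 enabled
10.0.1.11|80|11213|MEDIUM|HTTP TRACE method enabled
10.0.1.12|1433|10674|HIGH|MSSQL blank sa password
10.0.1.13|3389|18405|MEDIUM|RDP server without NLA
"""

# Constructed remediation register: (host, port, plugin_id) -> ticket id.
# The MSSQL finding deliberately has no ticket, to show the gap being caught.
TICKETS = {
    ("10.0.1.10", "443", "11219"): "CHG-1042",
}


def parse_scan(text):
    """Parse the constructed format into {(host, port, plugin): (sev, title)}.

    A malformed line raises rather than silently dropping a finding; a
    scanner that quietly loses rows produces metrics nobody should trust.
    """
    findings = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        parts = line.split("|")
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        host, port, plugin, sev, title = parts
        sev = sev.upper()
        if sev not in SEVERITY_RANK:
            raise ValueError(f"line {lineno}: unknown severity {sev!r}")
        findings[(host, port, plugin)] = (sev, title)
    return findings


def metrics(findings):
    """Severity counts: the number that gets tracked scan over scan."""
    return Counter(sev for sev, _ in findings.values())


def diff_scans(old, new):
    """Split finding keys into closed (gone), persisting and newly seen."""
    old_keys, new_keys = set(old), set(new)
    return {
        "closed": sorted(old_keys - new_keys),
        "persisting": sorted(old_keys & new_keys),
        "new": sorted(new_keys - old_keys),
    }


def untraced(findings, tickets, threshold=ACTION_THRESHOLD):
    """Findings at or above threshold that have no remediation ticket."""
    return sorted(
        key for key, (sev, _) in findings.items()
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[threshold] and key not in tickets
    )


def report(old_text, new_text, tickets):
    old, new = parse_scan(old_text), parse_scan(new_text)
    d = diff_scans(old, new)
    return {
        "before": metrics(old),
        "after": metrics(new),
        "diff": d,
        # Open HIGH findings nobody has committed to fixing.
        "untraced": untraced(new, tickets),
        # Findings that disappeared with no recorded action: not proof of a fix.
        "closed_unexplained": [k for k in d["closed"] if k not in tickets],
    }


if __name__ == "__main__":
    r = report(SCAN_2004_12_20, SCAN_2004_12_27, TICKETS)
    print("HIGH before/after:", r["before"]["HIGH"], r["after"]["HIGH"])
    print("closed:", r["diff"]["closed"], "new:", r["diff"]["new"])
    print("HIGH with no ticket:", r["untraced"])
    print("closed with no ticket:", r["closed_unexplained"])
```

The two lists at the end are the examiner-facing output: "untraced" is the traceability failure the booklet describes, and "closed_unexplained" is the caveat a tester should raise before counting a disappeared finding as remediated.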



IT SECURITY QUESTION: 
ENCRYPTION

5. Determine if cryptographic keys expire and are replaced at appropriate time intervals.
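To make the question concrete, here is an added example of the kind of mechanism an examiner would look for; it is not code from this newsletter or from any FFIEC material. A small versioned key ring gives every key a creation time and a rotation interval: new data may only be protected with an unexpired key (the ring rotates automatically when the current key has aged out), an expired key is kept for a bounded grace period solely to verify data protected while it was current, and anything past interval plus grace is reported as overdue and retired. HMAC-SHA256 stands in for whatever primitive the institution actually uses; the 90-day interval, 30-day grace and the fixed clock are assumptions of the example.

```python
"""Versioned keys with expiry, rotation and a bounded verification grace.

Added example for examiner question 5; not from the newsletter or FFIEC.
Interval, grace and the clock values are assumptions.
"""
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

ROTATION_INTERVAL = timedelta(days=90)   # assumed policy value
VERIFY_GRACE = timedelta(days=30)        # assumed: old key may verify this long


class KeyRing:
    def __init__(self, now, interval=ROTATION_INTERVAL, grace=VERIFY_GRACE):
        self.interval = interval
        self.grace = grace
        self.keys = {}        # version -> (key_bytes, created_at)
        self.current = None
        self.rotate(now)

    def rotate(self, now):
        """Generate a fresh key and make it the only key used for new data."""
        version = (self.current or 0) + 1
        self.keys[version] = (secrets.token_bytes(32), now)
        self.current = version
        return version

    def expired(self, version, now):
        _, created = self.keys[version]
        return now - created >= self.interval

    def overdue(self, now):
        """Versions past interval + grace: should no longer exist at all."""
        return sorted(v for v, (_, created) in self.keys.items()
                      if now - created >= self.interval + self.grace)

    def retire(self, now):
        for v in self.overdue(now):
            del self.keys[v]

    def sign(self, msg, now):
        # Never protect new data with an expired key: rotate first.
        if self.expired(self.current, now):
            self.rotate(now)
        key, _ = self.keys[self.current]
        return self.current, hmac.new(key, msg, hashlib.sha256).digest()

    def verify(self, version, msg, tag, now):
        if version not in self.keys:
            return False
        key, created = self.keys[version]
        if now - created >= self.interval + self.grace:
            return False   # past grace: data must have been re-protected by now
        expected = hmac.new(key, msg, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)


def walkthrough():
    """Drive the ring through one rotation and return what an examiner checks."""
    t0 = datetime(2005, 1, 9, tzinfo=timezone.utc)
    ring = KeyRing(t0)
    record = b"ACCT 1234 BAL 100.00"           # constructed sample data
    v1, tag1 = ring.sign(record, t0)
    t1 = t0 + timedelta(days=100)              # past the 90-day interval
    v2, _ = ring.sign(b"ACCT 1234 BAL 250.00", t1)
    t2 = t0 + timedelta(days=121)              # past interval + grace for v1
    results = {
        "first_version": v1,
        "rotated_on_expiry": v2 == v1 + 1,
        "old_data_verifies_in_grace": ring.verify(v1, record, tag1, t1),
        "tamper_detected": not ring.verify(v1, record + b"0", tag1, t1),
        "old_key_refused_after_grace": not ring.verify(v1, record, tag1, t2),
        "overdue_at_day_121": ring.overdue(t2),
    }
    ring.retire(t2)
    results["versions_after_retire"] = sorted(ring.keys)
    return results


if __name__ == "__main__":
    for k, v in walkthrough().items():
        print(f"{k}: {v}")
```

The examiner's question maps onto three observable facts here: the version number advances when the interval is exceeded, an expired key can still verify but not sign, and `overdue` is empty after `retire`. A ring where `overdue` is never empty, or where `sign` keeps returning the same version year after year, is the failing answer to question 5.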


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

2)  Does the institution provide a clear and conspicuous notice that accurately reflects its privacy policies and practices to all consumers, who are not customers, before any nonpublic personal information about the consumer is disclosed to a nonaffiliated third party, other than under an exception in §§14 or 15? [§4(a)(2)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated