REMINDER - This newsletter is
available for the Android smart phones and tablets. Go to the
Market Store and search for yennik.
FYI - Bank regulatory body proposes social media guidance - The Federal
Financial Institutions Examination Council (FFIEC) released the
guidance on Tuesday, and banks have 60 days to respond with
comments.
http://www.scmagazine.com/bank-regulatory-body-proposes-social-media-guidance/article/277462/?DCMP=EMC-SCUS_Newswire
FYI
- HHS posts final HIPAA omnibus rule - The long-awaited HIPAA
omnibus rule was posted by the Department of Health and Human
Services (HHS) on the Federal Register public inspection desk
yesterday.
http://healthitsecurity.com/2013/01/18/hhs-posts-final-hipaa-omnibus-rule/
http://www.medpagetoday.com/PracticeManagement/InformationTechnology/36940
FYI
- Cyber war, China 'key to security', says Julia Gillard - Julia
Gillard will this week identify the rise of China and a massive
escalation in cyber attacks against government and industry as two
of the key security issues facing the nation in a major address
designed to strengthen Labor's defence credentials.
http://www.theaustralian.com.au/national-affairs/defence/cyber-war-china-key-to-security-says-julia-gillard/story-e6frg8yo-1226557811625
FYI
- Iran’s Cyber Threat Potential Great, U.S. General Says - Iran’s
developing ability to launch cyber attacks will make it “a force to
be reckoned with,” the head of the U.S. Air Force Space Command
said.
http://www.bloomberg.com/news/2013-01-17/iran-s-cyber-threat-potential-great-u-s-general-says.html
FYI
- 'Bob' outsources tech job to China; watches cat videos at work -
Developer at critical infrastructure firm outsourced job to China
for a fraction of his six-figure salary, Verizon researcher finds -
Showing what can happen when companies don't periodically review
network logs, a software developer working for a large U.S. critical
infrastructure company hired a Chinese firm to do his job so he
could spend time surfing Reddit and watching cat videos.
http://www.computerworld.com/s/article/9235926/_Bob_outsources_tech_job_to_China_watches_cat_videos_at_work?taxonomyId=17
FYI
- Google sees one password ring to rule them all - Google
researchers have proposed a USB key, or even a finger ring, to solve
the problems with website passwords - Google thinks it might have
found an answer to the vexing problem of forgotten or weak
passwords: "physical" passwords, which might come in the form of a
piece of jewelry such as a ring.
http://www.computerworld.com/s/article/9235971/Google_sees_one_password_ring_to_rule_them_all?taxonomyId=17
FYI - Sony fined in U.K. for PlayStation breach - The U.K. Information
Commissioner's Office has fined Sony Computer Entertainment Europe
for the 2011 breach that exposed the personal information of tens of
millions of Sony PlayStation Network customers.
http://www.scmagazine.com/sony-fined-in-uk-for-playstation-breach/article/277507/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Patient data revealed in medical device hack - Researchers have
exploited critical vulnerabilities in two popular medical management
platforms used in a host of services, including assisting surgeries
and generating patient reports.
http://www.scmagazine.com/patient-data-revealed-in-medical-device-hack/article/276568/
FYI
- DHS warns of password-cracker targeting industrial networks - The
Homeland Security Department is alerting key businesses to a new
hacking technique that guesses the passwords of technology that
controls power generation and other complex industrial processes.
http://www.nextgov.com/cybersecurity/2013/01/dhs-warns-password-cracker-targeting-industrial-networks/60767/?oref=ng-channeltopstory
WEB SITE COMPLIANCE -
OCC - Threats from
Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance
for Web Site Spoofing Incidents (Part 5 of 5) Next week we will
begin our series on the Guidance on Safeguarding Customers
Against E-Mail and Internet-Related Fraudulent Schemes.
PROCEDURES TO ADDRESS SPOOFING - Contact the
OCC and Law Enforcement Authorities
If a bank is the target of a spoofing incident, it should promptly
notify its OCC supervisory office and report the incident to the FBI
and appropriate state and local law enforcement authorities. Banks
can also file complaints with the Internet Fraud Complaint Center
(see http://www.ic3.gov), a
partnership of the FBI and the National White Collar Crime Center.
In order for law enforcement authorities to respond effectively to
spoofing attacks, they must be provided with information necessary
to identify and shut down the fraudulent Web site and to investigate
and apprehend the persons responsible for the attack. The data
discussed under the "Information Gathering" section should meet this
need.
In addition to reporting to the bank's supervisory office and law
enforcement authorities, there are other less formal mechanisms that
a bank can use to report these incidents and help combat fraudulent
activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/),
which is a joint initiative of industry and law enforcement designed
to support apprehension of perpetrators of phishing-related crimes,
including spoofing. Members of Digital Phishnet include ISPs,
online auction services, financial institutions, and financial
service providers. The members work closely with the FBI, Secret
Service, U.S. Postal Inspection Service, Federal Trade Commission
(FTC), and several electronic crimes task forces around the country
to assist in identifying persons involved in phishing-type crimes.
INFORMATION TECHNOLOGY SECURITY -
We continue the
series from the FDIC "Security Risks Associated with the
Internet."
SECURITY MEASURES
System Architecture and Design
Measures to address access control and system security start with
the appropriate system architecture. Ideally, if an Internet
connection is to be provided from within the institution, or a Web
site established, the connection should be entirely separate from
the core processing system. If the Web site is placed on its own
server, there is no direct connection to the internal computer
system. However, appropriate firewall technology may be necessary to
protect Web servers and/or internal systems.
Placing a "screening router" between the firewall and other servers
provides an added measure of protection, because requests could be
segregated and routed to a particular server (such as a financial
information server or a public information server). However, some
systems may be considered so critical, they should be completely
isolated from all other systems or networks. Security can also be
enhanced by sending electronic transmissions from external sources
to a machine that is not connected to the main operating system.
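The separation the FDIC paragraph describes, written out as a packet-filter ruleset for a screening router that sits between the Internet and the Web servers and has no path into core processing. This is an added illustration, not text from the FDIC document or the newsletter; the interface names, the documentation-range addresses and the two server roles are assumptions.

```nft
#!/usr/sbin/nft -f
# Constructed topology (assumed, not from the source):
#   eth0 = Internet, eth1 = Web server segment (DMZ), eth2 = core processing
define DMZ_NET    = 198.51.100.0/24
define CORE_NET   = 10.10.0.0/24
define PUBLIC_WEB = 198.51.100.10   # public information server
define FINANCIAL  = 198.51.100.20   # financial information server

flush ruleset

table inet screening {
    chain forward {
        # Deny everything not explicitly permitted below.
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Internet -> DMZ: requests are segregated by destination server.
        # The public information server may take plain HTTP and HTTPS;
        # the financial information server only HTTPS.
        iifname "eth0" oifname "eth1" ip daddr $PUBLIC_WEB tcp dport { 80, 443 } accept
        iifname "eth0" oifname "eth1" ip daddr $FINANCIAL tcp dport 443 accept

        # DMZ -> core processing and Internet -> core processing:
        # no accept rule exists, so the default drop applies. The Web
        # servers have no direct connection to the internal system.

        # Core -> Internet is also closed here; outbound needs would be
        # added as explicit, narrowly scoped rules.

        # Everything else is logged and dropped so periodic log review
        # has evidence of unexpected cross-segment traffic.
        log prefix "screening-drop: " counter drop
    }
}
```

Load with `nft -f` on the screening host and confirm with `nft list ruleset` that no rule forwards traffic from $DMZ_NET toward $CORE_NET.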
INTERNET PRIVACY - We
continue our review of the issues in the "Privacy of Consumer
Financial Information" published by the financial regulatory
agencies.
The Exceptions
Exceptions to the opt out right are detailed in sections 13, 14,
and 15 of the regulations. Financial institutions need not comply
with opt-out requirements if they limit disclosure of nonpublic
personal information:
1) To a nonaffiliated third party to perform services for the
financial institution or to function on its behalf, including
marketing the institution's own products or services or those
offered jointly by the institution and another financial
institution. The exception is permitted only if the financial
institution provides notice of these arrangements and by contract
prohibits the third party from disclosing or using the information
for other than the specified purposes. In a contract for a joint
marketing agreement, the contract must provide that the parties to
the agreement are jointly offering, sponsoring, or endorsing a
financial product or service. However, if the service or function is
covered by the exceptions in section 14 or 15 (discussed below), the
financial institution does not have to comply with the additional
disclosure and confidentiality requirements of section 13.
Disclosure under this exception could include the outsourcing of
marketing to an advertising company. (Section 13)
2) As necessary to effect, administer, or enforce a transaction
that a consumer requests or authorizes, or under certain other
circumstances relating to existing relationships with customers.
Disclosures under this exception could be in connection with the
audit of credit information, administration of a rewards program, or
to provide an account statement. (Section 14)
3) For specified other disclosures that a financial institution
normally makes, such as to protect against or prevent actual or
potential fraud; to the financial institution's attorneys,
accountants, and auditors; or to comply with applicable legal
requirements, such as the disclosure of information to regulators.
(Section 15)