January 28, 2001
FYI CLIENTS - A security breach at Travelocity exposed the personal information of thousands of the online travel company's customers, the company confirmed Monday.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security."
Hackers may use "social engineering" a scheme using social techniques to obtain technical information required to access a system. A hacker may claim to be someone authorized to access the system such as an employee or a certain vendor or contractor. The hacker may then attempt to get a real employee to reveal user names or passwords, or even set up new computer accounts. Another threat involves the practice of "war-dialing" in which hackers use a program that automatically dials telephone numbers and searches for modem lines that bypass network firewalls and other security measures. A few other common forms of system attack include:
Denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in an
"SYN Flood" attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support. Then, legitimate users of the system being attacked are not allowed to connect until the open connections are closed or can time out.
Internet Protocol (IP) spoofing, which allows an intruder via the Internet to effectively impersonate a local system's IP address in an attempt to gain access to that system. If other local systems perform session authentication based on a connections IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password.
Trojan horses, which are programs that contain additional (hidden) functions that usually allow malicious or unintended activities. A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying, or destroying data. Trojan horses can be attached to e-mails and may create a "back door" that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced.
Viruses, which are computer programs that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programs. The virus program may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may be contained in an e-mail attachment and become active when the attachment is opened.
INTERNET COMPLIANCE - Flood Disaster Protection Act
The regulation implementing the National Flood Insurance Program requires a financial institution to notify a prospective borrower and the servicer that the structure securing the loan is located or to be located in a special flood hazard area. The regulation also requires a notice of the servicer's identity be delivered to the insurance provider. While the regulation addresses electronic delivery to the servicer and to the insurance provider, it does not address electronic delivery of the notice to the borrower.
PRIVACY STATEMENT - CLIENTS
OCC Advisory Letter on Privacy Preparedness and attached Preparedness Questionnaire
FDIC Creates privacy rule handbook
IN CLOSING - Last week we discussed electronic disclosures. Mark Moore with Bankers Compliance Group brought to our attention that since October 1, 2000, the Federal Electronic Signatures in Global and National Commerce Act (commonly referred to as "E-Sign") allows delivery of electronic disclosures, provided the bank complies with Section 101(c) of the regulation. For more information you can contact Mark at