REMINDER - This newsletter is available for Android smart phones and
tablets. Go to the Market Store and search for yennik.
FYI
- Target, Neiman Marcus Differ on EMV - Executives Share Views on
Security at Senate Hearing - At a Feb. 4 Senate hearing, a senior
executive from Target Corp. endorsed a shift to chip cards, combined
with PINs, to enhance security, while a Neiman Marcus executive
questioned if that was a prudent move.
http://www.govinfosecurity.com/target-neiman-marcus-differ-on-emv-a-6472
FYI
- Getting ahead of new threats - There are six security threats all
businesses should be aware of for 2014 - Cyber security stepped into
the limelight in 2013 with numerous global cyber attacks,
high-profile data breaches and the arrest of several prominent cyber
criminals.
http://www.scmagazine.com/getting-ahead-of-new-threats/article/329723/
FYI
- Finger-Pointing at Breach Hearing - Retailers, Banks Debate Card
Security Issues - Several payment system experts testifying at a
Senate hearing Feb. 3 urged the adoption of chip card technology in
the wake of high-profile breaches at Target Corp. and Neiman Marcus.
http://www.govinfosecurity.com/finger-pointing-at-breach-hearing-a-6468
FYI
- 75 Percent of Pentagon Contractors Adjusted Security After Snowden
Leaks - Leaks of national secrets by former federal contractor
Edward Snowden drove 75 percent of U.S. defense company executives
to adjust information security procedures, mostly by increasing
employee training and going on high alert for deviant behavior.
http://www.nextgov.com/cybersecurity/2014/02/75-percent-pentagon-contractors-adjusted-security-after-snowden-leaks/78302/?oref=ng-HPtopstory
FYI
- We want it HARDER: City bankers survive simulated cyber-war -
Finance firms reckon Waking Shark II should have featured espionage
& malware threats - A Bank of England-sponsored exercise designed to
test how well financial firms handle a major cyber attack has
uncovered serious communication problems.
http://www.theregister.co.uk/2014/02/06/waking_shark_ii_post_mortem/
FYI
- Cryptolocker makes millions of dollars in four months - If hackers
aren't out to steal a few numbers off the back of a credit card,
then they've graduated onto holding an entire computer system
hostage.
http://www.connectamarillo.com/news/story.aspx?id=1005134#.UvqPLDaYacM
http://www.snopes.com/computer/virus/cryptolocker.asp
FYI
- National Cyber Defense competition comes to Iowa State - Since the
recent NSA leaks, cyber defense has been in the headlines of U.S.
news. Iowa State held the National Cyber Defense Competition. The
competition is designed to mimic real-world situations in which
students would have to act quickly to defend their network from
various intrusions.
http://www.iowastatedaily.com/news/article_4e9dde66-9135-11e3-b825-001a4bcf887a.html
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Sochi hackers compromise reporter's laptops, smartphone - An
experiment set up by NBC News reporter Richard Engel demonstrated
this week how quickly Russian hackers can break into the laptops and
other mobile devices of those traveling to Sochi for the Winter
Olympics.
http://www.scmagazine.com/sochi-hackers-compromise-reporters-laptops-smartphone/article/333073/
FYI
- Target vendor, Fazio Mechanical, confirms being victim of attack -
Target announced last week that hackers were able to compromise its
systems using credentials stolen from a third party vendor. On
Wednesday, technology journalist Brian Krebs identified the vendor
as Fazio Mechanical Services, a provider of refrigeration and HVAC
systems.
http://www.scmagazine.com/target-vendor-fazio-mechanical-confirms-being-victim-of-attack/article/333051/
FYI
- At least 4,500 payment cards compromised by JackPOS malware in
U.S. and Canada - At least 4,500 payment cards have been compromised
in the United States and Canada by a new point-of-sale (POS)
malware, JackPOS, that is based on Alina, according to researchers
with cyber intelligence company IntelCrawler.
http://www.scmagazine.com/at-least-4500-payment-cards-compromised-by-jackpos-malware-in-us-and-canada/article/333408/
FYI
- Barclays data breach affects thousands - A major British bank is
investigating the possible theft and sale of customers' personal
data. At least 2,000 Barclays customers might be affected.
http://www.scmagazine.com/barclays-data-breach-affects-thousands/article/333401/
FYI
- Nielsen staffer accidentally sends mass email containing employee
data - An undisclosed number of Nielsen Audio employees are being
notified that their personal information – including Social Security
numbers – may be at risk after an employee with human resources
mistakenly sent out a mass email containing the data.
http://www.scmagazine.com/nielsen-staffer-accidentally-sends-mass-email-containing-employee-data/article/333320/
FYI
- Hackers break into networks of 3 big medical device makers -
Hackers have penetrated the computer networks of the country's top
medical device makers.
http://www.sfgate.com/news/article/Hackers-break-into-networks-of-3-big-medical-5217780.php
FYI
- Two skimming devices found on California hotel computers - South
San Francisco Embassy Suites hotel is notifying an undisclosed
number of guests that their payment card information may be at risk
after skimming devices were discovered on two computers in 2013.
http://www.scmagazine.com/two-skimming-devices-found-on-california-hotel-computers/article/333575
FYI
- Laptop stolen from California charity employee, thousands impacted
- More than 3,000 clients and potential clients of Easter Seal
Society of Superior California, a nonprofit charity group serving
adults and children with special needs, may have had personal
information compromised after an employee's vehicle was broken into
and a work-issued laptop was stolen.
http://www.scmagazine.com/laptop-stolen-from-california-charity-employee-thousands-impacted/article/333775/
WEB SITE COMPLIANCE - Disclosures/Notices (Part 2 of 2)
In those instances where an electronic form of communication is
permissible by regulation, to reduce compliance risk institutions
should ensure that the consumer has agreed to receive disclosures
and notices through electronic means. Additionally, institutions may
want to provide information to consumers about the ability to
discontinue receiving disclosures through electronic means, and to
implement procedures to carry out consumer requests to change the
method of delivery. Furthermore, financial institutions advertising
or selling non-deposit investment products through on-line systems,
like the Internet, should ensure that consumers are informed of the
risks associated with non-deposit investment products as discussed
in the "Interagency Statement on Retail Sales of Non Deposit
Investment Products." On-line systems should comply with this
Interagency Statement, minimizing the possibility of customer
confusion and preventing any inaccurate or misleading impression
about the nature of the non-deposit investment product or its lack
of FDIC insurance.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC
interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Routing (Part 1 of 2)
Packets are moved through networks using routers, switches, and
hubs. The unique IP address is commonly used in routing. Since users
typically use text names instead of IP addresses for their
addressing, the user's software must obtain the numeric IP address
before sending the message. The IP addresses are obtained from the
Domain Name System (DNS), a distributed database of text names
(e.g., anybank.com) and their associated IP addresses. For example,
financial institution customers might enter the URL of the Web site
in their Web browser. The user's browser queries its configured DNS
resolver for the IP address associated with anybank.com. Once the IP
address is obtained, the message is sent. Because the browser trusts
whatever address the resolver returns, a spoofed or poisoned DNS
answer sends the customer's traffic to an attacker's server instead,
so the integrity of DNS is part of network access control. Although
the example depicts an external address, DNS can also function on
internal addresses.
A router directs where data packets will go based on a table that
links the destination IP address with the IP address of the next
machine that should receive the packet. Packets are forwarded from
router to router in that manner until they arrive at their
destination. Since the router reads the packet header and uses a
table for routing, logic can be included that provides an initial
means of access control by filtering on the IP address and port
information contained in the packet header. Simply put, the router
can refuse to forward, or forward to a quarantine or other
restricted area, any packets that contain IP addresses or ports that
the institution deems undesirable. Security policies should define
the filtering required by the router, including the type of access
permitted between sensitive source and destination IP addresses.
Network administrators implement these policies by configuring an
access control list (ACL), which creates a filtering router or a
basic firewall. ACL entries are typically evaluated in order, the
first matching entry decides, and anything not explicitly permitted
should be denied. Because this filtering judges each packet on its
headers alone and does not track connections, it is a first line of
defense rather than a substitute for a stateful firewall.
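Worked example of the filtering just described, written for this
newsletter and not taken from the FFIEC booklet: a small stateless
packet filter in Python that parses an access list in a made-up
one-rule-per-line syntax and applies it to packet headers with
first-match and implicit-deny semantics. The sample policy, the DMZ
web server address 203.0.113.10 and the internal 10.0.0.0/8 range
are constructed assumptions.

```python
"""Stateless packet filter modelled on a filtering router's access list.

Added example, not code from the FFIEC booklet. The rule syntax, the sample
policy and all addresses (RFC 5737 documentation ranges and 10.0.0.0/8) are
constructed assumptions for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

PROTOCOLS = ("tcp", "udp", "icmp", "any")


@dataclass(frozen=True)
class Packet:
    src: str                      # source IPv4 address
    dst: str                      # destination IPv4 address
    proto: str                    # "tcp", "udp" or "icmp"
    dport: Optional[int] = None   # destination port (tcp/udp only)


@dataclass(frozen=True)
class Rule:
    action: str                     # "permit" or "deny"
    src: ipaddress.IPv4Network      # source prefix
    dst: ipaddress.IPv4Network      # destination prefix
    proto: str                      # "tcp", "udp", "icmp" or "any"
    dport: Optional[int] = None     # None matches any destination port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet's header."""
        if ipaddress.ip_address(pkt.src) not in self.src:
            return False
        if ipaddress.ip_address(pkt.dst) not in self.dst:
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dport is not None and self.dport != pkt.dport:
            return False
        return True


def parse_policy(text: str) -> List[Rule]:
    """Parse lines of the form
       <permit|deny> <proto> <src-prefix> -> <dst-prefix> [port <n>]
    '#' starts a comment and blank lines are ignored. A malformed line raises
    instead of being skipped, so a typo cannot silently open a hole."""
    rules: List[Rule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        tok = line.split()
        if len(tok) not in (5, 7) or tok[3] != "->":
            raise ValueError(f"malformed rule: {raw!r}")
        action, proto, src, _, dst = tok[:5]
        if action not in ("permit", "deny") or proto not in PROTOCOLS:
            raise ValueError(f"bad action or protocol: {raw!r}")
        dport = None
        if len(tok) == 7:
            if tok[5] != "port" or proto not in ("tcp", "udp"):
                raise ValueError(f"port given without tcp/udp: {raw!r}")
            dport = int(tok[6])
        rules.append(Rule(action, ipaddress.ip_network(src),
                          ipaddress.ip_network(dst), proto, dport))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; returns (action, rule index). Anything that
    matches nothing is denied (implicit deny), so the policy only ever opens
    what it explicitly lists."""
    for index, rule in enumerate(rules):
        if rule.matches(pkt):
            return rule.action, index
    return "deny", None


# Constructed policy for the router's Internet-facing interface. The DMZ web
# server at 203.0.113.10 and the internal 10.0.0.0/8 network are assumptions.
POLICY = """
deny   any 10.0.0.0/8 -> 0.0.0.0/0                 # anti-spoofing: internal source seen from outside
permit tcp 0.0.0.0/0  -> 203.0.113.10/32 port 443  # HTTPS to the public web server
permit tcp 0.0.0.0/0  -> 203.0.113.10/32 port 80   # HTTP (redirects to HTTPS)
deny   any 0.0.0.0/0  -> 10.0.0.0/8                # nothing reaches internal hosts directly
"""
RULES = parse_policy(POLICY)


def decide(src: str, dst: str, proto: str,
           dport: Optional[int] = None) -> Tuple[str, Optional[int]]:
    """Evaluate one packet against the sample policy."""
    return evaluate(RULES, Packet(src, dst, proto, dport))


if __name__ == "__main__":
    for hdr in [("198.51.100.7", "203.0.113.10", "tcp", 443),
                ("198.51.100.7", "10.20.0.5", "tcp", 1433),
                ("10.1.2.3", "203.0.113.10", "tcp", 443),
                ("198.51.100.7", "203.0.113.10", "tcp", 22)]:
        print(hdr, "->", decide(*hdr))
```

Order matters: the anti-spoofing deny sits first on purpose. If it
were placed after the HTTPS permit, a packet arriving from outside
with a forged 10.1.2.3 source and destination port 443 would match
the permit and pass. The final explicit deny is redundant with the
implicit deny but gives a rule index that can be logged.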
A switch directs the path a message will take within the network.
Switching works faster than IP routing because the switch only looks
at the data link (MAC, or hardware) address of each frame and
directs it to the port of the appropriate computer. Unlike routers,
basic switches do not inspect IP headers and so do not provide
packet filtering. Switches, however, are designed to send messages
only to the device for which they were intended. The security
benefit of that design can be defeated, for example by flooding the
switch's MAC address table with bogus addresses until it falls back
to sending frames out every port, or by ARP spoofing so that a
host's traffic is addressed to the attacker's machine, and traffic
through a switch can then be sniffed.
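Added example, not from the FFIEC booklet, showing in Python how
the switch behaviour described above is defeated by MAC address
table flooding and how a per-port address limit (the control
vendors call port security) contains it. The switch model, its
eight-entry table, the port numbers, MAC addresses and tick-based
timing are constructed assumptions.

```python
"""Learning switch simulation: why 'frames go only to the intended port' is
not a security guarantee once the MAC address table is flooded.

Added example, not code from the FFIEC booklet. The switch model, its tiny
table, the port numbers, MAC addresses and timings are constructed
assumptions; real tables hold thousands of entries and age them in seconds.
"""
from typing import Dict, Iterable, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class LearningSwitch:
    def __init__(self, ports: Iterable[int], capacity: int = 8, max_age: int = 300,
                 max_macs_per_port: Optional[int] = None):
        self.ports = set(ports)
        self.capacity = capacity                     # size of the MAC (CAM) table
        self.max_age = max_age                       # ticks before an idle entry is forgotten
        self.max_macs_per_port = max_macs_per_port   # port-security style limit; None = off
        self.table: Dict[str, Tuple[int, int]] = {}  # mac -> (port, last_seen)

    def _expire(self, now: int) -> None:
        self.table = {m: (p, t) for m, (p, t) in self.table.items()
                      if now - t <= self.max_age}

    def _macs_on_port(self, port: int) -> int:
        return sum(1 for p, _ in self.table.values() if p == port)

    def _learn(self, mac: str, port: int, now: int) -> None:
        if mac in self.table:
            self.table[mac] = (port, now)            # refresh (or move) a known address
            return
        if len(self.table) >= self.capacity:
            return                                    # table full: address silently not learned
        if (self.max_macs_per_port is not None
                and self._macs_on_port(port) >= self.max_macs_per_port):
            return                                    # this port already holds its allowed count
        self.table[mac] = (port, now)

    def forward(self, ingress: int, src: str, dst: str, now: int) -> Set[int]:
        """Deliver one frame; return the set of ports that receive a copy."""
        self._expire(now)
        self._learn(src, ingress, now)
        if dst == BROADCAST or dst not in self.table:
            return self.ports - {ingress}             # unknown destination: flood every other port
        port, _ = self.table[dst]
        return set() if port == ingress else {port}


def run_attack(max_macs_per_port: Optional[int] = None) -> Tuple[Set[int], Set[int]]:
    """Victims A (port 1) and B (port 2) talk; the attacker sits on port 3.
    Returns the ports that receive an A->B frame before and during the attack."""
    sw = LearningSwitch(ports=[1, 2, 3], capacity=8, max_age=300,
                        max_macs_per_port=max_macs_per_port)
    a, b = "00:11:22:33:44:01", "00:11:22:33:44:02"   # constructed victim addresses
    sw.forward(1, a, b, now=0)             # B not yet learned: flooded once, as expected
    sw.forward(2, b, a, now=1)             # both addresses are now in the table
    before = sw.forward(1, a, b, now=2)    # plain unicast: only port 2 sees it
    # The attacker sends one frame per tick, each with a fresh bogus source MAC,
    # so the table fills with junk and every slot freed by ageing is retaken.
    for t in range(3, 400):
        bogus = f"02:00:00:00:{(t >> 8) & 0xff:02x}:{t & 0xff:02x}"
        sw.forward(3, bogus, BROADCAST, now=t)
    # A and B resume after their own entries have aged out of the table.
    sw.forward(1, a, b, now=400)
    sw.forward(2, b, a, now=401)
    during = sw.forward(1, a, b, now=402)
    return before, during


if __name__ == "__main__":
    print("no port limit:   ", run_attack())                       # ({2}, {2, 3})
    print("max 2 MACs/port: ", run_attack(max_macs_per_port=2))    # ({2}, {2})
```

Without a per-port limit the attacker's addresses occupy every
table slot, B's address can never be relearned, and each A->B frame
is flooded to port 3 where it can be captured. With the limit set
to two addresses per port the attacker holds at most two slots and
the victims' unicast traffic stays on port 2. ARP spoofing, the
other defeat mentioned above, works at a different layer and is not
modelled here.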
INTERNET PRIVACY - We
continue our series listing the regulatory-privacy examination
questions. When you answer the question each week, you will help
ensure compliance with the privacy regulations.
36. Does the institution use a reasonable means for delivering
the notices, such as:
a. hand-delivery of a printed copy; [§9(b)(1)(i)]
b. mailing a printed copy to the last known address of the consumer;
[§9(b)(1)(ii)]
c. for the consumer who conducts transactions electronically,
clearly and conspicuously posting the notice on the institution's
electronic site and requiring the consumer to acknowledge receipt as
a necessary step to obtaining a financial product or service;
[§9(b)(1)(iii)] or
d. for isolated transactions, such as ATM transactions, posting the
notice on the screen and requiring the consumer to acknowledge
receipt as a necessary step to obtaining the financial product or
service? [§9(b)(1)(iv)]
(Note: insufficient or unreasonable means of delivery include:
exclusively oral notice, in person or by telephone; branch or office
signs or generally published advertisements; and electronic mail to
a customer who does not obtain products or services electronically.
[§9(b)(2)(i) and (ii), and (d)])