FYI -
Number of reported cyber incidents jumps - Federal civilian agencies
reported three times as many cyber-related incidents in fiscal 2008
as they did in fiscal 2006 to the Homeland Security Department's
office that coordinates defenses and responses to cyberattacks.
Meanwhile, an official says the office suspects the actual number of
cyber incidents is higher.
http://fcw.com/Articles/2009/02/17/CERT-cyber-incidents.aspx
FYI -
Fugitive hacker indicted for running VoIP scam - U.S. seeks
extradition of Miami man who was on the run for more than 2 years -
Just days after his apprehension in Mexico following two years on
the run from law enforcement authorities, an alleged hacker was
indicted this week by a federal grand jury for hacking into the
computer networks of voice-over-IP service providers.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128199&source=rss_topic17
FYI -
CVS Pays $2.25 Million and Toughens Practices to Settle HIPAA
Privacy Case - The U.S. Department of Health and Human Services
(HHS) and the Federal Trade Commission (FTC) today announced that
CVS, the nation's largest retail pharmacy chain, will pay the U.S.
government a $2.25 million settlement and take corrective action to
ensure it does not violate the privacy of its millions of patients
when disposing of patient information such as identifying
information on pill bottle labels.
http://www.hhs.gov/news/press/2009pres/02/20090218a.html
FYI -
Starbucks sued after laptop data breach - A Chicago-area Starbucks
employee has brought a class-action lawsuit against the coffee
retailer, claiming damages from an October 2008 data breach.
http://www.networkworld.com/news/2009/022309-starbucks-sued-after-laptop-data.html
FYI -
Former staff swipe confidential company data - More than half - 59
per cent - of US workers made redundant or who left their job last
year admitted swiping confidential corporate data, such as customer
lists, before they left, a new study claims.
http://www.theregister.co.uk/2009/02/23/insider_threat_survey/
FYI -
Comprehensive health care security with ISO 27001 - Security is an
ongoing concern for most health care providers -- witness the recent
fight over electronic health care records (EHRs) in the debate over
the stimulus bill as it wended its way through Congress.
http://www.scmagazineus.com/Comprehensive-health-care-security-with-ISO-27001/article/127806/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Hackers steal thousands of Wyndham credit card numbers - The company
estimates that 41 Wyndham hotels and resorts were affected - Hackers
broke into a computer at Wyndham Hotels and Resorts last July and
stole tens of thousands of customer credit card numbers, the hotel
chain has warned.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9128222&source=rss_topic17
FYI -
Visa confirms another payment processor breach - Another payment
processor has fallen victim to hackers, Visa confirmed. Visa and
MasterCard are notifying banks about accounts impacted by a "major
compromise," unrelated to the massive Heartland Payment Systems
incident announced last month, according to a number of credit
unions and banking associations.
http://www.securityfocus.com/brief/913
http://www.scmagazineus.com/Visa-confirms-another-payment-processor-breach/article/127725/?DCMP=EMC-SCUS_Newswire
http://news.cnet.com/8301-1009_3-10171502-83.html
FYI -
Government travel site hacked, remains shuttered - A government
website used by a dozen federal agencies to book travel was hacked,
redirecting federal employees to a site capable of downloading
malware. The site, GovTrip.com, remained offline as of Thursday
afternoon EST.
http://www.scmagazineus.com/Government-travel-site-hacked-remains-shuttered/article/127596/?DCMP=EMC-SCUS_Newswire
FYI -
Three months, three breaches at the Univ. of Florida-Gainesville -
The latest exposes data on more than 97,000 students, faculty, staff
- For the second time in three months, the University of Florida,
Gainesville, has acknowledged a major data breach -- and a statement
posted on the university's Web site indicated that there was a
third, less-public breach discovered by the school during the same
period.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=knowledge_center&articleId=9128398&taxonomyId=1&intsrc=kc_top
WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)
Generally, when online banking systems include electronic fund
transfers that debit or credit a consumer's account, the
requirements of the Electronic Fund Transfer Act and Regulation E
apply. A transaction involving stored value products is covered by
Regulation E when the transaction accesses a consumer's account
(such as when value is "loaded" onto the card from the consumer's
deposit account at an electronic terminal or personal computer).
Financial institutions must provide disclosures that are clear and
readily understandable, in writing, and in a form the consumer may
keep. An interim rule issued on March 20, 1998 allows depository
institutions to satisfy the requirement to deliver any of these
disclosures, and other information required by the act and
regulations, by electronic communication, as long as the consumer
agrees to that method of delivery.
Financial institutions must ensure that consumers who sign up for a
new banking service are provided with disclosures for the new
service if the service is subject to terms and conditions different
from those described in the initial disclosures. Although not
specifically mentioned in the commentary, this applies to all new
banking services, including electronic financial services.
The Federal Reserve Board Official Staff Commentary (OSC) also
clarifies that terminal receipts are unnecessary for transfers
initiated online. Specifically, the OSC provides that, because the
term "electronic terminal" excludes a telephone operated by a
consumer, financial institutions need not provide a terminal receipt
when a consumer initiates a transfer by a means analogous in
function to a telephone, such as a personal computer or a facsimile
machine.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the
FFIEC interagency Information Security Booklet.
MALICIOUS CODE
Malicious code is any program that acts in unexpected and
potentially damaging ways. Common types of malicious code are
viruses, worms, and Trojan horses. The functions of each were once
mutually exclusive; however, developers combined functions to create
more powerful malicious code. Currently malicious code can replicate
itself within a computer and transmit itself between computers.
Malicious code also can change, delete, or insert data, transmit
data outside the institution, and insert backdoors into institution
systems. Malicious code can attack institutions at either the server
or the client level. It can also attack routers, switches, and other
parts of the institution infrastructure. Malicious code can also
monitor users in many ways, such as logging keystrokes, and
transmitting screenshots to the attacker.
Typically, malicious code is mobile, using e-mail, instant
messaging, and other peer-to-peer (P2P) applications, or active
content attached to Web pages, as transmission mechanisms. The code
also can be hidden in programs that are downloaded from the Internet
or brought into the institution on diskette. At times, the malicious
code can be created on the institution's systems either by intruders
or by authorized users. The code can also be introduced to a Web
server in numerous ways, such as by entering the code in a response
form on a Web page.
Malicious code does not have to be targeted at the institution to
damage the institution's systems or steal the institution's data.
Most malicious code is general in application, potentially affecting
all Internet users with whatever operating system or application the
code needs to function.
IT SECURITY QUESTION:
F. PERSONNEL SECURITY
3. Determine if the institution requires personnel with
authority to access customer information and confidential
institution information to sign and abide by confidentiality
agreements.
INTERNET PRIVACY - We continue our series listing the
regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Sharing nonpublic personal information with nonaffiliated third
parties only under Sections 14 and/or 15.
Note: This module applies only to customers.
A. Disclosure of Nonpublic Personal Information
1) Select a sample of third party relationships with
nonaffiliated third parties and obtain a sample of data shared
between the institution and the third party.
a. Compare the data shared and with whom the data were shared
to ensure that the institution accurately states its information
sharing practices and is not sharing nonpublic personal information
outside the exceptions.
B. Presentation, Content, and Delivery of Privacy Notices
1) Obtain and review the financial institution's initial and
annual notices, as well as any simplified notice that the
institution may use. Note that the institution may only use the
simplified notice when it does not also share nonpublic personal
information with affiliates outside of Section 14 and 15 exceptions.
Determine whether or not these notices:
a. Are clear and conspicuous (§§3(b), 4(a), 5(a)(1));
b. Accurately reflect the policies and practices used by the
institution (§§4(a), 5(a)(1)). Note, this includes practices
disclosed in the notices that exceed regulatory requirements; and
c. Include, and adequately describe, all required items of
information (§6).
2) Through discussions with management, review of the
institution's policies and procedures, and a sample of electronic or
written customer records where available, determine if the
institution has adequate procedures in place to provide notices to
customers, as appropriate. Assess the following:
a. Timeliness of delivery (§§4(a), 4(d), 4(e), 5(a)); and
b. Reasonableness of the method of delivery (e.g., by hand; by
mail; electronically, if the customer agrees; or as a necessary step
of a transaction) (§9) and accessibility of or ability to retain
the notice (§9(e)).