R. Kinney Williams & Associates | Internet Banking News | March 12, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test?

Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Focus on cybersecurity compliance called ineffective - Adherence to congressionally mandated IT security processes is a poor measure of the true state of cybersecurity across the government, a former federal chief information security officer said.
http://www.govexec.com/story_page.cfm?articleid=33439&printerfriendlyVers=1&

FYI - The threat from anonymous networks - Eliminating anonymous traffic on corporate networks is vital to securing infrastructure, according to experts.
http://www.scmagazine.com/us/news/article/542812/?n=us

FYI - IRS needs to tighten security settings - The IRS has not consistently maintained the security settings it established and deployed under a common operating environment (COE), resulting in a high risk of exploitation for some of its computers, according to the Treasury Department's inspector general for tax administration.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcndaily2&story.id=38341

FYI - Ernst & Young fails to disclose high-profile data loss - Exclusive: Ernst and Young should go ahead and pony up for its own suite of transparency services. The accounting firm failed to disclose a high-profile loss of customer data until being confronted by The Register.
http://www.theregister.co.uk/2006/02/25/ernst_young_mcnealy/print.html
http://www.sfgate.com/cgi-bin/article.cgi?file=/c/a/2006/02/25/BUG2IHEGCC1.DTL&type=printable

FYI - Ernst & Young loses four more laptops - Ernst and Young appears set on establishing a laptop loss record in February. The accounting giant has lost four more systems, according to a report in the Miami Herald.
http://www.theregister.co.uk/2006/02/26/ey_laptops/print.html

FYI - FBI widens probe of debit-card theft - The FBI has expanded its investigation into a debit card fraud that has mostly affected 200,000 consumers in the Western United States, saying that the case might be linked to other debit card thefts around the country.
http://news.com.com/2102-7348_3-6042217.html?tag=st.util.print

FYI - Schwab to cover losses due to fraud - Responding to growing anxiety about cybercrime, Charles Schwab Corp. on Wednesday joined the small number of online banks and brokerages that publicly promise to cover customer losses from online fraud.
http://www.sfgate.com/cgi-bin/article.cgi?file=/chronicle/archive/2006/02/23/BUGNEHCT5V1.DTL&type=printable

FYI - Professor criticized for online-attack test - A final practical test for a computer-security class has network administrators up in arms.
http://www.securityfocus.com/brief/151

FYI - Profit-driven hackers a growing threat - Quiet, targeted and profit-driven. These are the adjectives describing the current attacks ruling the IT threat landscape, according to Symantec's latest Internet Security Threat Report.
http://www.scmagazine.com/us/news/article/545259/?n=us

FYI - Debit card thieves get around PIN obstacle - Wave of ATM fraud indicates criminals have upped the ante - With consumers around the country reporting mysterious fraudulent account withdrawals, and multiple banks announcing problems with stolen account information, it appears thieves have unleashed a powerful new way to steal money from cash machines.
http://www.msnbc.msn.com/id/11731365/
WEB SITE COMPLIANCE - We continue our series on the FFIEC "Authentication in an Internet Banking Environment."

Summary of Key Points

The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.

Consistent with the FFIEC Information Technology Examination Handbook, Information Security Booklet, December 2002, financial institutions should periodically:

1) Ensure that their information security program:
   a. Identifies and assesses the risks associated with Internet-based products and services,
   b. Identifies risk mitigation actions, including appropriate authentication strength, and
   c. Measures and evaluates customer awareness efforts;
2) Adjust, as appropriate, their information security program in light of any relevant changes in technology, the sensitivity of its customer information, and internal or external threats to information; and
3) Implement appropriate risk mitigation strategies.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL

Examples of Common Authentication Weaknesses, Attacks, and Offsetting Controls (Part 1 of 2)

All authentication methodologies display weaknesses. Those weaknesses are of both a technical and a nontechnical nature. Many of the weaknesses are common to all mechanisms. Examples of common weaknesses include warehouse attacks, social engineering, client attacks, replay attacks, and hijacking.
Warehouse attacks result in the compromise of the authentication storage system and the theft of the authentication data. Frequently, the authentication data is encrypted; however, dictionary attacks make decryption of even a few passwords in a large group a trivial task. A dictionary attack uses a list of likely authenticators, such as passwords, runs the likely authenticators through the encryption algorithm, and compares the result to the stolen, encrypted authenticators. Any matches are easily traceable to the pre-encrypted authenticator.

Dictionary and brute force attacks are viable due to the speeds with which comparisons are made. As microprocessors increase in speed, and technology advances to ease the linking of processors across networks, those attacks will be even more effective. Because those attacks are effective, institutions should take great care in securing their authentication databases. Institutions that use one-way hashes should consider the insertion of secret bits (also known as "salt") to increase the difficulty of decrypting the hash.

The salt has the effect of increasing the number of potential authenticators that attackers must check for validity, thereby making the attacks more time consuming and creating more opportunity for the institution to identify and react to the attack.
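As an added illustration, not part of the booklet or this newsletter, of why the salt multiplies the work a stolen authentication store forces on an attacker: a constructed four-user store is hashed once without and once with a per-user random salt, and the number of hash computations an exhaustive check of a short dictionary needs against each is counted. SHA-256 as the one-way hash, the user names, passwords and word list are all assumptions made for the example. It also shows, going slightly beyond the text, that an unsalted store reveals which users share a password, because equal passwords produce equal digests.

```python
import hashlib
import secrets

# Constructed sample data (not from the booklet): a tiny authentication
# store and a short list of likely authenticators, i.e. the "dictionary".
# Two users share a password on purpose.
USERS = {"alice": "winter2006", "bob": "letmein",
         "carol": "winter2006", "dave": "Tr0ub4dor&3"}
LIKELY = ["password", "letmein", "winter2006", "qwerty"]


def store_unsalted(passwords):
    """Weak scheme: one-way hash of the password alone, identical for equal passwords."""
    return {u: hashlib.sha256(p.encode()).hexdigest() for u, p in passwords.items()}


def store_salted(passwords, salt_len=16):
    """Salted scheme: fresh random salt per user, kept beside sha256(salt || password)."""
    store = {}
    for u, p in passwords.items():
        salt = secrets.token_bytes(salt_len)
        store[u] = (salt, hashlib.sha256(salt + p.encode()).hexdigest())
    return store


def dictionary_work_unsalted(store, likely):
    """Hash the dictionary once, then look every stored hash up in that table.
    Returns (hash computations needed, {user: matched likely word})."""
    table = {hashlib.sha256(w.encode()).hexdigest(): w for w in likely}
    matched = {u: table[h] for u, h in store.items() if h in table}
    return len(likely), matched


def dictionary_work_salted(store, likely):
    """Each user's salt forces the whole dictionary to be re-hashed for that
    user alone, so the work grows to len(likely) * number of users."""
    hashes, matched = 0, {}
    for u, (salt, h) in store.items():
        for w in likely:
            hashes += 1
            if hashlib.sha256(salt + w.encode()).hexdigest() == h:
                matched[u] = w
    return hashes, matched


def has_duplicate_digests(store):
    """True when two users' stored digests are identical, which an unsalted
    store reveals whenever they chose the same password."""
    digests = [v[1] if isinstance(v, tuple) else v for v in store.values()]
    return len(digests) != len(set(digests))
```

With four users and four likely words the unsalted store costs 4 hash computations for the whole database while the salted one costs 16; the same weak passwords are still found either way, which is why the booklet pairs salting with securing the database and reacting quickly to a compromise.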
Warehouse attacks typically compromise an entire authentication mechanism. Should such an attack occur, the financial institution might have to deny access to all or nearly all users until new authentication devices can be issued (e.g. new passwords). Institutions should consider the effects of such a denial of access, and appropriately plan for large-scale re-issuances of authentication devices.
IT SECURITY QUESTION:

B. NETWORK SECURITY

15. Determine whether appropriate controls exist over the confidentiality and integrity of data transmitted over the network (e.g. encryption, parity checks, message authentication).
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Examination Procedures (Part 1 of 3)

A. Through discussions with management and review of available information, identify the institution's information sharing practices (and changes to those practices) with affiliates and nonaffiliated third parties; how it treats nonpublic personal information; and how it administers opt-outs. Consider the following as appropriate:

1) Notices (initial, annual, revised, opt out, short-form, and simplified);
2) Institutional privacy policies and procedures, including those to:
   a) process requests for nonpublic personal information, including requests for aggregated data;
   b) deliver notices to consumers;
   c) manage consumer opt out directions (e.g., designating files, allowing a reasonable time to opt out, providing new opt out and privacy notices when necessary, receiving opt out directions, handling joint account holders);
   d) prevent the unlawful disclosure and use of the information received from nonaffiliated financial institutions; and
   e) prevent the unlawful disclosure of account numbers;
3) Information sharing agreements between the institution and affiliates and service agreements or contracts between the institution and nonaffiliated third parties either to obtain or provide information or services;
4) Complaint logs, telemarketing scripts, and any other information obtained from nonaffiliated third parties (Note: review telemarketing scripts to determine whether the contractual terms set forth under section 13 are met and whether the institution is disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from or about consumers in obtaining a financial product or service (e.g., in the application process for deposit, loan, or investment products; for an over-the-counter purchase of a bank check; from E-banking products or services, including the data collected electronically through Internet cookies; or through ATM transactions);
6) Categories of nonpublic personal information shared with, or received from, each nonaffiliated third party; and
7) Consumer complaints regarding the treatment of nonpublic personal information, including those received electronically.
8) Records that reflect the bank's categorization of its information sharing practices under Sections 13, 14, 15, and outside of these exceptions.
9) Results of a 501(b) inspection (used to determine the accuracy of the institution's privacy disclosures regarding data security).
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.