R. Kinney Williams
March 19, 2006
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit
FYI - Former US
government IT worker guilty of hacking - A former IT system auditor
for a US government agency faces a five-year prison sentence on a
computer hacking charge after secretly monitoring his supervisor's
e-mail and computer use, the U.S. Department of Justice (DOJ) said.
FYI - Bank cards
compromised by security breach - Around 800 Bank of Bermuda
customers have had their cards compromised after a security breach
in the US. It comes less than a year after 1,600 of the bank's
customers were hit when a hacker broke into a system - again in
FYI - Researcher
develops 'active cookies' to take a bite out of cyber crooks - An
Indiana University School of Informatics scientist has said that his
newly developed active cookie technology provides a "strong shield"
against identity theft and cyber attacks.
FYI - Ohio secretary of
state sued over ID info posted online - The inclusion of residents'
Social Security numbers online is being challenged - An Ohio man is
suing the Ohio secretary of state for posting his and other
residents' Social Security numbers for years on state Web sites
where publicly searchable records are stored, showing retail
purchases made using credit cards or bank loans.
FYI - Server hack at
Georgetown Univ. probed - Data on as many as 41,000 people may have
been compromised - Georgetown University in Washington has called in
the U.S. Secret Service to investigate a server breach that may have
exposed confidential information including the names, dates of birth
and Social Security numbers belonging to more than 41,000 people.
FYI - State college in
Colorado warns 93,000 after laptop theft - Student-employee had
sensitive info on machine - A state college in Denver believes it
may have lost sensitive information on more than 93,000 students
after one of the school's laptop computers was stolen from an
employee's home late last month.
FYI - Researcher Hacks
Microsoft Fingerprint Reader - Hackers could steal your fingerprint
information. Never mind worrying about hackers stealing your
password. A security researcher with the Finnish military has shown
how people could steal your fingerprint, by taking advantage of an
omission in Microsoft's Fingerprint Reader, a PC authentication
device that Microsoft has been shipping since September 2004.
FYI - New debit card
fraud tied to West Coast case - A spate of fraudulent debit card
charges in Massachusetts, New Mexico and Bermuda is being linked to
a case that led some West Coast financial institutions last month to
replace 200,000 cards. Citibank, a major issuer of debit and credit
cards, has "detected several hundred fraudulent cash withdrawals in
three countries," spokesman Robert Julavitis wrote in an e-mail
Tuesday. The bank told customers the thefts are a result of an
information breach at a "third-party business" that it did not name.
FYI - 'Computer
terrorist' Mitnick teaches hacker blocking - He argues that while
sophisticated technology can help keep networks clean from viruses,
it is useless if hackers can con a company's employees into handing
over passwords by posing, for example, as colleagues.
FYI - Vulnerabilities up
by over a third - The Threat Insight Quarterly, published by
security firm ISS, found that the number of vulnerabilities in 2005
had increased by over a third from the previous year. Analysts from
X-Force, the research and development team at ISS, evaluated 4,472
vulnerabilities in both hardware and software last year.
FYI - Visa warns software may
store customer data - A popular software that retailers use to
control debit-card transactions may inadvertently store sensitive
customer information, including PIN codes, says Visa.
FYI - Feds Get Low Marks for
Computer Security - Department of Homeland Security is among the
federal agencies receiving a failing grade. The U.S. government will
get low marks for computer security in a congressional report
scheduled to be released Thursday. According to documents obtained
by the IDG News Service, the federal government will get a D+
overall rating in the 2005 federal computer security scorecards, the
same score it received last year.
Return to the top
of the newsletter
WEB SITE COMPLIANCE
We continue our series on the FFIEC "Authentication in an Internet
Financial institutions engaging in any form of Internet banking
should have effective and reliable methods to authenticate
customers. An effective authentication system is necessary for
compliance with requirements to safeguard customer information, to
prevent money laundering and terrorist financing, to reduce fraud,
to inhibit identity theft, and to promote the legal enforceability
of their electronic agreements and transactions. The risks of doing
business with unauthorized or incorrectly identified persons in an
Internet banking environment can result in financial loss and
reputation damage through fraud, disclosure of customer information,
corruption of data, or unenforceable agreements.
There are a variety of technologies and methodologies financial
institutions can use to authenticate customers. These methods
include the use of customer passwords, personal identification
numbers (PINs), digital certificates using a public key
infrastructure (PKI), physical devices such as smart cards, one-time
passwords (OTPs), USB plug-ins or other types of "tokens",
transaction profile scripts, biometric identification, and others.
The level of risk protection afforded by each of these techniques
varies. The selection and use of authentication technologies and
methods should depend upon the results of the financial
institution's risk assessment process.
• Something the user knows (e.g., password, PIN);
• Something the user has (e.g., ATM card, smart card); and
• Something the user is (e.g., biometric characteristic, such as a
Authentication methods that depend on more than one factor are more
difficult to compromise than single-factor methods. Accordingly,
properly designed and implemented multifactor authentication methods
are more reliable and stronger fraud deterrents. For example, the
use of a logon ID/password is single-factor authentication (i.e.,
something the user knows); whereas, an ATM transaction requires
multifactor authentication: something the user possesses (i.e., the
card) combined with something the user knows (i.e., PIN). A
multifactor authentication methodology may also include
"out-of-band" controls for risk mitigation.
The success of a particular authentication method depends on more
than the technology. It also depends on appropriate policies,
procedures, and controls. An effective authentication method should
have customer acceptance, reliable performance, scalability to
accommodate growth, and interoperability with existing systems and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
Examples of Common Authentication Weaknesses, Attacks, and
Offsetting Controls (Part 2 of 2)
Social engineering involves an attacker obtaining
authenticators by simply asking for them. For instance, the attacker
may masquerade as a legitimate user who needs a password reset, or a
contractor who must have immediate access to correct a system
performance problem. By using persuasion, being aggressive, or using
other interpersonal skills, the attackers encourage a legitimate
user or other authorized person to give them authentication
credentials. Controls against these attacks involve strong
identification policies and employee training.
Client attacks are an area of vulnerability common to all
authentication mechanisms. Passwords, for instance, can be captured
by hardware - or
software - based keystroke capture mechanisms. PKI private keys
could be captured or reverse - engineered from their tokens.
Protection against these attacks primarily consists of physically
securing the client systems, and, if a shared secret is used,
changing the secret on a frequency commensurate with risk. While
physically securing the client system is possible within areas under
the financial institution's control, client systems outside the
institution may not be similarly protected.
Replay attacks occur when an attacker eavesdrops and records the
authentication as it is communicated between a client and the
financial institution system, then later uses that recording to
establish a new session with the system and masquerade as the true
user. Protections against replay attacks include changing
cryptographic keys for each session, using dynamic passwords,
expiring sessions through the use of time stamps, expiring PKI
certificates based on dates or number of uses, and implementing
liveness tests for biometric systems.
Hijacking is an attacker's use of an authenticated user's
session to communicate with system components. Controls against
hijacking include encryption of the user's session and the use of
encrypted cookies or other devices to authenticate each
communication between the client and the server.
Return to the top of the
16. Determine whether appropriate notification is
made of requirements for authorized use, through banners or other
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 2 of 3)
B. Use the information gathered from step A to work through the
"Privacy Notice and Opt Out Decision Tree." Identify
which module(s) of procedures is (are) applicable.
C. Use the information gathered from step A to work through the
Reuse and Redisclosure and Account Number Sharing Decision Trees, as
necessary (Attachments B & C). Identify which module is
D. Determine the adequacy of the financial institution's internal
controls and procedures to ensure compliance with the privacy
regulation as applicable. Consider the following:
1) Sufficiency of internal policies and procedures, and
controls, including review of new products and services and controls
over servicing arrangements and marketing arrangements;
2) Effectiveness of management information systems, including
the use of technology for monitoring, exception reports, and
standardization of forms and procedures;
3) Frequency and effectiveness of monitoring procedures;
4) Adequacy and regularity of the institution's training
5) Suitability of the compliance audit program for ensuring
a) the procedures address all
regulatory provisions as applicable;
b) the work is accurate and
comprehensive with respect to the institution's information sharing
c) the frequency is appropriate;
d) conclusions are appropriately
reached and presented to responsible parties;
e) steps are taken to correct
deficiencies and to follow-up on previously identified deficiencies;
6) Knowledge level of management and personnel.
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.