R. Kinney Williams & Associates | Internet Banking News | March 26, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to validate their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act Section 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and approaches your systems from a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
Quiz: Microsoft Office security, basic
- You use Microsoft Office 2003 programs every day, but do you
really know how to use their security features to your best
advantage? Take this five question quiz and see if you know how to
let Office 2003 work best for you.
http://www.microsoft.com/athome/security/quiz/office_security_basic.mspx
FYI - Citibank reissues cards after fraudulent withdrawals - Fraudulent cash withdrawals have prompted Citibank to re-issue an unspecified number of credit and debit cards. The bank has also blocked PIN-based transactions on Citi-branded MasterCard cards in the UK, Russia and Canada to protect customer accounts.
http://www.channelregister.co.uk/2006/03/07/citibank/print.html
FYI - Lloyds TSB
security trial wipes out online fraud - But banking industry asks
what is the best approach? Lloyds TSB has cut online banking fraud
to zero among its customers who are trialling two-factor
authentication devices.
http://www.vnunet.com/computing/news/2151425/lloyds-tsb-trial-wipes-online
FYI - SSL tunnels create 'invisible' backdoors into corporate networks - Encrypted Secure Sockets Layer (SSL) communications between internal corporate employees and external Internet applications are "invisible" to companies and so constitute a "risk to the enterprise," new research has claimed.
http://www.scmagazine.com/us/news/article/545591/?n=us
FYI - Community banks
team up with Microsoft - Microsoft and the Independent Community
Bankers of America (ICBA) have joined forces to help community banks
improve their information security practices.
http://www.scmagazine.com/us/news/article/545858/?n=us
FYI - Web banking fraud losses double in U.K. - A sharp hike in the volume and sophistication
of phishing scams pushed British online banking fraud losses to
record levels of £23 million in 2005 - almost double the previous
year's losses of £12 million, APACS, the U.K. payments association
warned yesterday.
http://www.scmagazine.com/us/news/article/545894/?n=us
FYI - GAO - Managing
Sensitive Information: Departments of Energy and Defense Policies
and Oversight Could Be Improved.
http://www.gao.gov/new.items/d06369.pdf
http://www.gao.gov/highlights/d06369high.pdf
FYI - GAO - Information
Security: Federal Agencies Show Mixed Progress in Implementing
Statutory Requirements.
http://www.gao.gov/cgi-bin/getrpt?GAO-06-527T
http://www.gao.gov/highlights/d06527thigh.pdf
FYI - Citibank card
fraud - magnetic strip to blame? - A Citibank ATM network breach in
Canada, Russia and the UK could have been prevented if the bank's US
customers had chip and PIN technology on their cards, a leading
analyst has said.
http://www.silicon.com/financialservices/0,3800010322,39157105,00.htm
http://www.techworld.com/security/news/index.cfm?NewsID=5526
FYI - Chase scam traced
to Chinese bank - A phishing scam where unwary users are lured into
filling out a bogus survey has been traced to a hacked web server of
a state-owned Chinese bank.
http://www.scmagazine.com/us/news/article/546334/?n=us
FYI - State seizes newspaper's
hard drives in leak probe - The Pennsylvania Attorney General's
Office has seized four newsroom hard drives as part of a probe into
alleged leaks by a county coroner, after the state Supreme Court
denied the newspaper's challenge to the search.
http://www.yorkdispatch.com/pennsylvania/ci_3608667
FYI -
GAO - Information Security: Department of Health and Human
Services Needs to Fully Implement Its Program.
http://www.gao.gov/cgi-bin/getrpt?GAO-06-267
Highlights -
http://www.gao.gov/highlights/d06267high.pdf
WEB SITE COMPLIANCE -
We continue our series on the FFIEC "Authentication in an Internet
Banking Environment."
Risk Assessment
The implementation of appropriate authentication methodologies
should start with an assessment of the risk posed by the
institution's Internet banking systems. The risk should be evaluated
in light of the type of customer (e.g., retail or commercial); the
customer transactional capabilities (e.g., bill payment, wire
transfer, loan origination); the sensitivity of customer information
being communicated to both the institution and the customer; the
ease of using the communication method; and the volume of
transactions. Prior agency guidance has elaborated on this
risk-based and "layered" approach to information security.
An effective authentication program should be implemented to ensure
that controls and authentication tools are appropriate for all of
the financial institution's Internet-based products and services.
Authentication processes should be designed to maximize
interoperability and should be consistent with the financial
institution's overall strategy for Internet banking and electronic
commerce customer services. The level of authentication used by a
financial institution in a particular application should be
appropriate to the level of risk in that application.
A comprehensive approach to authentication requires development of,
and adherence to, the institution's information security standards,
integration of authentication processes within the overall
information security framework, risk assessments within lines of
businesses supporting selection of authentication tools, and central
authority for oversight and risk monitoring. This authentication
process should be consistent with and support the financial
institution's overall security and risk management programs.
The method of authentication used in a specific Internet application
should be appropriate and reasonable, from a business perspective,
in light of the reasonably foreseeable risks in that application.
Because the standards for implementing a commercially reasonable
system may change over time as technology and other procedures
develop, financial institutions and technology service providers
should develop an ongoing process to review authentication
technology and ensure appropriate changes are implemented.
The agencies consider single-factor authentication, as the only
control mechanism, to be inadequate for high-risk transactions
involving access to customer information or the movement of funds to
other parties. Single-factor authentication tools, including
passwords and PINs, have been widely used for a variety of Internet
banking and electronic commerce activities, including account
inquiry, bill payment, and account aggregation. However, financial
institutions should assess the adequacy of such authentication
techniques in light of new or changing risks such as phishing,
pharming, malware, and the evolving sophistication of compromise
techniques. Where risk assessments indicate that the use of
single-factor authentication is inadequate, financial institutions
should implement multifactor authentication, layered security, or
other controls reasonably calculated to mitigate those risks.
The risk assessment process should:
• Identify all transactions and levels of access associated with
Internet-based customer products and services;
• Identify and assess the risk mitigation techniques, including
authentication methodologies, employed for each transaction type and
level of access; and
• Include the ability to gauge the effectiveness of risk mitigation
techniques for current and changing risk factors for each
transaction type and level of access.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Network security requires effective implementation of several
control mechanisms to adequately secure access to systems and data.
Financial institutions must evaluate and appropriately implement
those controls relative to the complexity of their network. Many institutions have increasingly complex and dynamic
networks stemming from the growth of distributed computing.
Security personnel and network administrators have related but
distinct responsibilities for ensuring secure network access across
a diverse deployment of interconnecting network servers, file
servers, routers, gateways, and local and remote client
workstations. Security personnel typically lead or assist in the development
of policies, standards, and procedures, and monitor compliance. They
also lead or assist in incident-response efforts.
Network administrators implement the policies, standards, and
procedures in their day-to-day operational role.
Internally, networks can host or provide centralized access to
mission-critical applications and information, making secure
access an organizational priority. Externally, networks integrate
institution and third-party applications that grant customers and
insiders access to their financial information and Web-based
services. Financial institutions that fail to restrict access
properly expose themselves to increased transaction, reputation, and
compliance risk from threats including the theft of customer
information, data alteration, system misuse, or denial-of-service attacks.
IT SECURITY QUESTION: B. NETWORK SECURITY
17. Determine whether remote access devices and network access
points for remote equipment are appropriately controlled.
• Remote access is disabled by default, and enabled only by
management authorization.
• Management authorization is required for each user who accesses
sensitive components or data remotely.
• Authentication is of appropriate strength (e.g., two-factor for sensitive components).
• Modems are authorized, configured and managed to appropriately
mitigate risks.
• Appropriate logging and monitoring takes place.
• Remote access devices are appropriately secured and controlled
by the institution.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 3 of 3)
E. Ascertain areas of risk associated with the financial institution's sharing practices (especially those within Section 13 and those that fall outside of the exceptions) and any weaknesses
found within the compliance management program. Keep in mind any
outstanding deficiencies identified in the audit for follow-up when
completing the modules.
F. Based on the results of the foregoing initial procedures and
discussions with management, determine which procedures if any
should be completed in the applicable module, focusing on areas of
particular risk. The selection of procedures to be employed depends
upon the adequacy of the institution's compliance management system
and level of risk identified. Each module contains a series of general instructions to verify compliance, cross-referenced to cites within the regulation.
Additionally, there are cross-references to a more comprehensive
checklist, which the examiner may use if needed to evaluate
compliance in more detail.
G. Evaluate any additional information or documentation discovered
during the course of the examination according to these procedures.
Note that this may reveal new or different sharing practices
necessitating reapplication of the Decision Trees and completion of
additional or different modules.
H. Formulate conclusions.
1) Summarize all findings.
2) For violation(s) noted, determine the cause by identifying
weaknesses in internal controls, compliance review, training,
management oversight, or other areas.
3) Identify action needed to correct violations and weaknesses
in the institution's compliance system, as appropriate.
4) Discuss findings with management and obtain a commitment
for corrective action.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.