R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

March 27, 2005

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - MIT says it won't admit hackers - Business school joins Harvard in decision - The dean of MIT's Sloan School of Management yesterday said Sloan will join Harvard Business School in rejecting applications from prospective students who hacked into a website last week to learn whether they had been admitted before they were formally notified. http://www.boston.com/business/articles/2005/03/09/mit_says_it_wont_admit_hackers/

FYI - RFID Invades the Capital - A new smartcard, the type privacy advocates fear because it combines biometric data with radio tags, will soon be one of the most common ID cards in Washington. http://www.wired.com/news/print/0,1294,66801,00.html

FYI - Credit card and purchase data from 103 DSW Shoe Warehouse stores was stolen and used in fraudulent activity, according to parent company Retail Ventures. The theft is the latest reported instance in recent weeks in which customers' personal data was stolen or lost. Other companies to report such problems include Bank of America, ChoicePoint and LexisNexis. http://news.zdnet.com/2102-1009_22-5608311.html?tag=printthis

FYI - Bluetooth phones hacked from a mile away - Bluetooth phones may be vulnerable to attack from up to a mile away by a new device that can pick up distant transmissions from enabled handsets. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=db426fdc-f512-4d07-aa91-d78c45e164b9&newsType=Latest%20News&s=n

FYI - IT sec community has false sense of security - A false sense of security could lead IT managers to getting the sack, a new survey has revealed. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=806f5f0b-e70c-48cb-b2d8-6f8eff0607ee&newsType=Latest%20News&s=n

FYI - A phishing wolf in sheep's clothing - An easily-remedied Web site loophole may be leaving banks and other companies that do business online more susceptible to phishing attacks, according to Netcraft. http://news.com.com/2102-7349_3-5616419.html?tag=st.util.print

FYI - The Ten Commandments of PC Security - Fight off nasty viruses, worms, and Trojan horses by following these simple rules. http://pcworld.about.com/news/Oct292003id113175.htm

FYI - Probe eyes attempted $420 million online bank heist - Israeli police are investigating with British forces an attempted robbery of 219 million pounds, or $421.2 million, at the London offices of the Japanese bank Sumitomo. http://news.com.com/2102-7349_3-5622794.html?tag=st.util.print


FYI - Determined Data Thieves Crash Las Vegas DMV - Thieves broke into the Donovan North Las Vegas office of the Nevada Department of Motor Vehicles and stole a computer and equipment used to make driver's licenses. Files on the computer contained information that can be found on the front of a driver's license, social security numbers and signatures along with pictures of 8,900 Nevada motorists. http://www.govtech.net/magazine/channel_story.php?channel=3&id=93392

Return to the top of the newsletter

WEB SITE COMPLIANCE -
We finish our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques."  (Part 10 of 10)  

B. RISK MANAGEMENT TECHNIQUES

Managing Service Providers

Financial institutions, especially smaller institutions, may choose to subcontract with a service provider to create, arrange, and manage their websites, including weblinks. The primary risks for these financial institutions are the same as for those institutions that arrange the links directly. However, if a financial institution uses a set of pre-established links to a large number of entities whose business policies or procedures may be unfamiliar, it may increase its risk exposure. This is particularly true in situations in which the institution claims in its published privacy policy that it maintains certain minimum information security standards at all times.

When a financial institution subcontracts weblinking arrangements to a service provider, the institution should conduct sufficient due diligence to ensure that the service provider is appropriately managing the risk exposure from other parties. Management should keep in mind that a vendor might establish links to third parties that are unacceptable to the financial institution. Finally, the written agreement should contain a regulatory requirements clause in which the service provider acknowledges that its linking activities must comply with all applicable consumer protection laws and regulations.

Financial institution management should consider weblinking agreements with its service provider to mitigate significant risks. These agreements should be clear and enforceable with descriptions of all obligations, liabilities, and recourse arrangements. These may include the institution's right to exclude from its site links the financial institution considers unacceptable. Such contracts should include a termination clause, particularly if the contract does not include the ability to exclude websites. Finally, a financial institution should apply its link monitoring policies discussed above to links arranged by service providers or other vendors.

FYI CLIENTS - The complete statement on Weblinking: Identifying Risks and Risk Management Techniques can be found at http://www.fdic.gov/news/news/financial/2003/fil0330a.html.


Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
- We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."


Part II. Risks Associated with Wireless Internet Devices

As wireless Internet devices become more prevalent in the marketplace, financial institutions are adopting wireless application technologies as a channel for reaching their customers. Wireless Internet services are becoming available in major cities across the United States. Through wireless banking applications, a financial institution customer could access account information and perform routine non-cash transactions without having to visit a branch or ATM.

The wireless Internet devices available today present attractive methods for offering and using financial services. Customers have access to financial information from anywhere they can receive wireless Internet access. Many of the wireless devices have built-in encryption through industry-standard encryption methods. This encryption has its limits based on the processing capabilities of the device and the underlying network architecture.

A popular standard for offering wireless applications is through the use of the Wireless Application Protocol (WAP). WAP is designed to bring Internet application capabilities to some of the simplest user interfaces. Unlike the Web browser that is available on most personal computer workstations, the browser in a wireless device (such as a cell phone) has a limited display that in many cases can provide little, if any, graphical capabilities. The interface is also limited in the amount of information that can be displayed easily on the screen. Further, the user is limited by the keying capabilities of the device and often must resort to many key presses for simple words.

The limited processing capabilities of these devices restrict the robustness of the encryption network transmissions. Effective encryption is, by nature, processing-intensive and often requires complex calculations. The time required to complete the encryption calculations on a device with limited processing capabilities may result in unreasonable delays for the device's user. Therefore, simpler encryption algorithms and smaller keys may be used to speed the process of obtaining access.

WAP is an evolving protocol. The most recent specification of WAP (WAP 2.0 - July 2001) offers the capability of encrypting network conversations all the way from the WAP server (at the financial institution) to the WAP client (the financial institution customer). Unfortunately, WAP 2.0 has not yet been fully adopted by vendors that provide the building blocks for WAP applications. Previous versions of WAP provide encryption between the WAP client and a WAP gateway (owned by the Wireless Provider). The WAP gateway then must re-encrypt the information before it is sent across the Internet to the financial institution. Therefore, sensitive information is available at the wireless provider in an unencrypted form. This limits the financial institution's ability to provide appropriate security over customer information.

Return to the top of the newsletter

IT SECURITY QUESTION:  Internet connection to the network:

a. Is there an Internet use policy?
b. Are employees required to sign that they have read the Internet use policy?
c. Is there an Internet security policy?
d. Is Internet access given to all employees?
e. Is a password required to access the Internet?
f.  Is Internet access analog?
g. Is Internet access DSL, cable, or secure T1 line?
h. Is there a firewall (hardware or software) between the Internet and the network?
i.  Is there an intrusion detection system?
j.  Do all employees have e-mail privileges?
k. Is penetration-vulnerability testing performed?
l.  Is there an anti-virus program on the network servers and is the program current?
m. Is there an Internet activity report that is regularly review?


Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

12. Does the institution make the following disclosures regarding service providers and joint marketers to whom it discloses nonpublic personal information under 13:

a. as applicable, the same categories and examples of nonpublic personal information disclosed as described in paragraphs (a)(2) and (c)(2) of section six (6) (see questions 8b and 10); and [6(c)(4)(i)]

b. that the third party is a service provider that performs marketing on the institution's behalf or on behalf of the institution and another financial institution; [6(c)(4)(ii)(A)] or

c. that the third party is a financial institution with which the institution has a joint marketing agreement? [6(c)(4)(ii)(B)]


VISTA penetration-vulnerability testing - Does {custom4} need an affordable internal or external penetration-vulnerability test?  R. Kinney Williams & Associates provides the independence required by the FFIEC IT Examination Manual.  We are IT auditors and do not sell hardware or software like many IT testing companies and consultants. In addition, we have over 30 years experience auditing IT operations for financial institutions, which includes 21 years examination experience.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated