March 5, 2000
FYI - Consumer advocates, government policy makers, Congressional staff, bankers and policy analysts will explore the privacy of consumer financial information in an electronic age at an interagency public forum hosted by the FDIC on March 23, 2000.
FYI - The U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) updated its listing of Specially Designated Nationals and Blocked Persons to include new entries for Sudan. On February 22, 2000, OFAC updated its listing of Specially Designated Nationals and Blocked Persons to include the names of numerous new Specially Designated Narcotics Traffickers and to make changes to some of the entries previously listed.
Press release at http://www.fdic.gov/news/news/financial/2000/fil0010.html
List of blocked accounts at http://www.treas.gov/ofac/
FYI - OFAC administers laws that impose economic sanctions against foreign nations and individuals. This includes blocking accounts and other assets and prohibiting financial transactions. Internet banking businesses must comply with OFAC requirements. Your Bank needs to collect enough information to identify customers and determine whether a particular transaction is prohibited under OFAC rules.
FYI - The advance notice of proposed rulemaking (ANPR) seeks public comment to assist the OCC in responding to the rapid growth of electronic commerce and the significant business opportunities that these technological developments are affording national banks consistent with safety and soundness. The ANPR was published in the Federal Register on February 2, 2000. The comment period for the ANPR closes on April 3, 2000.
Press release at http://www.occ.treas.gov/ftp/bulletin/2000-5.txt
Advance notice at http://www.occ.treas.gov/ftp/regs/2000-5b.txt
INTERNET SECURITY - Last week we reviewed "social engineering" and "war dialing." This week we review other common forms of system attacks as outlined by the FDIC:
1) Denial of service (system failure), which is any action preventing a system from operating as intended. It may be the unauthorized destruction, modification, or delay of service. For example, in a "SYN Flood" attack, a system can be flooded with requests to establish a connection, leaving the system with more open connections than it can support. Legitimate users of the system being attacked are then unable to connect until the open connections are closed or time out.
2) Internet Protocol (IP) spoofing, which allows an intruder via the Internet to effectively impersonate a local system's IP address in an attempt to gain access to that system. If other local systems perform session authentication based on a connection's IP address, those systems may misinterpret incoming connections from the intruder as originating from a local trusted host and not require a password.
3) Trojan horses, which are programs that contain additional (hidden) functions that usually allow malicious or unintended activities. A Trojan horse program generally performs unintended functions that may include replacing programs, or collecting, falsifying, or destroying data. Trojan horses can be attached to e-mails and may create a "back door" that allows unrestricted access to a system. The programs may automatically exclude logging and other information that would allow the intruder to be traced.
4) Viruses, which are computer programs that may be embedded in other code and can self-replicate. Once active, they may take unwanted and unexpected actions that can result in either nondestructive or destructive outcomes in the host computer programs. The virus program may also move into multiple platforms, data files, or devices on a system and spread through multiple systems in a network. Virus programs may be contained in an e-mail attachment and become active when the attachment is opened.
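The SYN flood described in item 1) is easiest to understand from the server's side: each connection request occupies a slot in a table of half-open connections until the client finishes the handshake, the server closes it, or a timeout drops it. The following is an added example, not code from the FDIC or from this newsletter, that replays a constructed connection log through such a table and shows both the detection signal (the table filling up) and the effect on a legitimate customer (a refused connection that succeeds only after the stale entries expire). The log format, the table size BACKLOG, the HALF_OPEN_TIMEOUT value, and all addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Assumed server capacity: how many half-open connections (SYN received,
# no ACK yet) the listener can hold before further requests are refused.
BACKLOG = 8
# Assumed number of seconds after which an unanswered SYN is dropped.
HALF_OPEN_TIMEOUT = 30.0

# Constructed sample log (not real traffic). Each line reads:
#   <seconds> <client_ip> <server_ip:port> <SYN|ACK|FIN>
# SYN = connection request, ACK = client completed the handshake, FIN = close.
# Two customers connect normally, eight requests arrive and are never
# completed, and a third customer (10.0.0.6) tries to connect while the
# table is full and again after the stale entries have timed out.
SAMPLE_LOG = """\
0.0 10.0.0.5 192.0.2.10:80 SYN
0.1 10.0.0.5 192.0.2.10:80 ACK
0.2 198.51.100.7 192.0.2.10:80 SYN
0.3 198.51.100.7 192.0.2.10:80 ACK
5.0 203.0.113.1 192.0.2.10:80 SYN
5.1 203.0.113.2 192.0.2.10:80 SYN
5.2 203.0.113.3 192.0.2.10:80 SYN
5.3 203.0.113.4 192.0.2.10:80 SYN
5.4 203.0.113.5 192.0.2.10:80 SYN
5.5 203.0.113.6 192.0.2.10:80 SYN
5.6 203.0.113.7 192.0.2.10:80 SYN
5.7 203.0.113.8 192.0.2.10:80 SYN
6.0 10.0.0.6 192.0.2.10:80 SYN
7.0 10.0.0.6 192.0.2.10:80 SYN
40.0 10.0.0.6 192.0.2.10:80 SYN
40.1 10.0.0.6 192.0.2.10:80 ACK
"""

LINE_RE = re.compile(r"^(\d+(?:\.\d+)?) (\S+) (\S+) (SYN|ACK|FIN)$")


def parse_log(text):
    """Yield (time, client, server, flag) for each well-formed line; skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield float(m.group(1)), m.group(2), m.group(3), m.group(4)


def replay(text, backlog=BACKLOG, timeout=HALF_OPEN_TIMEOUT):
    """Replay a connection log through a half-open table of the given size.

    Returns the peak half-open count per server, one alert per server whose
    table filled up, every SYN that had to be refused, and whatever is still
    half-open at the end of the log.
    """
    half_open = {}             # (client, server) -> time the SYN arrived
    peak = defaultdict(int)    # server -> highest half-open count seen
    alerts = []                # (time, server, count) when a table fills
    refused = []               # (time, client, server) for SYNs turned away
    alerted = set()
    for t, client, server, flag in parse_log(text):
        # Drop entries that have waited longer than the timeout.
        for key, t0 in list(half_open.items()):
            if t - t0 > timeout:
                del half_open[key]
        key = (client, server)
        if flag == "SYN":
            if key in half_open:           # retransmit of a pending request
                half_open[key] = t
                continue
            pending = sum(1 for (_, s) in half_open if s == server)
            if pending >= backlog:         # table full: the customer is denied
                refused.append((t, client, server))
                continue
            half_open[key] = t
            pending += 1
            peak[server] = max(peak[server], pending)
            if pending >= backlog and server not in alerted:
                alerted.add(server)        # detection signal: table is full
                alerts.append((t, server, pending))
        else:
            # ACK completes the handshake, FIN closes it; either way the
            # request no longer occupies a half-open slot.
            half_open.pop(key, None)
    return {
        "peak": dict(peak),
        "alerts": alerts,
        "refused": refused,
        "still_open": sorted(half_open),
    }


if __name__ == "__main__":
    for name, value in replay(SAMPLE_LOG).items():
        print(f"{name}: {value}")
```

Running the module replays the sample: the table for 192.0.2.10:80 fills at 5.7 seconds and raises one alert, the customer at 10.0.0.6 is refused at 6.0 and 7.0, and the same customer connects normally at 40.0 once the unanswered requests have aged out. Raising the backlog or shortening the timeout changes how long legitimate users are locked out, which is the trade-off a system administrator tunes; the alert itself is the part worth feeding into monitoring.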
INTERNET COMPLIANCE - The Equal Credit Opportunity Act (Regulation B) clarifies the rules concerning the taking of credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.
The regulation also clarifies the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.
INTERNET RISKS - According to the OCC, Internet banking creates new risk control challenges. Over the past few weeks, we covered the OCC's comments on Credit Risk, Interest Rate Risk, Liquidity Risk, and Price Risk. This week we will cover Foreign Exchange Risk.
Foreign exchange risk is present when a loan or portfolio of loans is denominated in a foreign currency or is funded by borrowings in another currency. In some cases, banks will enter into multi-currency credit commitments that permit borrowers to select the currency they prefer to use in each rollover period. Foreign exchange risk can be intensified by political, social, or economic developments. The consequences can be unfavorable if one of the currencies involved becomes subject to stringent exchange controls or is subject to wide exchange-rate fluctuations. Foreign exchange risk is discussed in more detail in the "Foreign Exchange" booklet of the Comptroller's Handbook.
Banks may be exposed to foreign exchange risk if they accept deposits from non-U.S. residents or create accounts denominated in currencies other than U.S. dollars. Appropriate systems should be developed if banks engage in these activities.
PRIVACY STATEMENT - The FDIC, the Board of Governors of the Federal Reserve System, the OCC, and the OTS have jointly proposed the attached rule on the privacy of consumers' financial information. This regulation is required by the Gramm-Leach-Bliley Act. Comments are due by March 31, 2000.
Press release at http://www.fdic.gov/news/news/financial/2000/fil0011.html
Attached rule at http://www.fdic.gov/news/news/financial/2000/FIL0011a.html
IN CLOSING - This past week Kevin Mitnick gave testimony to the Senate Government Affairs committee regarding Internet and computer security. Mr. Mitnick was released from federal prison January 21, 2000, after spending 59 months in jail for "hacking" computer systems. The most interesting part of his testimony was that he gained access to the computers by using "social engineering" techniques, more aptly defined as a con. In other words, he convinced employees to give him usernames, passwords, and other confidential computer information. He, along with some others who testified, indicated that employees need to be trained not to give out confidential information.
I would recommend that Your Bank's senior management read Mr. Mitnick's opening statement. It is really an eye opener as to how he obtained confidential information and his thoughts about computer security. Send me an e-mail, and I will be happy to e-mail you Mr. Mitnick's remarks as a Word format attachment.