R. Kinney Williams & Associates

Internet Banking News

April 10, 2005



FYI - Laptop theft puts data of 98,000 at risk - The University of California, Berkeley, is warning more than 98,000 people that the theft of a laptop from its graduate school admissions office has exposed their personal information. http://news.com.com/Laptop+theft+puts+data+of+98%2C000+at+risk/2100-1029_3-5645362.html?tag=cd.top

FYI - Securities commission rife with security gaps, GAO says - The Securities and Exchange Commission, which is charged with regulating financial systems and controls of publicly traded companies and monitoring securities markets, has trouble regulating its own financial data, according to the Government Accountability Office. http://www.govexec.com/story_page.cfm?articleid=30858&printerfriendlyVers=1&

FYI - Microsoft in Piracy Battle with Korean Bank - A local bank is under investigation for using pirated software in what police said Wednesday was likely only the tip of the iceberg. http://english.chosun.com/w21data/html/news/200503/200503230040.html

FYI - FBI investigating high-tech attack by hacker on UNLV server - A hacker has infiltrated a UNLV computer server containing records for thousands of international students, university officials said. http://www.lasvegassun.com/sunbin/stories/nevada/2005/mar/19/031910382.html

FYI - Security on the Offensive - Tired of being under attack, companies are taking preventive steps to head off security breaches. http://www.computerworld.com/printthis/2005/0,4814,100450,00.html

FYI - Getting Identity Under Control - Many organizations are turning to user-provisioning technologies to help manage access to corporate applications and data. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5601

FYI - GAO - Information Security: Continued Efforts Needed to Sustain Progress in Implementing Statutory Requirements. http://www.gao.gov/cgi-bin/getrpt?GAO-05-483T

FYI - Final Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice - The FFIEC agencies are jointly issuing the attached interpretive guidance for financial institutions to develop and implement a response program designed to address incidents of unauthorized access to sensitive customer information maintained by the financial institution or its service provider. www.fdic.gov/news/news/financial/2005/fil2705.html


WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E  (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.

Additionally, the regulations clarify that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and must make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required. 


INFORMATION TECHNOLOGY SECURITY
This concludes our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Part III. Risks Associated with Both Internal Wireless Networks and Wireless Internet Devices

Evolution and Obsolescence

As the wireless technologies available today evolve, financial institutions and their customers face the risk of current investments becoming obsolete in a relatively short time. As demonstrated by the weaknesses in WEP and earlier versions of WAP and the changes in standards for wireless technologies, wireless networking as a technology may change significantly before it is considered mature. Financial institutions that invest heavily in components that may become obsolete quickly may feel the cost of adopting an immature technology.

Controlling the Impact of Obsolescence

Wireless internal networks are subject to the same kinds of evolution as the computing environment in general. Key questions to ask a vendor before purchasing a wireless internal network solution include:

1)  What is the upgrade path to the next class of network?
2)  Do the devices support firmware (Flash) upgrades for security patches and upgrades?
3)  How does the vendor distribute security information and patches?

The financial institution should also consider the evolving standards of the wireless community. Before entering into an expensive implementation, the institution should research when the next major advances in wireless are likely to be released. Bank management can then make an informed decision on whether the implementation should be based on currently available technology or a future implementation based on newer technology.

The potential obsolescence of wireless customer access can be controlled in other ways. As the financial institution designs applications that are to be delivered through wireless devices, it should design the application so that the business logic is not tied to a particular wireless technology. This can be accomplished by placing the majority of the business logic on back-end or mid-tier servers that are independent of the wireless application server. The wireless application server then becomes a connection point between the customer and the transactions performed. When the institution decides to upgrade or replace the application server, the business logic can remain relatively undisturbed.
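The separation just described, as an added example that is not part of the FDIC guidance or this newsletter: the business rules for a funds transfer (customer authentication by security code, a daily limit, a funds check, the ledger update) live in one channel-agnostic service, and each delivery channel is a thin adapter that only translates its own request format into the service's request type. Retiring a wireless channel, such as the hypothetical WAP/WML handset adapter below, or adding a new one, touches only an adapter. All class names, field names, and account data are constructed for illustration.

```python
"""Channel-independent business logic for a funds-transfer application.

Constructed example: the rules live in TransferService and know nothing about
the delivery channel. Two thin adapters (a hypothetical WAP/WML handset and a
web browser form) map channel-specific fields onto the same TransferRequest.
"""
from dataclasses import dataclass
from decimal import Decimal
from typing import Dict
import hmac


@dataclass(frozen=True)
class TransferRequest:
    customer_id: str
    security_code: str
    from_account: str
    to_account: str
    amount: Decimal


@dataclass(frozen=True)
class TransferResult:
    ok: bool
    message: str


class TransferService:
    """Channel-agnostic rules: authenticate, check limits, post the transfer."""

    DAILY_LIMIT = Decimal("5000.00")  # constructed policy value

    def __init__(self, security_codes: Dict[str, str], balances: Dict[str, Decimal]):
        self._codes = security_codes        # customer_id -> security code (constructed)
        self._balances = balances           # account -> balance (constructed)
        self._posted_today: Dict[str, Decimal] = {}

    def transfer(self, req: TransferRequest) -> TransferResult:
        expected = self._codes.get(req.customer_id)
        # Constant-time comparison: the channel adapter never sees the stored code,
        # and a mismatch does not leak timing information about it.
        if expected is None or not hmac.compare_digest(expected, req.security_code):
            return TransferResult(False, "authentication failed")
        if req.amount <= 0:
            return TransferResult(False, "amount must be positive")
        if req.from_account not in self._balances or req.to_account not in self._balances:
            return TransferResult(False, "unknown account")
        used = self._posted_today.get(req.customer_id, Decimal("0"))
        if used + req.amount > self.DAILY_LIMIT:
            return TransferResult(False, "daily limit exceeded")
        if self._balances[req.from_account] < req.amount:
            return TransferResult(False, "insufficient funds")
        self._balances[req.from_account] -= req.amount
        self._balances[req.to_account] += req.amount
        self._posted_today[req.customer_id] = used + req.amount
        return TransferResult(True, f"transferred {req.amount} to {req.to_account}")

    def balance(self, account: str) -> Decimal:
        return self._balances[account]


# --- Channel adapters: parse their own format, then call the same service ---

def wap_adapter(service: TransferService, wml_fields: Dict[str, str]) -> str:
    """Hypothetical WAP/WML handset posts short field names; reply is one terse line."""
    req = TransferRequest(
        customer_id=wml_fields["cid"], security_code=wml_fields["pin"],
        from_account=wml_fields["src"], to_account=wml_fields["dst"],
        amount=Decimal(wml_fields["amt"]),
    )
    res = service.transfer(req)
    return ("OK: " if res.ok else "ERR: ") + res.message


def web_adapter(service: TransferService, form: Dict[str, str]) -> Dict[str, object]:
    """Browser form posts descriptive field names; reply is a JSON-style dict."""
    req = TransferRequest(
        customer_id=form["customer_id"], security_code=form["security_code"],
        from_account=form["from_account"], to_account=form["to_account"],
        amount=Decimal(form["amount"]),
    )
    res = service.transfer(req)
    return {"success": res.ok, "message": res.message}


def build_demo_service() -> TransferService:
    """Constructed sample customer and accounts for a stand-alone run."""
    return TransferService(
        security_codes={"C1001": "4821"},
        balances={"CHK-1": Decimal("1200.00"), "SAV-1": Decimal("300.00")},
    )


if __name__ == "__main__":
    svc = build_demo_service()
    print(wap_adapter(svc, {"cid": "C1001", "pin": "4821",
                            "src": "CHK-1", "dst": "SAV-1", "amt": "200.00"}))
    print(web_adapter(svc, {"customer_id": "C1001", "security_code": "0000",
                            "from_account": "CHK-1", "to_account": "SAV-1",
                            "amount": "50.00"}))
```

Both adapters exercise the same limit and authentication code paths, so a control review of the transfer rules happens once regardless of how many channels are in production, and the adapters contain nothing that an examiner would need to re-test when a channel is swapped.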


IT SECURITY QUESTION: On-going IT security training:

a. Are new employees trained in computer security?
b. Is continuous computer security training provided to users?
c. Has executive management attended a computer security conference?
d. Has the Network Administrator received training regarding security issues involving the servers and the network?
e. Has the IT Security Officer received training regarding IT security issues?


INTERNET PRIVACY
We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Content of Privacy Notice

14. Does the institution describe the following about its policies and practices with respect to protecting the confidentiality and security of nonpublic personal information:

a. who is authorized to have access to the information; and [§6(c)(6)(i)]

b. whether security practices and policies are in place to ensure the confidentiality of the information in accordance with the institution's policy?  [§6(c)(6)(ii)]

(Note: the institution is not required to describe technical information about the safeguards used in this respect.)

VISTA penetration-vulnerability testing - Does {custom4} need an affordable internal or external penetration-vulnerability test?  R. Kinney Williams & Associates provides the independence required by the FFIEC IT Examination Manual.  We are IT auditors and do not sell hardware or software like many IT testing companies and consultants. In addition, we have over 30 years experience auditing IT operations for financial institutions, which includes 21 years examination experience.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated