R. Kinney Williams & Associates | Internet Banking News | April 16, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - NCUA - Letter to Credit Unions 06-CU-07 - IT Security Compliance Guide.
www.ncua.gov/letters/2006/CU/06-CU-07Encl.pdf

FYI - Thousands of Marines may be at risk for identity theft after loss of portable drive - A portable drive with personal information on more than 207,750 Marines was lost earlier this month, possibly jeopardizing those troops' credit records and privacy.
http://www.estripes.com/article.asp?section=104&article=35264&archive=true

FYI - Feds push for improved privacy notices - The goal: Make financial institutions' privacy practices easier to decipher - Federal regulators released a prototype privacy notice designed to make it easier for consumers to read about, understand and compare the privacy practices of banks and other financial institutions.
http://www.computerworld.com/printthis/2006/0,4814,110121,00.html

FYI - BART to investigate computer work at rush hour - Troubleshooting crashed system, stranded 35,000 - BART officials promised to thoroughly investigate why technicians risked working on computers that control trains while the transit system was running, work that crashed BART's main computer, stalled 50 to 60 trains, and stranded 35,000 passengers for more than an hour at the peak of the Wednesday evening commute.
http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2006/03/31/BART.TMP

FYI - Cash machine 'skimmers' steal thousands - Banks are contacting hundreds of people who were exposed to an ATM fraud where cash-card details were copied and used to rob accounts of more than $20,000. It is New Zealand's first case of "skimming", where sophisticated devices are used to harvest account information from cards while a small camera captures the PIN.
http://www.nzherald.co.nz/section/story.cfm?c_id=5&ObjectID=10375158

FYI - Hacker hits Georgia state database via hole in security software - Confidential information on more than 570,000 people exposed - An unpatched flaw in a "widely used security program" was exploited by an unknown hacker to gain access to a Georgia Technology Authority (GTA) database containing confidential information on more than 570,000 members of the state's pension plans.
http://www.computerworld.com/printthis/2006/0,4814,110094,00.html

FYI - Study: Online Banking Gains Users - Electronic bill pay services also prove popular, study finds. The number of online banking customers in the U.S. grew to nearly 40 million during the last quarter of 2005, up 27 percent from the previous year, according to Reston, Virginia-based comScore Networks. And during the same period the use of online payment services at banks grew 36 percent, comScore said in a statement.
http://www.pcworld.com/news/article/0,aid,125360,tk,dn041106X,00.asp
WEB SITE COMPLIANCE - We conclude our series on the FFIEC "Authentication in an Internet Banking Environment."

Customer Awareness

Financial institutions have made, and should continue to make, efforts to educate their customers. Because customer awareness is a key defense against fraud and identity theft, financial institutions should evaluate their consumer education efforts to determine if additional steps are necessary. Management should implement a customer awareness program and periodically evaluate its effectiveness. Methods to evaluate a program's effectiveness include tracking the number of customers who report fraudulent attempts to obtain their authentication credentials (e.g., ID/password), the number of clicks on information security links on Web sites, the number of statement stuffers or other direct mail communications, the dollar amount of losses relating to identity theft, etc.

Conclusion

Financial institutions offering Internet-based products and services should have reliable and secure methods to authenticate their customers. The level of authentication used by the financial institution should be appropriate to the risks associated with those products and services. Financial institutions should conduct a risk assessment to identify the types and levels of risk associated with their Internet banking applications. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks. The agencies consider single-factor authentication, as the only control mechanism, to be inadequate in the case of high-risk transactions involving access to customer information or the movement of funds to other parties.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 2 of 3)

Other common protocols in a TCP/IP network include the following types.

- Address resolution protocol (ARP) - Obtains the hardware address of connected devices and matches that address with the IP address for that device. The hardware address is the Ethernet card's address, technically referred to as the "media access control" (MAC) address. Ethernet systems deliver messages by MAC address, so a router must obtain both the IP address and the MAC address of connected devices. Reverse ARP (RARP) also exists as a protocol.
- Internet control message protocol (ICMP) - Used to send messages about network health between devices, provides alternate routing information if trouble is detected, and helps to identify problems with routing.
- File transfer protocol (FTP) - Used to browse directories and transfer files. Although access can be authenticated or anonymous, FTP does not support encrypted authentication. Conducting FTP within encrypted channels, such as a Virtual Private Network (VPN), secure shell (SSH) or secure sockets layer (SSL) sessions, can improve security.
- Trivial file transfer protocol (TFTP) - A file transfer protocol with no file-browsing ability and no support for authentication.
- Simple mail transfer protocol (SMTP) - Commonly used in e-mail systems to send mail.
- Post office protocol (POP) - Commonly used to receive e-mail.
- Hypertext transport protocol (HTTP) - Used for Web browsing.
- Secure shell (SSH) - Encrypts communications sessions; typically used for remote administration of servers.
- Secure sockets layer (SSL) - Typically used to encrypt Web browsing sessions; sometimes used to secure e-mail transfers and FTP sessions.
IT SECURITY QUESTION:

C. HOST SECURITY

1. Determine whether hosts are hardened through the removal of unnecessary software and services, consistent with the needs identified in the risk assessment, and that configuration takes advantage of available object, device, and file access controls.
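As an added example (not from the FFIEC booklet or this newsletter), the script below supports both the protocol list above and the host-hardening question: it parses `ss -tuln` output (a constructed sample is embedded), names each listening service using the booklet's protocols, and flags listeners that are cleartext, unrecognized, or not on the approved list from the risk assessment. The port assignments are assumed standard defaults.

```python
import re

# Protocols from the booklet excerpt mapped to their assumed default ports.
# Second field: True = encrypted session, False = credentials/data in the clear.
SERVICES = {
    ("tcp", 21): ("FTP", False),
    ("udp", 69): ("TFTP", False),
    ("tcp", 25): ("SMTP", False),
    ("tcp", 110): ("POP", False),
    ("tcp", 80): ("HTTP", False),
    ("tcp", 22): ("SSH", True),
    ("tcp", 443): ("HTTP over SSL", True),
}

# Constructed sample of `ss -tuln` output for one host (not a real capture).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:69        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:21        0.0.0.0:*
tcp   LISTEN 0      511    *:80              *:*
tcp   LISTEN 0      128    [::]:443          [::]:*
tcp   LISTEN 0      128    0.0.0.0:1337      0.0.0.0:*
"""

LINE = re.compile(r"^(tcp|udp)\s+\S+\s+\d+\s+\d+\s+(\S+)")  # netid ... local addr:port

def parse_listeners(ss_output):
    """Return sorted (netid, port) pairs for every listening socket."""
    found = set()
    for line in ss_output.splitlines():
        m = LINE.match(line)
        if m:  # the header line does not match
            netid, local = m.groups()
            found.add((netid, int(local.rpartition(":")[2])))  # handles *, 0.0.0.0, [::]
    return sorted(found)

def audit(ss_output, approved):
    """Flag listeners that are unrecognized, cleartext, or not approved; empty 'issues' = no finding."""
    findings = []
    for key in parse_listeners(ss_output):
        name, encrypted = SERVICES.get(key, (None, False))
        issues = ["unrecognized service"] if name is None else []
        if name and not encrypted:
            issues.append("cleartext")
        if key not in approved:
            issues.append("not in approved list")
        findings.append({"proto": key[0], "port": key[1], "service": name or "unknown", "issues": issues})
    return findings
```

Run `audit(SAMPLE_SS, {("tcp", 22), ("tcp", 443)})` to see that only SSH and HTTP over SSL come back clean, while FTP, TFTP and HTTP are reported as cleartext and port 1337 as unrecognized.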
INTERNET PRIVACY - We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13). (Part 3 of 3)

C. Opt Out Right

1) Review the financial institution's opt out notices. An opt out notice may be combined with the institution's privacy notices. Regardless, determine whether the opt out notices:
a. Are clear and conspicuous (§§3(b) and 7(a)(1));
b. Accurately explain the right to opt out (§7(a)(1));
c. Include and adequately describe the three required items of information (the institution's policy regarding disclosure of nonpublic personal information, the consumer's opt out right, and the means to opt out) (§7(a)(1)); and
d. Describe how the institution treats joint consumers (customers and those who are not customers), as applicable (§7(d)).

2) Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written records where available, determine if the institution has adequate procedures in place to provide the opt out notice and comply with opt out directions of consumers (customers and those who are not customers), as appropriate. Assess the following:
a. Timeliness of delivery (§10(a)(1));
b. Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9);
c. Reasonableness of the opportunity to opt out (the time allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii), 10(a)(3)); and
d. Adequacy of procedures to implement and track the status of a consumer's (customers and those who are not customers) opt out direction, including those of former customers (§7(e), (f), (g)).
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing the internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.