R. Kinney Williams & Associates | Internet Banking News | April 23, 2006
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - SEC has failed to fix security gaps, GAO says - Information security weaknesses persist at the Securities Exchange Commission because the agency has not followed through on recommendations the Government Accountability Office made last year for comprehensive, agency-wide information security.
http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn_daily&story.id=40313

FYI - HP printer users warned of critical flaw - HP has warned users of its Color LaserJet 2500 and 4600 printers of a flaw that could be exploited by hackers to gain remote admin control over PCs running the devices' control software.
http://www.vnunet.com/vnunet/news/2153487/hp-printer-users-warned-upgrade

FYI - New e-greeting spam hides keylogger - Security watchers have identified a new batch of malicious e-greeting spam that conceals keylogging spyware designed to steal online banking passwords and other sensitive information.
http://www.scmagazine.com/us/news/article/552891/?n=us

FYI - Better web banking security demanded - Almost 90 percent of U.S. bank account holders would like their financial service providers to monitor online banking sessions for signs of irregular activity in the way they currently scrutinize credit card transactions, recently released research has found.
http://www.scmagazine.com/us/news/article/552892/?n=us

FYI - Postbank unveils anti-phishing measures - In an attempt to stop phishing attacks on its internet banking customers, a German bank will introduce electronic signatures in its customer emails.
http://www.scmagazine.com/us/news/article/552905/?n=us

FYI - Update: Fla. residents' data exposure a statewide issue - The Social Security numbers, driver's license information and bank account details belonging to potentially millions of current and former residents of Florida are available to anyone on the Internet because sensitive information has not been redacted from public records being posted on county Web sites.
http://www.computerworld.com/printthis/2006/0,4814,110389,00.html

FYI - RaboDirect's 100% No Fraud Guarantee - Online bank RaboDirect has announced a 100% Secure Guarantee for its Irish customers. The bank, which implements the highest levels of online banking security, is the first bank in Ireland to give a guaranteed protection to its customers.
http://www.rabodirect.ie/press/press_releases/20060409_no_fraud_guarantee.asp

FYI - Data breach at Progressive highlights insider threat - An employee, later fired, improperly accessed data on foreclosed properties - A recent case in which an employee at Progressive Casualty Insurance Co. wrongfully accessed information on foreclosure properties she was interested in buying highlights again the dangers posed to corporate security by insiders.
http://www.computerworld.com/printthis/2006/0,4814,110303,00.html

FYI - Compliance, Not Malware, Drives IT Budgets: Survey - Chief security officers say their primary reasons for investing in security software have to do with compliance rules, not virus threats. Regulatory compliance and protecting intellectual property (IP) are among the top reasons driving demand for security products - not phishing, worms, spyware and hack attacks, according to a recent report.
http://www.informationweek.com/story/showArticle.jhtml?articleID=184429550

FYI - Researcher: Security risks in Web services largely ignored - AJAX, XML could be exploited by hackers, Stamos warns - In their rush to implement Web services, some companies may be exposing themselves to new security risks that they may not fully understand, a security researcher said yesterday.
http://www.computerworld.com/printthis/2006/0,4814,110321,00.html

FYI - Half of European companies unprotected against vulnerabilities - Nearly half of IT professionals believe their infrastructures are not completely protected against vulnerabilities, new research has found. The study, conducted by Ipsos Research, found that 45 percent of over 600 senior IT personnel throughout Europe questioned felt that their IT infrastructure was "never 100 percent protected from software and network vulnerabilities."
http://www.scmagazine.com/us/news/article/554286/half+companies+not+completely+protected+against+vulnerabilities/

FYI - NCUA - Disaster Planning and Response - Letter to Credit Unions - Influenza Pandemic Preparedness.
www.ncua.gov/letters/RiskAlert/2006/06-Risk-01.pdf
WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 1 of 5)

BACKGROUND

Web-site spoofing is a method of creating fraudulent Web sites that look similar, if not identical, to an actual site, such as that of a bank. Customers are typically directed to these spoofed Web sites through phishing schemes or pharming techniques. Once at the spoofed Web site, the customers are enticed to enter information such as their Internet banking username and password, credit card information, or other information that could enable a criminal to use the customers' accounts to commit fraud or steal the customers' identities. Spoofing exposes a bank to strategic, operational, and reputational risks; jeopardizes the privacy of bank customers; and exposes banks and their customers to the risk of financial fraud.

PROCEDURES TO ADDRESS SPOOFING

Banks can mitigate the risks of Web-site spoofing by implementing the identification and response procedures discussed in this bulletin. A bank also can help minimize the impact of a spoofing incident by assigning certain bank employees responsibility for responding to such incidents and training them in the steps necessary to respond effectively. If a bank's Internet activities are outsourced, the bank can address spoofing risks by ensuring that its contracts with its technology service providers stipulate appropriate procedures for detecting and reporting spoofing incidents, and that the service provider's process for responding to such incidents is integrated with the bank's own internal procedures.

Banks can improve the effectiveness of their response procedures by establishing contacts with the Federal Bureau of Investigation (FBI) and local law enforcement authorities in advance of any spoofing incident. These contacts should involve the appropriate departments and officials responsible for investigating computer security incidents. Effective procedures should also include appropriate time frames to seek law enforcement involvement, taking note of the nature and type of information and resources that may be available to the bank, as well as the ability of law enforcement authorities to act rapidly to protect the bank and its customers.

Additionally, banks can use customer education programs to mitigate some of the risks associated with spoofing attacks. Education efforts can include statement stuffers and Web-site alerts explaining various Internet-related scams, including the use of fraudulent e-mails and Web sites in phishing attacks. In addition, because the attacks can exploit vulnerabilities in Web browsers and/or operating systems, banks should consider reminding their customers of the importance of safe computing practices.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Protocols and Ports (Part 3 of 3)

Applications are built in conformance with the protocols to provide services from hosts to clients. Because clients must have a standard way of accessing the services, the services are assigned to standard host ports. Ports are logical, not physical, locations that are either assigned or available for specific network services. Under TCP/IP, 65536 ports are available, and the first 1024 ports are commercially accepted as being assigned to certain services. For instance, Web servers listen for requests on port 80, and secure socket layer Web servers listen on port 443. A complete list of the commercially accepted port assignments is available at www.iana.org.

Ports above 1024 are known as high ports, and are user-assignable. However, users and administrators have the freedom to assign any port to any service, and to use one port for more than one service. Additionally, the service listening on one port may only proxy a connection for a separate service. For example, a Trojan horse keystroke-monitoring program can use the Web browser to send captured keystroke information to port 80 of an attacker's machine. In that case, monitoring of the packet headers from the compromised machine would only show a Web request to port 80 of a certain IP address.
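The booklet's point is that a port number says nothing reliable about what is actually using it, so a monitor that looks only at packet headers is blind to a keylogger tunnelling through port 80. As an added example (not from the FFIEC booklet or this newsletter), the Python below runs two defender-side checks over constructed flow records: it flags port-80 connections whose first payload bytes are not an HTTP request, and it flags destinations that one host contacts at near-regular intervals, the pattern a scheduled upload of captured keystrokes tends to leave even when each request is a well-formed Web request. The record layout, sample addresses and thresholds are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Request methods a genuine browser connection to a Web server starts with.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed sample flow records (assumed layout, not real traffic):
# (timestamp_s, src, dst, dport, bytes_out, first_payload_bytes)
SAMPLE_FLOWS = [
    (0,   "10.0.0.5", "203.0.113.10", 80, 412,  b"GET /index.html HTTP/1.1\r\n"),
    (60,  "10.0.0.5", "198.51.100.7", 80, 1800, b"POST /up HTTP/1.1\r\n"),
    (120, "10.0.0.5", "198.51.100.7", 80, 1750, b"POST /up HTTP/1.1\r\n"),
    (180, "10.0.0.5", "198.51.100.7", 80, 1820, b"POST /up HTTP/1.1\r\n"),
    (240, "10.0.0.5", "198.51.100.7", 80, 1790, b"POST /up HTTP/1.1\r\n"),
    (300, "10.0.0.5", "192.0.2.22",   80, 96,   b"\x16\x03\x01\x00\xa5\x01"),  # TLS record on port 80
    (310, "10.0.0.5", "203.0.113.10", 80, 380,  b"GET /news HTTP/1.1\r\n"),
]


def looks_like_http(payload: bytes) -> bool:
    """True if the first bytes of the connection form an HTTP request line."""
    return payload.startswith(HTTP_METHODS)


def non_http_on_web_port(flows, web_ports=(80,)):
    """Flows to a Web port whose payload is not HTTP: the header alone would
    have reported these as ordinary Web requests."""
    return [(src, dst, dport) for _, src, dst, dport, _, payload in flows
            if dport in web_ports and not looks_like_http(payload)]


def beaconing_destinations(flows, min_count=4, max_jitter=0.1):
    """(src, dst, dport) triples contacted at near-constant intervals.
    Regularity is measured as the spread of the gaps relative to their mean;
    ordinary browsing is bursty, a scheduled uploader is not."""
    by_dest = defaultdict(list)
    for ts, src, dst, dport, _, _ in flows:
        by_dest[(src, dst, dport)].append(ts)
    hits = []
    for key, times in by_dest.items():
        if len(times) < min_count:
            continue
        times.sort()
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        if mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(key)
    return hits


if __name__ == "__main__":
    print("non-HTTP on port 80:", non_http_on_web_port(SAMPLE_FLOWS))
    print("periodic contacts:", beaconing_destinations(SAMPLE_FLOWS))
```

In practice the payload check needs the first bytes of each connection (from a proxy or packet capture), while the interval check works on ordinary flow or firewall logs that record only headers.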
IT SECURITY QUESTION:

C. HOST SECURITY

2. Determine if the configuration minimizes the functionality of programs, scripts, and plug-ins to what is necessary and justifiable.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 13, 14, and/or 15 but outside of these exceptions (Part 1 of 2)

A. Disclosure of Nonpublic Personal Information

1) Select a sample of third party relationships with nonaffiliated third parties and obtain a sample of data shared between the institution and the third party. The sample should include a cross-section of relationships but should emphasize those that are higher risk in nature as determined by the initial procedures. Perform the following comparisons to evaluate the financial institution's compliance with disclosure limitations.

a. Compare the data shared and with whom the data were shared to ensure that the institution accurately categorized its information sharing practices and is not sharing nonpublic personal information outside the exceptions (§§13, 14, 15).

b. Compare the categories of data shared and with whom the data were shared to those stated in the privacy notice and verify that what the institution tells consumers in its notices about its policies and practices in this regard and what the institution actually does are consistent (§§10, 6).

2) Review contracts with nonaffiliated third parties that perform services for the financial institution not covered by the exceptions in section 14 or 15. Determine whether the contracts adequately prohibit the third party from disclosing or using the information other than to carry out the purposes for which the information was disclosed. Note that the "grandfather" provisions of Section 18 apply to certain of these contracts. (§13(a)).
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.