R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

May 8, 2005

CONTENT Internet Compliance Information Systems Security
IT Security Question Internet Privacy Website for Penetration Testing


FYI - A common currency for online fraud - Fake checks have been the stock in trade of online fraud artists for years. Now authorities are noting a surge in schemes involving sophisticated counterfeiting of a different form of payment: United States postal money orders. http://news.com.com/A+common+currency+for+online+fraud/2100-1030_3-5684147.html?tag=nefd.top

FYI - Insecurities over Indian outsourcing - A case of bank fraud involving an India-based outsourcer has rekindled a debate about using overseas contractors for tasks involving sensitive data. http://news.com.com/Insecurities+over+Indian+outsourcing/2100-7355_3-5685170.html?tag=cd.lede

FYI - IRS security flaws expose taxpayer data to snooping, GAO finds - Security flaws in computer systems used by the Internal Revenue Service expose millions of taxpayers to potential identity theft or illegal police snooping, according to a congressional report released today.  http://www.computerworld.com/printthis/2005/0,4814,101166,00.html

FYI - Sovereign blames retailer in ID theft scam - Sovereign Bank is trying to blame BJ's Wholesale Club Inc. in an identity theft scheme that victimized hundreds of the bank's debit cardholders last year. http://philadelphia.bizjournals.com/philadelphia/stories/2005/02/14/story4.html?t=printable

FYI - Carnegie Mellon reports computer breach - Carnegie Mellon University is warning more than 5,000 students, employees and graduates that their Social Security numbers and other personal information may have been accessed during a breach of the school's computer network. http://msnbc.msn.com/id/7590506/

FYI - Ameritrade warns 200,000 clients about potential data breach - A computer backup tape containing account information of more than 200,000 Ameritrade Inc. clients was apparently lost or accidentally destroyed while being shipped, prompting the online investment brokerage to notify the clients of a potential breach. http://www.computerworld.com/printthis/2005/0,4814,101217,00.html

FYI - Army of zombies invades China - China's rapid Internet growth has brought with it a somewhat disturbing side effect: multiplying zombies up to no good. Zombies, or Internet-connected computers infected by worms or viruses and under the control of a hacker, are used to launch denial-of-service (DoS) attacks, or send spam or phishing e-mails. An average of 157,000 new zombies are identified each day, and 20% of these are in China, security company CipherTrust Inc. http://www.computerworld.com/printthis/2005/0,4814,101231,00.html

FYI - SANS Releases Analysis of Log Management Industry - In conjunction with Log Logic and other security log analysis vendors, SANS offers a free analysis of the rapidly growing Log Analysis industry. https://www.sans.org/webcasts/20050426_analyst_report.pdf

Return to the top of the newsletter

WEB SITE COMPLIANCE -
Advertisements

Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.

In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications. 


Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY
We continue the series  from the FDIC "Security Risks Associated with the Internet." 

System Architecture and Design

The Internet can facilitate unchecked and/or undesired access to internal systems, unless systems are appropriately designed and controlled. Unwelcome system access could be achieved through IP spoofing techniques, where an intruder may impersonate a local or internal system and be granted access without a password. If access to the system is based only on an IP address, any user could gain access by masquerading as a legitimate, authorized user by "spoofing" the user's address. Not only could any user of that system gain access to the targeted system, but so could any system that it trusts. 

Improper access can also result from other technically permissible activities that have not been properly restricted or secured. For example, application layer protocols are the standard sets of rules that determine how computers communicate across the Internet. Numerous application layer protocols, each with different functions and a wide array of data exchange capabilities, are utilized on the Internet. The most familiar, Hyper Text Transfer Protocol (HTTP), facilitates the movement of text and images. But other types of protocols, such as File Transfer Protocol (FTP), permit the transfer, copying, and deleting of files between computers. Telnet protocol actually enables one computer to log in to another. Protocols such as FTP and Telnet exemplify activities which may be improper for a given system, even though the activities are within the scope of the protocol architecture. 

The open architecture of the Internet also makes it easy for system attacks to be launched  against systems from anywhere in the world. Systems can even be accessed and then used to launch attacks against other systems. A typical attack would be a denial of service attack, which is intended to bring down a server, system, or application. This might be done by overwhelming a system with so many requests that it shuts down. Or, an attack could be as simple as accessing and altering a Web site, such as changing advertised rates on certificates of deposit. 


Security Scanning Products 


A number of software programs exist which run automated security scans against Web servers, firewalls, and internal networks. These programs are generally very effective at identifying weaknesses that may allow unauthorized system access or other attacks against the system. Although these products are marketed as security tools to system administrators and information systems personnel, they are available to anyone and may be used with malicious intent. In some cases, the products are freely available on the Internet.


Return to the top of the newsletter

IT SECURITY QUESTION:  Backup operations: (Part 1 of 2)

a. Is the network backed up? Rotation?
b. Is the core application backed up? Rotation?
c. Are backup tapes stored off premises? Distance?
d. Are backup tapes taken off premises after the backup is finished?
e. Are backup tapes kept in the computer room?

Return to the top of the newsletter

INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Content of Privacy Notice

18. If the institution, in its privacy policies, reserves the right to disclose nonpublic personal information to nonaffiliated third parties in the future, does the privacy notice include, as applicable, the:

a. categories of nonpublic personal information that the financial institution reserves the right to disclose in the future, but does not currently disclose;  [6(e)(1)] and

b. categories of affiliates or nonaffiliated third parties to whom the financial institution reserves the right in the future to disclose, but to whom it does not currently disclose, nonpublic personal information? [6(e)(2)]

VISTA penetration-vulnerability testing - Does {custom4} need an affordable internal or external penetration-vulnerability test?  R. Kinney Williams & Associates provides the independence required by the FFIEC IT Examination Manual.  We are IT auditors and do not sell hardware or software like many IT testing companies and consultants. In addition, we have over 30 years experience auditing IT operations for financial institutions, which includes 21 years examination experience.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated