Internet Banking News

May 9, 2010

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

Are you ready for your IT examination? The Weekly IT Security Review provides a checklist of the IT security issues covered in the FFIEC IT Examination Handbook, which will prepare you for the IT examination. For more information and to subscribe visit http://www.yennik.com/it-review/.

FYI - White House Updates Cybersecurity Orders - The three-pronged approach should help federal agencies do away with wasteful compliance spending and encourage improved security, say White House officials. http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=224500173&subSection=News

FYI - Mobile network hack reveals sensitive cellphone data - Brad Pitt geo tracking made easy - Researchers have demonstrated structural cracks in GSM mobile networks that make it easy to find the number of most US-based cellphone users and to track virtually any GSM-enabled handset across the globe. http://www.theregister.co.uk/2010/04/22/gsm_info_disclosure_hack/

FYI - Cybercrime boosts jobs in security - As corporations across the country have come to understand the nature of today's fast-evolving cyberthreat landscape, many of them are now asking themselves the same question: What kind of security team does an organization need? http://www.sfgate.com/cgi-bin/article.cgi?f=/c/a/2010/04/23/BUOJ1D2VIK.DTL

FYI - Refresh your firewall - I've never known an organization's CSO or CIO to admit they managed a larger budget than they needed, and the prospects don't look much more promising moving forward. So that begs the question - what to do first. For my money, I'd start by refreshing the firewalls. http://www.scmagazineus.com/first-things-first-refresh-your-firewall/article/168800/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Digital Photocopiers Loaded With Secrets - Your Office Copy Machine Might Digitally Store Thousands of Documents That Get Passed on at Resale - At a warehouse in New Jersey, 6,000 used copy machines sit ready to be sold. CBS News chief investigative correspondent Armen Keteyian reports almost every one of them holds a secret. http://www.cbsnews.com/stories/2010/04/19/eveningnews/main6412439.shtml

FYI - 1.5 million stolen Facebook accounts up for grabs - Researchers at VeriSign's iDefense have discovered a single hacker selling 1.5 million stolen Facebook account credentials on an underground market. The stolen credentials were put up for sale by a hacker with the handle "kirllos" who is believed to be from Eastern Europe. http://www.scmagazineus.com/15-million-stolen-facebook-accounts-up-for-grabs/article/168639/?DCMP=EMC-SCUS_Newswire

FYI - Blippy Leaks Four Credit Card Numbers - Social exhibitionism meets Google Search and learns that one can share too much information. One day after The New York Times explored the rise in social Web sites that expose information about users' purchases and activities, declaring that people are becoming more relaxed about privacy, a minor data breach at one such site offers a reminder that people do indeed have something to hide. http://www.informationweek.com/news/security/privacy/showArticle.jhtml?articleID=224600308

FYI - U.S. businesses face skimming fraud increase - U.S. banks are grappling with a recent increase in skimming attacks, which are being carried out by Eastern European gangs aiming to steal consumer bank account numbers and PINs. http://www.scmagazineus.com/us-businesses-face-skimming-fraud-increase/article/168793/?DCMP=EMC-SCUS_Newswire

Return to the top of the newsletter

WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)

E-mail and Internet-related fraudulent schemes, such as "phishing" (pronounced "fishing"), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.

In most phishing schemes, the fraudulent e-mail message will request that recipients "update" or "validate" their financial or personal information in order to maintain their accounts, and direct them to a fraudulent Web site that may look very similar to the Web site of the legitimate business. These Web sites may include copied or "spoofed" pages from legitimate Web sites to further trick consumers into thinking they are responding to a bona fide request. Some consumers will mistakenly submit financial and personal information to the perpetrator who will use it to gain access to financial records or accounts, commit identity theft or engage in other illegal acts.

The Federal Deposit Insurance Corporation (FDIC) and other government agencies have also been "spoofed" in the perpetration of e-mail and Internet-related fraudulent schemes. For example, in January 2004, a fictitious e-mail message that appeared to be from the FDIC was widely distributed, and it told recipients that their deposit insurance would be suspended until they verified their identity. The e-mail message included a hyperlink to a fraudulent Web site that looked similar to the FDIC's legitimate Web site and asked for confidential information, including bank account information.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - This concludes the series from the FDIC "Security Risks Associated with the Internet." Starting next week, we will begin covering the OCC Bulletin about Infrastructure Threats and Intrusion Risks.

V. Security Flaws and Bugs

Because hardware and software continue to improve, the task of maintaining system performance and security is ongoing. Products are frequently issued which contain security flaws or other bugs, and then security patches and version upgrades are issued to correct the deficiencies. The most important action in this regard is to keep current on the latest software releases and security patches. This information is generally available from product developers and vendors. Also important is an understanding of the products and their security flaws, and how they may affect system performance. For example, if there is a time delay before a patch will be available to correct an identified problem, it may be necessary to invoke mitigating controls until the patch is issued.

Reference sources for the identification of software bugs exist, such as the Computer Emergency Response Team Coordination Center (CERT/CC) at the Software Engineering Institute of Carnegie Mellon University, Pittsburgh, Pennsylvania. The CERT/CC, among other activities, issues advisories on security flaws in software products, and provides this information to the general public through subscription e‑mail, Internet newsgroups (Usenet), and their Web site at www.cert.org. Many other resources are freely available on the Internet.

Active Content Languages

Active content languages have been the subject of a number of recent security discussions within the technology industry. While it is not their only application, these languages allow computer programs to be attached to Web pages. As such, more appealing and interactive Web pages can be created, but this function may also allow unauthorized programs to be automatically downloaded to a user's computer. To date, few incidents have been reported of harm caused by such programs; however, active content programs could be malicious, designed to access or damage data or insert a virus.

Security problems may result from an implementation standpoint, such as how the languages and developed programs interact with other software, such as Web browsers. Typically, users can disable the acceptance of such programs on their Web browser. Or, users can configure their browser so they may choose which programs to accept and which to deny. It is important for users to understand how these languages function and the risks involved, so that they make educated decisions regarding their use. Security alerts concerning active content languages are usually well publicized and should receive prompt reviews by those utilizing the technology.

VI. Viruses

Because potentially malicious programs can be downloaded directly onto a system from the Internet, virus protection measures beyond the traditional boot scanning techniques may be necessary to properly protect servers, systems, and workstations. Additional protection might include anti-virus products that remain resident, providing for scanning during downloads or the execution of any program. It is also important to ensure that all system users are educated in the risks posed to systems by viruses and other malicious programs, as well as the proper procedures for accessing information and avoiding such threats.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

Financial Institution Duties ( Part 4 of 6)

Requirements for Notices (continued)

Notice Content. A privacy notice must contain specific disclosures. However, a financial institution may provide to consumers who are not customers a "short form" initial notice together with an opt out notice stating that the institution's privacy notice is available upon request and explaining a reasonable means for the consumer to obtain it. The following is a list of disclosures regarding nonpublic personal information that institutions must provide in their privacy notices, as applicable:

1) categories of information collected;

2) categories of information disclosed;

3) categories of affiliates and nonaffiliated third parties to whom the institution may disclose information;

4) policies with respect to the treatment of former customers' information;

5) information disclosed to service providers and joint marketers (Section 13);

6) an explanation of the opt out right and methods for opting out;

7) any opt out notices the institution must provide under the Fair Credit Reporting Act with respect to affiliate information sharing;

8) policies for protecting the security and confidentiality of information; and

9) a statement that the institution makes disclosures to other nonaffiliated third parties as permitted by law (Sections 14 and 15).

IT Security Checklist
A weekly email that provides an effective
method to prepare for your IT examination.