Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
May 13, 2007
Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - Massachusetts banks file class action suit against TJX - Customers may feel forgiveness; the debit card issuers, less so - The massive data breach disclosed earlier this year by Framingham, Mass.-based TJX Companies Inc. appears to have done little to hurt consumer confidence in the company so far. But it is getting the giant retailer into all sorts of legal trouble.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017758&source=rss_topic17
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070430/653034/
FYI - Bank Secrecy Act - Wolfsberg Group, Clearing House Joint Statement on Payment Message Standards - The Wolfsberg Group and The Clearing House Association L.L.C. have issued the attached joint statement endorsing measures to enhance the transparency of international wire transfers.
www.fdic.gov/news/news/financial/2007/fil07037.html
FYI - VeriSign to offer disposable passwords on bank card - A leading provider of digital-security services wants to make disposable passwords easier for consumers to accept by squeezing the technology into the corner of a regular credit or ATM card.
http://www.marketwatch.com/news/story/verisign-offer-disposable-passwords-bank/story.aspx?guid=%7B8166FB26-1646-4B6D-91EB-941138004266%7D
FYI - GAO report targets data breach guidelines - Report says agencies need to know how and when to offer credit monitoring and other services to reduce the risk of identity theft. A U.S. Government Accountability Office (GAO) report issued Monday in response to a May 2006 data breach at the Department of Veterans Affairs says federal agencies should have uniform guidelines governing when to offer credit monitoring to individuals whose personal information is exposed.
http://www.networkworld.com/news/2007/043007-gao-data-breach-guidelines.html
FYI - YouTube Shocker: Chase Bank Records Found In Trash - Video Exploits Security Lapses With Customer Info - A bank error that's certainly not in your favor has found its way onto the Internet, and now officials say very personal information of thousands of Chase Bank customers could find its way into the hands of identity thieves.
http://wcbstv.com/topstories/local_story_121055435.html
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070502/654180/
FYI - New York State settles with breach notification law violator - A claims management company that violated New York's breach notification law for taking seven weeks to report a missing laptop containing personal information of more than a half-million injured workers has settled with the state.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070502/653843/
MISSING COMPUTERS/DATA
FYI - Ceridian chagrined by leak of client data - A former employee apparently accidentally posted on the Internet payroll files that were mixed in with family photos. For some, nothing is more sacred than their identities and their bank accounts.
http://www.startribune.com/535/story/1144594.html
FYI - Personal data on 160,000 Neiman Marcus employees at risk - It was contained on computer equipment that's been stolen - Specialty retailer The Neiman Marcus Group Inc. yesterday sent letters to nearly 160,000 current and former employees to tell them of a potential breach involving their personal data.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9017725&source=rss_topic17
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070430/653059/
FYI - 175 told of possible computer security incident at Purdue - Purdue University is informing 175 people who were students in fall 2001 that a Web page containing information about them was inadvertently available on the Internet.
http://news.uns.purdue.edu/x/2007a/070424KsanderEngineer.html
FYI - NY teen hacks AOL, infects systems - District Attorney's office charges 17-year-old boy with computer tampering, computer trespass, and criminal possession of computer material - A New York teenager broke into AOL networks and databases containing customer information and infected servers with a malicious program to transfer confidential data to his computer, AOL and the Manhattan District Attorney's Office allege.
http://www.infoworld.com/article/07/04/26/HNteenhackaol_1.html
FYI - Caterpillar says computer equipment containing employee data stolen - Caterpillar Inc. said late Friday that a laptop computer containing personal data on employees was stolen from a benefits consultant that works with the company.
http://www.cantonrep.com/index.php?ID=351057&Category=23&subCategoryID=
WEB SITE COMPLIANCE - Fair Housing Act
A financial institution that advertises on-line credit products that are subject to the Fair Housing Act must display the Equal Housing Lender logotype and legend or other permissible disclosure of its nondiscrimination policy if required by rules of the institution's regulator.
Home Mortgage Disclosure Act (Regulation C)
The regulations clarify that applications accepted through electronic media with a video component (the financial institution has the ability to see the applicant) must be treated as "in person" applications. Accordingly, information about these applicants' race or national origin and sex must be collected. An institution that accepts applications through electronic media without a video component, for example, the Internet or facsimile, may treat the applications as received by mail.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING
Information security is an integrated process that reduces information security risks to acceptable levels. The entire process, including testing, is driven by an assessment of risks. The greater the risk, the greater the need for the assurance and validation provided by effective information security testing.
In general, risk increases with system accessibility and the sensitivity of data and processes. For example, a high-risk system is one that is remotely accessible and allows direct access to funds, fund transfer mechanisms, or sensitive customer data. Information-only Web sites that are not connected to any internal institution system or transaction-capable service are lower-risk systems. Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems. Because tests only measure the security posture at a point in time, frequent testing provides increased assurance that the processes that are in place to maintain security over time are functioning.
A wide range of tests exists. Some address only discrete controls, such as password strength. Others address only technical configuration, or may consist of audits against standards. Some tests are overt studies to locate vulnerabilities. Other tests can be designed to mimic the actions of attackers. In many situations, management may decide to perform a range of tests to give a complete picture of the effectiveness of the institution's security processes. Management is responsible for selecting and designing tests so that the test results, in total, support conclusions about whether the security control objectives are being met.
IT SECURITY QUESTION: ENCRYPTION
3. Determine if cryptographic key controls are adequate.
- Identify where cryptographic keys are stored.
- Review security where keys are stored and when they are used (e.g., in a hardware module).
- Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion.
- Verify that two persons are required for a cryptographic key to be used, where appropriate.
- Review audit and security reports that review the adequacy of cryptographic key controls.
INTERNET PRIVACY - We continue
our review of the issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies.
Nonpublic Personal Information:
"Nonpublic personal information" generally is any
information that is not publicly available and that:
1) a consumer provides to a financial institution to obtain a
financial product or service from the institution;
2) results from a transaction between the consumer and the
institution involving a financial product or service; or
3) a financial institution otherwise obtains about a consumer
in connection with providing a financial product or service.
Information is publicly available if an institution has a reasonable
basis to believe that the information is lawfully made available to
the general public from government records, widely distributed
media, or legally required disclosures to the general public.
Examples include information in a telephone book or a publicly
recorded document, such as a mortgage or securities filing.
Nonpublic personal information may include individual items of
information as well as lists of information. For example, nonpublic
personal information may include names, addresses, phone numbers,
social security numbers, income, credit score, and information
obtained through Internet collection devices (i.e., cookies).
There are special rules regarding lists. Publicly available
information would be treated as nonpublic if it were included on a
list of consumers derived from nonpublic personal information. For
example, a list of the names and addresses of a financial
institution's depositors would be nonpublic personal information
even though the names and addresses might be published in local
telephone directories because the list is derived from the fact that
a person has a deposit account with an institution, which is not
publicly available information.
However, if the financial institution has a reasonable basis to
believe that certain customer relationships are a matter of public
record, then any list of these relationships would be considered
publicly available information. For instance, a list of mortgage
customers where the mortgages are recorded in public records would
be considered publicly available information. The institution could
provide a list of such customers, and include on that list any other
publicly available information it has about the customers on that
list without having to provide notice or opt out.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.