Internet Banking News

May 20, 2007

CONTENT	Internet Compliance	Information Systems Security
IT Security Question	Internet Privacy	Website for Penetration Testing

Does Your Financial Institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b). The penetration audit and Internet security testing is an affordable-sophisticated process than goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Royal Bank of Scotland to give customers handheld chip and PIN readers - Move follows Barclays' announcement - The Royal Bank of Scotland is to become the second bank in a month to give out handheld chip and PIN readers to customers. The move follows Barclays' announcement last month that it would hand out chip and PIN devices to 500,000 customers. http://www.computerworlduk.com/technology/security-products/authentication/news/index.cfm?newsid=2843

FYI - Thumb Drives Replace Malware As Top Security Concern, Study Finds - A survey of IT managers showed that while more than half use a USB flash drive on a daily basis, many still view portable storage devices as a huge security threat. A worker calls up a sensitive investor list and downloads it on her thumb drive, slips it into her pocket, and walks out, smiling and waving to her boss and the security officer stationed at the front door. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199300021

FYI - NIST Issues Security Recommendations For RFID - Federal agency guidelines help "smart tag" users evaluate and reduce potential security and privacy risks. The National Institute of Standards and Technology (NIST) has issued guidelines for radio-frequency identification (RFID). http://www.informationweek.com/shared/printableArticle.jhtml?articleID=199202262

FYI - CIS tool aims to help federal agencies check Windows security settings - They have until February to implement common secure configuration settings - The Center for Internet Security (CIS) this summer will release a free tool designed to help federal agencies check whether their Windows systems configurations comply with security requirements mandated recently by the White House's Office of Management and Budget. http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9018362&in

FYI - J.P. Morgan Chase probing data breach shown in YouTube video - The video appears to show client documents in garbage bags - Financial services firm J.P. Morgan Chase is investigating claims by a Washington, D.C.-based workers union that it dumped documents containing personal financial data belonging to its customers in garbage bags outside five branch offices in New York. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=17&articleId=9018384&intsrc=hm_topic

FYI - GAO Information Technology: VA and DOD Are Making Progress in Sharing Medical Information, but Are Far from Comprehensive Electronic Medical Records.
http://www.gao.gov/cgi-bin/getrpt?GAO-07-852T
Highlights - http://www.gao.gov/highlights/d07852thigh.pdf

FYI - Lax security led to TJX breach - A wireless network that employed less protection than many people use on their home systems appears to be the weak link that led TJX Companies, the US-based retailing empire, to preside over the world's biggest known theft of credit-card numbers. http://www.theregister.co.uk/2007/05/04/txj_nonfeasance/print.html

MISSING COMPUTERS/DATA

FYI - Stolen laptop may hold ID numbers - Delays follow in notification of theft - An Information Technology investigation has revealed that a laptop stolen from a faculty member's Baton Rouge home may contain personally identifiable information for about 750 University students. http://media.www.lsureveille.com/media/storage/paper868/news/2007/05/03/News/Stolen.Laptop.May.Hold.Id.Numbers-2892874.shtml

FYI - Missing drive held DNR names, SSN - Official says employees being informed, protected - A miniature data storage device containing the names and Social Security numbers of 1,433 current and retired Department of Natural Resources employees is missing but does not appear to have been used to exploit personal information, according to the superintendent of the agency's police force. http://www.baltimoresun.com/news/local/bal-dnrstory0503,0,2665140.story?coll=bal-local-headlines

FYI - Hospital staff warned after theft - A computer containing the bank details of thousands of hospital staff has been stolen from an NHS building, it has been revealed. The computer contains bank and personal information about staff at the Royal Cornwall Hospitals NHS Trust but does contain any patient records. http://www.channel4.com/news/articles/society/health/hospital%20staff%20warned%20after%20theft/493432

FYI - Data about 139 officers left on donated computer - Names and Social Security numbers for 139 Champaign police officers were left on a computer donated to charity. http://www.news-gazette.com/news/print/2007/05/01/data_about__officers_left_on_donated/

FYI - Personal data stolen from Virginia agency - The names, addresses and Social Security numbers of 40,000 people were stolen last month from a state agency that serves elderly Virginians. http://content.hamptonroads.com/story.cfm?story=123820&ran=180020

FYI - TSA computer hard drive missing - Drive contained data for over 100,000 Homeland Security employees - The Transportation Security Administration has lost a computer hard drive containing Social Security numbers, bank data and payroll information for about 100,000 employee records. http://www.msnbc.msn.com/id/18497134/

FYI - M&S staff at risk in laptop theft - M&S believes no-one has yet become a victim of identity crime - Staff at Marks and Spencer have been warned they may be at risk of identity crime after the theft of a laptop. Salary details, addresses, dates of birth, national insurance and phone numbers were on the machine which was stolen from a printing firm. http://news.bbc.co.uk/2/hi/programmes/moneybox/6626581.stm

Return to the top of the newsletter

WEB SITE COMPLIANCE - Non-Deposit Investment Products

Financial institutions advertising or selling non-deposit investment products on-line should ensure that consumers are informed of the risks associated with non-deposit investment products as discussed in the "Interagency Statement on Retail Sales of Non Deposit Investment Products." On-line systems should comply with this Interagency Statement, minimizing the possibility of customer confusion and preventing any inaccurate or misleading impression about the nature of the non-deposit investment product or its lack of FDIC insurance.

Return to the top of the newsletter

INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - TESTING CONCEPTS AND APPLICATION

Testing Risks to Data Integrity, Confidentiality, and Availability. Management is responsible for carefully controlling information security tests to limit the risks to data integrity, confidentiality, and system availability. Because testing may uncover nonpublic customer information, appropriate safeguards to protect the information must be in place. Contracts with third parties to provide testing services should require that the third parties implement appropriate measures to meet the objectives of section 501(b) of the GLBA. Management also is responsible for ensuring that employee and contract personnel who perform the tests or have access to the test results have passed appropriate background checks, and that contract personnel are appropriately bonded. Because certain tests may pose more risk to system availability than other tests, management is responsible for considering whether to require the personnel performing those tests to maintain logs of their testing actions. Those logs can be helpful should the systems react in an unexpected manner.

Confidentiality of Test Plans and Data. Since knowledge of test planning and results may facilitate a security breach, institutions should carefully limit the distribution of their testing information. Management is responsible for clearly identifying the individuals responsible for protecting the data and provide guidance for that protection, while making the results available in a useable form to those who are responsible for following up on the tests. Management also should consider requiring contractors to sign nondisclosure agreements and to return to the institution information they obtained in their testing.

Return to the top of the newsletter

IT SECURITY QUESTION: ENCRYPTION

4. Determine whether adequate provision is made for different cryptographic keys for different uses and data.

Return to the top of the newsletter

INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Opt Out Right and Exceptions:

The Right

Consumers must be given the right to "opt out" of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party, unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulations and described below.

As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer's transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right. For example, it would be reasonable if the financial institution allows 30 days from the date of mailing a notice or 30 days after customer acknowledgement of an electronic notice for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number, again depending on the circumstances surrounding the consumer's transaction. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.