R. Kinney Williams & Associates
R. Kinney Williams
& Associates

Internet Banking News

May 21, 2006

CONTENT Internet Compliance Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does Your Financial Institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach Bliley Act 501(b) The VISTA penetration study and Internet security test is an affordable-sophisticated process than goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

- Consumers Losing Trust in Online Banking - Security must be considered a necessity, not a luxury, report says. U.S. consumers are not as enamored with online banking as they once were and are citing online security as their top concern, according to a report. http://www.pcworld.com/news/article/0,aid,125691,tk,dn051206X,00.asp

FYI - A cyberexercise with real-world lessons - Air Force cadets win 6th annual CDX competition - Students from the military academies recently came under cyberattack. Fortunately, it was from a network attack team composed of National Security Agency and Defense personnel during an intense, four-day competition-the sixth annual Cyber Defense Exercise. http://appserv.gcn.com/cgi-bin/udt/im.display.printable?client.id=gcn&story.id=40574

FYI - Ohio University reports two separate security breaches - Ohio University this week disclosed two separate but apparently unrelated incidents of data theft involving its computers. http://www.computerworld.com/printthis/2006/0,4814,111113,00.html

FYI - Gone in 20 Minutes: using laptops to steal cars - High-tech thieves are becoming increasingly savvy when it comes to stealing automobiles equipped with keyless entry and ignition systems. http://www.leftlanenews.com/2006/05/03/gone-in-20-minutes-using-laptops-to-steal-cars/

FYI - Schools scramble to safeguard computer systems - Private industry long ago adopted safeguards against hacking, but public schools, which just began putting student records online in recent years, are only starting to recognize their vulnerability. http://www.boston.com/news/local/massachusetts/articles/2006/04/29/schools_scramble_to_safeguard_computer_systems/

FYI - Wells Fargo warns of possible data theft - Wells Fargo, the second-largest U.S. mortgage lender, said a computer containing confidential data about mortgage customers and prospective customers is missing and may have been stolen. http://news.com.com/2102-7348_3-6069367.html?tag=st.util.print

FYI - Idaho utility hard drives -- and data -- turn up on eBay - The company is now scrambling to get the drives back - Anybody with five bucks and a little patience may be able to score sensitive corporate or customer data on eBay. If your organization has engaged in the common practice of disk drive recycling -- selling unneeded disk drives directly or through a service -- company data might wind up for sale on eBay Inc.'s auction site, even if the drives have been wiped first. http://www.computerworld.com/securitytopics/security/story/0,10801,111148,00.html

FYI - Webroot Uncovers Thousands of Stolen Identities - Company believes the info--which includes names and social security numbers--was collected by a Trojan horse. Spyware researchers at Webroot Software have uncovered a stash of tens of thousands of stolen identities from 125 countries that they believe were collected by a new variant of a Trojan horse program the company is calling Trojan-Phisher-Rebery. http://www.pcworld.com/news/article/0,aid,125673,tk,dn051006X,00.asp

FYI - Keylogger spying at work on the rise, survey says - The number of companies reporting a spyware infestation has increased by almost half in the past 12 months, according to a new survey. http://news.com.com/2102-7355_3-6072948.html?tag=st.util.print

Return to the top of the newsletter

WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5)  Next week we will begin our series on the FFIEC Authentication in an Internet Banking Environment

PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities

If a bank is the target of a spoofing incident, it should promptly notify its OCC supervisory office and report the incident to the FBI and appropriate state and local law enforcement authorities.  Banks can also file complaints with the Internet Fraud Complaint Center (see http://www.ifccfbi.gov/), a partnership of the FBI and the National White Collar Crime Center.

In order for law enforcement authorities to respond effectively to spoofing attacks, they must be provided with information necessary to identify and shut down the fraudulent Web site and to investigate and apprehend the persons responsible for the attack.  The data discussed under the "Information Gathering" section should meet this need.

In addition to reporting to the bank's supervisory office and law enforcement authorities, there are other less formal mechanisms that a bank can use to report these incidents and help combat fraudulent activities.  For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/), which is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing.  Members of Digital Phishnet include ISPs, online auction services, financial institutions, and financial service providers.  The members work closely with the FBI, Secret Service, U.S. Postal Inspection Service, Federal Trade Commission (FTC), and several electronic crimes task forces around the country to assist in identifying persons involved in phishing-type crimes.

Finally, banks can forward suspicious e-mails to the FTC at spam@uce.gov.  For more information on how the FTC can assist in combating phishing and spoofing, see http://www.consumer.gov/idtheft.

Return to the top of the newsletter

We continue our series on the FFIEC interagency Information Security Booklet.  



A firewall is a collection of components (computers, routers, and software) that mediate access between different security domains. All traffic between the security domains must pass through the firewall, regardless of the direction of the flow. Since the firewall serves as a choke point for traffic between security domains, they are ideally situated to inspect and block traffic and coordinate activities with network IDS systems.

Financial institutions have four primary firewall types from which to choose: packet filtering, stateful inspection, proxy servers, and application-level firewalls. Any product may have characteristics of one or more firewall types. The selection of firewall type is dependent on many characteristics of the security zone, such as the amount of traffic, the sensitivity of the systems and data, and applications.  Over the next few weeks we will discussed the different types of firewalls.

Return to the top of the newsletter



6. Determine whether an appropriate process exists to authorize access to host systems and that authentication and authorization controls on the host appropriately limit access to and control the access of authorized individuals.

Return to the top of the newsletter

- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Redisclosure of nonpublic personal information received from a nonaffiliated financial institution outside of Sections 14 and 15.

A. Through discussions with management and review of the institution's procedures, determine whether the institution has adequate practices to prevent the unlawful redisclosure of the information where the institution is the recipient of nonpublic personal information (11(b)). 

B. Select a sample of data received from nonaffiliated financial institutions and shared with others to evaluate the financial institution's compliance with redisclosure limitations.

1.  Verify that the institution's redisclosure of the information was only to affiliates of the financial institution from which the information was obtained or to the institution's own affiliates, except as otherwise allowed in the step b below (11(b)(1)(i) and (ii)).

2.  If the institution shares information with entities other than those under step a above, verify that the institution's information sharing practices conform to those in the nonaffiliated financial institution's privacy notice (11(b)(1)(iii)).

3.  Also, review the procedures used by the institution to ensure that the information sharing reflects the opt out status of the consumers of the nonaffiliated financial institution (10, 11(b)(1)(iii)).  

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Back Button

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated