Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

May 27, 2007

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - GAO - Federal Deposit Insurance Corporation Needs to Sustain Progress Improving Its Program.
Report - http://www.gao.gov/cgi-bin/getrpt?GAO-07-351
Highlights - http://www.gao.gov/highlights/d07351high.pdf

FYI - Union sues TSA over data breach - TSA loses hard drive with personal information of 100,000 employees - A federal employee union has filed suit against the Transportation Security Administration over a lost external hard drive that contained the personal information of some 100,000 workers. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070514/656868/

FYI - Six in California indicted for online bank fraud - Six California men accused of breaking into online bank accounts and funneling out the proceeds have been indicted for bank and wire fraud and money laundering. The 53-count indictment could carry a sentence of as much as 30 years in prison and a fine of $1m. http://www.theregister.co.uk/2007/05/09/bank_fraud_indictment/print.html

FYI - Wireless identity thieves - According to an article in the Wall Street Journal (subscription required), the seeds of the nation's largest identity theft operation involving customers of TJX Companies (owners of TJ Maxx, Marshalls, and other discount stores) began in the parking lot outside a Marshalls discount clothing store in St. Paul, Minnesota. http://reviews.cnet.com/4520-3513_7-6733602-1.html?tag=nl.e757

FYI - Computer Economics study: Insiders top IT pros' worries - Researchers have pointed their fingers at insiders as the main security bugaboos facing enterprises. Insider misuse and unauthorized access to information by insiders are the No. 1 and No. 2 security threats worrying IT security professionals, according to Computer Economics' "Trends in IT Security Threats: 2007" report, released this week. http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070514/656883/

FYI - NIST puts its security guidelines in one basket - The National Institute of Standards and Technology has released a database to help agencies collect data needed to assess information technology security programs and produce reports for action plans.
http://www.gcn.com/print/26_10/44216-1.html
http://prisma.nist.gov/

FYI - Military puts MySpace, other sites off limits - No more using the military's computer system to socialize and trade videos on MySpace, YouTube and nine other Web sites, the Pentagon says. http://www.cnn.com/2007/TECH/internet/05/14/military.sites.blocked.ap/index.html

FYI - IDS in Mid-Morph - Intrusion detection systems (IDS) technology isn't dead -- it's just gradually being retooled, according to an IDS/IPS expert who will present his findings at an upcoming conference. http://www.darkreading.com/document.asp?doc_id=123822&WT.svl=news2_1

MISSING COMPUTERS/DATA

FYI - Hackers steal 22,000 Social Security numbers from University of Missouri database - The University of Missouri is the latest university to fall victim to cybercrime, after hackers breached a database and lifted more than 20,000 Social Security numbers.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070514/656468/

FYI - Eurocard swaps thousand cards over security worry - Over 1,000 Swedish Eurocard holders are being issued with new cards following suspicions that fraudsters have got hold of some people's card details. http://www.thelocal.se/7239/20070508/ 

FYI - Indiana State site reveals personal data - The state Department of Administration may have inadvertently disclosed the Social Security numbers of dozens of people involved with women- or minority-owned businesses, officials said today. http://www.indystar.com/apps/pbcs.dll/article?AID=/20070507/BREAK/705070433/1196/LOCAL

FYI - Bank tape lost with data on 90,000 customers - People's Bank in Connecticut said the tape was lost in transit - A computer tape from a Connecticut bank containing personal data on 90,000 customers was lost in transit recently, the bank reported. http://www.computerworld.com/securitytopics/security/story/0,10801,107661,00.html

FYI - Goshen College reports computer security breach - Goshen College joined the ranks of other notable colleges and universities as the latest victim of compromised computer security by hackers. From May 5 to 7, a college computer was remotely accessed with the suspected motivation of using the system to send spam e-mails. http://www.goshen.edu/news/pressarchive/05-11-07-security.html


WEB SITE COMPLIANCE -
Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY TESTING - TESTING CONCEPTS AND APPLICATION

Measurement and Interpretation of Test Results. Institutions should design tests to produce results that are logical and objective. Results that are reduced to metrics are potentially more precise and less subject to confusion, as well as being more readily tracked over time. The interpretation and significance of test results are most useful when tied to threat scenarios.

Traceability. Test results that indicate an unacceptable risk in an institution's security should be traceable to actions subsequently taken to reduce the risk to an acceptable level.

Thoroughness. Institutions should perform tests sufficient to provide a high degree of assurance that their security plan, strategy, and implementation are effective in meeting the security objectives. Institutions should design their test program to draw conclusions about the operation of all critical controls. The scope of testing should encompass all systems in the institution's production environment and contingency plans, and those systems within the institution that provide access to the production environment.

Frequency. Test frequency should be based on the risk that critical controls are no longer functioning. Factors to consider include the nature, extent, and results of prior tests; the value and sensitivity of data and systems; and changes to systems, policies and procedures, personnel, and contractors. For example, network vulnerability scanning on high-risk systems can occur at least as frequently as significant changes are made to the network.


IT SECURITY QUESTION: 
ENCRYPTION

5. Determine if cryptographic keys expire and are replaced at appropriate time intervals.
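As an added illustration of this audit question (example code written for this newsletter summary, not from the FFIEC booklet or from Yennik), the following Python check reads a key inventory and flags keys that have passed their rotation interval or have no rotation policy at all. The key ids, creation dates and intervals are constructed sample data, and the "due soon" window of 30 days is an assumed policy value.

```python
from datetime import date, timedelta

# Constructed sample key inventory (hypothetical ids, dates and intervals).
# max_age_days <= 0 means the institution has defined no rotation interval.
KEY_INVENTORY = [
    {"id": "tls-web-2006", "purpose": "TLS server key", "created": date(2006, 3, 1), "max_age_days": 365},
    {"id": "db-col-enc-01", "purpose": "column encryption", "created": date(2005, 11, 15), "max_age_days": 730},
    {"id": "hsm-pin-zmk", "purpose": "PIN zone master key", "created": date(2007, 1, 10), "max_age_days": 365},
    {"id": "swift-mac-key", "purpose": "message authentication", "created": date(2006, 6, 10), "max_age_days": 365},
    {"id": "backup-tape-kek", "purpose": "backup key-encrypting key", "created": date(2004, 6, 1), "max_age_days": 0},
]

# Audit date used below; fixed so the report is reproducible (newsletter date).
TODAY = date(2007, 5, 27)
DUE_SOON_DAYS = 30  # assumed policy: warn this many days before expiry


def key_status(record, today):
    """Classify one key as 'no-policy', 'expired', 'due-soon' or 'ok'."""
    if record["max_age_days"] <= 0:
        return "no-policy"
    expires = record["created"] + timedelta(days=record["max_age_days"])
    if today >= expires:
        return "expired"
    if today + timedelta(days=DUE_SOON_DAYS) >= expires:
        return "due-soon"
    return "ok"


def audit_keys(inventory, today):
    """Map every key id in the inventory to its rotation status."""
    return {r["id"]: key_status(r, today) for r in inventory}


def findings(inventory, today):
    """Key ids that fail the examiner's question: expired or no rotation policy."""
    statuses = audit_keys(inventory, today)
    return sorted(k for k, s in statuses.items() if s in ("expired", "no-policy"))


if __name__ == "__main__":
    for key_id, status in audit_keys(KEY_INVENTORY, TODAY).items():
        print(f"{key_id:18} {status}")
    print("findings:", findings(KEY_INVENTORY, TODAY))
```

A real inventory would be pulled from the key management system or HSM rather than hard-coded, and each finding should be traceable to a remediation ticket, as the traceability guidance above requires.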


INTERNET PRIVACY
- We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

The Exceptions

Exceptions to the opt-out right are detailed in sections 13, 14, and 15 of the regulations. Financial institutions need not comply with opt-out requirements if they limit disclosure of nonpublic personal information:

1)  To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution's own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes. In a contract for a joint marketing agreement, the contract must provide that the parties to the agreement are jointly offering, sponsoring, or endorsing a financial product or service. However, if the service or function is covered by the exceptions in section 14 or 15 (discussed below), the financial institution does not have to comply with the additional disclosure and confidentiality requirements of section 13. Disclosure under this exception could include the outsourcing of marketing to an advertising company. (Section 13)

2)  As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers. Disclosures under this exception could be in connection with the audit of credit information, administration of a rewards program, or to provide an account statement. (Section 14)

3)  For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution's attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as the disclosure of information to regulators. (Section 15)

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated