|June is the 10th anniversary of the Internet Banking
News. The 520 weekend editions is a labor of love,
which we enjoy bringing you. We look forward to your
continued readership and hope you will send us your
suggestions to make the newsletter better during our
second decade. Thanks - R. Kinney Williams, President of
P. S. If you know someone
that would like to receive the newsletter, please let us
There is no charge.
GAO - Federal Reserve
Banks: Areas for Improvement in Information Security Controls.
Savvis faces bank lawsuit over CardSystems data breach - Merrick
Bank has launched a multi-million dollar lawsuit against Savvis,
accusing the vendor of erroneously telling it that CardSystems
Solutions complied with Visa and MasterCard security regulations
less than a year before the payment processor's systems were hacked,
compromising up to 40 million credit card accounts.
Anti-U.S. Hackers Infiltrate Army Servers - Defense Department
investigators subpoena records from Google, Microsoft, and Yahoo in
connection with ongoing probe. A known computer hacking clan with
anti-American leanings has successfully broken into at least two
sensitive Web servers maintained by the U.S. Army, InformationWeek
has learned exclusively.
Privacy watchdog cracks down on NHS breaches - The Information
Commissioner's Office is putting pressure on the NHS to improve data
security at its facilities, following a string of breaches.
Water utility auditor resigns, transfers $9m offshore - California
and federal officials are searching for a former employee of a large
water utility who is suspected of trying to transfer more than $9m
to an offshore account after quitting the company. Abdirahman Ismail
Abdi made the brazen transfers on April 27, just hours after
resigning from the California Water Services Company, according to
documents filed in federal court in Northern California.
Identity theft ring busted in New York - Using financial information
purchased from crooked bank insiders, a ring of thieves compromised
the checking accounts of nearly 350 New York-based corporations,
religious institutions, hospitals and schools, as well as city and
state government agencies, to steal millions of dollars, prosecutors
said this week.
Study finds IT security pros cheat on audits- IT security
professionals might think of auditing as a pain, but some are
actually cheating to get audits passed, according to a study
released by security vendor Tufin Technologies.
Feds quiz former worker over Texas power plant hack - A former
employee at a Texas power utility was arrested late last week over
accusations he crippled its energy forecast system after launching a
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Department of Interior Computers Missing, Report Finds - According
to a report, the U.S. Department of Interior can't locate nearly 20
percent of the computers that are supposed to be in its care. The
report also finds that many PCs are not encrypted, and the disposal
process for computers is not uniform.
Lost laptop exposes thousands of pension records - A lost laptop
containing the personal data of 109,000 Pensions Trust members has
sparked the latest in a growing list of information security breach
alerts. The missing machine was stolen from the offices of
NorthgateArinso, suppliers of the Pensions Trust's computerised
pensions administration system, where it was being used "as a
database for development, training and performance testing."
Aetna warns 65,000 about Web site data breach - Insurance company
Aetna has contacted 65,000 current and former employees whose Social
Security numbers (SSNs) may have been compromised in a Web site data
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
We continue covering some of the issues discussed in the "Risk
Management Principles for Electronic Banking" published by the Basel
Committee on Bank Supervision.
Banking organizations have been delivering electronic services to
consumers and businesses remotely for years. Electronic funds
transfer, including small payments and corporate cash management
systems, as well as publicly accessible automated machines for
currency withdrawal and retail account management, are global
fixtures. However, the increased world-wide acceptance of the
Internet as a delivery channel for banking products and services
provides new business opportunities for banks as well as service
benefits for their customers.
Continuing technological innovation and competition among existing
banking organizations and new market entrants has allowed for a much
wider array of electronic banking products and services for retail
and wholesale banking customers. These include traditional
activities such as accessing financial information, obtaining loans
and opening deposit accounts, as well as relatively new products and
services such as electronic bill payment services, personalized
financial "portals," account aggregation and
business-to-business market places and exchanges.
Notwithstanding the significant benefits of technological
innovation, the rapid development of e-banking capabilities carries
risks as well as benefits and it is important that these risks are recognized
and managed by banking institutions in a prudent manner. These
developments led the Basel Committee on Banking Supervision to
conduct a preliminary study of the risk management implications of
e-banking and e-money in 1998. This early study demonstrated a clear
need for more work in the area of e-banking risk management and that
mission was entrusted to a working group comprised of bank
supervisors and central banks, the Electronic Banking Group (EBG),
which was formed in November 1999.
The Basel Committee released the EBG's Report on risk management
and supervisory issues arising from e-banking developments in
October 2000. This Report inventoried and assessed the major risks
associated with e-banking, namely strategic risk, reputational risk,
operational risk (including security and legal risks), and credit,
market, and liquidity risks. The EBG concluded that e-banking
activities did not raise risks that were not already identified by
the previous work of the Basel Committee. However, it noted that
e-banking increase and modifies some of these traditional risks,
thereby influencing the overall risk profile of banking. In
particular, strategic risk, operational risk, and reputational risk
are certainly heightened by the rapid introduction and underlying
technological complexity of e-banking activities.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information Security
LOGGING AND DATA COLLECTION (Part 2 of 2)
When evaluating whether and what data to log, institutions
should consider the importance of the related system or information,
the importance of monitoring the access controls, the value of
logged data in restoring a compromised system, and the means to
effectively analyze the data. Generally, logs should capture source
identification information; session ID; terminal ID; and the date,
time, and the nature of the access attempt, service request, or
process. Many hardware and software products come with logging
disabled and may have inadequate log analysis and reporting
capabilities. Institutions may have to enable the logging
capabilities and then verify that logging remains enabled after
rebooting. In some cases, additional software will provide the only
means to analyze the log files effectively.
Many products such as firewall and intrusion detection software can
simplify the security monitoring by automating the analysis of the
logs and alerting the appropriate personnel of suspicious activity.
Log files are critical to the successful investigation and
prosecution of security incidents and can potentially contain
sensitive information. Intruders will often attempt to conceal any
unauthorized access by editing or deleting log files. Therefore,
institutions should strictly control and monitor access to log
files. Some considerations for securing the integrity of log files
! Encrypting log files that contain sensitive data or that are
transmitting over the network,
! Ensuring adequate storage capacity to avoid gaps in data
! Securing backup and disposal of log files,
! Logging the data to a separate, isolated computer,
! Logging the data to write - only media like a write - once/read -
many (WORM) disk or drive,
! Utilizing centralized logging, such as the UNIX "SYSLOG" utility,
! Setting logging parameters to disallow any modification to
previously written data.
The financial institution should have an effective means of tracing
a security event through their system. Synchronized time stamps on
network devices may be necessary to gather consistent logs and a
consistent audit trail. Additionally, logs should be available, when
needed, for incident detection, analysis and response.
When using logs to support personnel actions, management should
consult with counsel about whether the logs are sufficiently
reliable to support the action.
Return to the top of the
1. Determine if adequate physical security and access controls exist
over data back-ups and program libraries throughout their life
cycle, including when they are created, transmitted/taken to
storage, stored, retrieved and loaded, and destroyed.
! Review the risk assessment to identify key control points in
a data set's life cycle.
! Verify controls are in place consistent with the level of
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
10) Does the institution list the following categories of
nonpublic personal information that it discloses, as applicable, and
a few examples of each, or alternatively state that it reserves the
right to disclose all the nonpublic personal information that it
a) information from the consumer;
b) information about the consumer's transactions with the
institution or its affiliates;
c) information about the consumer's transactions with
nonaffiliated third parties; and
d) information from a consumer reporting agency? [§6(c)(2)]