Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing
for financial institutions.
June 17, 2007
Does your financial institution need an affordable Internet security
audit?
Yennik, Inc. has clients in 41 states that rely on our penetration
testing audits to ensure proper Internet security settings and to meet
the independent diagnostic test requirements of FDIC, OCC, OTS, FRB,
and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The penetration audit and Internet security testing is an affordable,
sophisticated process that goes far beyond the simple scanning of
ports. The audit focuses on a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call today at 806-798-7119 or visit
http://www.internetbankingaudits.com/.
FYI - U.S. government
still lacks data protection, study says - Many agencies still don't
have plans for dealing with teleworkers - More than half of U.S.
government employees unofficially work at home on nights or
weekends, raising concerns about the security of the data they're
working on, according to a study released.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyName=government&articleId=9023098&taxonomyId=13&intsrc=kc_top
FYI - GAO - Information
Security: Agencies Report Progress, but Sensitive Data Remain at
Risk.
Release -
http://www.gao.gov/cgi-bin/getrpt?GAO-07-935T
Highlights -
http://www.gao.gov/highlights/d07935thigh.pdf
FYI - ChoicePoint Settles With 43 States, D.C. - ChoicePoint Inc. has
agreed to implement more safeguards as part of a settlement with 43
states and the District of Columbia over allegations it failed to
adequately secure consumers' personal information related to a
breach of its database it disclosed in 2005.
http://www.smh.com.au/news/Technology/ChoicePoint-Settles-With-43-States-DC/2007/06/01/1180205461106.html
FYI - Ex-San Jose
medical manager pleads guilty to stealing personal data - A former
San Jose medical manager has pleaded guilty to stealing a computer
and a CD that contained personal medical information of about
200,000 patients.
http://www.mercurynews.com/ci_6029308?source=most_viewed&nclick_check=1
http://sanfrancisco.fbi.gov/dojpressrel/2006/sf011906.htm
http://sanfrancisco.fbi.gov/dojpressrel/2007/sf053107.htm
MISSING COMPUTERS/DATA
FYI - The Breach Blog:
Hacker steals $450,000 from city of Carson, Nev. - A hacker used
keylogger technology to steal the passwords of Carson, Nev.
Treasurer Karen Avila, then wired nearly $450,000 to North Carolina
and Michigan in the next two days.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070604/661572/
FYI - Fresno Co. loses track of sensitive data - Information on
thousands of health workers, clients on missing disk. - Fresno County
officials are desperately
searching for a missing computer disk that contains the names,
addresses, Social Security numbers and other personal information
for thousands of home health care workers and the thousands of
clients they serve.
http://www.fresnobee.com/263/story/51168.html
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents
(Part 1 of 5)
BACKGROUND
Web-site spoofing is a method of creating fraudulent Web sites that
look similar, if not identical, to an actual site, such as that of a
bank. Customers are typically directed to these spoofed Web
sites through phishing schemes or pharming techniques. Once at
the spoofed Web site, the customers are enticed to enter information
such as their Internet banking username and password, credit card
information, or other information that could enable a criminal to
use the customers' accounts to commit fraud or steal the customers'
identities. Spoofing exposes a bank to strategic, operational,
and reputational risks; jeopardizes the privacy of bank customers;
and exposes banks and their customers to the risk of financial
fraud.
PROCEDURES TO ADDRESS SPOOFING
Banks can mitigate the risks of Web-site spoofing by implementing
the identification and response procedures discussed in this
bulletin. A bank also can help minimize the impact of a
spoofing incident by assigning certain bank employees responsibility
for responding to such incidents and training them in the steps
necessary to respond effectively. If a bank's Internet
activities are outsourced, the bank can address spoofing risks by
ensuring that its contracts with its technology service providers
stipulate appropriate procedures for detecting and reporting
spoofing incidents, and that the service provider's process for
responding to such incidents is integrated with the bank's own
internal procedures.
Banks can improve the effectiveness of their response procedures by
establishing contacts with the Federal Bureau of Investigation (FBI)
and local law enforcement authorities in advance of any spoofing
incident. These contacts should involve the appropriate
departments and officials responsible for investigating computer
security incidents. Effective procedures should also include
appropriate time frames to seek law enforcement involvement, taking
note of the nature and type of information and resources that may be
available to the bank, as well as the ability of law enforcement
authorities to act rapidly to protect the bank and its customers.
Additionally, banks can use customer education programs to mitigate
some of the risks associated with spoofing attacks. Education
efforts can include statement stuffers and Web-site alerts
explaining various Internet-related scams, including the use of
fraudulent e-mails and Web-sites in phishing attacks. In
addition, because the attacks can exploit vulnerabilities in Web
browsers and/or operating systems, banks should consider reminding
their customers of the importance of safe computing practices.
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security Booklet.
SECURITY TESTING - OUTSOURCED SYSTEMS
Management is responsible for ensuring institution and customer data
is protected, even when that data is transmitted, processed, or
stored by a service provider. Service providers should have
appropriate security testing based on the risk to their
organization, their customer institutions, and the institution's
customers. Accordingly, management and auditors evaluating technology
service providers (TSPs) should use the above testing guidance in performing
initial due diligence, constructing contracts, and exercising
ongoing oversight or audit responsibilities. Where indicated by the
institution's risk assessment, management is responsible for
monitoring the testing performed at the service provider through
review of timely audits and test results or other equivalent
evaluations.
IT SECURITY QUESTION:
DATA
SECURITY
1. Obtain an understanding of the data security
strategy.
• Identify the financial institution's approach to protecting data
(e.g., protect all data similarly, protect data based upon risk of
loss).
• Obtain and review the risk assessment covering financial
institution data. Determine if the risk assessment classifies data
sensitivity in a reasonable manner and consistent with the financial
institution's strategic and business objectives.
• Consider whether policies and procedures address the protections
for data that is sent outside the institution.
• Identify processes to periodically review data sensitivity and
update corresponding risk assessments.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Financial Institution Duties (Part 1 of 6)
The regulations establish specific duties and limitations for a
financial institution based on its activities. Financial
institutions that intend to disclose nonpublic personal information
outside the exceptions will have to provide opt out rights to their
customers and to consumers who are not customers. All financial
institutions have an obligation to provide an initial and annual
notice of their privacy policies to their customers. All financial
institutions must abide by the regulatory limits on the disclosure
of account numbers to nonaffiliated third parties and on the
redisclosure and reuse of nonpublic personal information received
from nonaffiliated financial institutions.
A brief summary of financial institution duties and limitations
appears below. A more complete explanation of each appears in the
regulations.
Notice and Opt Out Duties to Consumers:
If a financial institution intends to disclose nonpublic
personal information about any of its consumers (whether or not they
are customers) to a nonaffiliated third party, and an exception does
not apply, then the financial institution must provide to the
consumer:
1) an initial notice of its privacy policies;
2) an opt out notice (including, among other things, a
reasonable means to opt out); and
3) a reasonable opportunity, before the financial institution
discloses the information to the nonaffiliated third party, to opt
out.
The financial institution may not disclose any nonpublic personal
information to nonaffiliated third parties except under the
enumerated exceptions unless these notices have been provided and
the consumer has not opted out. Additionally, the institution must
provide a revised notice before the financial institution begins to
share a new category of nonpublic personal information or shares
information with a new category of nonaffiliated third party in a
manner that was not described in the previous notice.
Note that a financial institution need not comply with the initial
and opt-out notice requirements for consumers who are not customers
if the institution limits disclosure of nonpublic personal
information to the exceptions.
PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at examiner@yennik.com if we
can be of assistance.