R. Kinney Williams & Associates

Internet Banking News

June 19, 2005



FYI - MasterCard International Identifies Security Breach at CardSystems Solutions, A Third Party Processor of Payment Card Data - MasterCard International reported that it is notifying its member financial institutions of a breach of payment card data, which potentially exposed more than 40 million cards of all brands to fraud, of which approximately 13.9 million are MasterCard-branded cards. http://biz.yahoo.com/bw/050617/175525.html?.v=1


FYI - Phishers going after small fry - Phishers are widening their net to take in credit unions, according to a new report. While most of the fraud schemes still focus on big businesses such as major banks, smaller financial companies are increasingly being hit, said the report, published by the Anti-Phishing Working Group. http://news.com.com/2102-7349_3-5731174.html?tag=st.util.print

FYI - Federal Bank, Thrift and Credit Union Regulatory Agencies Provide Brochure with Information on Internet "Phishing" - The federal bank, thrift and credit union agencies today announced the publication of a brochure with information to help consumers identify and combat a new type of Internet scam known as "phishing."
Press Release: www.occ.treas.gov/toolkit/newsrelease.aspx?JNR=1&Doc=CYVFS1NN.xml 
Attachment: www.occ.treas.gov/consumer/PhishBrochFINAL-SCREEN.pdf 

FYI - Bank loses 3.9 million customers' data - Tapes including payment histories, Social Security numbers were on their way to a credit reporting bureau. CitiFinancial, the consumer finance division of Citigroup said it had begun notifying some 3.9 million U.S. customers that computer tapes containing information about their accounts -- including Social Security numbers and payment histories -- have been lost. http://moneycentral.msn.com/content/invest/extra/P120179.asp?Printer

FYI - Denial of service attack victim speaks out - The founder of an online payment system has spoken to silicon.com about his experience of being targeted by Russian gangsters who threatened to destroy his website and his business if he didn't pay them $10,000 to leave him alone. http://management.silicon.com/smedirector/print.htm?TYPE=story&AT=39130810-39024679t-40000034c

FYI - Laptop with credit card info for 80,000 DOJ workers stolen - The FBI and Fairfax, Va., police are investigating the theft of a laptop containing the names and credit card numbers of about 80,000 U.S. Department of Justice workers. http://www.computerworld.com/printthis/2005/0,4814,102146,00.html

FYI - UBS loses disk that might hold sensitive client data - The Tokyo branch of the investment banking giant UBS has launched an internal inquiry into the disappearance of a computer disk thought to contain highly sensitive client information. http://business.timesonline.co.uk/article/0,,13133-1633534,00.html


FYI - Companies ramping up e-mail monitoring - The boss is getting serious about e-mail snooping. A new study has found that 63 percent of corporations with 1,000 or more employees either employ or plan to employ staff to read or otherwise analyze outbound e-mail. http://news.com.com/2102-1022_3-5738134.html?tag=st.util.print


WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)

Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed, but similarly authenticated by the consumer, such as through the use of a security code.  According to the Official Staff Commentary (OSC), an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated," is a consumer's authorization via a home banking system.  To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and make a paper copy of the authorization available (automatically or upon request).  The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.  Only the consumer may authorize the transfer, and not, for example, a third-party merchant on behalf of the consumer.


Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability.  A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device.  Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required.


INFORMATION TECHNOLOGY SECURITY
We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES


Certificate Authorities and Digital Certificates 


Certificate authorities and digital certificates are emerging to further address the issues of authentication, non-repudiation, data privacy, and cryptographic key management.  A certificate authority (CA) is a trusted third party that verifies the identity of a party to a transaction.  To do this, the CA vouches for the identity of a party by attaching the CA's digital signature to any messages, public keys, etc., which are transmitted.  Obviously, the CA must be trusted by the parties involved, and identities must have been proven to the CA beforehand.  Digital certificates are messages that are signed with the CA's private key.  They identify the CA, the represented party, and could even include the represented party's public key.

The responsibilities of CAs and their position among emerging technologies continue to develop.  They are likely to play an important role in key management by issuing, retaining, or distributing public/private key pairs.


Implementation 


The implementation and use of encryption technologies, digital signatures, certificate authorities, and digital certificates can vary.  The technologies and methods can be used individually, or in combination with one another.  Some techniques may merely encrypt data in transit from one location to another.  While this keeps the data confidential during transmission, it offers little in regard to authentication and non-repudiation.  Other techniques may utilize digital signatures, but still require the encrypted submission of sensitive information, like credit card numbers.  Although protected during transmission, additional measures would need to be taken to ensure the sensitive information remains protected once received and stored. 


The protection afforded by the above security measures will be governed by the capabilities of the technologies, the appropriateness of the technologies for the intended use, and the administration of the technologies utilized.  Care should be taken to ensure the techniques utilized are sufficient to meet the required needs of the institution.  All of the technical and implementation differences should be explored when determining the most appropriate package.



IT SECURITY QUESTION:  IT Steering Committee responsibilities:

a. Purchase of new computer equipment and software?
b. Reviewing IT examinations reports?
c. Reviewing internal and external IT auditing reports?
d. Hiring IT management personnel?
e. Recommendations to the Board for IT policy changes?
f. Reviewing IT security issues?
g. Reports to the Board of Directors?


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

25. Does the institution permit each of the joint consumers in a joint relationship to opt out? [§7(d)(2)]

26. Does the opt out notice to joint consumers state that either: 

a. the institution will consider an opt out by a joint consumer as applying to all associated joint consumers; [§7(d)(2)(i)] or

b. each joint consumer is permitted to opt out separately? [§7(d)(2)(ii)]


VISTA - Does {custom4} need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports; testing focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com
