June 3, 2001
FYI - June 1, 2001 - FORMER FDIC EMPLOYEE SENTENCED IN IDENTITY FRAUD
SCHEME - FDIC Inspector General Gaston L. Gianni, Jr., announced today
that former FDIC employee Theresa A. Hill of Seat Pleasant, MD, was
sentenced on May 29, 2001, to five years of probation, including six
months of home confinement, in connection with an identity fraud scheme.
Ms. Hill was also ordered to pay $87,531 in restitution. http://www.fdic.gov/news/news/press/2001/pr4101.html
FYI - May 31, 2001 - Standards for Safeguarding Customer
Information - The federal banking agencies jointly issued guidelines
establishing standards for safeguarding customer information (Guidelines),
which will become effective July 1, 2001. www.federalreserve.gov/BoardDocs/SRLetters/2001/Sr0115.htm
FYI - A glitch in the online version of bookkeeping software Quicken
has caused some accounts to duplicate transactions and may have resulted
in incorrect information being displayed, Intuit confirmed Tuesday. http://news.cnet.com/news/0-1007-200-5933941.html?tag=dd.ne.dht.nl-sty.0
INTERNET COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the
regulatory agencies. In some cases, the regulations contain special rules
for multiple-page advertisements. It is not yet clear what would
constitute a single "page" in the context of the Internet or
on-line text. Thus, institutions should carefully review their on-line
advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit application
can be made on-line may be considered "places of business" under
HUD's rules prescribing lobby notices. Thus, institutions may want to
consider including the "lobby notice," particularly in the case
of interactive systems that accept applications.
INTERNET SECURITY - We continue the series from the FDIC "Security
Risks Associated with the Internet." While this Financial Institution
Letter was published in December 1997, the issues still are relevant.
The next number of weeks we will discuss the primary interrelated
technologies, standards, and controls that presently exist to manage the
risks of data privacy and confidentiality, data integrity, authentication,
Encryption, Digital Signatures, and Certificate Authorities
Encryption techniques directly address the security issues surrounding
data privacy, confidentiality, and data integrity. Encryption technology
is also employed in digital signature processes, which address the issues
of authentication and non-repudiation. Certificate authorities and digital
certificates are emerging to address security concerns, particularly in
the area of authentication. The function of and the need for encryption,
digital signatures, certificate authorities, and digital certificates
differ depending on the particular security issues presented by the bank's
activities. The technologies, implementation standards, and the necessary
legal infrastructure continue to evolve to address the security needs
posed by the Internet and electronic commerce.
Encryption, or cryptography, is a method of converting information to
an unintelligible code. The process can then be reversed, returning the
information to an understandable form. The information is encrypted
(encoded) and decrypted (decoded) by what are commonly referred to as
"cryptographic keys." These "keys" are actually
values, used by a mathematical algorithm to transform the data. The
effectiveness of encryption technology is determined by the strength of
the algorithm, the length of the key, and the appropriateness of the
encryption system selected.
Because encryption renders information unreadable to any party without
the ability to decrypt it, the information remains private and
confidential, whether being transmitted or stored on a system.
Unauthorized parties will see nothing but an unorganized assembly of
characters. Furthermore, encryption technology can provide assurance of
data integrity as some algorithms offer protection against forgery and
tampering. The ability of the technology to protect the information
requires that the encryption and decryption keys be properly managed by
IN CLOSING - We hope everyone had a safe and enjoyable Memorial Day
weekend. I apologize for not publishing the e-newsletter last week, but I
took a few days off.