June 18, 2000
FYI - On June 1, 2000, the U.S. Department of the Treasury's Office of Foreign Assets Control (OFAC) updated its listing of specially designated nationals and blocked persons to include the names of significant foreign narcotics traffickers identified by President Clinton pursuant to the Foreign Narcotics Kingpin Designation Act.
INTERNET SECURITY - Continuation from last week - The following topics represent potential areas of vulnerability related to access control and system design as outlined in the FDIC paper "Security Risks Associated with the Internet."
3) Logical Access Controls
A primary concern in controlling system access is the safeguarding of user IDs and passwords. The Internet presents numerous issues to consider in this regard. Passwords can be obtained through deceptive "spoofing" techniques such as redirecting users to false Web sites where passwords or user names are entered, or creating shadow copies of Web sites where attackers can monitor all activities of a user. Many "spoofing" techniques are hard to identify and guard against, especially for an average user, making authentication processes an important defense mechanism.
The unauthorized or unsuspected acquisition of data such as passwords, user IDs, e-mail addresses, phone numbers, names, and addresses can facilitate an attempt at unauthorized access to a system or application. If passwords and user IDs are a derivative of someone's personal information, malicious parties could use that information in software programs specifically designed to generate possible passwords. Default files on a computer, sometimes called "cache" files, can automatically retain images of such data received or sent over the Internet, making them a potential target for a system intruder.
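As an added illustration, not part of the newsletter or the FDIC paper: a check an institution could run at password-selection time that rejects candidates built from the very personal details the paragraph says an intruder can harvest (name, user ID, e-mail, phone, birth year). The profile is constructed sample data and the function names are my own.

```python
import re

# Constructed sample profile (not real data): the kind of personal details
# the newsletter warns an intruder can harvest and feed to a password generator.
SAMPLE_PROFILE = {
    "user_id": "jsmith",
    "name": "John Smith",
    "email": "john.smith@example.com",
    "phone": "555-867-5309",
    "birth_year": "1961",
}

# Single-character substitutions a password generator would try, so that
# "J0hn!" is still recognised as derived from "john".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})
MIN_TOKEN_LEN = 4  # ignore fragments too short to be meaningful, e.g. "com"


def personal_tokens(profile):
    """Split every profile value into lowercase fragments worth checking."""
    tokens = set()
    for value in profile.values():
        value = value.lower()
        # "john.smith@example.com" -> john, smith, example ("com" is too short)
        tokens.update(p for p in re.split(r"[^a-z0-9]+", value) if len(p) >= MIN_TOKEN_LEN)
        digits = re.sub(r"\D", "", value)  # phone numbers and years as bare digits
        if len(digits) >= MIN_TOKEN_LEN:
            tokens.update({digits, digits[-4:]})  # full number and its last four
    return tokens


def normalize(password):
    """Return the candidate forms to test: lowercased, and with leet undone."""
    lowered = password.lower()
    return lowered, lowered.translate(LEET_MAP)


def derived_from_profile(password, profile):
    """Return the profile fragment the password contains, or None if clean."""
    forms = normalize(password)
    # Longest fragments first so "jsmith" is reported rather than "smith".
    for token in sorted(personal_tokens(profile), key=lambda t: (-len(t), t)):
        if any(token in form for form in forms):
            return token
    return None


if __name__ == "__main__":
    for candidate in ("J0hn!!99", "Summer1961", "correct horse battery staple"):
        print(candidate, "->", derived_from_profile(candidate, SAMPLE_PROFILE))
```

A real deployment would run this alongside a dictionary and breached-password check; this block covers only the personal-information angle the paragraph raises.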
4) Security Flaws and Bugs / Active Content Languages
Vulnerabilities in software and hardware design also represent an area of concern. Security problems are often identified after the release of a new product, and solutions to correct security flaws commonly contain flaws themselves. Such vulnerabilities are usually widely publicized, and the identification of new bugs is constant. These bugs and flaws are often serious enough to compromise system integrity. Security flaws and exploitation guidelines are also frequently available on hacker Web sites. Furthermore, software marketed to the general public may not contain sufficient security controls for financial institution applications.
Newly developed languages and technologies present similar security concerns, especially when dealing with network software or active content languages which allow computer programs to be attached to Web pages (e.g., Java, ActiveX). Security flaws identified in Web browsers (i.e., application software used to navigate the Internet) have included bugs which, theoretically, may allow the installation of programs on a Web server, which could then be used to back into the bank's system. Even if new technologies are regarded as secure, they must be managed properly. For example, if controls over active content languages are inadequate, potentially hostile and malicious programs could be automatically downloaded from the Internet and executed on a system.
5) Viruses / Malicious Programs
Viruses and other malicious programs pose a threat to systems or networks that are connected to the Internet, because they may be downloaded directly. Aside from causing destruction or damage to data, these programs could open a communication link with an external network, allowing unauthorized system access, or even initiating the transmission of data.
INTERNET COMPLIANCE - EQUAL CREDIT OPPORTUNITY (REGULATION B)
If you accept applications or make credit applications available on your web site, you need to comply with Regulation B. The purpose of this regulation is to promote the availability of credit to all creditworthy applicants without regard to race, color, religion, national origin, sex, marital status, or age (provided the applicant has the capacity to contract); to the fact that all or part of the applicant's income derives from a public assistance program; or to the fact that the applicant has in good faith exercised any right under the Consumer Credit Protection Act. The regulation prohibits creditor practices that discriminate on the basis of any of these factors. The regulation also requires creditors to notify applicants of action taken on their applications; to report credit history in the names of both spouses on an account; to retain records of credit applications; to collect information about the applicant's race and other personal characteristics in applications for certain dwelling-related loans; and to provide applicants with copies of appraisal reports used in connection with credit transactions.
Permissible inquiries. A creditor may request any information concerning an applicant's spouse (or former spouse) that may be requested about the applicant if:
(i) The spouse will be permitted to use the account;
(ii) The spouse will be contractually liable on the account;
(iii) The applicant is relying on the spouse's income as a basis for repayment of the credit requested;
(iv) The applicant resides in a community property state or property on which the applicant is relying as a basis for repayment of the credit requested is located in such a state; or
(v) The applicant is relying on alimony, child support, or separate maintenance payments from a spouse or former spouse as a basis for repayment of the credit requested.
Other accounts of the applicant. A creditor may request an applicant to list any account upon which the applicant is liable and to provide the name and address in which the account is carried. A creditor may also ask the names in which an applicant has previously received credit.
Other limitations on information requests. (1) Marital status. If an applicant applies for individual unsecured credit, a creditor shall not inquire about the applicant's marital status unless the applicant resides in a community property state or is relying on property located in such a state as a basis for repayment of the credit requested. If an application is for other than individual unsecured credit, a creditor may inquire about the applicant's marital status, but shall use only the terms "married," "unmarried," and "separated." A creditor may explain that the category "unmarried" includes single, divorced, and widowed persons.
(2) Disclosure about income from alimony, child support, or separate maintenance. A creditor shall not inquire whether income stated in an application is derived from alimony, child support, or separate maintenance payments unless the creditor discloses to the applicant that such income need not be revealed if the applicant does not want the creditor to consider it in determining the applicant's creditworthiness.
(3) Sex. A creditor shall not inquire about the sex of an applicant. An applicant may be requested to designate a title on an application form (such as Ms., Miss, Mr., or Mrs.) if the form discloses that the designation of a title is optional. An application form shall otherwise use only terms that are neutral as to sex.
(4) Childbearing, childrearing. A creditor shall not inquire about birth control practices, intentions concerning the bearing or rearing of children, or capability to bear children. A creditor may inquire about the number and ages of an applicant's dependents or about dependent-related financial obligations or expenditures, provided such information is requested without regard to sex, marital status, or any other prohibited basis.
(5) Race, color, religion, national origin. A creditor shall not inquire about the race, color, religion, or national origin of an applicant or any other person in connection with a credit transaction. A creditor may inquire about an applicant's permanent residence and immigration status.