R. Kinney Williams & Associates

Internet Banking News

July 3, 2005



FYI - Data Breach Hits FDIC, Credit Union - Banking regulators now have personal experience with something for which they have cracked down on the industry lately - data security breaches. The Federal Deposit Insurance Corp. sent a letter to more than 6,000 current and former employees alerting them to a breach at the agency that has resulted in at least 28 cases of identity theft.
http://www.collectionsworld.com/cgi-bin/readstory.pl?story=20050617CCWN016.xml
http://www.fcw.com/article89296-06-17-05-Web

FYI - I would be secure if it weren't for those pesky laptops - Laptops are the most difficult IT devices to keep secure, a survey has revealed. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=34b199ee-aa22-4ab8-a33c-9bb72fb00708&newsType=Latest%20News&s=n

FYI - BJ's settles case with FTC over customer data security - FTC alleges weak security at wholesale club led to fraudulent sales valued in the millions - After credit card data for thousands of customers was used to make fraudulent purchases in other stores, BJ's Wholesale Club Inc. has agreed to implement a comprehensive data-security system and undergo biannual security audits for the next 20 years under a settlement with the Federal Trade Commission. http://www.computerworld.com/printthis/2005/0,4814,102602,00.html

FYI - Banks to spend more on IT security, survey says - Privacy regulations and other compliance issues are behind the spending uptick - Investment in security has topped the banking sector's IT spending priority list for 2005, according to a study by the Info-Tech Research Group. http://www.computerworld.com/printthis/2005/0,4814,102642,00.html

FYI - Credit-card issuers focus too much on ID theft resolution, rather than prevention and detection. - Despite all the headlines about the growing problem of identity theft, most financial institutions that provide credit cards are doing an inadequate job of attacking the problem, focusing on resolution rather than prevention and detection, according to a report released this week by Javelin Strategy & Research. http://www.informationweek.com/showArticle.jhtml?articleID=164303598

FYI - Security tools face increased attack - As the pool of easily exploitable Windows security bugs dries up, hackers are looking for holes in security software to break into PCs, analysts said. http://news.com.com/2102-1002_3-5754773.html?tag=st.util.print

FYI - Online banking use widespread, study finds - A majority of adults are comfortable monitoring their finances and paying bills over the Internet, while older people remain more cautious, according to a Yahoo-commissioned study released Thursday. http://news.com.com/2102-1038_3-5759890.html?tag=st.util.print

FYI - IRS probing possible data security breaches - The Internal Revenue Service is investigating whether unauthorized people gained access to sensitive taxpayer and bank account information but has not yet exposed any privacy breaches, an official said on Friday. http://reuters.myway.com/article/20050624/2005-06-24T203656Z_01_N24203433_RTRIDST_0_NEWS-SECURITY-USA-DATA-DC.html

FYI - Details emerge on credit card breach - More details emerged on the cyberbreak-in at a payment processing company that exposed more than 40 million credit card accounts to fraud. http://www.zdnetasia.com/news/security/printfriendly.htm?AT=39237905-39000005c


WEB SITE COMPLIANCE -
The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services.  Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk.  The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed.  This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan.  This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.  For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer.  The compliance officer can also be an ongoing resource to test the system for regulatory compliance.



INFORMATION TECHNOLOGY SECURITY
We continue the series from the FDIC "Security Risks Associated with the Internet."

SECURITY MEASURES


Firewalls - Description, Configuration, and Placement


A firewall is a combination of hardware and software placed between two networks, through which all traffic, regardless of direction, must pass. When employed properly, it is a primary security measure in governing access control and protecting the internal system from compromise.

The key to a firewall's ability to protect the network is its configuration and its location within the system. Firewall products do not afford adequate security protection as purchased. They must be set up, or configured, to permit or deny the appropriate traffic. To provide the most security, the underlying rule should be to deny all traffic unless expressly permitted. This requires system administrators to review and evaluate the need for all permitted activities, as well as who may need to use them. For example, to protect against Internet protocol (IP) spoofing, data arriving from an outside network that claims to be originating from an internal computer should be denied access. Alternatively, systems could be denied access based on their IP address, regardless of the origination point. Such requests could then be evaluated based on what information was requested and where in the internal system it was requested from. For instance, incoming FTP requests may be permitted, but outgoing FTP requests denied.


Often, there is a delicate balance between what is necessary to perform business operations and the need for security. Due to the intricate details of firewall programming, the configuration should be reassessed after every system change or software update. Even if the system or application base does not change, the threats to the system do. Evolving risks and threats should be routinely monitored and considered to ensure the firewall remains an adequate security measure. If the firewall system should ever fail, the default should deny all access rather than permit the information flow to continue. Ideally, firewalls should be installed at any point where a computer system comes into contact with another network. The firewall system should also include alerting mechanisms to identify and record successful and attempted attacks and intrusions. In addition, detection mechanisms and procedures should include the generation and routine review of security logs.
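The policy described above (deny all traffic unless expressly permitted, reject inbound packets that claim an internal source address, deny listed hosts regardless of direction, fail closed on error, and log every decision) as a small rule evaluator. This is an added illustration, not part of the FDIC guidance; the address ranges, the permit rules and the Packet fields are constructed for the example.

```python
import ipaddress
import logging
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")          # constructed internal range
BLOCKED_HOSTS = {ipaddress.ip_address("203.0.113.7")}      # constructed deny-listed host

# Explicit permits: (direction, protocol, destination port). Anything not listed
# here is denied, which implements the deny-all default. Incoming FTP is
# permitted while outgoing FTP has no rule and is therefore denied.
PERMIT_RULES = {
    ("in", "tcp", 21),    # inbound FTP to the institution's FTP server
    ("out", "tcp", 443),  # staff browsing to HTTPS sites
}

log = logging.getLogger("firewall")


@dataclass(frozen=True)
class Packet:
    direction: str  # "in" arrives from the outside network, "out" leaves it
    src: str
    dst: str
    proto: str
    dst_port: int


def deny(pkt: Packet, reason: str) -> str:
    # Every denied attempt is logged so routine log review can spot attacks.
    log.warning("DENY %s (%s)", pkt, reason)
    return "deny"


def evaluate(pkt: Packet) -> str:
    try:
        src = ipaddress.ip_address(pkt.src)
        # Anti-spoofing: outside traffic claiming an internal source is refused.
        if pkt.direction == "in" and src in INTERNAL_NET:
            return deny(pkt, "spoofed internal source address")
        # Host-based denial applies regardless of where the packet originates.
        if src in BLOCKED_HOSTS:
            return deny(pkt, "source address on deny list")
        if (pkt.direction, pkt.proto, pkt.dst_port) in PERMIT_RULES:
            log.info("PERMIT %s", pkt)
            return "permit"
        return deny(pkt, "no matching permit rule")
    except Exception as exc:
        # Fail closed: an evaluation error never lets traffic through.
        return deny(pkt, f"evaluation error: {exc}")
```

Run it with `logging.basicConfig(level=logging.INFO)` to see the permit and deny records the guidance asks firewalls to generate.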



IT SECURITY QUESTION: Workstations (Part 1 of 2)

a. Are the workstations personal computers, and are the personal computers connected to the network?
b. What is the workstation operating system(s)?
c. Is access to workstations restricted?
d. Will workstation access allow network viewing to other workstations and servers?
e. Do any workstations have modems?


INTERNET PRIVACY
We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

28. Does the institution refrain from requiring all joint consumers to opt out before implementing any opt out direction with respect to the joint account? [7(d)(4)]

29. Does the institution comply with a consumer's direction to opt out as soon as is reasonably practicable after receiving it? [7(e)]

VISTA - Does {custom4} need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning; the testing focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated