R. Kinney Williams
Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
July 6, 2008
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
Court protects privacy of work emails, texts - A federal appeals
court in San Francisco has made it more difficult for employers to
legally access emails and text messages sent by their workers on
company accounts. Under Wednesday's ruling by the 9th U.S. Circuit
Court of Appeals, employers that contract an outside business to
transmit text messages can't read them unless the worker agrees.
http://www.usatoday.com/tech/news/techpolicy/2008-06-19-privacy-work-communications_N.htm?csp=34
FYI -
FSA fines stockbrokers for poor data security - A firm of
stockbrokers has been fined for failing to adequately protect its
customers from the risk of identity fraud. The Financial Services
Authority (FSA) said its mistakes included failing to manage the
risks introduced by staff using instant messaging and web-based
email.
http://www.theregister.co.uk/2008/06/19/fsa_fines_msgl/print.html
FYI -
If you can't trust the compliance officer, whom can you trust? - I
often wonder if I'll get to an age where I'm not disillusioned by
the world around me. After having thought I'd seen it all, I just
found out that compliance officers cannot be trusted!
http://www.scmagazineus.com/If-you-cant-trust-the-compliance-officer-whom-can-you-trust/article/111536/?DCMP=EMC-SCUS_Newswire
FYI -
PCI standard 'ignores' insider threat - Database security firm warns
of gaping holes - PCI is generally inadequate for addressing the
sort of internal threat that can be exploited easily - New measures
implemented in section 6.6 of the Payment Card Industry (PCI)
standard, which come into force on 30 June, do nothing to address
the threat of insiders, according to a database security firm.
News article -
http://www.vnunet.com/vnunet/news/2219820/pci-standard-lacking-secerno
PCI standard -
https://www.pcisecuritystandards.org/pdfs/infosupp_6_6_applicationfirewalls_codereviews.pdf
FYI -
On the tracks of medical data: Electronic records pressure - Privacy
breaches related to electronic medical records seem to appear in the
news regularly. The Walter Reed Army Medical Center started to
notify 1,000 patients of a privacy breach in June. A few days
earlier, the University of California San Francisco (UCSF) disclosed
that it had to notify more than 3,000 patients of a privacy breach
in the Department of Pathology.
http://www.scmagazineus.com/On-the-tracks-of-medical-data-Electronic-records-pressure/article/111447/?DCMP=EMC-SCUS_Newswire
FYI -
Laptop searches in airports draw fire at Senate hearing - Advocacy
groups and some legal experts told Congress on Wednesday that it was
unreasonable for federal officials to search the laptops of United
States citizens when they re-enter the country from traveling
abroad.
http://news.cnet.com/Laptop-searches-in-airports-draw-fire-at-Senate-hearing/2100-7348_3-6242603.html?tag=cd.top
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Fraudulent ATM transactions overseas could be tied to Indiana bank
breach - A server intrusion at 1st Source Bank in South Bend took
place in May - A flurry of fraudulent ATM transactions in recent
days in countries such as Russia, Ukraine, Turkey and the Czech
Republic may be tied to a server intrusion at 1st Source Bank in
South Bend, Ind.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9101158&source=rss_topic17
FYI -
Citibank Hack Blamed for Alleged ATM Crime Spree - A computer
intrusion into a Citibank server that processes ATM withdrawals led
to two Brooklyn men making hundreds of fraudulent withdrawals from
New York City cash machines in February, pocketing at least $750,000
in cash, according to federal prosecutors.
http://blog.wired.com/27bstroke6/2008/06/citibank-atm-se.html
http://www.scmagazineus.com/ATM-hackers-net-millions-using-stolen-information/article/111499/?DCMP=EMC-SCUS_Newswire
FYI -
Photobucket tipped over by Turkish hacker - Photobucket, the popular
photo sharing website, became the target of a DNS hack. As a result
of the attack some (but not all) surfers hoping to check out
pictures were involuntarily redirected to a greeting from hacker
NetDeliz and a message in Turkish.
http://www.theregister.co.uk/2008/06/18/photobucket_dns_hack/print.html
FYI -
Thousands of confidential patient records lost - Courier company TNT
loses disc containing details of 900,000 calls to Scottish Ambulance
Service (Lorraine Davidson) - Nicola Sturgeon, the Scottish Health
Secretary, was under pressure last night to make an emergency
statement to MSPs after the embarrassing loss of confidential
patient data from the Scottish Ambulance Service.
http://www.timesonline.co.uk/tol/news/uk/scotland/article4201288.ece
FYI -
CNET Employees Notified After Data Breach - More than 6,500 CNET
Networks employees and relatives are being notified of a possible
data breach after burglars stole computer systems from the offices
of the company that administers the Internet publisher's benefit
plans.
http://www.pcworld.com/businesscenter/article/147460/cnet_employees_notified_after_data_breach.html
FYI -
Data breach at Bay Area bank - Customers of one Bay Area bank should
check their bank statements and apply for a new debit card after a
data breach last week. Bank Atlantic confirms they had a data loss,
involving their MasterCard debit cards.
http://www.myfoxtampabay.com/myfox/pages/News/Detail?contentId=6830565&version=1&locale=EN-US&layoutCode=TSTY&pageId=3.2.1
WEB SITE COMPLIANCE - We conclude the series on the FDIC Supervisory Insights article on Incident Response Programs. (12 of 12)
What the Future Holds
In addition to meeting regulatory requirements and addressing
applicable industry best practices, several characteristics tend to
differentiate banks. The most successful banks will find a way to
integrate incident response planning into normal operations and
business processes. Assimilation efforts may include expanding
security awareness and training initiatives to reinforce incident
response actions, revising business continuity plans to incorporate
security incident responses, and implementing additional security
monitoring systems and procedures to provide timely incident
notification. Ultimately, the adequacy of a bank's IRP reflects on
the condition of the information security program along with
management's willingness and ability to manage information
technology risks. In essence, incident response planning is a
management process, the comprehensiveness and success of which
provide insight into the quality and attentiveness of management. In
this respect, the condition of a bank's IRP, and the results of
examiner review of the incident response planning process, fit well
within the objectives of the information technology examination as
described in the Information Technology-Risk Management Program.
An IRP is a critical component of a well-formed and effective
information security program and has the potential to provide
tangible value and benefit to a bank. Similar to the importance of a
business continuity planning program as it relates to the threat of
natural and man-made disasters, sound IRPs will be necessary to
combat new and existing data security threats facing the banking
community. Given the high value placed on the confidential customer
information held within the financial services industry, coupled
with the publicized success of known compromises, one can reasonably
assume that criminals will continue to probe an organization's
defenses in search of weak points. The need for response programs is
real and has been recognized as such by not only state and Federal
regulatory agencies (through passage of a variety of legal
requirements), but by the banking industry itself. The challenges
each bank faces are to develop a reasonable IRP providing
protections for the bank and the consumer and to
incorporate the IRP into a comprehensive, enterprise-wide
information security program. The most successful banks will exceed
regulatory requirements to leverage the IRP for business advantages
and, in turn, improved protection for the banking industry as a
whole.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the FFIEC interagency Information
Security Booklet.
SECURITY CONTROLS -
IMPLEMENTATION
LOGICAL AND ADMINISTRATIVE ACCESS CONTROL
AUTHENTICATION
-
Biometrics (Part 1 of 2)
Biometrics can be implemented in many forms, including tokens.
Biometrics verifies the identity of the user by reference to unique
physical or behavioral characteristics. A physical characteristic
can be a thumbprint or iris pattern. A behavioral characteristic is
the unique pattern of key depression strength and pauses made on a
keyboard when a user types a phrase. The strength of biometrics is
related to the uniqueness of the physical characteristic selected
for verification. Biometric technologies assign data values to the
particular characteristics associated with a certain feature. For
example, the iris typically provides many more characteristics to
store and compare, making it more unique than facial
characteristics. Unlike other authentication mechanisms, a biometric
authenticator does not rely on a user's memory or possession of a
token to be effective. Additional strengths are that biometrics do
not rely on people to keep their biometric secret or physically
secure their biometric. Biometrics is the only authentication
methodology with these advantages.
Enrollment is a critical process for the use of biometric
authentication. The user's physical characteristics must be reliably
recorded. Reliability may require several samples of the
characteristic and a recording device free of lint, dirt, or other
interference. The enrollment device must be physically secure from
tampering and unauthorized use.
When enrolled, the user's biometric is stored as a template.
Subsequent authentication is accomplished by comparing a submitted
biometric against the template, with results based on probability
and statistical confidence levels. Practical usage of biometric
solutions requires consideration of how precise systems must be for
positive identification and authentication. More precise solutions
increase the chances a person is falsely rejected. Conversely, less
precise solutions can result in the wrong person being identified or
authenticated as a valid user (i.e., false acceptance rate). The
equal error rate (EER) is a composite rating that considers the
false rejection and false acceptance rates. Lower EERs mean more
consistent operations. However, EER is typically based upon
laboratory testing and may not be indicative of actual results due
to factors that can include the consistency of biometric readers to
capture data over time, variations in how a user presents their
biometric sample (e.g., occasionally pressing harder on a finger
scanner), and environmental factors.
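The trade-off the booklet describes (a stricter threshold raises false rejections, a looser one raises false acceptances, and the EER is the point where the two meet) is easier to see with numbers. The block below is an added illustration, not code from the FFIEC booklet or from this newsletter. The genuine and impostor match scores are constructed values on an assumed 0 to 100 similarity scale, and the 10-point "drift" at the end is an assumed degradation standing in for the field effects the text lists (reader wear, a user pressing harder, environment); real readers report scores in vendor-specific units and the numbers will differ.

```python
"""FAR / FRR / EER worked example.

Added illustration only (not the FFIEC booklet's code). The scores below are
constructed: each is an assumed similarity on a 0..100 scale between a
submitted biometric sample and a stored template, higher meaning closer.
"""

# Constructed scores for samples that really do belong to the enrolled user...
GENUINE_SCORES = [88, 91, 79, 95, 84, 72, 90, 86, 93, 81, 68, 89, 94, 77, 87, 96]
# ...and for samples presented by someone else.
IMPOSTOR_SCORES = [41, 55, 62, 38, 70, 49, 58, 73, 45, 66, 52, 60, 35, 75, 48, 57]


def far(impostor_scores, threshold):
    """False acceptance rate: share of impostor samples the system would accept."""
    return sum(1 for s in impostor_scores if s >= threshold) / len(impostor_scores)


def frr(genuine_scores, threshold):
    """False rejection rate: share of genuine samples the system would reject."""
    return sum(1 for s in genuine_scores if s < threshold) / len(genuine_scores)


def error_curve(genuine_scores, impostor_scores, scale=range(0, 101)):
    """(threshold, FAR, FRR) for every candidate threshold on the score scale."""
    return [(t, far(impostor_scores, t), frr(genuine_scores, t)) for t in scale]


def equal_error_rate(genuine_scores, impostor_scores):
    """Threshold where FAR and FRR are closest, and the EER (their mean there)."""
    t, fa, fr = min(error_curve(genuine_scores, impostor_scores),
                    key=lambda row: abs(row[1] - row[2]))
    return t, (fa + fr) / 2


def verify(score, threshold):
    """The accept/reject decision a reader makes for one presented sample."""
    return score >= threshold


def frr_after_drift(genuine_scores, threshold, drift):
    """FRR at a threshold tuned in the lab once field conditions lower every
    genuine score by `drift` points (assumed stand-in for reader wear, a user
    pressing harder, lighting, and so on)."""
    return frr([s - drift for s in genuine_scores], threshold)


if __name__ == "__main__":
    t, eer = equal_error_rate(GENUINE_SCORES, IMPOSTOR_SCORES)
    print(f"strict threshold 90: FAR={far(IMPOSTOR_SCORES, 90):.3f} "
          f"FRR={frr(GENUINE_SCORES, 90):.3f}")
    print(f"loose threshold 50:  FAR={far(IMPOSTOR_SCORES, 50):.3f} "
          f"FRR={frr(GENUINE_SCORES, 50):.3f}")
    print(f"EER threshold {t}: EER={eer:.3f}")
    print(f"same threshold after 10-point drift: "
          f"FRR={frr_after_drift(GENUINE_SCORES, t, 10):.3f}")
```

With these constructed scores a threshold of 90 rejects more than half of the legitimate attempts while accepting no impostors, a threshold of 50 does the opposite, and the curves cross at 73 with an EER of 12.5%. Shifting every genuine score down by ten points, without touching the threshold, raises the false rejection rate at that same threshold to over 30%, which is the booklet's point about laboratory EERs not predicting field behaviour; an examiner should ask for the institution's own measured FAR/FRR, not the vendor's.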
INFORMATION SECURITY
QUESTION:
B. NETWORK SECURITY
12. Determine whether logs of security-related
events are sufficient to affix accountability for network
activities, as well as support intrusion forensics and IDS.
Additionally, determine that adequate clock synchronization takes
place.
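One concrete way to test the clock-synchronization half of this question is to compare the timestamp each host writes into its own log lines with the time the central collector received them; a host whose lines arrive consistently minutes "in the past" or "in the future" has a clock problem, and its events cannot be lined up with other hosts' during forensics until the skew is corrected. The block below is an added example, not part of the FFIEC material or this newsletter. The five log lines are constructed, the key=value layout (collector receive time, originating host, host-stamped time, message) is an assumed format rather than any specific product's output, and the 5-second tolerance is an assumed policy value.

```python
"""Clock-skew check over centrally collected logs (added example, not FFIEC code).

Assumed collector format, one record per line:
  recv=<collector UTC time> host=<origin> ts=<time the host stamped> msg=<text>
The lines are constructed for this illustration.
"""

import statistics
from datetime import datetime, timedelta, timezone

SAMPLE_LOG = """\
recv=2008-07-01T12:00:05Z host=core-sw1 ts=2008-07-01T12:00:05Z msg=login admin from 10.1.1.5
recv=2008-07-01T12:00:07Z host=ibank-web1 ts=2008-07-01T12:00:06Z msg=auth ok user=jsmith
recv=2008-07-01T12:00:09Z host=fw-edge ts=2008-07-01T11:53:41Z msg=deny tcp 203.0.113.9 -> 10.1.1.5:22
recv=2008-07-01T12:00:11Z host=ibank-web1 ts=2008-07-01T12:00:10Z msg=auth fail user=jsmith
recv=2008-07-01T12:00:15Z host=fw-edge ts=2008-07-01T11:53:47Z msg=allow tcp 198.51.100.4 -> 10.1.1.20:443
"""

MAX_SKEW_SECONDS = 5  # assumed tolerance; NTP-disciplined hosts stay well under this


def parse_ts(text):
    """Parse the ISO-8601 UTC form used in the constructed records."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_line(line):
    """Split one record into its four fields; the message may contain spaces."""
    fields = dict(part.split("=", 1) for part in line.split(" ", 3))
    return {"recv": parse_ts(fields["recv"]), "host": fields["host"],
            "ts": parse_ts(fields["ts"]), "msg": fields["msg"]}


def clock_offsets(log_text):
    """Per-host skew in seconds (host clock minus collector clock).

    The median over a host's lines is used so that one delayed delivery
    (network queueing, a burst of events) does not look like a clock fault."""
    per_host = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        delta = (rec["ts"] - rec["recv"]).total_seconds()
        per_host.setdefault(rec["host"], []).append(delta)
    return {host: statistics.median(deltas) for host, deltas in per_host.items()}


def skewed_hosts(log_text, tolerance=MAX_SKEW_SECONDS):
    """Hosts whose clock disagrees with the collector by more than the tolerance."""
    return sorted(host for host, off in clock_offsets(log_text).items()
                  if abs(off) > tolerance)


def corrected_timeline(log_text):
    """Events in true order: each host's stamp shifted by its measured offset.

    This is what an analyst needs when reconstructing an intrusion across
    devices; sorting on the raw host stamps would put the firewall's entries
    six minutes before the events they actually surround."""
    offsets = clock_offsets(log_text)
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        corrected = rec["ts"] - timedelta(seconds=offsets[rec["host"]])
        events.append((corrected, rec["host"], rec["msg"]))
    events.sort(key=lambda e: e[0])
    return [(host, when.strftime("%H:%M:%S"), msg) for when, host, msg in events]


if __name__ == "__main__":
    for host, off in clock_offsets(SAMPLE_LOG).items():
        print(f"{host:12s} offset {off:+.0f}s")
    print("out of tolerance:", skewed_hosts(SAMPLE_LOG))
    for host, when, msg in corrected_timeline(SAMPLE_LOG):
        print(when, host, msg)
```

In the constructed data the firewall is 6 minutes 28 seconds behind the collector, so a raw sort by host timestamp would place its "deny" entry well before the login it actually followed; after correction the events fall into the order an investigator would expect. In practice the same comparison can be made from any collector that records both its own receive time and the sender's stamp, and a host that shows up in `skewed_hosts` should be fixed at the NTP configuration, not by editing logs.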
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
39. Does the institution use an appropriate means to ensure
that notices may be retained or obtained later, such as:
a. hand-delivery of a printed copy of the notice; [§9(e)(2)(i)]
b. mailing a printed copy to the last known address of the customer;
[§9(e)(2)(ii)] or
c. making the current privacy notice available on the institution's
web site (or via a link to the notice at another site) for the
customer who agrees to receive the notice at the web site?
[§9(e)(2)(iii)]
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.