Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
July 22, 2007
Does your financial institution need an affordable Internet security audit? Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - A reader brought to our attention that we had an inoperable link to the Internet Fraud Complaint Center. We believe that the correct link is http://www.ic3.gov. We apologize for the inconvenience.
FYI - 77 percent of security professionals want EU data breach laws - Around three out of four IT security professionals think companies should be legally obliged to inform customers and regulators of data security breaches, a survey reveals.
http://www.computerworlduk.com/management/government-law/legislation/news/index.cfm?newsid=3924
FYI - Phishing Tool Builds Sites in Seconds - Security experts have identified a development kit that can set up a scam site in as little as two seconds on a compromised server. Software developers like to make installation of their programs simple and quick. So do hackers.
http://www.pcworld.com/article/id,134322/article.html?tk=nl_dnxnws
FYI - Few breaches lead to identity theft, GAO finds (published on July 5, 2007) - Although data breaches in the public and private sectors are frequent, few incidents of identity theft have occurred as a result of the loss or unauthorized exposure of personal information, the Government Accountability Office said.
http://www.fcw.com/article103156-07-05-07-Web&printLayout
MISSING COMPUTERS/DATA
FYI - Database admin steals 2.3M consumer records at Fidelity National subsidiary - The data included names, addresses, birth dates, bank account and credit card information - Call it the case of hiring a fox to guard the hen house. A senior database administrator at a subsidiary of Fidelity National Information Services Inc. who was responsible for defining and enforcing data access rights at the company instead took data belonging to about 2.3 million consumers and sold it to a data broker.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9026166&source=rss_topic17
FYI - Report finds fault in IT employee, director in Birmingham VA breach - A dishonest IT specialist, lack of encryption and insufficient physical security controls may have contributed to the disappearance of a U.S. Department of Veterans Affairs (VA) external hard drive that contained the personal information of 1.8 million people, an Office of Inspector General (OIG) report has concluded.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070709/669379/
FYI - Fidelity: Employee stole, sold 2.3 million consumer records - In one of this year's largest data breaches, financial processing company Fidelity National Information Services revealed that a subsidiary's employee stole 2.3 million consumer records containing credit card, bank account and other personal information.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20070709/668983/
FYI - Girl Scouts council loses personal info in theft of tapes - The Girl Scouts Mile Hi Council has notified its members and their parents that they might be at risk for identity theft because of tapes stolen from a car.
http://www.rockymountainnews.com/drmn/local/article/0,1299,DRMN_15_5621147,00.html
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing" (pronounced "fishing"), are being perpetrated with increasing frequency, creativity and intensity. Phishing involves the use of seemingly legitimate e-mail messages and Internet Web sites to deceive consumers into disclosing sensitive information, such as bank account information, Social Security numbers, credit card numbers, passwords, and personal identification numbers (PINs). The perpetrator of the fraudulent e-mail message may use various means to convince the recipient that the message is legitimate and from a trusted source with which the recipient has an established business relationship, such as a bank. Techniques such as a false "from" address or the use of seemingly legitimate bank logos, Web links and graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will request that recipients "update" or "validate" their financial or personal information in order to maintain their accounts, and direct them to a fraudulent Web site that may look very similar to the Web site of the legitimate business. These Web sites may include copied or "spoofed" pages from legitimate Web sites to further trick consumers into thinking they are responding to a bona fide request. Some consumers will mistakenly submit financial and personal information to the perpetrator, who will use it to gain access to financial records or accounts, commit identity theft or engage in other illegal acts.
The Federal Deposit Insurance Corporation (FDIC) and other government agencies have also been "spoofed" in the perpetration of e-mail and Internet-related fraudulent schemes. For example, in January 2004, a fictitious e-mail message that appeared to be from the FDIC was widely distributed, and it told recipients that their deposit insurance would be suspended until they verified their identity. The e-mail message included a hyperlink to a fraudulent Web site that looked similar to the FDIC's legitimate Web site and asked for confidential information, including bank account information.
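As an added example, not part of the newsletter or of the FDIC guidance, the following Python check flags a message for the three indicators the guidance names: a false "from" address, a Web link whose visible text does not match where it points, and the "update or validate your information" lure. The brand table, the sample message and the helper names are constructed for this example.

```python
import re
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed brand table: which sending domains legitimately belong to each brand name.
KNOWN_BRANDS = {"fdic": {"fdic.gov"}, "examplebank": {"examplebank.com"}}
# Anchors with a quoted href (a simplification; real mail needs a proper HTML parser).
ANCHOR = re.compile(r'<a\s[^>]*href="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
# Link text that itself looks like a host or URL, so plain "Click here" is not compared.
HOSTLIKE = re.compile(r"^(?:https?://)?([\w.-]+\.[a-z]{2,})(?:[/?#]|$)", re.I)
# The "update/validate your information or be suspended" lure the guidance describes.
URGENCY = re.compile(r"\b(update|validate|verify)\b.{0,80}?\b(account|identity|information)\b|\bsuspend", re.I | re.S)

def registered_domain(host):
    # Crude 'example.com' from 'mail.example.com'; no public-suffix list (an assumption).
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else parts[0]

def phishing_indicators(from_header, html_body):
    """Return the indicators found in one message; an empty list means none triggered."""
    found = []
    display, addr = parseaddr(from_header)
    sender_domain = registered_domain(addr.rsplit("@", 1)[-1]) if "@" in addr else ""
    # 1. False "from": a known brand is named, but the mail comes from a domain not the brand's.
    for brand, domains in KNOWN_BRANDS.items():
        if brand in (display + " " + addr).lower() and sender_domain not in domains:
            found.append(f"from-mismatch:{brand}:{sender_domain}")
    # 2. Spoofed Web link: the visible text shows one host while the href points elsewhere.
    for href, text in ANCHOR.findall(html_body):
        shown = HOSTLIKE.match(re.sub(r"<[^>]+>", "", text).strip())
        actual = urlparse(href).hostname or ""
        if shown and actual and registered_domain(shown.group(1)) != registered_domain(actual):
            found.append(f"link-mismatch:{shown.group(1)}->{actual}")
    # 3. Pressure to "update"/"validate" or face suspension, checked on the tag-stripped text.
    if URGENCY.search(re.sub(r"<[^>]+>", " ", html_body)):
        found.append("urgency-lure")
    return found

# Constructed sample modelled on the January 2004 FDIC hoax described in the guidance.
SAMPLE_FROM = "FDIC Customer Service <service@fdic-verification.example>"
SAMPLE_BODY = ("<p>Your deposit insurance will be suspended until you verify your identity.</p>"
               '<a href="http://fdic.example-verify.net/login">http://www.fdic.gov/</a>')

if __name__ == "__main__":
    print(phishing_indicators(SAMPLE_FROM, SAMPLE_BODY))
```

A message that names a brand from its own domain, links to the host it displays and carries no suspension threat returns an empty list, so the three indicators can be scored independently in a mail gateway or customer-reporting workflow.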
INFORMATION TECHNOLOGY SECURITY - We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."
Risk Mitigation
Security should not be compromised when offering wireless financial services to customers or deploying wireless internal networks. Financial institutions should carefully consider the risks of wireless technology and take appropriate steps to mitigate those risks before deploying either wireless networks or applications. As wireless technologies evolve, the security and control features available to financial institutions will make the process of risk mitigation easier. Steps that can be taken immediately in wireless implementation include:
1) Establishing a minimum set of security requirements for wireless networks and applications;
2) Adopting proven security policies and procedures to address the security weaknesses of the wireless environment;
3) Adopting strong encryption methods that encompass end-to-end encryption of information as it passes throughout the wireless network;
4) Adopting authentication protocols for customers using wireless applications that are separate and distinct from those provided by the wireless network operator;
5) Ensuring that the wireless software includes appropriate audit capabilities (for such things as recording dropped transactions);
6) Providing appropriate training to IT personnel on network, application and security controls so that they understand and can respond to potential risks; and
7) Performing independent security testing of wireless network and application implementations.
IT SECURITY QUESTION: Computer operations:
a. Is the core application in-house or outsourced to a data center?
b. What type of network configuration is used?
c. What are the servers' operating systems?
d. What are the workstations' operating systems?
e. Is there a telephone-banking server?
f. Is there a server hosting Internet banking?
g. Are system logs maintained and reviewed regularly?
h. Are there modem connections to the network?
i. Is a modem log maintained?
j. Are there IT job descriptions?
k. Is there an anti-virus program on all workstations, and is the program current?
l. Are there software license agreements for all software?
m. Does the IT department program applications?
n. Are programming requirements outsourced? Vendor?
o. Are unauthorized programs such as screen savers prohibited?
p. Does the Board of Directors annually approve the IT policies?
q. If individual computers are not backed up, is important data saved to a network server?
r. Are stand-alone computers with critical data backed up?
s. Are there written IT procedures?
t. Are there network activity reports?
u. Does the personnel manual inform personnel of the Bank's policies and acceptable computer use?
v. Is a network problem log maintained?
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Financial Institution Duties (Part 6 of 6)
Redisclosure and Reuse Limitations on Nonpublic Personal Information Received:
If a financial institution receives nonpublic personal information from a nonaffiliated financial institution, its disclosure and use of the information is limited.
A) For nonpublic personal information received under a section 14 or 15 exception, the financial institution is limited to:
1) Disclosing the information to the affiliates of the financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may, in turn, disclose and use the information only to the extent that the financial institution can do so; and
3) Disclosing and using the information pursuant to a section 14 or 15 exception (for example, an institution receiving information for account processing could disclose the information to its auditors).
B) For nonpublic personal information received other than under a section 14 or 15 exception, the recipient's use of the information is unlimited, but its disclosure of the information is limited to:
1) Disclosing the information to the affiliates of the financial institution from which it received the information;
2) Disclosing the information to its own affiliates, who may, in turn, disclose the information only to the extent that the financial institution can do so; and
3) Disclosing the information to any other person, if the disclosure would be lawful if made directly to that person by the financial institution from which it received the information. For example, an institution that received a customer list from another financial institution could disclose the list (1) in accordance with the privacy policy of the financial institution that provided the list, (2) subject to any opt out election or revocation by the consumers on the list, and (3) in accordance with appropriate exceptions under sections 14 and 15.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.