REMINDER - This newsletter is
available for Android smart phones and tablets. Go to the
Market Store and search for yennik.
Community Bank Technology Conference -
If you have nothing on your plate, plan to attend the Independent
Community Bankers of America’s Community Bank Technology Conference,
September 12-14, 2012 in Las Vegas. I will be speaking Thursday on
auditing community banks. For more information please visit
http://www.icba.org/events/eventdetail.cfm?EventID=199421.
FYI
- The Federal Financial Institutions Examination Council agencies
consider cloud computing to be another form of outsourcing with the
same basic risk characteristics and risk management requirements as
traditional forms of outsourcing.
http://ithandbook.ffiec.gov/media/153119/06-28-12_-_external_cloud_computing_-_public_statement.pdf
FYI
- Homeland Security warns of hackers targeting popular Niagara
software - The Department of Homeland Security on Friday warned that
a popular system used by organizations around the world to manage
millions of machines and devices over the Internet is vulnerable to
attack from hackers.
http://www.washingtonpost.com/investigations/homeland-security-warns-of-hackers-targeting-popular-niagara-software/2012/07/13/gJQA0l7NiW_story.html
FYI
- FBI Investigating Major Chinese Firm for Selling Spy Gear to Iran
- The FBI has launched an investigation into allegations that a top
Chinese maker of phone equipment supplied Iran with U.S.-made
hardware and software, including a powerful surveillance system, in
violation of federal laws and a trade embargo, according to The
Smoking Gun.
http://www.wired.com/threatlevel/2012/07/fbi-zte/
FYI
- Chemical giant foils infected USB stick espionage bid -
Malware-laden drive falls into the right hands - An attempt to
infiltrate the corporate systems of Dutch chemical giant DSM by
leaving malware-riddled USB sticks in the corporation's car park has
failed.
http://www.theregister.co.uk/2012/07/11/infected_usb_spyware/
FYI
- Yahoo closes security hole that led to password breach - Yahoo
said Friday that it has fixed a security vulnerability that allowed
hackers to seize roughly 450,000 unencrypted email addresses and
passwords belonging to members of its content-sharing platform.
http://www.scmagazine.com/yahoo-closes-security-hole-that-led-to-password-breach/article/250426/?DCMP=EMC-SCUS_Newswire
FYI
- Rap artist busted on credit card fraud charges - A California
rapper has been charged with buying 27,257 stolen credit card
numbers and making fraudulent purchases, the U.S. attorney's office
in Seattle said Thursday.
http://www.scmagazine.com/rap-artist-busted-on-credit-card-fraud-charges/article/250201/?DCMP=EMC-SCUS_Newswire
FYI
- GAO - Cybersecurity: Challenges in Securing the Electricity Grid -
The threats to systems supporting critical infrastructures are
evolving and growing.
http://www.gao.gov/products/GAO-12-926T
FYI
- Data sharing, standards pose challenges to power grid - Better
coordination, actionable information, and risk awareness are needed
to protect the country's critical infrastructure, especially the
power grid, according to a congressional watchdog report.
http://www.scmagazine.com/data-sharing-standards-pose-challenges-to-power-grid/article/250888/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI
- Hackers post 450K credentials pilfered from Yahoo - Credentials
posted in plain text appear to have originated from the Web
company's Yahoo Voices platform. The hackers say they intended the
data dump as a "wake-up call."
http://news.cnet.com/8301-1009_3-57470786-83/hackers-post-450k-credentials-pilfered-from-yahoo/
FYI
- Formspring springs a leak: 28 MILLION passwords reset after raid -
At least OUR hashes were salted, says CEO - Formspring has told its
28 million users to change their passwords following the discovery
of a security breach.
http://www.theregister.co.uk/2012/07/11/formspring_security_breach/
FYI
- Billabong is latest password breach victim, 21k exposed - More
than 21,000 unencrypted usernames and passwords have been stolen
from Australian surfwear company Billabong and posted online to
CodePaste.net.
http://www.scmagazine.com/billabong-is-latest-password-breach-victim-21k-exposed/article/250203/?DCMP=EMC-SCUS_Newswire
FYI
- Yahoo session hijacking likely culprit of Android spam -
Researchers have turned up new evidence that the spam messages
originally suspected to have been sent by an Android botnet may
actually have been the result of a vulnerability in the Yahoo
Android mail client.
http://www.scmagazine.com/yahoo-session-hijacking-likely-culprit-of-android-spam/article/250454/?DCMP=EMC-SCUS_Newswire
FYI
- FDA investigates how confidential files went public - The Food and
Drug Administration is investigating how a document-management
company apparently inadvertently made public 75,000 pages of
confidential files about how medical devices were approved at the
agency, the Wall Street Journal reports.
http://www.nextgov.com/cio-briefing/2012/07/fda-investigates-how-confidential-files-went-public/56812/?oref=ng-channelriver
FYI
- Oil Companies Spring a Leak, Courtesy of Anonymous - Five top
multinational oil companies have been targeted by members of
Anonymous, who published about 1,000 email addresses for accounts
belonging to the firms, as well as hashed and unencrypted passwords.
http://www.wired.com/threatlevel/2012/07/oil-companies-hacked/
FYI
- Nvidia probes breach of hashed passwords - Nvidia said the
information released about users, however, was already public in its
forum - Nvidia said it is investigating the release of hashed
passwords from its user forums, another significant data breach
following recent compromises at Yahoo and LinkedIn.
http://www.computerworld.com/s/article/9229202/Nvidia_probes_breach_of_hashed_passwords?taxonomyId=17
FYI
- Personal data of 2.4 million Ontario voters at risk - Two USB
drives holding personal information of 2.4 million voters living in
electoral districts in the Waterloo region in Southern Ontario,
Canada, have been missing for the past three months, according to
Elections Ontario, the non-partisan agency that oversees general
elections in Ontario.
http://www.scmagazine.com/personal-data-of-24-million-ontario-voters-at-risk/article/250794/?DCMP=EMC-SCUS_Newswire
FYI
- Estonian hacker sentenced for Dave and Buster's card theft - A
member of a hacking ring that embarked on a daring cyber crime spree
from 2005 to 2008 has been sentenced to seven years in prison,
federal prosecutors announced Wednesday.
http://www.scmagazine.com/estonian-hacker-sentenced-for-dave-and-busters-card-theft/article/250968/?DCMP=EMC-SCUS_Newswire
WEB SITE COMPLIANCE -
We continue covering
some of the issues discussed in the "Risk Management Principles for
Electronic Banking" published by the Basel Committee on Banking
Supervision.
Principle 9: Banks should take appropriate measures to ensure
adherence to customer privacy requirements applicable to the
jurisdictions to which the bank is providing e-banking products and
services.
Maintaining a customer's information privacy is a key responsibility
for a bank. Misuse or unauthorized disclosure of confidential
customer data exposes a bank to both legal and reputation risk. To
meet these challenges concerning the preservation of privacy of
customer information, banks should make reasonable endeavors to
ensure that:
1) The bank's customer privacy policies and standards take account
of and comply with all privacy regulations and laws applicable to
the jurisdictions to which it is providing e-banking products and
services.
2) Customers are made aware of the bank's privacy policies and
relevant privacy issues concerning use of e-banking products and
services.
3) Customers may decline (opt out) from permitting the bank to
share with a third party for cross-marketing purposes any
information about the customer's personal needs, interests,
financial position or banking activity.
4) Customer data are not used for purposes beyond those for which
they are specifically allowed or beyond those the customer has
authorized.
5) The bank's standards for customer data use must be met when
third parties have access to customer data through outsourcing
relationships.
INFORMATION TECHNOLOGY SECURITY -
We continue our series on the
FFIEC interagency Information Security Booklet.
INSURANCE (Part 1 of 2)
Insurance coverage is rapidly evolving to meet the growing number of
security-related threats. Coverage varies by insurance company, but
currently available insurance products may include coverage for the
following risks:
- Vandalism of financial institution Web sites,
- Denial-of-service attacks,
- Loss of income,
- Computer extortion associated with threats of attack or disclosure
of data,
- Theft of confidential information,
- Privacy violations,
- Litigation (breach of contract),
- Destruction or manipulation of data (including viruses),
- Fraudulent electronic signatures on loan agreements,
- Fraudulent instructions through e-mail,
- Third-party risk from companies responsible for security of
financial institution systems or information,
- Insiders who exceed system authorization, and
- Incident response costs related to the use of negotiators, public
relations consultants, security and computer forensic consultants,
programmers, replacement systems, etc.
Financial institutions can attempt to insure against these risks
through existing blanket bond insurance coverage added on to address
specific threats. It is important that financial institutions
understand the extent of coverage and the requirements governing the
reimbursement of claims. For example, financial institutions should
understand the extent of coverage available in the event of security
breaches at a third-party service provider. In such a case, the
institution may want to consider contractual requirements that
require service providers to maintain adequate insurance to cover
security incidents.
When considering supplemental insurance coverage for security
incidents, the institution should assess the specific threats in
light of the impact these incidents will have on its financial,
operational, and reputation risk profiles. Obviously, when a
financial institution contracts for additional coverage, it should
ensure that it is aware of and prepared to comply with any required
security controls both at inception of the coverage and over the
term of the policy.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
25. Does the institution permit
each of the joint consumers in a joint relationship to opt out?
[§7(d)(2)]
26. Does the opt out notice to joint consumers state that either:
a. the institution will consider an opt out by a joint consumer as
applying to all associated joint consumers; [§7(d)(2)(i)] or
b. each joint consumer is permitted to opt out separately?
[§7(d)(2)(ii)]