R. Kinney Williams & Associates
Internet Banking News
July 30, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test?
Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).
The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - When two factor fails - Online security is only as secure as its weakest link. Most Web sites require only a user ID and password for access. This is secure unless someone else gets hold of this information. That's why some financial institutions have started issuing hardware tokens with randomly generated numbers synced up to a server at the bank; in addition to providing a user ID and password, the customer must also provide the numbers currently displayed on the token. This too is secure--unless someone gets in the middle.
http://reviews.cnet.com/4520-3513-6552837.html?tag=nl.e757
http://www.vnunet.com/articles/print/2160250
FYI -
NCUA - Letter to Credit Unions 06-CU-12 - Disaster
Preparedness & Response Examination Procedures.
www.ncua.gov/letters/2006/CU/06-CU-12.pdf
FYI -
Ohio University CIO resigns in wake of data breaches - William Sams,
the CIO of Ohio University in Athens, Ohio, has submitted his
resignation weeks after the university disclosed a series of
information security breaches that exposed the personal information
of tens of thousands of students and alumni.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001777
FYI -
Outsourced data must be protected, says privacy chief - Companies
are still liable for data protection breaches that happen on third
party premises thousands of miles away, the Information Commissioner
has warned.
http://www.theregister.co.uk/2006/07/12/outsourced_data_protection/print.html
FYI -
University removes outer firewall to improve security - Sydney's
Macquarie University recently spent AU$1 million upgrading its
network security and found the best solution was to remove the
perimeter firewall. Last year, the university performed an audit of
its security systems and found several weaknesses in its network
infrastructure. It immediately issued a tender and eventually chose
a solution that would remove the university's perimeter firewall and
instead fence off the network core.
http://www.zdnet.com.au/news/hardware/print.htm?TYPE=story&AT=39262966-2000061702t-10000001c
FYI -
OMB tightens IT security incident rules - Agencies must now report
all security incidents involving personally identifiable information
within one hour of discovering the incident, the Office of
Management and Budget said in a memo tightening information security
notification procedures.
http://www.gcn.com/online/vol1_no1/41334-1.html
FYI -
Identity details found on state site - Social Security numbers among
information available in online filings - Until Friday morning, the
secretary of state's Web site was a potential gold mine for would-be
identity thieves. More than 2 million documents - thousands
containing individuals' Social Security numbers - called Uniform
Commercial Code filings had been available for public perusal.
http://www.clarionledger.com/apps/pbcs.dll/article?aid=/20060716/news/607160386/1001
FYI - Unsecured email sparks dispute - A large Melbourne hospital has sparked a dispute among doctors by sending out sensitive health information as email.
http://australianit.news.com.au/articles/0,7204,19822430%5E15306%5E%5Enbv%5E,00.html
FYI - Agencies to Teach
Cybersecurity Protection - Federal scientists who study how hackers
try to break into computer-based controls for nuclear reactors and
other automated industrial systems are passing the secrets on to the
private operators of such facilities. The U.S. Department of Energy
and U.S. Department of Homeland Security will sponsor free classes
in protecting remote controls of critical infrastructure during an
international cybersecurity summit in Las Vegas Sept. 28-30.
http://www.foxnews.com/wires/2006Jul19/0,4670,CybersecurityProtection,00.html
WEB SITE COMPLIANCE - We continue our series on the FFIEC Authentication in an Internet Banking Environment. (Part 10 of 13)
Biometrics
Biometric technologies identify or authenticate the identity of a
living person on the basis of a physiological or physical
characteristic (something a person is). Physiological
characteristics include fingerprints, iris configuration, and facial
structure. Physical characteristics include, for example, the rate
and flow of movements, such as the pattern of data entry on a
computer keyboard. The process of introducing people into a
biometrics-based system is called "enrollment." In enrollment,
samples of data are taken from one or more physiological or physical
characteristics; the samples are converted into a mathematical
model, or template; and the template is registered into a database
on which a software application can perform analysis.
Once enrolled, customers interact with the live-scan process of the
biometrics technology. The live scan is used to identify and
authenticate the customer. The results of a live scan, such as a
fingerprint, are compared with the registered templates stored in
the system. If there is a match, the customer is authenticated and
granted access.
Biometric identifiers are most commonly used as part of a
multifactor authentication system, combined with a password
(something a person knows) or a token (something a person has).
Various biometric techniques and identifiers are being developed and
tested; these include:
• fingerprint recognition;
• face recognition;
• voice recognition;
• keystroke recognition;
• handwriting recognition;
• finger and hand geometry;
• retinal scan; and
• iris scan.
Two biometric techniques that are increasingly gaining acceptance
are fingerprint recognition and face recognition.
Fingerprint Recognition
Fingerprint recognition technologies analyze global pattern schemata
on the fingerprint, along with small unique marks known as minutiae,
which are the ridge endings and bifurcations or branches in the
fingerprint ridges. The data extracted from fingerprints are
extremely dense and the density explains why fingerprints are a very
reliable means of identification. Fingerprint recognition systems
store only data describing the exact fingerprint minutiae; images of
actual fingerprints are not retained. Fingerprint scanners may be
built into computer keyboards or pointing devices (mice), or may be
stand-alone scanning devices attached to a computer.
Fingerprints are unique and complex enough to provide a robust
template for authentication. Using multiple fingerprints from the
same individual affords a greater degree of accuracy. Fingerprint
identification technologies are among the most mature and accurate
of the various biometric methods of identification.
Although end users should have little trouble using a
fingerprint-scanning device, special hardware and software must be
installed on the user's computer. Fingerprint recognition
implementation will vary according to the vendor and the degree of
sophistication required. This technology is not portable since a
scanning device needs to be installed on each participating user's
computer. However, fingerprint biometrics is generally considered
easier to install and use than other, more complex technologies,
such as iris scanning. Enrollment can be performed either at the
financial institution's customer service center or remotely by the
customer after he or she has received setup instructions and
passwords. According to fingerprint technology vendors, there are
several scenarios for remote enrollment that provide adequate
security, but for large-dollar transaction accounts, the institution
should consider requiring that customers appear in person.
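The enrollment, live-scan and matching steps described above, and the minutiae-only template the fingerprint section mentions, can be seen end to end in the following added example. It is not code from the FFIEC booklet or from any vendor: the minutiae coordinates, the tolerances and the 0.6 acceptance threshold are all constructed values, and real products use far more elaborate alignment and scoring.

```python
# Added example, not from the FFIEC booklet: a toy minutiae-based
# enrollment / live-scan / match flow. All minutiae values are constructed.
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Minutia:
    x: float
    y: float
    angle: float  # ridge direction in degrees
    kind: str     # "ending" or "bifurcation"


# Constructed extractor output for one enrollment scan of Alice's finger.
ALICE_ENROLL = [
    Minutia(10, 20, 45, "ending"),
    Minutia(30, 22, 90, "bifurcation"),
    Minutia(15, 40, 180, "ending"),
    Minutia(35, 45, 270, "bifurcation"),
    Minutia(22, 60, 10, "ending"),
]
# Same finger re-scanned: placed 5 px right / 3 px up, slightly noisy,
# and the extractor missed one minutia (constructed).
ALICE_LIVE = [
    Minutia(15.5, 17, 47, "ending"),
    Minutia(34.8, 19.5, 88, "bifurcation"),
    Minutia(20.2, 37, 183, "ending"),
    Minutia(27, 57.6, 12, "ending"),
]
# A different person's finger (constructed).
MALLORY_LIVE = [
    Minutia(5, 5, 120, "bifurcation"),
    Minutia(40, 10, 200, "ending"),
    Minutia(25, 30, 300, "bifurcation"),
    Minutia(12, 55, 60, "ending"),
    Minutia(38, 58, 340, "ending"),
]

DIST_TOL = 6.0    # px a minutia may drift between scans (assumed)
ANGLE_TOL = 15.0  # degrees (assumed)
THRESHOLD = 0.6   # fraction of template minutiae that must be found (assumed)


def make_template(scan):
    """Enrollment: keep only minutiae (no image), re-centred on their
    centroid so a shifted finger placement still lines up."""
    cx = sum(m.x for m in scan) / len(scan)
    cy = sum(m.y for m in scan) / len(scan)
    return tuple(Minutia(m.x - cx, m.y - cy, m.angle, m.kind) for m in scan)


def _angle_diff(a, b):
    d = abs(a - b) % 360
    return min(d, 360 - d)


def match_score(template, live_scan):
    """Fraction of template minutiae with a matching live minutia
    (same kind, within distance and angle tolerance, each used once)."""
    live = list(make_template(live_scan))
    matched = 0
    for t in template:
        for i, cand in enumerate(live):
            if (cand.kind == t.kind
                    and math.hypot(cand.x - t.x, cand.y - t.y) <= DIST_TOL
                    and _angle_diff(cand.angle, t.angle) <= ANGLE_TOL):
                matched += 1
                del live[i]
                break
    return matched / len(template)


def verify(template, live_scan, threshold=THRESHOLD):
    """Authentication decision: (accepted, score). Raising the threshold
    lowers false accepts and raises false rejects; tune it on real data."""
    score = match_score(template, live_scan)
    return score >= threshold, score


if __name__ == "__main__":
    tpl = make_template(ALICE_ENROLL)  # what the enrollment database stores
    print("Alice re-scan:", verify(tpl, ALICE_LIVE))    # (True, 0.8)
    print("Mallory      :", verify(tpl, MALLORY_LIVE))  # (False, 0.0)
```

The point to take from the example is the design of the database: only the template tuple is stored, never the scan image, and the threshold is the institution's tuning knob between rejecting legitimate customers and accepting impostors.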
Face Recognition
Most face recognition systems focus on specific features on the face
and make a two-dimensional map of the face. Newer systems make
three-dimensional maps. The systems capture facial images from video
cameras and generate templates that are stored and used for
comparisons. Face recognition is a fairly young technology compared
with other biometrics like fingerprints.
Facial scans are only as good as the environment in which they are
collected. The so-called "mug shot" environment is ideal. The best
scans are produced under controlled conditions with proper lighting
and proper placement of the video device. As part of a highly
sensitive security environment, there may be several cameras
collecting image data from different angles, producing a more exact
scan. Certain facial scanning applications also include tests for liveness, such as blinking eyes. Testing for liveness reduces the
chance that the person requesting access is using a photograph of an
authorized individual.
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - APPLICATION ACCESS (Part 1 of 2)
Sensitive or mission-critical applications should incorporate
appropriate access controls that restrict which application
functions are available to users and other applications. The most
commonly referenced applications from an examination perspective
support the information processing needs of the various business
lines. These computer applications allow authorized users or other
applications to interface with the related database. Effective
application access control can enforce both segregation of duties
and dual control. Access rights to sensitive or critical
applications and their database should ensure that employees or
applications have the minimum level of access required to perform
their business functions. Effective application access control
involves a partnership between the security administrators, the
application programmers (including TSPs and vendors), and the
business owners.
Some security software programs will integrate access control for
the operating system and some applications. That software is useful
when applications do not have their own access controls, and when
the institution wants to rely on the security software instead of
the application's access controls. Examples of such security
software products for mainframe computers include RACF, CA-ACF2,
and CA-Top Secret. Institutions should understand the functionality
and vulnerabilities of their application access control solutions
and consider those issues in their risk assessment process.
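The three controls the booklet names for application access (minimum level of access, segregation of duties, dual control) are easy to state and easy to get wrong in code. The following added example, which is not from the FFIEC booklet and is not modelled on any real banking product, shows one way an application can enforce all three on a constructed wire-transfer workflow; the roles, user names and the 10,000 dual-control limit are assumptions.

```python
# Added example, not from the FFIEC booklet: application access control
# for a constructed wire-transfer workflow, enforcing least privilege,
# segregation of duties and dual control. Roles, users and limit are made up.
from dataclasses import dataclass, field

# Least privilege: a role carries only the functions its job needs.
ROLE_PERMISSIONS = {
    "teller": {"wire.create", "wire.read"},
    "supervisor": {"wire.create", "wire.approve", "wire.read"},
    "auditor": {"wire.read"},
}
DUAL_CONTROL_LIMIT = 10_000  # at or above this amount two approvers are needed


class AccessDenied(Exception):
    pass


@dataclass
class Wire:
    wire_id: str
    amount: int
    created_by: str
    approved_by: list = field(default_factory=list)
    released: bool = False


class WireApp:
    def __init__(self, users):
        self.users = users        # user name -> role
        self.wires = {}
        self.audit = []           # (user, function, outcome) for examiners

    def _require(self, user, permission):
        """Central check that every application function goes through."""
        allowed = ROLE_PERMISSIONS.get(self.users.get(user), set())
        if permission not in allowed:
            self.audit.append((user, permission, "DENIED"))
            raise AccessDenied(f"{user} may not call {permission}")
        self.audit.append((user, permission, "OK"))

    def create(self, user, wire_id, amount):
        self._require(user, "wire.create")
        self.wires[wire_id] = Wire(wire_id, amount, user)
        return self.wires[wire_id]

    def approve(self, user, wire_id):
        """Returns True once the wire has enough distinct approvals."""
        self._require(user, "wire.approve")
        wire = self.wires[wire_id]
        if user == wire.created_by:        # segregation of duties
            self.audit.append((user, "wire.approve", "DENIED: own wire"))
            raise AccessDenied("initiator may not approve their own wire")
        if user in wire.approved_by:       # dual control needs two people
            self.audit.append((user, "wire.approve", "DENIED: duplicate"))
            raise AccessDenied("second approval must come from another person")
        wire.approved_by.append(user)
        needed = 2 if wire.amount >= DUAL_CONTROL_LIMIT else 1
        wire.released = len(wire.approved_by) >= needed
        return wire.released

    def read(self, user, wire_id):
        self._require(user, "wire.read")
        return self.wires[wire_id]


def denied(fn, *args):
    """Helper: True if the call is refused by access control."""
    try:
        fn(*args)
        return False
    except AccessDenied:
        return True


def demo():
    """Walk through the constructed scenario; returns the app for inspection."""
    app = WireApp({"tom": "teller", "sue": "supervisor",
                   "sam": "supervisor", "sid": "supervisor", "ann": "auditor"})
    app.create("tom", "W1", 500)
    assert app.approve("sue", "W1") is True        # small wire, one approver
    app.create("sue", "W2", 50_000)
    assert denied(app.approve, "sue", "W2")        # SoD: sue created it
    assert app.approve("sam", "W2") is False       # first of two approvals
    assert denied(app.approve, "sam", "W2")        # same person twice
    assert app.approve("sid", "W2") is True        # second distinct approver
    assert denied(app.create, "ann", "W3", 1)      # auditor can only read
    return app


if __name__ == "__main__":
    for entry in demo().audit:
        print(entry)
```

Two design choices matter for an examiner's review: every function funnels through one `_require` check rather than scattering role tests across the code, and denials are written to the same audit list as successes, so the record shows both what was done and what was refused.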
IT SECURITY QUESTION:
D. USER EQUIPMENT SECURITY (E.G. WORKSTATION, LAPTOP, HANDHELD)
2. Determine whether workstations are configured either for secure remote administration or for no remote administration.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Content of Privacy Notice
8) Do the initial, annual, and revised privacy notices include
each of the following, as applicable: (Part 2 of 2)
e) if the institution discloses nonpublic personal information
to a nonaffiliated third party under §13, and no exception under §14
or §15 applies, a separate statement of the categories of
information the institution discloses and the categories of third
parties with whom the institution has contracted; [§6(a)(5)]
f) an explanation of the opt out right, including the method(s)
of opt out that the consumer can use at the time of the notice; [§6(a)(6)]
g) any disclosures that the institution makes under §603(d)(2)(A)(iii)
of the Fair Credit Reporting Act (FCRA); [§6(a)(7)]
h) the institution's policies and practices with respect to
protecting the confidentiality and security of nonpublic personal
information; [§6(a)(8)] and
i) a general statement--with no specific reference to the
exceptions or to the third parties--that the institution makes
disclosures to other nonaffiliated third parties as permitted by
law? [§6(a)(9), (b)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.
With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.
For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.