R. Kinney Williams & Associates

Internet Banking News

August 7, 2005


FYI - FDIC Issues Guidance to Banks On Risks of "Spyware" - The Federal Deposit Insurance Corporation today issued guidance to financial institutions on how they can protect themselves against "spyware" - an increasingly prevalent form of software that collects personal or confidential information about a person or organization without their prior knowledge or informed consent, and reports it to a third party. http://www.fdic.gov/news/news/press/2005/pr6805.html

FYI - Cost of computer attacks down, says survey by CSI, FBI - While the cost of fending off hackers appears to be dropping for U.S. companies, attacks that involved unauthorized access to information are becoming much more costly, according to a survey by the Computer Security Institute (CSI) and the FBI. http://www.computerworld.com/printthis/2005/0,4814,103301,00.html

FYI - British hacker shines light on poor IT security - He claims that in one system he found that the local system administrator's password was blank. http://www.zdnet.co.uk/print/?TYPE=story&AT=39208859-39020375t-10000025c

FYI - Microsoft said two people who helped identify the creator of last year's Sasser worm will share a reward of $250,000. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=cb0bdf3c-0cc1-495a-bb33-fc3474bc76d2&newsType=Latest%20News&s=n

FYI - Feds lay down draft rules on system security - The U.S. Commerce Department's National Institute of Standards and Technology, or NIST, has released a draft version of the minimal security requirements for federal agencies. The report comes one month after government auditors found that the agencies are not prepared to deal with the triple Internet menaces of spam, phishing and spyware. http://msn-cnet.com.com/Feds+lay+down+draft+rules+on+system+security/2100-7348_3-5793815.html?part=msn-cnet&subj=ns_2510&tag=mymsn

FYI - Hackers get into USC database - A University of Southern California database containing about 270,000 records of past applicants was hacked last month. http://news.com.com/2102-7349_3-5795373.html?tag=st.util.print

"Home Mortgage Disclosure," Comptroller's Handbook for Consumer Compliance Revised booklet incorporates Federal Reserve Board changes to Regulation C requiring lenders to include additional information on their HMDA loan application register. www.occ.treas.gov/handbook/hmda.pdf 


Disclosures/Notices (Part 1 of 2)

Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form. Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.


We continue the series from the FDIC "Security Risks Associated with the Internet."

Logical Access Controls (Part 2 of 2)

Tokens

Token technology relies on a separate physical device, retained by the individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is synchronized with security software on the host computer, usually by an internal clock (token and host both derive the password from the current time) or by an identical mathematical algorithm that both sides step through in lockstep. Tokens are well suited for one-time password generation and access control. A separate PIN is typically required to activate the token, so that a lost or stolen device alone does not grant access.

Smart Cards

Smart cards resemble credit cards or other traditional magnetic stripe cards, but contain an embedded computer chip. The chip includes a processor, an operating system, and both read-only memory (ROM) and random access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys; because the chip can perform cryptographic operations itself, a key can be used without ever leaving the card. A smart card reader is required for their use.
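The time-synchronized tokens described above and the host-prompted one-time passwords of smart cards both come down to a shared secret plus a value the two sides agree on (a time step, or a challenge sent by the host). The following Python is an added example written for this newsletter; it is not part of the FDIC paper or of any vendor's product. It implements the later standardized form of these schemes (HOTP, RFC 4226, and TOTP, RFC 6238), a host-side verifier that tolerates a small clock drift but refuses to accept the same one-time password twice, and a challenge-response mode that needs no clock at all. The shared secret is the RFC 6238 reference test secret, the challenge bytes are constructed for the example, and the class and function names are the example's own.

```python
import hashlib
import hmac
import secrets
import struct
import time

# Added example, not the FDIC's or a vendor's code. The secret is the RFC 6238
# reference test secret used as a constructed example value; a real token
# carries a per-device secret provisioned at enrollment.
SHARED_SECRET = b"12345678901234567890"
TIME_STEP = 30  # seconds per counter step (token and host must agree)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then the
    'dynamic truncation' that picks 31 bits and reduces them to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = DIGITS) -> str:
    """RFC 6238: the 'identical algorithm' on both sides is HOTP, and the counter
    both sides agree on is the number of time steps since the Unix epoch."""
    return hotp(secret, unix_time // step, digits)


class TotpVerifier:
    """Host-side verifier for a time-synchronized token.

    Accepts the current step and +/- drift_steps neighbours so a token whose
    clock has drifted a little still works, but remembers the highest counter
    already consumed so a captured code cannot be replayed ('one-time' means
    one time, even inside the drift window)."""

    def __init__(self, secret: bytes, drift_steps: int = 1,
                 step: int = TIME_STEP, digits: int = DIGITS) -> None:
        self.secret = secret
        self.drift_steps = drift_steps
        self.step = step
        self.digits = digits
        self.last_counter = -1  # highest counter value already accepted

    def verify(self, candidate: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for offset in range(-self.drift_steps, self.drift_steps + 1):
            counter = current + offset
            if counter <= self.last_counter:
                continue  # already used (or older than a used code): reject
            expected = hotp(self.secret, counter, self.digits)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


def host_challenge() -> bytes:
    """Challenge-response mode: the host sends a fresh random challenge."""
    return secrets.token_bytes(16)


def card_response(secret: bytes, challenge: bytes) -> str:
    """The card (or token) answers with an HMAC over the challenge. The secret
    never leaves the device and no clock synchronization is needed; freshness
    comes from the host never reusing a challenge."""
    return hmac.new(secret, challenge, hashlib.sha256).hexdigest()


def host_verify_response(secret: bytes, challenge: bytes, response: str) -> bool:
    return hmac.compare_digest(card_response(secret, challenge), response)


if __name__ == "__main__":
    now = int(time.time())
    code = totp(SHARED_SECRET, now)
    verifier = TotpVerifier(SHARED_SECRET)
    print("token displays:", code)
    print("host accepts first use:", verifier.verify(code, now))
    print("host accepts replay:", verifier.verify(code, now + 5))
    challenge = host_challenge()
    answer = card_response(SHARED_SECRET, challenge)
    print("challenge-response accepted:",
          host_verify_response(SHARED_SECRET, challenge, answer))
```

The drift window and the replay check pull in opposite directions: widening the window to help tokens with poor clocks also widens the period during which a shoulder-surfed code stays valid, which is why the verifier records the last accepted counter rather than relying on the window alone. The PIN that activates the token is deliberately not part of this computation; it protects the device, not the protocol.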

Biometrics

Biometrics identifies and verifies an individual from a physical characteristic, such as a fingerprint, hand geometry, or a retina scan. This technology is advancing rapidly and offers an alternative means of authenticating a user.


IT SECURITY QUESTION: Core application user access controls: (Part 1 of 2)

a. Is there a written procedure for password administration?
b. If a username is required, does the system automatically enter the username?
c. Is the password length six or greater?
d. Is the use of proper nouns and dictionary words discouraged?
e. Is the password required to include upper and lower case letters, special characters, and numbers?
f. Are passwords required to be changed at least every 30 days?


We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it: 

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [8(b)(1)(iii)]

Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [8(b)(2)]

VISTA - Does {custom4} need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act section 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning; the testing is conducted from a hacker's perspective, which helps you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated