July 8, 2001
FYI - Online financial services provider S1 acknowledged Friday that it
suffered an electronic break-in last month, when an unknown attacker exploited a
security flaw to access one of the company's servers. http://news.cnet.com/news/0-1003-200-6476215.html?tag=mn_hd
FYI - OCC Issues Guidance for National Banks on Internet Weblinking
- The Office of the Comptroller of the Currency (OCC) today issued guidance on
the risks that arise when national banks establish web links to the web sites of
other companies that allow bank customers to purchase products and services from
the linked companies.
Press Release - www.occ.treas.gov/ftp/release/2001-63.txt
Attachment - www.occ.treas.gov/ftp/bulletin/2001-31.txt
INTERNET COMPLIANCE - Reserve Requirements of Depository Institutions (Regulation D)
Pursuant to the withdrawal and transfer restrictions imposed on savings deposits, electronic transfers, electronic withdrawals (paid electronically) or payments to third parties initiated by a depositor from a personal computer are included as a type of transfer subject to the six transaction limit imposed on passbook savings and MMDA accounts.
Institutions also should note that, to the extent stored value or other electronic money represents a demand deposit or transaction account, the provisions of Regulation D would apply to such obligations.
Consumer Leasing Act (Regulation M)
The regulation provides examples of advertisements that clarify the definition of an advertisement under Regulation M. The term advertisement includes messages inviting, offering, or otherwise generally announcing to prospective customers the availability of consumer leases, whether in visual, oral, print, or electronic media. Included in the examples are on-line messages, such as those on the Internet. Therefore, such messages are subject to the general advertising requirements.
INTERNET SECURITY - We continue the series from the FDIC "Security Risks Associated with the Internet" about the primary technical and procedural security measures necessary to properly govern access control and system security.
Firewalls - Description, Configuration, and Placement
A firewall is a combination of hardware and software placed between two networks, through which all traffic, regardless of direction, must pass. When employed properly, it is a primary security measure in governing access control and protecting the internal system from compromise.
The key to a firewall's ability to protect the network is its configuration and its location within the system. Firewall products do not afford adequate security protection as purchased. They must be set up, or configured, to permit or deny the appropriate traffic. To provide the most security, the underlying rule should be to deny all traffic unless expressly permitted. This requires system administrators to review and evaluate the need for all permitted activities, as well as who may need to use them. For example, to protect against Internet protocol (IP) spoofing, data arriving from an outside network that claims to be originating from an internal computer should be denied access. Alternatively, systems could be denied access based on their IP address, regardless of the origination point. Such requests could then be evaluated based on what information was requested and where in the internal system it was requested from. For instance, incoming FTP requests may be permitted, but outgoing FTP requests denied.
Often, there is a delicate balance between what is necessary to perform business operations and the need for security. Due to the intricate details of firewall programming, the configuration should be reassessed after every system change or software update. Even if the system or application base does not change, the threats to the system do. Evolving risks and threats should be routinely monitored and considered to ensure the firewall remains an adequate security measure. If the firewall system should ever fail, the default should deny all access rather than permit the information flow to continue. Ideally, firewalls should be installed at any point where a computer system comes into contact with another network. The firewall system should also include alerting mechanisms to identify and record successful and attempted attacks and intrusions. In addition, detection mechanisms and procedures should include the generation and routine review of security logs.
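The configuration principles above (deny unless expressly permitted, reject outside traffic that claims an internal source address, treat FTP differently by direction, fail closed, and log every decision) can be shown in a small rule evaluator. This is an added example, not part of the FDIC paper or this newsletter; the internal range 10.0.0.0/8, the rule list, and the names Packet, RULES, LOG and decide are assumptions made for illustration.

```python
import ipaddress
from dataclasses import dataclass

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")  # assumed internal range

@dataclass(frozen=True)
class Packet:
    direction: str   # "in" = arriving from the outside network, "out" = leaving
    src: str
    dst: str
    dport: int

# Constructed rule set: (direction, destination port, action), first match wins.
# Only expressly reviewed traffic is listed; everything else is denied.
RULES = [
    ("in", 21, "permit"),    # incoming FTP requests permitted
    ("out", 21, "deny"),     # outgoing FTP requests denied (explicit, for the log)
    ("out", 443, "permit"),
]

LOG = []  # security log of (verdict, reason, packet) for routine review

def decide(pkt, rules=RULES):
    """Return 'permit' or 'deny'; unmatched or malformed traffic is denied."""
    try:
        src = ipaddress.ip_address(pkt.src)
        ipaddress.ip_address(pkt.dst)  # validates the destination address
        if pkt.direction not in ("in", "out"):
            raise ValueError("unknown direction")
        # Anti-spoofing: outside traffic must not claim an internal source.
        if pkt.direction == "in" and src in INTERNAL_NET:
            verdict, reason = "deny", "spoofed internal source"
        else:
            verdict, reason = "deny", "default deny"
            for direction, dport, action in rules:
                if (direction, dport) == (pkt.direction, pkt.dport):
                    verdict, reason = action, f"rule {direction}/{dport}"
                    break
    except Exception as exc:  # fail closed on any evaluation error
        verdict, reason = "deny", f"error: {exc}"
    LOG.append((verdict, reason, pkt))
    return verdict
```

Reviewing LOG for "spoofed internal source" and "default deny" entries gives the record of attempted access that the paper asks administrators to examine routinely.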
INTERNET PRIVACY - Scores of online companies could find themselves in violation of new financial privacy rules that take effect Sunday amid widespread uncertainties over their scope, legal experts say.
IN CLOSING - The E-mail Banking News is in a new format for easier
viewing. If you have any problems, please let us know.