July 29, 2001
A cybercrime researcher at the FBI slipped up while
handling a virulent Internet worm, allowing it to e-mail official
documents to outsiders. http://news.cnet.com/news/0-1003-200-6671080.html?tag=dd.ne.dht.nl-sty.0
COMPLIANCE - "Member FDIC" Logo - When is it required?
The FDIC believes that every bank's home page is to some
extent an advertisement. Accordingly, bank web site home pages
should contain the official advertising statement unless the
advertisement is subject to exceptions such as advertisements for
loans, securities, trust services and/or radio or television
advertisements that do not exceed thirty seconds.
Whether subsidiary web pages require the official advertising
statement will depend upon the content of the particular page.
Subsidiary web pages that advertise deposits must contain the
official advertising statement.
Conversely, subsidiary web pages that relate to loans do not
require the official advertising statement.
INTERNET SECURITY - We continue the series from the FDIC
“Security Risks Associated with the Internet” about the primary
technical and procedural security measures necessary to properly
govern access control and system security.
Logical Access Controls
If passwords are used for access control or authentication measures,
users should be properly educated in password selection. Strong
passwords consist of at least six to eight alpha numeric characters,
with no resemblance to any personal data. PINs should also be
unique, with no resemblance to personal data. Neither passwords nor
PINs should ever be reduced to writing or shared with others.
Other security measures should include the adoption of one-time
passwords, or password aging measures that require periodic changes.
Encryption technology can also be employed in the entry and
transmission of passwords, PINs, user IDs, etc. Any password
directories or databases should be properly protected, as
Password guessing programs can be run against a system. Some can run
through tens of thousands of password variations based on personal
information, such as a user's name or address. It is preferable to
test for such vulnerabilities by running this type of program as a
preventive measure, before an unauthorized party has the opportunity
to do so. Incorporating a brief delay requirement after each
incorrect login attempt can be very effective against these types of
programs. In cases where a potential attacker is monitoring a
network to collect passwords, a system utilizing one-time passwords
would render any data collected useless.
When additional measures are necessary to confirm that passwords or
PINs are entered by the user, technologies such as tokens, smart
cards, and biometrics can be useful. Utilizing these technologies
adds another dimension to the security structure by requiring the
user to possess something physical.
PRIVACY - At the request of our readers, we will
cover various issues in the "Privacy of Consumer Financial
Information" published by the financial regulatory agencies in
On November 12, 1999, President Clinton signed into law the
Gramm-Leach-Bliley Act (the "Act"). Title V, Subtitle A of
the Act governs the treatment of nonpublic personal information
about consumers by financial institutions. Section 502 of the
Subtitle, subject to certain exceptions, prohibits a financial
institution from disclosing nonpublic personal information about a
consumer to nonaffiliated third parties, unless the institution
satisfies various notice and opt-out requirements, and provided that
the consumer has not elected to opt out of the disclosure. Section
503 requires the institution to provide notice of its privacy
policies and practices to its customers. Section 504 authorizes the
issuance of regulations to implement these provisions.
Accordingly, on June 1, 2000, the four federal bank and thrift
regulators published substantively identical regulations
implementing provisions of the Act governing the privacy of consumer
financial information. The regulations establish rules governing
duties of a financial institution to provide particular notices and
limitations on its disclosure of nonpublic personal information, as
1) A financial institution must provide a notice of its
privacy policies, and allow the consumer to opt out of the
disclosure of the consumer's nonpublic personal information, to a
nonaffiliated third party if the disclosure is outside of the
exceptions in sections 13, 14 or 15 of the regulations.
2) Regardless of whether a financial institution shares
nonpublic personal information, the institution must provide notices
of its privacy policies to its customers.
3) A financial institution generally may not disclose customer
account numbers to any nonaffiliated third party for marketing
4) A financial institution must follow reuse and redisclosure
limitations on any nonpublic personal information it receives from a
nonaffiliated financial institution.