R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 10, 2008

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI -
Web site design flaws make banking riskier - Study found design flaws in 76 percent of the 214 U.S. banking sites - Many U.S. banks are unwittingly training their online customers to take risks with their passwords and other sensitive account information, leaving them more vulnerable to fraud, new research shows.
http://www.msnbc.msn.com/id/25819973/
http://www.scmagazineus.com/Study-Security-flaws-threaten-online-banking/article/113010/?DCMP=EMC-SCUS_Newswire

FYI -
Bank Back On Hook For Data Theft At BJ's Wholesale - An appeals court reversed a lower court ruling absolving Fifth Third Bancorp from paying damages associated with replacing credit cards. A federal appeals court last week reversed a lower court's order that credit card processor Fifth Third Bancorp did not have to pay for new credit cards for some cardholders whose data was stolen during a 2004 hacking incident at BJ's Wholesale Club. http://www.informationweek.com/shared/printableArticle.jhtml?articleID=209400073

FYI -
San Francisco Computer Tech Set Booby Trap In City Network - Prosecutors say Childs set the network to delete numerous files during a scheduled maintenance of the system. A computer technician accused of hijacking San Francisco's network built a booby trap that was set to delete numerous files during a scheduled maintenance of the system, prosecutors say. http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=209600496

FYI -
'Hijacked' SF passwords made public - Only days after the city of San Francisco regained control of its computer network after an alleged hijacking, a new vulnerability has come to light--this time brought on by the city itself. The San Francisco district attorney's office has apparently made public nearly 150 usernames and passwords used by city officials to gain access to the city's network.
http://news.cnet.com/8301-1009_3-10000342-83.html?tag=cd.blog
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9110758&source=rss_topic17

FYI -
GAO - Electronic Health Records: DOD and VA Have Increased Their Sharing of Health Information, but More Work Remains.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-954
Highlights - http://www.gao.gov/highlights/d08954high.pdf
 
FYI -
GAO - Federal Agency Efforts to Encrypt Sensitive Information Are Under Way, but Work Remains.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-525
Highlights - http://www.gao.gov/highlights/d08525high.pdf

FYI -
Veterans Affairs: Health Information System Modernization Far from Complete; Improved Project Planning and Oversight Needed.
Release - http://www.gao.gov/cgi-bin/getrpt?GAO-08-805
Highlights - http://www.gao.gov/highlights/d08805high.pdf

FYI -
GAO - Federal Information System Controls Audit Manual (FISCAM)
Exposure Draft - http://www.gao.gov/cgi-bin/getrpt?GAO-08-1029G

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI -
Fraud probe shuts airport kiosks - Ottawa wants answers about misuse of credit-card information at self-service counters - WestJet has stopped allowing customers to check in with their credit cards at the self-service kiosks in 28 Canadian airports, as the federal Transport Minister seeks answers in the wake of an investigation into the security of the kiosks. http://www.theglobeandmail.com/servlet/story/LAC.20080724.RCREDITCARDS24/TPStory/National

FYI -
9 Mil. Stolen Files Traded by Loan Ring - Some 9 million files of Korean credit information stolen by a Chinese hacker ended up back in Korea and were illegally sold and distributed to Korean loan firms, police say. http://english.chosun.com/w21data/html/news/200807/200807280013.html

FYI -
Local Medical Clinic Patients Among 500 Victimized In Major Identity Theft Ring - Sheriff's detectives are looking for a Fort Bend County medical clinic employee believed to have contributed patient information to a major area identity theft ring.
http://www.fortbendnow.com/pages/full_story?page_label=home&id=119590&article-Local-Medical-Clinic-Patients-Among-500-Victimized-In-Major-Identity-Theft-Ring%20=&widget=push&instance=home_news_bullets&open=&
http://www.chron.com/disp/story.mpl/front/5906582.html



WEB SITE COMPLIANCE - OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation and Response Guidance for Web Site Spoofing Incidents (Part 5 of 5).  Next week we will begin our series on the FFIEC Authentication in an Internet Banking Environment.

PROCEDURES TO ADDRESS SPOOFING - Contact the OCC and Law Enforcement Authorities

If a bank is the target of a spoofing incident, it should promptly notify its OCC supervisory office and report the incident to the FBI and appropriate state and local law enforcement authorities.  Banks can also file complaints with the Internet Fraud Complaint Center (see http://www.ic3.gov), a partnership of the FBI and the National White Collar Crime Center.

In order for law enforcement authorities to respond effectively to spoofing attacks, they must be provided with information necessary to identify and shut down the fraudulent Web site and to investigate and apprehend the persons responsible for the attack.  The data discussed under the "Information Gathering" section should meet this need.

In addition to reporting to the bank's supervisory office and law enforcement authorities, there are other less formal mechanisms that a bank can use to report these incidents and help combat fraudulent activities.  For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/), which is a joint initiative of industry and law enforcement designed to support apprehension of perpetrators of phishing-related crimes, including spoofing.  Members of Digital Phishnet include ISPs, online auction services, financial institutions, and financial service providers.  The members work closely with the FBI, Secret Service, U.S. Postal Inspection Service, Federal Trade Commission (FTC), and several electronic crimes task forces around the country to assist in identifying persons involved in phishing-type crimes.

Finally, banks can forward suspicious e-mails to the FTC at spam@uce.gov.  For more information on how the FTC can assist in combating phishing and spoofing, see http://www.consumer.gov/idtheft.

 
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS


Network security requires effective implementation of several control mechanisms to adequately secure access to systems and data. Financial institutions must evaluate and appropriately implement those controls relative to the complexity of their network.  Many institutions have increasingly complex and dynamic networks stemming from the growth of distributed computing.

Security personnel and network administrators have related but distinct responsibilities for ensuring secure network access across a diverse deployment of interconnecting network servers, file servers, routers, gateways, and local and remote client workstations.  Security personnel typically lead or assist in the development of policies, standards, and procedures, and monitor compliance. They also lead or assist in incident-response efforts.  Network administrators implement the policies, standards, and procedures in their day-to-day operational role.

Internally, networks can host or provide centralized access to mission-critical applications and information, making secure access an organizational priority. Externally, networks integrate institution and third-party applications that grant customers and insiders access to their financial information and Web-based services. Financial institutions that fail to restrict access properly expose themselves to increased transaction, reputation, and compliance risk from threats including the theft of customer information, data alteration, system misuse, or denial-of-service attacks.



IT SECURITY QUESTION:

B. NETWORK SECURITY


17. Determine whether remote access devices and network access points for remote equipment are appropriately controlled.

• Remote access is disabled by default, and enabled only by management authorization.

• Management authorization is required for each user who accesses sensitive components or data remotely.

• Authentication is of appropriate strength (e.g., two-factor for sensitive components).

• Modems are authorized, configured and managed to appropriately mitigate risks.

• Appropriate logging and monitoring takes place.

• Remote access devices are appropriately secured and controlled by the institution.
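The checklist above is written for an examiner working from configuration records and session logs. The script below is an added example, not part of the newsletter or of the FFIEC booklet; it shows how an auditor could mechanically test three of the items (remote access enabled only with management authorization, per-user authorization for sensitive components, and two-factor authentication for those components) against constructed sample data. The host inventory, the authorization table, the component names, the JSON log format and every user name and address in it are assumptions made up for this example.

```python
"""Audit constructed remote-access records against the FFIEC checklist items.

Added example, not from the newsletter or the FFIEC booklet.  All data below
(hosts, users, components, log lines, addresses) is constructed for illustration.
"""
import json

# Constructed host inventory: remote access should be off unless a manager approved it.
HOST_INVENTORY = [
    {"host": "core-db-01", "remote_access": False, "approved_by": None},
    {"host": "vpn-gw-01", "remote_access": True, "approved_by": "cio"},
    {"host": "branch-pc-17", "remote_access": True, "approved_by": None},
]

# Constructed management authorizations: (user, component) -> approving manager.
MANAGEMENT_AUTHORIZATIONS = {
    ("alice", "core-banking"): "cio",
    ("bob", "file-server"): "it-manager",
}

# Hypothetical components the institution classifies as sensitive (two-factor required).
SENSITIVE_COMPONENTS = {"core-banking", "wire-transfer"}

# Fields every remote session record must carry for the log to be auditable.
REQUIRED_FIELDS = ("ts", "user", "component", "src_ip", "mfa", "result")

# Constructed JSON log lines, one remote session per line (documentation addresses).
SAMPLE_LOG = """\
{"ts":"2008-08-04T09:12:00Z","user":"alice","component":"core-banking","src_ip":"203.0.113.7","mfa":true,"result":"success"}
{"ts":"2008-08-04T09:40:00Z","user":"bob","component":"file-server","src_ip":"198.51.100.9","mfa":false,"result":"success"}
{"ts":"2008-08-04T10:02:00Z","user":"carol","component":"core-banking","src_ip":"203.0.113.55","mfa":false,"result":"success"}
{"ts":"2008-08-04T10:30:00Z","user":"alice","component":"wire-transfer","src_ip":"203.0.113.7","mfa":true,"result":"success"}
{"user":"dave","component":"file-server","result":"success"}
"""


def hosts_with_unapproved_remote_access(inventory):
    """Checklist item 1: remote access enabled without management authorization."""
    return [h["host"] for h in inventory if h["remote_access"] and not h["approved_by"]]


def audit_session(rec):
    """Return the list of control failures for one remote session record."""
    findings = []
    missing = [f for f in REQUIRED_FIELDS if f not in rec]
    if missing:
        # Logging item: an incomplete record cannot support the other checks.
        findings.append(f"incomplete log record, missing {missing}")
        return findings
    user, comp = rec["user"], rec["component"]
    if (user, comp) not in MANAGEMENT_AUTHORIZATIONS:
        findings.append(f"{user} -> {comp}: no management authorization on file")
    if comp in SENSITIVE_COMPONENTS and not rec["mfa"]:
        findings.append(f"{user} -> {comp}: sensitive component reached without two-factor")
    return findings


def audit_log(text):
    """Return {line_number: [findings]} for every log line with at least one finding."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        try:
            rec = json.loads(line)
        except json.JSONDecodeError:
            report[n] = ["unparseable log line"]
            continue
        findings = audit_session(rec)
        if findings:
            report[n] = findings
    return report


if __name__ == "__main__":
    print("hosts with unapproved remote access:", hosts_with_unapproved_remote_access(HOST_INVENTORY))
    for line_no, findings in sorted(audit_log(SAMPLE_LOG).items()):
        for f in findings:
            print(f"line {line_no}: {f}")
```

Run against the constructed data, the host check flags branch-pc-17, and the log audit flags carol's session (no authorization and no second factor on a sensitive component), alice's wire-transfer session (no authorization on file) and dave's record (too few fields logged to evaluate). In a real review the inventory and authorization table would be exported from the institution's change-management and access-request systems rather than embedded in the script.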



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

44. If the institution receives information from a nonaffiliated financial institution under an exception in §14 or §15, does the institution refrain from using or disclosing the information except:

a.  to disclose the information to the affiliates of the financial institution from which it received the information; [§11(a)(1)(i)]

b.  to disclose the information to its own affiliates, which are in turn limited by the same disclosure and use restrictions as the recipient institution; [§11(a)(1)(ii)] and

c.  to disclose and use the information pursuant to an exception in §14 or §15 in the ordinary course of business to carry out the activity covered by the exception under which the information was received? [§11(a)(1)(iii)]

(Note: the disclosure or use described in section c of this question need not be directly related to the activity covered by the applicable exception. For instance, an institution receiving information for fraud-prevention purposes could provide the information to its auditors. But "in the ordinary course of business" does not include marketing. [§11(a)(2)])

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated