R. Kinney Williams
Brought to you by
Yennik, Inc. the acknowledged leader in Internet auditing for financial
August 10, 2008
Your Financial Institution need an affordable Internet security
Yennik, Inc. has clients in 42 states
that rely on
our penetration testing audits
to ensure proper Internet security settings and
meet the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The penetration audit and
Internet security testing is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports. The audit
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give
R. Kinney Williams a call
today at 806-798-7119 or visit
Web site design flaws make banking riskier - Study found design
flaws in 76 percent of the 214 U.S. banking sites - Many U.S. banks
are unwittingly training their online customers to take risks with
their passwords and other sensitive account information, leaving
them more vulnerable to fraud, new research shows.
Bank Back On Hook For Data Theft At BJ's Wholesale - An appeals
court reversed a lower court ruling absolving Fifth Third Bancorp
from paying damages associated with replacing credit cards. A
federal appeals court last week reversed a lower court's order that
credit card processor Fifth Third Bancorp did not have to pay for
new credit cards for some cardholders whose data was stolen during a
2004 hacking incident at BJ's Wholesale Club.
San Francisco Computer Tech Set Booby Trap In City Network -
Prosecutors say Childs set the network to delete numerous files
during a scheduled maintenance of the system. A computer technician
accused of hijacking San Francisco's network built a booby trap that
was set to delete numerous files during a scheduled maintenance of
the system, prosecutors say.
'Hijacked' SF passwords made public - Posted by Jennifer Guevin 18
commentsShare Email Print Only days after the city of San Francisco
regained control of its computer network after an alleged hijacking,
a new vulnerability has come to light--this time brought on by the
city itself. The San Francisco district attorney's office has
apparently made public nearly 150 usernames and passwords used by
city officials to gain access to the city's network.
GAO - Electronic Health Records: DOD and VA Have Increased Their
Sharing of Health Information, but More Work Remains.
GAO - Federal Agency Efforts to Encrypt Sensitive Information Are
Under Way, but Work Remains.
Veterans Affairs: Health Information System Modernization Far from
Complete; Improved Project Planning and Oversight Needed.
GAO - Federal Information System Controls Audit Manual (FISCAM)
Exposure Draft -
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
Fraud probe shuts airport kiosks - Ottawa wants answers about misuse
of credit-card information at self-service counters - WestJet has
stopped allowing customers to check in with their credit cards at
the self-service kiosks in 28 Canadian airports, as the federal
Transport Minister seeks answers in the wake of an investigation
into the security of the kiosks.
9 Mil. Stolen Files Traded by Loan Ring - Some 9 million files of
Korean credit information stolen by a Chinese hacker ended up back
in Korea and were illegally sold and distributed to Korean loan
firms, police say.
Local Medical Clinic Patients Among 500 Victimized In Major Identity
Theft Ring - Sheriff's detectives are looking for a Fort Bend County
medical clinic employee believed to have contributed patient
information to a major area identity theft ring.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
OCC - Threats from Fraudulent Bank Web Sites - Risk Mitigation
and Response Guidance for Web Site Spoofing Incidents (Part 5 of
5) Next week
we will begin our series on the FFIEC Authentication in an
Internet Banking Environment.
PROCEDURES TO ADDRESS SPOOFING - Contact the
OCC and Law Enforcement Authorities
If a bank is the target of a spoofing incident, it should promptly
notify its OCC supervisory office and report the incident to the FBI
and appropriate state and local law enforcement authorities. Banks
can also file complaints with the Internet Fraud Complaint Center
a partnership of the FBI and the National White Collar Crime Center.
In order for law enforcement authorities to respond effectively to
spoofing attacks, they must be provided with information necessary
to identify and shut down the fraudulent Web site and to investigate
and apprehend the persons responsible for the attack. The data
discussed under the "Information Gathering" section should meet this
In addition to reporting to the bank's supervisory office and law
enforcement authorities, there are other less formal mechanisms that
a bank can use to report these incidents and help combat fraudulent
activities. For example, banks can use "Digital Phishnet" (http://www.digitalphishnet.com/),
which is a joint initiative of industry and law enforcement designed
to support apprehension of perpetrators of phishing-related crimes,
including spoofing. Members of Digital Phishnet include ISPs,
online auction services, financial institutions, and financial
service providers. The members work closely with the FBI, Secret
Service, U.S. Postal Inspection Service, Federal Trade Commission
(FTC), and several electronic crimes task forces around the country
to assist in identifying persons involved in phishing-type crimes.
Finally, banks can forward suspicious e-mails to the FTC at
email@example.com. For more
information on how the FTC can assist in combating phishing and
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY -
continue our series on the FFIEC interagency Information Security
CONTROLS - IMPLEMENTATION -
Network security requires effective implementation of several
control mechanisms to adequately secure access to systems and data.
Financial institutions must evaluate and appropriately implement
those controls relative to the complexity of their network. Many institutions have increasingly complex and dynamic
networks stemming from the growth of distributed computing.
Security personnel and network administrators have related but
distinct responsibilities for ensuring secure network access across
a diverse deployment of interconnecting network servers, file
servers, routers, gateways, and local and remote client
workstations. Security personnel typically lead or assist in the development
of policies, standards, and procedures, and monitor compliance. They
also lead or assist in incident-response efforts.
Network administrators implement the policies, standards, and
procedures in their day-to-day operational role.
Internally, networks can host or provide centralized access to
mission-critical applications and information, making secure
access an organizational priority. Externally, networks integrate
institution and third-party applications that grant customers and
insiders access to their financial information and Web-based
services. Financial institutions that fail to restrict access
properly expose themselves to increased transaction, reputation, and
compliance risk from threats including the theft of customer
information, data alteration, system misuse, or denial-of-service attacks.
Return to the top of the
17. Determine whether remote access devices and network access
points for remote equipment are appropriately controlled.
• Remote access is disabled by default, and enabled only by
• Management authorization is required for each user who accesses
sensitive components or data remotely.
• Authentication is of appropriate strength (e.g., two - factor
for sensitive components).
• Modems are authorized, configured and managed to appropriately
• Appropriate logging and monitoring takes place.
• Remote access devices are appropriately secured and controlled
by the institution.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
institution receives information from a nonaffiliated financial
institution under an exception in §14 or §15, does the institution
refrain from using or disclosing the information except:
a. to disclose the information to the affiliates of the
financial institution from which it received the information; [§11(a)(1)(i)]
b. to disclose the information to its own affiliates, which
are in turn limited by the same disclosure and use restrictions as
the recipient institution; [§11(a)(1)(ii)] and
c. to disclose and use the information pursuant to an
exception in §14 or §15 in the ordinary course of business to
carry out the activity covered by the exception under which the
information was received? [§11(a)(1)(iii)]
(Note: the disclosure or use described in section c of
this question need not be directly related to the activity covered
by the applicable exception. For instance, an institution receiving
information for fraud-prevention purposes could provide the
information to its auditors. But "in the ordinary course of
business" does not include marketing. [§11(a)(2)])
|PLEASE NOTE: Some
of the above links may have expired, especially those from news
organizations. We may have a copy of the article, so please e-mail
us at firstname.lastname@example.org if we
can be of assistance.