FYI - Consumer advocates to fight NZ Banking code -
Internet advocacy group InternetNZ and the NZ Consumers' Institute
have both come out swinging over the New Zealand Bankers
Association's decision to allow victims of Internet banking fraud to
be potentially held liable for losses.
http://www.zdnet.com.au/news/security/soa/Consumer-advocates-to-fight-NZ-Banking-code/0,130061744,339280486,00.htm
FYI - Jared Ilovar's statement -
Text of his e-mail to 'The Dispatch' - I would like to respond to
the recent articles in various newspapers regarding the data tape
theft, data breach, and the decision to terminate my employment as
an intern.
http://www.dispatch.com/dispatch/content/local_news/stories/2007/07/25/ilovar_email.html
FYI - Tutor sent to jail over ID
fraud - Eni Oyegoke has been told he faces deportation after prison
release - A university tutor who taught students about computer
security and identity theft has been jailed for two years for
identity fraud offences.
http://news.bbc.co.uk/2/hi/uk_news/wales/south_east/6917965.stm
FYI - Software engineer held for
cyber crime - The Cyber Crime Cell of the CID Crime Branch on Friday
arrested a former employee of an information technology (IT) company
on charges of hacking into the server and stealing confidential
data.
http://www.hinduonnet.com/thehindu/thscrip/print.pl?file=2007072959470300.htm&date=2007/07/29/&prd=th&
MISSING COMPUTERS/DATA
FYI - Auditors can't locate VA
computer equipment - More than a quarter of the computer equipment
at the Veterans Affairs Medical Center in Washington could not be
found by investigators, government auditors reported.
http://www.govexec.com/story_page.cfm?articleid=37563
FYI - Newcastle council credit
card file lifted - Newcastle City Council has compromised private
details of up to 54,000 people who made payments to it by credit or
debit card between February 2006 and April 2007.
http://www.theregister.co.uk/2007/07/26/newcastle_council_credit_card_leak/print.html
FYI - Fidelity Nat'l widens
scope of theft - Fidelity National Information Services Inc.
believes a former employee stole 8.5 million consumer records from
the check authorizing company, more than 3 times the original
estimate, according to a regulatory filing.
http://money.cnn.com/news/newsfeeds/articles/newstex/AFX-0013-18404346.htm
http://www.pcworld.com/article/id,135117/article.html?tk=nl_dnxnws
FYI - Yuba County data stolen -
Child-services computer had private info on 70,000 people - Yuba
County scrambled this week to contact 70,000 people whose names and
personal information were on a laptop computer stolen from the new
Child Support Services office in Linda.
http://www.appeal-democrat.com/news/county_51837___article.html/information_brown.html
FYI - 5,000 student loan
customers' info on stolen laptop - The theft of one laptop computer
has resulted in compromising the personal information of more than
5,000 student loan customers.
http://www.post-gazette.com/pg/07208/804836-96.stm
FYI - Virginia Beach Employees'
Identities Compromised After Fraud Investigation - Virginia Beach
investigators are urging certain school and city employees to be on
the lookout for any sign of identity theft after a police
investigation revealed compromised personal information from a
benefit plan.
http://www.wtkr.com/Global/story.asp?S=6850947
FYI - Aflac Reports Laptop
Detailing 152,000 Clients Stolen - Aflac Inc., the world's largest
seller of supplemental health insurance, said a laptop containing
information on 152,000 customers in Japan was stolen from an
employee of an insurance agency there.
http://www.bloomberg.com/apps/news?pid=20601101&sid=afw8zxz12Koo
FYI - City Harvest Says Donor
Information Could Be At Risk After Security Breach - It's a
charitable organization dedicated to reaching out to hungry New
Yorkers, but after a potential breach of the organization's
information system City Harvest is also reaching out to its donors
with a warning that their personal information may have been
compromised.
http://www.ny1.com/ny1/content/index.jsp?stid=8&aid=72018
FYI - Marines' personal data
exposed on Web - Some Marines' personal information, including names
and Social Security numbers, was inadvertently posted online
recently, exposing more than 10,000 leathernecks to potential
identity theft, the Corps announced.
http://www.marinecorpstimes.com/news/2007/07/marine_data_exposed_070726/
WEB SITE COMPLIANCE -
We begin this week
reviewing the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques." (Part 1 of
10)
A. RISK DISCUSSION
Introduction
A significant number of financial institutions regulated by the
financial institution regulatory agencies (Agencies) maintain sites
on the World Wide Web. Many of these websites contain weblinks to
other sites not under direct control of the financial institution.
The use of weblinks can create certain risks to the financial
institution. Management should be aware of these risks and take
appropriate steps to address them. The purpose of this guidance is
to discuss the most significant risks of weblinking and how
financial institutions can mitigate these risks.
When financial institutions use weblinks to connect to third-party
websites, the resulting association is called a "weblinking
relationship." Financial institutions with weblinking relationships
are exposed to several risks associated with the use of this
technology. The most significant risks are reputation risk and
compliance risk.
Generally, reputation risk arises when a linked third party
adversely affects the financial institution's customer and, in turn,
the financial institution, because the customer blames the financial
institution for problems experienced. The customer may be under a
misimpression that the institution is providing the product or
service, or that the institution recommends or endorses the
third-party provider. More specifically, reputation risk could arise
in any of the following ways:
- customer confusion in
distinguishing whether the financial institution or the linked
third party is offering products and services;
- customer dissatisfaction
with the quality of products or services obtained from a third
party; and
- customer confusion as to
whether certain regulatory protections apply to third-party
products or services.
INFORMATION TECHNOLOGY SECURITY - We continue our
coverage of the FDIC's "Guidance on Managing Risks Associated With
Wireless Networks and Wireless Customer Access."
Part II. Risks Associated with Wireless Internet Devices
As wireless Internet devices become more prevalent in the
marketplace, financial institutions are adopting wireless
application technologies as a channel for reaching their customers.
Wireless Internet services are becoming available in major cities
across the United States. Through wireless banking applications, a
financial institution customer could access account information and
perform routine non-cash transactions without having to visit a
branch or ATM.
The wireless Internet devices available today present attractive
methods for offering and using financial services. Customers have
access to financial information from anywhere they can receive
wireless Internet access. Many of the wireless devices have built-in
encryption through industry-standard encryption methods. This
encryption has its limits based on the processing capabilities of
the device and the underlying network architecture.
A popular standard for offering wireless applications is through the
use of the Wireless Application Protocol (WAP). WAP is designed to
bring Internet application capabilities to some of the simplest user
interfaces. Unlike the Web browser that is available on most
personal computer workstations, the browser in a wireless device
(such as a cell phone) has a limited display that in many cases can
provide little, if any, graphical capabilities. The interface is
also limited in the amount of information that can be displayed
easily on the screen. Further, the user is limited by the keying
capabilities of the device and often must resort to many key presses
for simple words.
The limited processing capabilities of these devices restrict the
robustness of the encryption applied to network transmissions. Effective
encryption is, by nature, processing-intensive and often requires
complex calculations. The time required to complete the encryption
calculations on a device with limited processing capabilities may
result in unreasonable delays for the device's user. Therefore,
simpler encryption algorithms and smaller keys may be used to speed
the process of obtaining access.
WAP is an evolving protocol. The most recent specification of WAP (WAP
2.0 - July 2001) offers the capability of encrypting network
conversations all the way from the WAP server (at the financial
institution) to the WAP client (the financial institution customer).
Unfortunately, WAP 2.0 has not yet been fully adopted by vendors
that provide the building blocks for WAP applications. Previous
versions of WAP provide encryption between the WAP client and a WAP
gateway (owned by the Wireless Provider). The WAP gateway then must
re-encrypt the information before it is sent across the Internet to
the financial institution. Therefore, sensitive information is
available at the wireless provider in an unencrypted form. This
limits the financial institution's ability to provide appropriate
security over customer information.
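As an added illustration of the gateway hop described above (this is not part of the FDIC guidance), a toy Python model: the pre-2.0 path decrypts and re-encrypts at the carrier's gateway, so the gateway handles the customer's data in the clear, while the WAP 2.0 path keeps a single key from handset to institution. The cipher, keys and party names are constructed stand-ins, not WTLS or TLS.

```python
# Added illustration (not from the FDIC guidance): a toy model of the
# "WAP gap". The stream cipher is HMAC-SHA256 in counter mode, a
# stand-in for the WTLS/TLS ciphers, and is not a real protocol.
import hashlib
import hmac
import os

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy symmetric cipher: XOR data with an HMAC-SHA256 keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)            # fresh nonce prefixed to the ciphertext
    return nonce + _xor_stream(key, nonce, plaintext)

def decrypt(key: bytes, blob: bytes) -> bytes:
    return _xor_stream(key, blob[:16], blob[16:])

def wap1_via_gateway(msg: bytes) -> dict:
    """Pre-2.0 WAP: handset<->gateway key, then gateway<->bank key."""
    k_wtls = os.urandom(32)           # shared by handset and carrier gateway
    k_tls = os.urandom(32)            # shared by carrier gateway and bank
    seen = {"client": msg}            # bytes each party handles
    hop1 = encrypt(k_wtls, msg)       # handset -> gateway
    at_gateway = decrypt(k_wtls, hop1)  # gateway must decrypt ...
    seen["gateway"] = at_gateway
    hop2 = encrypt(k_tls, at_gateway)   # ... and re-encrypt for the bank
    seen["bank"] = decrypt(k_tls, hop2)
    return seen

def wap2_end_to_end(msg: bytes) -> dict:
    """WAP 2.0 model: one key from handset to the institution's server."""
    k_e2e = os.urandom(32)            # shared only by handset and bank
    seen = {"client": msg}
    blob = encrypt(k_e2e, msg)        # handset -> gateway (relay only) -> bank
    seen["gateway"] = blob            # gateway sees ciphertext only
    seen["bank"] = decrypt(k_e2e, blob)
    return seen

def plaintext_exposed_to(model, msg: bytes) -> list:
    """Names of the parties that handled the message unencrypted."""
    return sorted(p for p, data in model(msg).items() if data == msg)
```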
IT SECURITY QUESTION:
Internet connection to the network:
a. Is there an Internet use policy?
b. Are employees required to sign that they have read the Internet
use policy?
c. Is there an Internet security policy?
d. Is Internet access given to all employees?
e. Is a password required to access the Internet?
f. Is Internet access analog?
g. Is Internet access DSL, cable, or secure T1 line?
h. Is there a firewall (hardware or software) between the Internet
and the network?
i. Is there an intrusion detection system?
j. Do all employees have e-mail privileges?
k. Is penetration-vulnerability testing performed?
l. Is there an anti-virus program on the network servers and
is the program current?
m. Is there an Internet activity report that is regularly reviewed?
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Examination Procedures (Part 1 of 3)
A. Through discussions with management and review of available
information, identify the institution's information sharing
practices (and changes to those practices) with affiliates and
nonaffiliated third parties; how it treats nonpublic personal
information; and how it administers opt-outs. Consider the following
as appropriate:
1) Notices (initial, annual, revised, opt out, short-form, and
simplified);
2) Institutional privacy policies and procedures, including
those to:
a) process requests for nonpublic
personal information, including requests for aggregated data;
b) deliver notices to consumers;
c) manage consumer opt out directions (e.g., designating files,
allowing a reasonable time to opt out, providing new opt out and
privacy notices when necessary, receiving opt out directions,
handling joint account holders);
d) prevent the unlawful disclosure
and use of the information received from nonaffiliated financial
institutions; and
e) prevent the unlawful disclosure of
account numbers;
3) Information sharing agreements between the institution and
affiliates and service agreements or contracts between the
institution and nonaffiliated third parties either to obtain or
provide information or services;
4) Complaint logs, telemarketing scripts, and any other
information obtained from nonaffiliated third parties (Note: review
telemarketing scripts to determine whether the contractual terms set
forth under section 13 are met and whether the institution is
disclosing account number information in violation of section 12);
5) Categories of nonpublic personal information collected from
or about consumers in obtaining a financial product or service
(e.g., in the application process for deposit, loan, or investment
products; for an over-the-counter purchase of a bank check; from
E-banking products or services, including the data collected
electronically through Internet cookies; or through ATM
transactions);
6) Categories of nonpublic personal information shared with,
or received from, each nonaffiliated third party;
7) Consumer complaints regarding the treatment of nonpublic
personal information, including those received electronically;
8) Records that reflect the bank's categorization of its
information sharing practices under Sections 13, 14, 15, and outside
of these exceptions; and
9) Results of a 501(b) inspection (used to determine the
accuracy of the institution's privacy disclosures regarding data
security).