R. Kinney Williams
Yennik, Inc.
Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.
August 17, 2008
Does your financial institution need an affordable Internet security audit?
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI -
Beijing Olympic ticket scam shut down - The U.S. federal courts shut
down two websites that claimed to sell tickets to the Beijing
Olympics, but instead scammed unsuspecting sports fans.
http://www.scmagazineus.com/Beijing-Olympic-ticket-scam-shut-down/article/113433/?DCMP=EMC-SCUS_Newswire
FYI -
Seven in 10 government mobile devices unencrypted - Only 30 percent of
laptop computers and handheld devices are encrypted at 24 major
federal agencies, while six federal agencies' encryption
installations may not work as intended, according to the Government
Accountability Office.
http://www.gcn.com/online/vol1_no1/46758-1.html?topic=security&CMP=OTC-RSS
FYI -
Missing: 4,000 laptops a week in European airports - Research
released today by the Ponemon Institute on behalf of Dell reveals
that nearly 4,000 laptops are lost or go missing in Europe's major
airports every week.
http://www.siliconrepublic.com/news/article/11124/cio/missing-4-000-laptops-a-week-in-european-airports
FYI -
Online threats materializing faster, study shows - The bad guys on
the Internet are narrowing the time frame they need to unleash
computer attacks that take advantage of publicly disclosed security
holes, new research shows.
http://news.smh.com.au/technology/online-threats-materializing-faster-study-shows-20080729-3mhx.html
FYI -
Firewall vendors scramble to fix problem with DNS patch - Some
programs don't play nice with others - Nearly a month after a
critical flaw in the Internet's Domain Name System was first
reported, vendors of some of the most widely used firewall software
packages are scrambling to fix a problem that can essentially undo
portions of the patches that address this bug.
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9111500&intsrc=hm_ts_head
FYI -
Ring responsible for TJX mega-breach, eight others, busted - Federal
authorities have busted the criminal ring responsible for the
largest hacking and identity theft case in history. On Tuesday,
authorities charged 11 people with stealing more than 40 million
credit and debit card numbers from Framingham, Mass.-based TJX and
eight other retailers. These included some of the largest reported
hacks of all time, including BJ's Wholesale Club and DSW.
http://www.scmagazineus.com/Ring-responsible-for-TJX-mega-breach-eight-others-busted/article/113415/?DCMP=EMC-SCUS_Newswire
ATTACKS, INTRUSIONS, DATA THEFT & LOSS
FYI -
Computer breach at UT Dallas may have exposed students' personal
info - A computer network attack at the University of Texas at
Dallas may have exposed Social Security numbers and other personal
information for 9,100 individuals, school officials said.
http://www.dallasnews.com/sharedcontent/dws/dn/latestnews/stories/080108dnmetUTD.1f0bd372.html
FYI -
DNS exploit haunts researcher - A security researcher who helped to
develop a DNS exploit is seeing the implications firsthand after an
attack on a local ISP resulted in traffic redirections for his
company.
http://www.vnunet.com/vnunet/news/2222925/dns-exploit-comes-back
FYI -
Countrywide insider stole mortgage applicants' data, FBI says - The
former employee and a suspected accomplice are arrested. As many as
2 million customers' information was allegedly targeted. The FBI on
Friday arrested a former Countrywide Financial Corp. employee and
another man in an alleged scheme to steal and sell sensitive
personal information, including Social Security numbers, of as many
as 2 million mortgage applicants.
http://www.latimes.com/business/la-fi-arrest2-2008aug02,0,7330731.story
http://www.sfgate.com/cgi-bin/article.cgi?f=/n/a/2008/08/01/state/n171240D95.DTL
FYI -
Los Gatos Police Arrest Lunardi's ATM Suspect - San Jose man held on
$1 million bail - Los Gatos/Monte Sereno Police arrested Raymond Kurt
Fisher, 37, on July 31 in connection with a compromised ATM card
reader at Lunardi's Supermarket, 720 Blossom Hill Rd. Some 250 ATM
card PIN numbers were stolen in March and April of this year. Cash
was withdrawn from many of those accounts, mostly in Southern
California, and the total loss currently stands at approximately
$300,000.
http://losgatosobserver.com/los-gatos/Article.php?article_id=0957
http://www.mercurynews.com/crime/ci_10077253
WEB SITE COMPLIANCE - Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes (Part 1 of 3)
E-mail and Internet-related fraudulent schemes, such as "phishing"
(pronounced "fishing"), are being perpetrated with increasing
frequency, creativity and intensity. Phishing involves the use of
seemingly legitimate e-mail messages and Internet Web sites to
deceive consumers into disclosing sensitive information, such as
bank account information, Social Security numbers, credit card
numbers, passwords, and personal identification numbers (PINs). The
perpetrator of the fraudulent e-mail message may use various means
to convince the recipient that the message is legitimate and from a
trusted source with which the recipient has an established business
relationship, such as a bank. Techniques such as a false "from"
address or the use of seemingly legitimate bank logos, Web links and
graphics may be used to mislead e-mail recipients.
In most phishing schemes, the fraudulent e-mail message will request
that recipients "update" or "validate" their financial or personal
information in order to maintain their accounts, and direct them to
a fraudulent Web site that may look very similar to the Web site of
the legitimate business. These Web sites may include copied or
"spoofed" pages from legitimate Web sites to further trick consumers
into thinking they are responding to a bona fide request. Some
consumers will mistakenly submit financial and personal information
to the perpetrator who will use it to gain access to financial
records or accounts, commit identity theft or engage in other
illegal acts.
The Federal Deposit Insurance Corporation (FDIC) and other
government agencies have also been "spoofed" in the perpetration of
e-mail and Internet-related fraudulent schemes. For example, in
January 2004, a fictitious e-mail message that appeared to be from
the FDIC was widely distributed, and it told recipients that their
deposit insurance would be suspended until they verified their
identity. The e-mail message included a hyperlink to a fraudulent
Web site that looked similar to the FDIC's legitimate Web site and
asked for confidential information, including bank account
information.
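The two misleading techniques named above, a false "from" address and a link whose visible text names the institution while its target does not, can be checked mechanically. This is an added example, not part of the FDIC guidance; the sample message, the placeholder domains and the trusted-domain list are constructed.

```python
import re
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the FDIC-lookalike message described above; placeholder domains.
SAMPLE_FROM = "FDIC Customer Service <alerts@fdic-verify-account.example>"
SAMPLE_BODY = ('<p>Verify your identity at <a href="http://www.fdic.gov.verify-now.example/login">'
               'www.fdic.gov</a> or see <a href="http://www.fdic.gov/">our site</a>.</p>')
TRUSTED = {"fdic.gov"}  # assumed: the institution's own registrable domains

class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML e-mail body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):  # crude 'fdic.gov' from 'www.fdic.gov'; no public-suffix list
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()

def find_lookalike_links(html_body, trusted):
    """Links whose visible text names a trusted domain but whose href goes elsewhere."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        if registrable(host) in trusted:
            continue  # genuinely points at the institution
        shown = re.search(r"[a-z0-9-]+(?:\.[a-z0-9-]+)+", text.lower())
        if shown and registrable(shown.group(0)) in trusted:
            findings.append((href, shown.group(0)))
    return findings

def from_header_mismatch(from_header, trusted):
    """True when the display name claims a trusted institution but the address domain is not one."""
    name, addr = parseaddr(from_header)
    claims = any(d.split(".")[0] in name.lower() for d in trusted)
    return claims and registrable(addr.rsplit("@", 1)[-1]) not in trusted
```

The registrable-domain helper is deliberately crude; a production filter would use a public-suffix list and also inspect the Received headers rather than only the From line.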
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS
Network Configuration
Computer networks often extend connectivity far beyond the financial
institution and its data center. Networks provide system access and
connectivity between business units, affiliates, TSPs, business
partners, customers, and the public. This increased connectivity
requires additional controls to segregate and restrict access
between various groups and information users.
A typical approach to securing a large network involves dividing the
network into logical security domains. A logical security domain is
a distinct part of a network with security policies that differ from
other domains. The differences may be far broader than network
controls, encompassing personnel, host, and other issues.
Typical network controls that distinguish security domains include
access control software permissions, dedicated lines, filtering
routers, firewalls, remote-access servers, and virtual private
networks. This booklet will discuss additional access controls
within the applications and operating systems residing on the
network in other sections. Before selecting the appropriate
controls, financial institutions should map and configure the
network to identify and control all access control points. Network
configuration considerations could include the following actions:
- Identifying the various applications and user-groups accessed via the network;
- Identifying all access points to the network including various telecommunications channels (e.g., wireless, Ethernet, frame relay, dedicated lines, remote dial-up access, extranets, Internet);
- Mapping the internal and external connectivity between various network segments;
- Defining minimum access requirements for network services (i.e., most often referenced as a network services access policy); and
- Determining the most appropriate network configuration to ensure adequate security and performance.
With a clear understanding of network connectivity, the financial
institution can avoid introducing security vulnerabilities by
minimizing access to less-trusted domains and employing encryption
for less secure connections. Institutions can then determine the
most effective deployment of protocols, filtering routers,
firewalls, gateways, proxy servers, and/or physical isolation to
restrict access. Some applications and business processes may
require complete segregation from the corporate network (e.g., no
connectivity between corporate network and wire transfer system).
Others may restrict access by placing the services that must be
accessed by each zone in their own security domain, commonly called
a "demilitarized zone" (DMZ).
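As an added example (not from the FFIEC booklet), the security-domain model above expressed as a default-deny network services access policy, with a checker for the requirements the text states: specific services rather than blanket access, Internet traffic terminating only in the DMZ, and complete segregation of the wire transfer system. The domain names, services and rules are constructed.

```python
from collections import namedtuple

# Logical security domains as in the text: the public Internet, a DMZ holding the services
# each zone must reach, the corporate network, and a fully segregated wire transfer system.
DOMAINS = {"internet", "dmz", "corporate", "wire_transfer"}
SEGREGATED = {"wire_transfer"}  # no connectivity to any other domain at all

Rule = namedtuple("Rule", "src dst service")

# Constructed network services access policy: allow rules only; anything unlisted is denied.
POLICY = [
    Rule("internet", "dmz", "https"),
    Rule("corporate", "dmz", "https"),
    Rule("corporate", "dmz", "smtp"),
    Rule("dmz", "corporate", "ldaps"),
]

# Constructed counter-example: two rules an examiner should reject.
BAD_POLICY = POLICY + [
    Rule("corporate", "wire_transfer", "ssh"),   # breaches segregation
    Rule("internet", "corporate", "any"),        # bypasses the DMZ, and 'any' is not minimal
]

def is_permitted(policy, src, dst, service):
    """Default-deny evaluation: a flow is allowed only by an explicit matching rule."""
    return any(r.src == src and r.dst == dst and r.service == service for r in policy)

def policy_violations(policy):
    """Return the configuration requirements from the text that each rule breaks."""
    problems = []
    for r in policy:
        if r.src not in DOMAINS or r.dst not in DOMAINS:
            problems.append(f"{r}: unknown security domain")
        if r.service == "any":
            problems.append(f"{r}: 'any' exceeds the minimum access requirement for the service")
        if (r.src in SEGREGATED or r.dst in SEGREGATED) and r.src != r.dst:
            problems.append(f"{r}: breaches complete segregation")
        if r.src == "internet" and r.dst != "dmz":
            problems.append(f"{r}: Internet may only reach services placed in the DMZ")
    return problems
```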
IT SECURITY QUESTION:
B. NETWORK SECURITY
18. Determine whether an appropriate archive of boot disks, distribution media, and security patches exists.
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
45. If the institution receives information from a
nonaffiliated financial institution other than under an exception in
§14 or §15, does the institution refrain from disclosing the
information except:
a. to the affiliates of the financial institution from which
it received the information; [§11(b)(1)(i)]
b. to its own affiliates, which are in turn limited by the
same disclosure restrictions as the recipient institution; [§11(b)(1)(ii)] and
c. to any other person, if the disclosure would be lawful if
made directly to that person by the institution from which the
recipient institution received the information? [§11(b)(1)(iii)]
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.