R. Kinney Williams - Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

August 21, 2011

CONTENTS: Internet Compliance - Information Systems Security - Internet Privacy - Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit takes a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


Spending less than 5 minutes a week along with a cup of coffee, you can monitor your IT security as required by the FDIC, OCC, FRB, FFIEC, NCUA, NIST, GLBA, HIPAA, and IT best practices.  For more information visit http://www.yennik.com/it-review/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - GAO - Federal Deposit Insurance Corporation Has Made Progress, but Further Actions Are Needed to Protect Financial Data.
Release - http://www.gao.gov/products/GAO-11-708
Highlights - http://www.gao.gov/highlights/d11708high.pdf

FYI - SF Bay Area transit police cut mobile service to thwart protest - Agency said safety concerns drove decision to shut down services - The agency that runs the commuter trains that rumble beneath San Francisco each day hit the panic button Thursday night, cutting off mobile-phone service to hundreds of thousands of commuters in an effort to thwart a protest that was expected to snarl up the evening commute. http://www.computerworld.com/s/article/9219158/SF_Bay_Area_transit_police_cut_mobile_service_to_thwart_protest?taxonomyId=17 

FYI - AT&T sues two over scheme to steal customer data - AT&T has accused two Utah men of carrying out a data mining scheme, using automatic dialing programs to harvest information from its customer database and costing the company more than $6.5 million. http://www.scmagazineus.com/att-sues-two-over-scheme-to-steal-customer-data/article/209763/?DCMP=EMC-SCUS_Newswire

FYI - Voicemail hacking: Does the current technology make it too easy? - In the past few weeks, there has been a tremendous amount of news coverage of alleged voicemail hacking in both England and the United States by reporters and associates purportedly helping them gather information for stories. http://www.scmagazineus.com/voicemail-hacking-does-the-current-technology-make-it-too-easy/article/209729/?DCMP=EMC-SCUS_Newswire

ATTACKS, INTRUSIONS, DATA THEFT & LOSS

FYI - Hackers steal, sell 92,000 Citigroup accounts - More than 92,000 accounts held by Citigroup's Citi Cards Japan have been stolen and sold illegally to a third party. http://www.scmagazine.com.au/News/266471,hackers-steal-sell-92000-citigroup-accounts.aspx 

FYI - Hack on Hong Kong Stock Exchange disrupts trading - 'Malicious attack' keeps traders in dark - Hackers took down a website belonging to the Hong Kong Stock Exchange, prompting Asia's third-largest securities exchange to suspend trading in the shares of London-based HSBC and six other companies. http://www.theregister.co.uk/2011/08/10/hong_kong_stock_exchange_hack/

FYI - UWM computers hacked; data on 75,000 exposed - A computer system at the University of Wisconsin-Milwaukee was hacked and bugged with malicious software, potentially exposing the names and Social Security numbers of about 75,000 students, faculty and staff, the school announced Wednesday.
http://www.jsonline.com/news/milwaukee/127459128.html
http://www.scmagazineus.com/college-server-infected-possibly-to-steal-research-data/article/209528/?DCMP=EMC-SCUS_Newswire

FYI - Fraudster jailed for stealing $57,000 by leveraging Facebook - A 33-year-old stole £35,000 ($57,000) over two years from his neighbors by figuring out the answers to the security questions on their bank accounts. http://www.zdnet.com/blog/facebook/fraudster-jailed-for-stealing-57000-by-leveraging-facebook/2652

FYI - Software maker fingered in Korean hackocalypse - ESTsoft flub spawns nation's worst breach - A devastating attack that exposed the personal information of 35 million South Koreans was perpetrated after hackers breached the security of popular software provider ESTsoft and planted malicious code on one of its update servers, it was widely reported Thursday. http://www.theregister.co.uk/2011/08/12/estsoft_korean_megahack/

FYI - FTC fines children's app maker $50K for privacy violation - In its first settlement related to deceptive mobile applications, the Federal Trade Commission has ordered an app maker to pay $50,000 to settle claims that its program illegally collected and disclosed the personal data of tens of thousands of children. http://www.scmagazineus.com/ftc-fines-childrens-app-maker-50k-for-privacy-violation/article/209707/?DCMP=EMC-SCUS_Newswire


WEB SITE COMPLIANCE - This week continues our series on the FDIC's Supervisory Policy on Identity Theft (Part 2 of 6)

Characteristics of Identity Theft

At this time, the majority of identity theft is committed using hard-copy identification or other documents obtained from the victim without his or her permission. A smaller, but significant, amount of identity theft is committed electronically via phishing, spyware, hacking and computer viruses.  Financial institutions are among the most frequent targets of identity thieves since they store sensitive information about their customers and hold customer funds in accounts that can be accessed remotely and transferred electronically.

Identity theft may harm consumers in several ways. First, an identity thief may gain access to existing accounts maintained by consumers and either transfer funds out of deposit accounts or incur charges to credit card accounts. Identity thieves may also open new accounts in the consumer's name, incur expenses, and then fail to pay. This is likely to prompt creditors to attempt to collect payment from the consumer for debts the consumer did not incur. In addition, inaccurate adverse information about the consumer's payment history may prevent the consumer from obtaining legitimate credit when he or she needs it. An identity theft victim can spend months or years attempting to correct errors in his or her credit record.



INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.

SECURITY CONTROLS - IMPLEMENTATION - NETWORK ACCESS

Stateful Inspection Firewalls

Stateful inspection firewalls are packet filters that also track the state of each TCP connection.  Every TCP session begins with a three-way handshake (SYN, SYN-ACK, ACK) signalled by flags in the TCP header.  When an inside host opens a connection, the firewall records the connection (source and destination addresses and ports, plus the handshake state) in a state table, and it then compares each later packet against that table.  Inbound packets are admitted only when they match an entry, which verifies that inbound traffic is a response to a request initiated from inside the firewall; an unsolicited inbound SYN, or an inbound ACK that matches no entry, is dropped.  The state table says nothing about the payload, so an allowed connection can still carry malicious content; that gap is what application proxies address.
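The following is an added illustration of the state-table logic described above; it is not code from the FFIEC booklet or from Yennik, Inc.  It assumes 10.0.0.0/24 is the protected inside network, represents packets as plain records rather than real IP headers, and runs a constructed sequence of packets through the filter: an unsolicited inbound SYN and a stateless inbound ACK (an ACK-scan probe) are dropped, an inside-initiated HTTPS handshake is tracked to ESTABLISHED, the server's data is admitted, and an inbound packet to a port with no table entry is dropped.

```python
"""Toy stateful-inspection filter (added example, not from the FFIEC booklet).
Tracks the TCP handshake per flow and admits inbound packets only when they
belong to a connection an inside host initiated. Packets are constructed."""
from dataclasses import dataclass

INSIDE_NET = "10.0.0."   # assumption: 10.0.0.0/24 is the protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset      # subset of {"SYN", "ACK", "FIN", "RST"}


def is_inside(ip):
    return ip.startswith(INSIDE_NET)


class StatefulFirewall:
    def __init__(self):
        # (inside_ip, inside_port, outside_ip, outside_port) -> handshake state
        self.table = {}

    def _key(self, pkt):
        # Normalise both directions of a flow to the same table key.
        if is_inside(pkt.src):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport)

    def filter(self, pkt):
        """Return 'ALLOW' or 'DROP' and update the state table."""
        outbound = is_inside(pkt.src)
        key = self._key(pkt)
        state = self.table.get(key)
        f = pkt.flags

        if "RST" in f and state is not None:
            del self.table[key]          # abort tears the entry down
            return "ALLOW"

        if state is None:
            # Only an inside host may open a connection, and only with a bare SYN.
            if outbound and f == {"SYN"}:
                self.table[key] = "SYN_SENT"
                return "ALLOW"
            return "DROP"                # unsolicited inbound, or no matching state

        if state == "SYN_SENT":
            if not outbound and f == {"SYN", "ACK"}:
                self.table[key] = "SYN_RECEIVED"
                return "ALLOW"
            return "DROP"

        if state == "SYN_RECEIVED":
            if outbound and f == {"ACK"}:
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            return "DROP"

        # ESTABLISHED or CLOSING: both directions are allowed. A FIN marks the
        # flow as closing; a real firewall ages such entries out on a timer.
        if "FIN" in f:
            self.table[key] = "CLOSING"
        return "ALLOW"


def run_demo():
    """Run a constructed packet trace through the filter; returns the decisions."""
    fw = StatefulFirewall()
    inside, outside = "10.0.0.5", "203.0.113.9"
    SYN, SYNACK, ACK = frozenset({"SYN"}), frozenset({"SYN", "ACK"}), frozenset({"ACK"})
    trace = [
        Packet(outside, 4444, inside, 445, SYN),       # unsolicited inbound SYN
        Packet(outside, 4444, inside, 445, ACK),       # inbound ACK with no state
        Packet(inside, 51000, outside, 443, SYN),      # inside host opens HTTPS
        Packet(outside, 443, inside, 51000, SYNACK),   # reply matches the table
        Packet(inside, 51000, outside, 443, ACK),      # handshake completes
        Packet(outside, 443, inside, 51000, ACK),      # server data: allowed
        Packet(outside, 443, inside, 51001, ACK),      # wrong port: no entry
    ]
    return [fw.filter(p) for p in trace]


if __name__ == "__main__":
    print(run_demo())
```

The check a practitioner would add in practice is the one this toy omits: entries must expire, since a SYN that never completes or a flow that never sends FIN would otherwise keep its table slot forever and a flood of outbound SYNs would exhaust the table.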

Proxy Server Firewalls

Proxy servers act as an intermediary between internal and external IP addresses and block direct access to the internal network.  Essentially, they rewrite packet headers to substitute the proxy server's IP address for the internal machine's, and they forward traffic in both directions between the internal and external machines, so an outside party only ever sees the proxy.  Because a proxy understands only the application protocols it is built for, proxy servers are commonly deployed behind another firewall device.  The primary firewall receives all traffic, determines which application is being targeted, and hands the traffic off to the appropriate proxy.  Common proxies handle name resolution (DNS), Web (HTTP), and mail (SMTP) traffic.  Proxy servers frequently cache requests and responses, providing potential performance benefits.  Additionally, proxy servers provide another layer of access control by segregating the flow of Internet traffic to support additional authentication and logging capability, as well as content filtering.  Web and e-mail proxies, for example, can filter for potentially malicious code and for application-specific commands that an outside party should not be allowed to issue.
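The following is an added illustration of the proxy behaviour described above (address substitution, blocking of application-specific commands, and logging); it is not code from the FFIEC booklet or from Yennik, Inc.  It models an SMTP proxy with plain message records instead of sockets.  The proxy address, the internal mail host address, the set of allowed SMTP verbs, and the session itself are all assumptions constructed for the example: a command sent directly to the internal host is dropped, a VRFY probe (used to enumerate mailboxes) is refused with a standard SMTP 502 reply, and everything relayed inward carries the proxy's address as its source, as does the reply relayed back out.

```python
"""Toy application-layer (SMTP) proxy (added example, not from the FFIEC
booklet). External clients talk only to the proxy; the proxy re-originates
allowed commands to the internal mail host from its own address, refuses
application commands it considers unsafe, and logs every decision.
Addresses and the session below are constructed."""
from dataclasses import dataclass, field

PROXY_IP = "198.51.100.1"     # assumption: the proxy's externally visible address
INTERNAL_SMTP = "10.0.0.25"   # assumption: the mail host the proxy fronts

# SMTP verbs relayed to the internal host. VRFY and EXPN are refused because they
# let an outsider enumerate valid mailboxes; any unknown verb is refused too.
ALLOWED_VERBS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"}


@dataclass(frozen=True)
class Message:
    src_ip: str
    dst_ip: str
    line: str     # one SMTP command or reply line


@dataclass
class SmtpProxy:
    client_ip: str = None                              # external peer of this session
    log: list = field(default_factory=list)            # audit trail the proxy adds
    to_internal: list = field(default_factory=list)    # what the mail host sees

    def from_client(self, msg):
        """Handle one command from outside.
        Returns ('RELAY', message_to_internal_host),
                ('BLOCK', reply_to_client) or ('DROP', None)."""
        if msg.dst_ip != PROXY_IP:
            # Traffic addressed straight to an internal host is never accepted.
            self.log.append(f"DROP {msg.src_ip} -> {msg.dst_ip} (not via proxy)")
            return ("DROP", None)
        self.client_ip = msg.src_ip
        verb = msg.line.split(" ", 1)[0].upper()
        if verb not in ALLOWED_VERBS:
            self.log.append(f"BLOCK {msg.src_ip} {verb}")
            # Stock SMTP refusal; the internal host never sees the command.
            reply = Message(PROXY_IP, msg.src_ip, "502 5.5.1 Command not implemented")
            return ("BLOCK", reply)
        # Header rewrite: the internal host sees the proxy as the source.
        relayed = Message(PROXY_IP, INTERNAL_SMTP, msg.line)
        self.to_internal.append(relayed)
        self.log.append(f"ALLOW {msg.src_ip} {verb}")
        return ("RELAY", relayed)

    def from_internal(self, msg):
        """Relay a reply from the mail host to the client, again with the
        proxy's own address as source so the internal IP never leaks."""
        return Message(PROXY_IP, self.client_ip, msg.line)


def run_demo():
    """Run a constructed session; returns (decisions, proxy, relayed_reply)."""
    proxy = SmtpProxy()
    client = "203.0.113.7"
    session = [
        Message(client, INTERNAL_SMTP, "EHLO attacker.example"),   # bypass attempt
        Message(client, PROXY_IP, "EHLO mail.example.net"),
        Message(client, PROXY_IP, "VRFY root"),                    # enumeration probe
        Message(client, PROXY_IP, "MAIL FROM:<a@example.net>"),
        Message(client, PROXY_IP, "QUIT"),
    ]
    decisions = [proxy.from_client(m)[0] for m in session]
    reply = proxy.from_internal(Message(INTERNAL_SMTP, PROXY_IP, "221 2.0.0 Bye"))
    return decisions, proxy, reply


if __name__ == "__main__":
    decisions, proxy, reply = run_demo()
    print(decisions)
    print("\n".join(proxy.log))
```

Note the allow-list design: the proxy relays only verbs it knows, so a new or non-standard command is refused by default rather than passed through, which is the property that makes a proxy a stronger control than a packet filter for the protocols it understands.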


INTERNET PRIVACY - We continue our review of the issues in the "Privacy of Consumer Financial Information" published by the financial regulatory agencies.

Opt Out Right and Exceptions:

The Right

Consumers must be given the right to "opt out" of, or prevent, a financial institution from disclosing nonpublic personal information about them to a nonaffiliated third party, unless an exception to that right applies. The exceptions are detailed in sections 13, 14, and 15 of the regulations and described below.

As part of the opt out right, consumers must be given a reasonable opportunity and a reasonable means to opt out. What constitutes a reasonable opportunity to opt out depends on the circumstances surrounding the consumer's transaction, but a consumer must be provided a reasonable amount of time to exercise the opt out right. For example, it would be reasonable if the financial institution allows 30 days from the date of mailing a notice or 30 days after customer acknowledgement of an electronic notice for an opt out direction to be returned. What constitutes a reasonable means to opt out may include check-off boxes, a reply form, or a toll-free telephone number, again depending on the circumstances surrounding the consumer's transaction. It is not reasonable to require a consumer to write his or her own letter as the only means to opt out.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

NEW The Weekly IT Security Review NEW
A weekly email that lets you continuously review
your IT operations throughout the year.

Purchase now for the special inaugural price.

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated