August 20, 2000
FYI - August 17, 2000 - The FBI is investigating a password-stealing scam that may affect online-banking software according to an article at
INTERNET SECURITY - This is the last of three installments covering the NCUA's "best practice" suggestions dealing with Identity Theft prevention. This guidance is based on experience from actual identity theft. Evaluate each suggestion and balance the privacy protection risk with the institution's resources and products to develop privacy protection strategies and policies that are right for your credit union, savings and loans, or bank.
17. Ensure the credit union protects itself from "business identity theft," such as mimic websites that entice your members to believe they are interacting online with the credit union.
18. Adopt secure methods of disposing of sensitive personal information. Consider industrial shredders, locked garbage bins, etc. If disposal is outsourced, assure such companies have strict security procedures. Consider shredding software to delete confidential information from electronic data files.
19. Train designated staff about security procedures in sending sensitive personal information via fax. Such faxes should have a confidential cover letter (prohibiting re-disclosure), and the recipient should be called before sending, and called after, to confirm receipt.
20. Prohibit the transmission of sensitive personal information by voicemail, cellular phones, pagers, answering machines, or e-mail, unless encrypted or sent via a secure network. None of these means of transmission is private or secure.
21. Train customer service or fraud department staff how to work with identity theft victims. By helping the victim clear their record, you will limit your legal exposure to the victim.
22. Don't share, sell, or transmit data about members without their permission. Guarding that information will limit your legal exposure if that information subjects your member to identity theft.
23. Allow your members to inspect and correct their personal information. This practice will not only increase members' trust in your information handling practices, it will improve the accuracy of your files.
24. Take every opportunity to become informed about financial fraud and identity theft. Join a local financial crimes group. Your local police or sheriff's department can inform you of such groups.
INTERNET COMPLIANCE - The biggest problem we are encountering in web site audits has to do with posting or not posting "Member FDIC." The FDIC and NCUA consider every insured depository institution's online system top level page, or "home page", to be an advertisement. Therefore, according to these agencies' interpretation of their rules, financial institutions should display the official advertising statement on their home pages unless subject to one of the exceptions described. Furthermore, each subsidiary page of an on-line system that contains an advertisement should display the official advertising statement unless subject to one of the exceptions.
The official advertising statement should be on all web pages except those web pages that advertise non-deposit products such as stocks, bonds, mutual funds, trust activities, bill paying, etc.
OUR RECOMMENDATION - If your bank has not already written a terms and use statement, we recommend that you write one. The terms and use statement is an understanding between the bank and the visitors to the bank’s web site. The statement should cover various issues such as the insecurity of e-mail, copyright information, trade area, financial calculator disclaimer, non-bank link disclaimer, and other information and/or disclaimers recommended by the bank’s legal counsel. The terms and use statement should be a link off every web page along with your privacy statement.