August 27, 2000
FYI - Three arrested in Britain's first internet bank robbery - http://www.independent.co.uk/news/Digital/Update/2000-08/first230800.shtml
FYI - There are no regulations requiring customers to change their passwords. In fact, most businesses do not "require" customers to change their passwords; instead, they recommend that the customer change the password at least every 90 days, and more often if possible. The recommendation is made to protect the business from liability and from the security problems that can arise when a customer's password is used improperly.
None of the ISPs (AOL, ATT, Swbell, Mindspring, MSN, etc.) "require" customers to change their passwords.
Regularly changing passwords is a sound security procedure. The reason for "requiring" the change is that most users will not change their passwords if given a choice; note that the requirement only helps if the new password is not a trivial variant of the old one. It is easy to "require" employees to change passwords, but "requiring" customers to change passwords is another issue.
INTERNET SECURITY - Over the next few weeks, we will bring you the OCC Bulletin about Infrastructure Threats and Intrusion Risks dated May 15, 2000. This bulletin provides guidance to financial institutions on how to prevent, detect, and respond to intrusions into bank computer systems. Intrusions can originate either inside or outside of the bank and can result in a range of damaging outcomes, including the theft of confidential information, unauthorized transfer of funds, and damage to an institution's reputation.
The prevalence and risk of computer intrusions are increasing as information systems become more connected and interdependent and as banks make greater use of Internet banking services and other remote access devices. Recent e-mail-based computer viruses and the distributed denial-of-service attacks earlier this year revealed that the security of all Internet-connected networks is increasingly intertwined. The number of reported intrusion incidents nearly tripled from 1998 to 1999, according to Carnegie Mellon University's CERT/CC.
Management can reduce a bank's risk exposure by adopting and regularly reviewing its risk assessment plan, risk mitigation controls, intrusion response policies and procedures, and testing processes. This bulletin provides guidance in each of these critical areas and also highlights information-sharing mechanisms banks can use to keep abreast of current attack techniques and potential vulnerabilities.
INTERNET COMPLIANCE - Advertisements
Generally, Internet web sites are considered advertising by the regulatory agencies. In some cases, the regulations contain special rules for multiple-page advertisements. It is not yet clear what would constitute a single "page" in the context of the Internet or on-line text. Thus, institutions should carefully review their on-line advertisements in an effort to minimize compliance risk.
In addition, Internet or other systems in which a credit application can be made on-line may be considered "places of business" under HUD's rules prescribing lobby notices. Thus, institutions may want to consider including the "lobby notice," particularly in the case of interactive systems that accept applications.
PRIVACY STATEMENT - Just a reminder that the new privacy regulations go into effect July 1, 2001.
IN CLOSING - Last month, we had over 10,000 visitors to our web sites. We want to thank you for your continued support.