R. Kinney Williams & Associates
Internet Banking News
October 15, 2006
Does your financial institution need an affordable Internet security penetration-vulnerability test? Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.
FYI - FBI still investigating Bethel server hacking - UAF police asked the FBI to investigate the hacking at the Bethel campus in April, but answers remain elusive into who illegally accessed a server containing personal information for 38,941 current and former students and employees.
http://www.uaf.edu/sunstar/archives/20060926/hacking.html
FYI - New Laws Further Protect New York Consumers from Becoming Victims of Identity Theft - Governor George E. Pataki announced today that he signed three measures into law that will further protect New York's consumers and their privacy. These bills establish the Consumer Communication Records Privacy Act, place limits on the use and disclosure of Social Security account numbers, and further clarify and define what is considered a computer crime.
http://www.state.ny.us/governor/press/06/0926061.html
FYI - Attacks on IM networks continue to rise - Researchers with Akonix Systems' Security Center said that they tracked more attacks on instant messenger (IM) networks in September than in any other month of the year.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061002/596092/
FYI - Poll says few firms encrypt data on mobile devices - Results for a new survey released today found that even though the majority of IT organizations store large amounts of sensitive customer information on their mobile devices, less than a quarter of them have implemented anything beyond basic encryption on these devices.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061002/595595/
FYI - Benefit checks are put at risk - Computer viruses hit; needy clients might miss payments - Viruses have crippled state computers used to track and distribute welfare benefits, sending officials scrambling to fix the equipment and raising concerns among advocates that needy clients could be left without assistance.
http://www.baltimoresun.com/news/local/bal-md.virus30sep30,0,2137404.story?coll=bal-local-headlines
FYI - Credit data stolen at Indian call centres - Credit card data, along with passport and driving licence numbers, are being stolen from call centres in India and sold to the highest bidder, an investigation has found.
http://www.timesonline.co.uk/article/0,,2087-2383227,00.html
FYI - UI warns research subjects of possible security breach - The University of Iowa is contacting subjects in research studies following attacks on a computer in which personal information about those subjects was stored. The computer, used by UI psychology professor Michael O'Hara and UI psychiatry professor Scott Stuart, contained the Social Security numbers of some 14,500 subjects who were participants in research studies on maternal and child health from 1995 until the present.
http://www.press-citizen.com/apps/pbcs.dll/article?AID=/20060929/NEWS01/60929003/1079
STOLEN COMPUTERS
FYI - Computer, data stolen from DMV - A Louisburg driver's license office had personal information on thousands of motorists - The state Division of Motor Vehicles is notifying 16,000 motorists that someone broke into the agency's driver's license office in Louisburg and took a computer containing their personal information.
http://www.newsobserver.com/102/story/491642.html
FYI - Workplace files tempt ID thieves - Officials say data theft by a contract worker at Stevens Hospital is part of a growing trend. A manager for a billing company hired on a contract basis by doctors at the Edmonds hospital stole patients' credit card numbers.
http://www.heraldnet.com/stories/06/09/28/100loc_a1files001.cfm
FYI - Watchdog barks over laptop theft - Alberta's privacy watchdog rapped the knuckles of a financial services company yesterday after a laptop computer was stolen containing the personal information of 8,000 Alberta physicians.
http://www.edmontonsun.com/News/Alberta/2006/09/27/1905123-sun.html
FYI - Laptop with personal info of 55,000 GE workers stolen - A laptop containing the names and Social Security numbers of about 50,000 General Electric (GE) employees was stolen from a locked hotel room earlier this month.
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061002/595224/
WEB SITE COMPLIANCE - We continue our review of the FFIEC interagency statement on "Weblinking: Identifying Risks and Risk Management Techniques." (Part 8 of 10)
B. RISK MANAGEMENT TECHNIQUES
Implementing Weblinking Relationships
The strategy that financial institutions choose when implementing weblinking relationships should address ways to avoid customer confusion regarding linked third-party products and services. This includes disclaimers and disclosures to limit customer confusion and a customer service plan to address confusion when it occurs.
Disclaimers and Disclosures
Financial institutions should use clear and conspicuous webpage disclosures to explain their limited role and responsibility with respect to products and services offered through linked third-party websites. The level of detail of the disclosure and its prominence should be appropriate to the harm that may ensue from customer confusion inherent in a particular link. The institution might post a disclosure stating it does not provide, and is not responsible for, the product, service, or overall website content available at a third-party site. It might also advise the customer that its privacy policies do not apply to linked websites and that a viewer should consult the privacy disclosures on that site for further information. The conspicuous display of the disclosure, including its placement on the appropriate webpage, by effective use of size, color, and graphic treatment, will help ensure that the information is noticeable to customers. For example, if a financial institution places an otherwise conspicuous disclosure at the bottom of its webpage (requiring a customer to scroll down to read it), prominent visual cues that emphasize the information's importance should point the viewer to the disclosure.
In addition, the technology used to provide disclosures is important. While many institutions may simply place a disclaimer notice on applicable webpages, some institutions use "pop-ups," or intermediate webpages called "speedbumps," to notify customers they are leaving the institution's website. For the reasons described below, financial institutions should use speedbumps rather than pop-ups if they choose to use this type of technology to deliver their online disclaimers.
A "pop-up" is a screen generated by mobile code, for example Java or ActiveX, when the customer clicks on a particular hyperlink. Mobile code is used to send small programs to the user's browser. Frequently, those programs cause unsolicited messages to appear automatically on a user's screen. At times, the programs may be malicious, enabling harmful viruses or allowing unauthorized access to a user's personal information. Consequently, customers may reconfigure their browsers or install software to block disclosures delivered via mobile code.
In contrast, an intermediate webpage, or "speedbump," alerts the customer to the transition to the third-party website. Like a pop-up, a speedbump is activated when the customer clicks on a particular weblink. However, use of a speedbump avoids the problems of pop-up technology, because the speedbump is not generated externally using mobile code, but is created within the institution's operating system, and cannot be disabled by the customer.
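A minimal server-side speedbump, added here as an example (not code from the FFIEC statement or from the newsletter's authors). It assumes a Go net/http server and a constructed registry of approved partner hostnames: the intermediate page, with its disclosure and onward link, is rendered only for destinations the institution has registered, which also keeps the speedbump from being abused as an open redirect that lends the institution's domain to an arbitrary site.

```go
package main

import (
	"html/template"
	"net/http"
	"net/url"
)

// Registry of third-party sites the institution has weblinking agreements
// with (constructed sample hostnames for this example).
var weblinks = map[string]bool{
	"partner-insurance.example": true,
	"rewards-program.example":   true,
}

// The intermediate page itself: the disclosure, then the onward link.
var page = template.Must(template.New("speedbump").Parse(`<!doctype html>
<title>You are leaving Example Bank</title>
<p><strong>Notice:</strong> Example Bank does not provide, and is not responsible
for, the products, services or content of the site you are about to visit. Our
privacy policy does not apply there; consult the privacy disclosures on that site.</p>
<p><a href="{{.Target}}">Continue to {{.Host}}</a> or <a href="/">return to Example Bank</a></p>
`))

// approvedTarget accepts only an absolute https link to a registered site;
// anything else (other schemes, userinfo tricks, unknown hosts) is refused.
func approvedTarget(raw string) (*url.URL, bool) {
	u, err := url.Parse(raw)
	if err != nil || u.Scheme != "https" || u.User != nil || !weblinks[u.Hostname()] {
		return nil, false
	}
	return u, true
}

// speedbump serves /leaving?to=<url>; the institution's own pages link
// outbound through it instead of linking to the third party directly.
func speedbump(w http.ResponseWriter, r *http.Request) {
	u, ok := approvedTarget(r.URL.Query().Get("to"))
	if !ok {
		http.Error(w, "unknown destination", http.StatusBadRequest)
		return
	}
	w.Header().Set("Referrer-Policy", "no-referrer") // keep the banking URL out of the third party's logs
	_ = page.Execute(w, struct{ Target, Host string }{u.String(), u.Hostname()})
}

func main() {
	http.HandleFunc("/leaving", speedbump)
	_ = http.ListenAndServe("127.0.0.1:8080", nil)
}
```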
INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.
EXAMPLES OF ENCRYPTION USES
Asymmetric encryption is the basis of PKI, or public key infrastructure. In theory, PKI allows two parties who do not know each other to authenticate each other and maintain the confidentiality, integrity, and accountability for their messages. PKI rests on both communicating parties having a public and a private key, and keeping their public keys registered with a third party they both trust, called the certificate authority, or CA. The use of and trust in the third party is a key element in the authentication that takes place. For example, assume individual A wants to communicate with individual B. A first hashes the message, and encrypts the hash with A's private key. Then A obtains B's public key from the CA, and encrypts the message and the hash with B's public key. Obtaining B's public key from the trusted CA provides A assurance that the public key really belongs to B and not someone else. Using B's public key ensures that the message will only be able to be read by B. When B receives the message, the process is reversed. B decrypts the message and hash with B's private key, obtains A's public key from the trusted CA, and decrypts the hash again using A's public key. At that point, B has the plain text of the message and the hash performed by A. To determine whether the message was changed in transit, B must re-perform the hashing of the message and compare the newly computed hash to the one sent by A. If the new hash is the same as the one sent by A, B knows that the message was not changed since the original hash was created (integrity). Since B obtained A's public key from the trusted CA and that key produced a matching hash, B is assured that the message came from A and not someone else (authentication).
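The A-to-B exchange described above, carried out in Go as an added example (not code from the FFIEC booklet). It assumes RSA key pairs generated by the caller, 2048-bit for A and 3072-bit for B, and that each party's public key was obtained from the trusted CA. Because RSA-OAEP encrypts only one short block, the message is limited to 62 bytes here; that limit is the reason real protocols use the asymmetric keys only to protect a symmetric session key.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Seal is A's side: hash the message, sign the hash with A's private key,
// then encrypt signature||message with B's public key so only B can read it.
// A 256-byte signature plus a 3072-bit OAEP block leaves 62 bytes for the message.
func Seal(msg []byte, aPriv *rsa.PrivateKey, bPub *rsa.PublicKey) ([]byte, error) {
	digest := sha256.Sum256(msg)
	sig, err := rsa.SignPSS(rand.Reader, aPriv, crypto.SHA256, digest[:], nil)
	if err != nil {
		return nil, err
	}
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, bPub, append(sig, msg...), nil)
}

// Open is B's side: decrypt with B's private key, split off A's signature,
// re-hash the message and verify the signature with A's public key (the key
// B would have obtained from the trusted CA).
func Open(ct []byte, bPriv *rsa.PrivateKey, aPub *rsa.PublicKey) ([]byte, error) {
	plain, err := rsa.DecryptOAEP(sha256.New(), nil, bPriv, ct, nil)
	if err != nil || len(plain) < aPub.Size() { // a PSS signature is exactly key-size bytes
		return nil, errors.New("cannot decrypt or no signature present")
	}
	sig, msg := plain[:aPub.Size()], plain[aPub.Size():]
	digest := sha256.Sum256(msg) // B re-performs the hashing of the message
	if rsa.VerifyPSS(aPub, crypto.SHA256, digest[:], sig, nil) != nil {
		return nil, errors.New("hash mismatch: message altered in transit or not from A")
	}
	return msg, nil
}

func main() { // demo: generate both key pairs, then run A's side and B's side
	aKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bKey, _ := rsa.GenerateKey(rand.Reader, 3072)
	ct, err := Seal([]byte("Transfer 500 to account 12345"), aKey, &bKey.PublicKey)
	if err != nil {
		panic(err)
	}
	msg, err := Open(ct, bKey, &aKey.PublicKey)
	fmt.Println(string(msg), err)
}
```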
Various communication protocols use both symmetric and asymmetric encryption. Transport Layer Security (TLS, the successor to SSL) uses asymmetric encryption for authentication, and symmetric encryption to protect the remainder of the communications session. TLS can be used to secure electronic banking and other transmissions between the institution and the customer. TLS may also be used to secure e-mail, telnet, and FTP sessions. A wireless version of TLS is called WTLS, for Wireless Transport Layer Security.
Virtual Private Networks (VPNs) are used to provide employees, contractors, and customers remote access over the Internet to institution systems. VPN security is provided by authentication and authorization for the connection and the user, as well as encryption of the traffic between the institution and the user. While VPNs can exist between client systems, and between servers, the typical installation terminates the VPN connection at the institution firewall. VPNs can use many different protocols for their communications. Among the popular protocols are PPTP (point-to-point tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use different authentication methods, and different components on the host systems. Implementations between vendors, and between products, may differ. Currently, the problems with VPN implementations generally involve interfacing a VPN with different aspects of the host systems, and reliance on passwords for authentication.
IPSec is a complex aggregation of protocols that together provide authentication and confidentiality services to individual IP packets. It can be used to create a VPN over the Internet or other untrusted network, or between any two computers on a trusted network. Since IPSec has many configuration options, and can provide authentication and encryption using different protocols, implementations between vendors and products may differ. Secure Shell is frequently used for remote server administration. SSH establishes an encrypted tunnel between an SSH client and a server, as well as authentication services.
Disk encryption is typically used to protect data in storage.
IT SECURITY QUESTION:
F. PERSONNEL SECURITY
2. Determine if the institution includes in its terms and conditions of employment the employee's responsibilities for information security.
INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.
Opt Out Notice
19. If the institution discloses nonpublic personal information about a consumer to a nonaffiliated third party, and the exceptions under §§13-15 do not apply, does the institution provide the consumer with a clear and conspicuous opt out notice that accurately explains the right to opt out? [§7(a)(1)]
NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test. With the Gramm-Leach-Bliley Act and the regulators' IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network. For more information about our independent internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.
PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.