R. Kinney Williams & Associates

Internet Banking News

October 23, 2005


FFIEC Guidance - Authentication in an Internet Banking Environment - The Federal Financial Institutions Examination Council has issued the attached guidance, "Authentication in an Internet Banking Environment." For banks offering Internet-based financial services, the guidance describes enhanced authentication methods that regulators expect banks to use when authenticating the identity of customers using the on-line products and services. Examiners will review this area to determine a financial institution's progress in complying with this guidance during upcoming examinations. Financial Institutions will be expected to achieve compliance with the guidance no later than year-end 2006.
Press Release: www.fdic.gov/news/news/financial/2005/fil10305.html 
Press Release: www.ffiec.gov/press/pr101205.htm 
Press Release: www.ncua.gov/news/press_releases/2005/FFIEC05-1012.pdf 
Press Release: www.ots.treas.gov/docs/7/77537.html 

FYI - Security risks overwhelming IT departments - System failures and hacking hitting the balance sheet, says EIU survey. http://software.silicon.com/security/0,39024655,39153094,00.htm

FYI - Hold developers liable for flaws - Software developers should be held personally accountable for the security of the code they write, said Howard Schmidt, a former White House cybersecurity adviser. http://news.com.com/2102-1002_3-5893849.html?tag=st.util.print

FYI - Phishers Plant Fake Google Toolbar Oct. 6, 2005 - Phishers are playing off Google's brand name, a security researcher said Wednesday, by flooding IM and IRC with messages that lead to a download of a bogus Google toolbar whose sole purpose is to steal credit card information. http://www.informationweek.com/story/showArticle.jhtml?articleID=171203727

FYI - Bank of America notifying customers after laptop theft - Users of the Bank of America Corp.'s Visa Buxx prepaid debit cards are being warned that they may have had sensitive information compromised after the theft of an unencrypted laptop computer. http://www.computerworld.com/printthis/2005/0,4814,105246,00.html

FYI - How to Foil a Phish - What happens after phishers strike? We provide an inside look at one midsize bank's cutting-edge incident response plan. http://www.csoonline.com/read/100105/phish.html

FYI - Wireless policies lag laptop usage - A survey of US companies shows that wireless networks have created new holes in security policies. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=94903600-7ef2-4755-853f-3b399c3dba7e&newsType=Latest%20News&s=n

FYI - Barbarians Inside the Gate - Organizations can reduce insider threats by incorporating computer security management and network compliance tools into their risk management processes. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5649


Electronic Fund Transfer Act, Regulation E  (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as by a personal computer or a facsimile machine.

Additionally, the regulations clarify that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and must make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, timing in reporting an unauthorized transaction, loss, or theft of an access device determines a consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and also to ensure that an investigation is initiated as required. 


We continue our series on the FFIEC interagency Information Security Booklet.  

A risk assessment is the key driver of the information security process. Its effectiveness is directly related to the following key practices:

1) Multidisciplinary and Knowledge-based Approach - A consensus evaluation of the risks and risk mitigation practices followed by the institution requires the involvement of a broad range of users, with a range of expertise and business knowledge. Not all users may have the same opinion of the severity of various attacks, the importance of various controls, and the importance of various data elements and information system components. Management should apply a sufficient level of expertise to the assessment.

2) Systematic and Central Control - Defined procedures and central control and coordination help to ensure standardization, consistency, and completeness of risk assessment policies and procedures, as well as coordination in planning and performance. Central control and coordination will also facilitate an organizational view of risks and lessons learned from the risk assessment process.

3) Integrated Process - A risk assessment provides a foundation for the remainder of the security process by guiding the selection and implementation of security controls and the timing and nature of testing those controls. Testing results, in turn, provide evidence to the risk assessment process that the controls selected and implemented are achieving their intended purpose. Testing can also validate the basis for accepting risks.



6. Determine if unauthorized attempts to access authentication mechanisms (e.g., password storage location) are appropriately monitored, reported and followed up.  Attacks on shared secret mechanisms, for instance, could involve multiple log-in attempts using the same username and multiple passwords or multiple usernames and the same password.
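An added detection example, not from the newsletter or the FFIEC booklet: it scans constructed authentication-log lines (the line format is assumed) for the two failure patterns the question names. Since passwords are never written to logs, the "multiple usernames, same password" case is approximated as one source address failing against many distinct usernames.

```python
"""Flag the two login-attack patterns from the examination question
over constructed sample log lines (not from any real system)."""
import re
from collections import defaultdict

# Assumed log format: "<timestamp> auth OK|FAIL user=<name> src=<address>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

def parse(lines):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def detect(events, per_user_threshold=5, per_source_users_threshold=3):
    """Return alerts as (kind, src, user_or_None, count) tuples."""
    fails_per_user = defaultdict(int)      # same username, many attempts
    users_per_source = defaultdict(set)    # one source, many usernames
    for e in events:
        if e["result"] != "FAIL":
            continue
        fails_per_user[(e["src"], e["user"])] += 1
        users_per_source[e["src"]].add(e["user"])
    alerts = []
    for (src, user), n in sorted(fails_per_user.items()):
        if n >= per_user_threshold:
            alerts.append(("guessing", src, user, n))   # password guessing
    for src, users in sorted(users_per_source.items()):
        if len(users) >= per_source_users_threshold:
            alerts.append(("spraying", src, None, len(users)))  # one password, many users
    return alerts

# Constructed sample: 10.0.0.5 hammers one account, 10.0.0.9 sweeps across accounts
SAMPLE_LOG = [
    "2005-10-23T10:00:%02d auth FAIL user=alice src=10.0.0.5" % s for s in range(5)
] + [
    "2005-10-23T10:01:00 auth FAIL user=bob src=10.0.0.9",
    "2005-10-23T10:01:01 auth FAIL user=carol src=10.0.0.9",
    "2005-10-23T10:01:02 auth FAIL user=dave src=10.0.0.9",
    "2005-10-23T10:05:00 auth FAIL user=erin src=10.0.0.7",
    "2005-10-23T10:05:10 auth OK user=erin src=10.0.0.7",   # normal typo, no alert
]

if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

In production the counts would be kept per time window and the alerts fed to the follow-up procedure the question asks examiners to verify.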


We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Does the institution refrain from disclosing, directly or through affiliates, account numbers or similar forms of access numbers or access codes for a consumer's credit card account, deposit account, or transaction account to any nonaffiliated third party (other than to a consumer reporting agency) for telemarketing, direct mail or electronic mail marketing to the consumer, except:

a.  to the institution's agents or service providers solely to market the institution's own products or services, as long as the agent or service provider is not authorized to directly initiate charges to the account; [12(b)(1)] or

b.  to a participant in a private label credit card program or an affinity or similar program where the participants in the program are identified to the customer when the customer enters into the program? [12(b)(2)]

(Note: an "account number or similar form of access number or access code" does not include numbers in encrypted form, so long as the institution does not provide the recipient with a means of decryption. [12(c)(1)] A transaction account does not include an account to which third parties cannot initiate charges. [12(c)(2)])

VISTA - Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports; testing focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated