FFIEC Guidance - Authentication in an Internet Banking Environment -
The Federal Financial Institutions Examination Council has issued
the attached guidance, "Authentication in an Internet Banking
Environment." For banks offering Internet-based financial services,
the guidance describes enhanced authentication methods that
regulators expect banks to use when authenticating the identity of
customers using the on-line products and services. Examiners will
review this area to determine a financial institution's progress in
complying with this guidance during upcoming examinations. Financial
Institutions will be expected to achieve compliance with the
guidance no later than year-end 2006.
Security risks overwhelming IT departments - System failures and
hacking hitting the balance sheet, says EIU survey.
Hold developers liable for flaws - Software developers should be
held personally accountable for the security of the code they write,
said Howard Schmidt, a former White House cybersecurity adviser.
Phishers Plant Fake Google Toolbar Oct. 6, 2005 - Phishers are
playing off Google's brand name, a security researcher said
Wednesday, by flooding IM and IRC with messages that lead to a
download of a bogus Google toolbar whose sole purpose is to steal
credit card information.
Bank of America notifying customers after laptop theft - Users of
the Bank of America Corp.'s Visa Buxx prepaid debit cards are being
warned that they may have had sensitive information compromised
after the theft of an unencrypted laptop computer.
How to Foil a Phish - What happens after phishers strike? We provide
an inside look at one midsize bank's cutting-edge incident response
Wireless policies lag laptop usage - A survey of US companies shows
that wireless networks have created new holes in security policies.
Barbarians Inside the Gate - Organizations can reduce insider
threats by incorporating computer security management and network
compliance tools into their risk management processes.
Return to the top
of the newsletter
WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E (Part 2 of 2)
The Federal Reserve Board Official Staff Commentary
(OSC) also clarifies that terminal receipts are unnecessary for
transfers initiated on-line. Specifically, OSC regulations provides
that, because the term "electronic terminal" excludes a
telephone operated by a consumer, financial institutions need not
provide a terminal receipt when a consumer initiates a transfer by a
means analogous in function to a telephone, such as by a personal
computer or a facsimile machine.
Additionally, the regulations clarifies that a written authorization
for preauthorized transfers from a consumer's account includes an
electronic authorization that is not signed, but similarly
authenticated by the consumer, such as through the use of a security
code. According to the OSC, an example of a consumer's authorization
that is not in the form of a signed writing but is, instead,
"similarly authenticated" is a consumer's authorization
via a home banking system. To satisfy the regulatory requirements,
the institution must have some means to identify the consumer (such
as a security code) and make a paper copy of the authorization
available (automatically or upon request). The text of the
electronic authorization must be displayed on a computer screen or
other visual display that enables the consumer to read the
communication from the institution.
Only the consumer may authorize the transfer and not, for example, a
third-party merchant on behalf of the consumer.
Pursuant to the regulations, timing in reporting an unauthorized
transaction, loss, or theft of an access device determines a
consumer's liability. A financial institution may receive
correspondence through an electronic medium concerning an
unauthorized transaction, loss, or theft of an access device.
Therefore, the institution should ensure that controls are in place
to review these notifications and also to ensure that an
investigation is initiated as required.
the top of the newsletter
INFORMATION TECHNOLOGY SECURITY - We
continue our series on the FFIEC interagency Information Security
INFORMATION SECURITY RISK ASSESSMENT
KEY RISK ASSESSMENT PRACTICES (1 of 2)
A risk assessment is the key driver of the information security
process. Its effectiveness is directly related to the following key
and Knowledge - based Approach - A consensus evaluation of the risks
and risk mitigation practices followed by the institution requires
the involvement of a broad range of users, with a range of expertise
and business knowledge. Not all users may have the same opinion of
the severity of various attacks, the importance of various controls,
and the importance of various data elements and information system
components. Management should apply a sufficient level of expertise
to the assessment.
2) Systematic and
Central Control - Defined procedures and central control and
coordination help to ensure standardization, consistency, and
completeness of risk assessment policies and procedures, as well as
coordination in planning and performance. Central control and
coordination will also facilitate an organizational view of risks
and lessons learned from the risk assessment process.
3) Integrated Process -
A risk assessment provides a foundation for the remainder of the
security process by guiding the selection and implementation of
security controls and the timing and nature of testing those
controls. Testing results, in turn, provide evidence to the risk
assessment process that the controls selected and implemented are
achieving their intended purpose. Testing can also validate the
basis for accepting risks.
the top of the newsletter
IT SECURITY QUESTION:
A. AUTHENTICATION AND ACCESS CONTROLS
6. Determine if unauthorized attempts to access
authentication mechanisms (e.g., password storage location) are
appropriately monitored, reported and followed up.
Attacks on shared secret mechanisms, for instance, could
involve multiple log-in attempts using the same username and
multiple passwords or multiple usernames and the same password.
Return to the top of
INTERNET PRIVACY - We continue
our series listing the regulatory-privacy examination questions.
When you answer the question each week, you will help ensure
compliance with the privacy regulations.
Does the institution refrain from disclosing,
directly or through affiliates, account numbers or similar forms of
access numbers or access codes for a consumer's credit card account,
deposit account, or transaction account to any nonaffiliated third
party (other than to a consumer reporting agency) for telemarketing,
direct mail or electronic mail marketing to the consumer, except:
a. to the institution's agents or service providers solely to
market the institution's own products or services, as long as the
agent or service provider is not authorized to directly initiate
charges to the account; [§12(b)(1)] or
b. to a participant in a private label credit card program or
an affinity or similar program where the participants in the program
are identified to the customer when the customer enters into the
(Note: an "account number or similar form of access
number or access code" does not include numbers in encrypted
form, so long as the institution does not provide the recipient with
a means of decryption. [§12(c)(1)] A transaction account does not
include an account to which third parties cannot initiate charges. [§12(c)(2)])
VISTA - Does
Your Financial Institution need an affordable Internet security
Our clients in 41 states rely on
to ensure their IT security settings, as well as
meeting the independent diagnostic test
requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides
Gramm-Leach Bliley Act 501(b).
The VISTA penetration study and
Internet security test is an affordable-sophisticated process than
goes far beyond the simple
scanning of ports and
testing focuses on
a hacker's perspective, which will help
you identify real-world weaknesses. For more information, give Kinney Williams a call
today at 806-798-7119 or visit