R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

October 28, 2012

Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

REMINDER - This newsletter is available for the Android smart phones and tablets.  Go to the Market Store and search for yennik.

FYI - Computer viruses and malware 'rampant' in medical tech, experts warn - High-risk medical technology has been found to be infected by computer viruses and malware, health and security experts have said. http://www.bbc.co.uk/news/technology-19979936

FYI - The Pirate Bay ditches its servers, sets sail for the cloud - The Pirate Bay's home page announces the site's move to the cloud. The Pirate Bay is getting rid of its physical servers and exchanging them for virtual machines spread across multiple cloud services. http://news.cnet.com/8301-1009_3-57535500-83/hsbc-hit-by-broad-denial-of-service-attack/

FYI - Small organizations confident they're secure, yet lack plans - A new study of small businesses shows that while a majority believe they have a good handle on protecting sensitive data, most lack basic security measures, notably policies and procedures. http://www.scmagazine.com/small-organizations-confident-theyre-secure-yet-lack-plans/article/264724/?DCMP=EMC-SCUS_Newswire

FYI - Retired OMB IT chiefs urge federal cyber policy rewrite - Veteran White House information technology leaders going back to the Nixon administration on Tuesday are pressing the Obama administration to overhaul federal cybersecurity policy now, without legislation, according to a report reviewed by Nextgov. http://www.nextgov.com/cybersecurity/2012/10/retired-omb-it-chiefs-urge-federal-cyber-policy-rewrite/58945/

FYI - White House orders spy agencies to share cyberthreat intel with companies - A new White House executive order would direct U.S. spy agencies to share the latest intelligence about cyberthreats with companies operating electric grids, water plants, railroads and other vital industries to help protect them from electronic attacks, according to a copy obtained by The Associated Press. http://www.nbcnews.com/technology/technolog/white-house-orders-spy-agencies-share-cyberthreat-intel-companies-1C6578275

FYI - VA Computers Remain Unencrypted, Years After Breach - Following a high-profile data breach six years ago, the U.S. Department of Veterans Affairs spent almost $6 million on encryption software for its PCs and laptops. But an investigation by the department's inspector general determined that the encryption software has been installed on only 16% of its computers. http://www.informationweek.com/government/security/va-computers-remain-unencrypted-years-af/240009408


FYI - HSBC hit by broad denial-of-service attack - The multinational bank confirms attack, saying it "did not affect any customer data, but did prevent customers using HSBC online services." If you haven't been able to log into your HSBC online banking account today, you're not alone. http://news.cnet.com/8301-1009_3-57535500-83/hsbc-hit-by-broad-denial-of-service-attack/

FYI - Pacemaker hack can deliver deadly 830-volt jolt - Pacemakers from several manufacturers can be commanded to deliver a deadly, 830-volt shock from someone on a laptop up to 50 feet away, the result of poor software programming by medical device companies. http://www.computerworld.com/s/article/9232477/Pacemaker_hack_can_deliver_deadly_830_volt_jolt?taxonomyId=85

FYI - Laptop stolen from Tennessee hospital - A laptop theft at Blount Memorial Hospital in Maryville, Tenn. has compromised the personal data of several thousand patients. http://www.scmagazine.com/laptop-stolen-from-tennessee-hospital/article/264677/?DCMP=EMC-SCUS_Newswire

FYI - Ally Financial sees 'unusual traffic,' cyberattack fears abound - The company hasn't said exactly what kind of issues it's seeing, and there has been no disruption or denial-of-service attacks. Ally Financial is experiencing some odd traffic issues that have prompted some to wonder if there's more there than meets the eye. http://news.cnet.com/8301-1009_3-57536056-83/ally-financial-sees-unusual-traffic-cyberattack-fears-abound/?tag=nl.e757&s_cid=e757

FYI - Barnes & Noble pulls PIN pads after fraud ring hits stores - Barnes & Noble has yanked PIN pads from all of its nearly 700 stores nationwide after discovering that scammers tampered with the devices at 63 locations to carry out card skimming fraud. http://www.scmagazine.com/barnes-noble-pulls-pin-pads-after-fraud-ring-hits-stores/article/265235/?DCMP=EMC-SCUS_Newswire


We continue the series on the FDIC Supervisory Insights article on Incident Response Programs.  (4 of 12)

Reaction Procedures

Assessing security incidents and identifying the unauthorized access to or misuse of customer information essentially involve organizing and developing a documented risk assessment process for determining the nature and scope of the security event. The goal is to efficiently determine the scope and magnitude of the security incident and identify whether customer information has been compromised.

Containing and controlling the security incident involves preventing any further access to or misuse of customer information or customer information systems. As there are a variety of potential threats to customer information, organizations should anticipate the ones that are more likely to occur and develop response and containment procedures commensurate with the likelihood of and the potential damage from such threats. An institution's information security risk assessment can be useful in identifying some of these potential threats. The containment procedures developed should focus on responding to and minimizing potential damage from the threats identified. Not every incident can be anticipated, but institutions should at least develop containment procedures for reasonably foreseeable incidents.

We continue our coverage of the FDIC's "Guidance on Managing Risks Associated With Wireless Networks and Wireless Customer Access."

Part II. Risks Associated with Wireless Internet Devices

As wireless Internet devices become more prevalent in the marketplace, financial institutions are adopting wireless application technologies as a channel for reaching their customers. Wireless Internet services are becoming available in major cities across the United States. Through wireless banking applications, a financial institution customer could access account information and perform routine non-cash transactions without having to visit a branch or ATM.

The wireless Internet devices available today present attractive methods for offering and using financial services. Customers have access to financial information from anywhere they can receive wireless Internet access. Many of the wireless devices have built-in encryption through industry-standard encryption methods. This encryption has its limits based on the processing capabilities of the device and the underlying network architecture.

A popular standard for offering wireless applications is through the use of the Wireless Application Protocol (WAP). WAP is designed to bring Internet application capabilities to some of the simplest user interfaces. Unlike the Web browser that is available on most personal computer workstations, the browser in a wireless device (such as a cell phone) has a limited display that in many cases can provide little, if any, graphical capabilities. The interface is also limited in the amount of information that can be displayed easily on the screen. Further, the user is limited by the keying capabilities of the device and often must resort to many key presses for simple words.

The limited processing capabilities of these devices restrict the strength of the encryption applied to network transmissions. Effective encryption is, by nature, processing-intensive and often requires complex calculations. The time required to complete the encryption calculations on a device with limited processing capabilities may result in unreasonable delays for the device's user. Therefore, simpler encryption algorithms and smaller keys may be used to speed the process of obtaining access.

WAP is an evolving protocol. The most recent specification of WAP (WAP 2.0 - July 2001) offers the capability of encrypting network conversations all the way from the WAP server (at the financial institution) to the WAP client (the financial institution customer). Unfortunately, WAP 2.0 has not yet been fully adopted by vendors that provide the building blocks for WAP applications. Previous versions of WAP provide encryption between the WAP client and a WAP gateway (owned by the Wireless Provider). The WAP gateway then must re-encrypt the information before it is sent across the Internet to the financial institution. Therefore, sensitive information is available at the wireless provider in an unencrypted form. This limits the financial institution's ability to provide appropriate security over customer information.
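The paragraph above describes the "gateway gap": in pre-2.0 WAP the handset's encrypted session ends at the wireless provider's gateway, which decrypts and re-encrypts before forwarding to the institution, so customer data is in the clear on a machine the institution does not control; WAP 2.0 closes the gap by running one session from handset to institution. The simulation below is an added example written for this newsletter, not code from the FDIC guidance or from any WAP vendor. It models both architectures with a constructed toy stream cipher (HMAC-SHA256 in counter mode, for illustration only) and records what the gateway can observe in each case. The protocol names in the comments (WTLS on the air leg, TLS on the Internet leg) are the usual pairing and are assumed here; the page does not name them.

```python
import hashlib
import hmac
import os

NONCE_LEN = 12

# Constructed sample request: the kind of routine account query the
# guidance says a customer would send over a wireless banking application.
SAMPLE_REQUEST = b"ACCT=000000000 PIN=0000 BALANCE?"

# Constructed keys. In the gateway model there are two separate sessions,
# each with its own key; in the end-to-end model there is one.
K_AIR = hashlib.sha256(b"handset<->gateway session key").digest()
K_NET = hashlib.sha256(b"gateway<->bank session key").digest()
K_E2E = hashlib.sha256(b"handset<->bank session key").digest()


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter), concatenated.
    Illustrative only; stands in for whatever cipher WTLS/TLS negotiate."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Fresh random nonce, prepended to the XORed ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ks = keystream(key, nonce, len(plaintext))
    return nonce + bytes(p ^ k for p, k in zip(plaintext, ks))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:NONCE_LEN], blob[NONCE_LEN:]
    ks = keystream(key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def wap1_session(request: bytes, k_air: bytes, k_net: bytes) -> dict:
    """Pre-2.0 WAP: handset->gateway session (assumed WTLS) terminates at the
    provider's gateway, which re-encrypts for the gateway->bank session
    (assumed TLS). The gateway therefore holds the plaintext."""
    over_the_air = encrypt(k_air, request)
    at_gateway = decrypt(k_air, over_the_air)      # gateway must decrypt here
    over_internet = encrypt(k_net, at_gateway)     # ...then re-encrypt
    at_bank = decrypt(k_net, over_internet)
    return {"gateway_sees": at_gateway, "bank_receives": at_bank}


def wap2_session(request: bytes, k_e2e: bytes) -> dict:
    """WAP 2.0: one session from handset to bank. The gateway relays bytes
    it has no key for, so it only ever sees ciphertext."""
    over_the_air = encrypt(k_e2e, request)
    at_gateway = over_the_air                      # relayed unchanged
    at_bank = decrypt(k_e2e, at_gateway)
    return {"gateway_sees": at_gateway, "bank_receives": at_bank}


def gateway_exposes(session: dict, field: bytes) -> bool:
    """True if a customer-data field is readable at the provider's gateway."""
    return field in session["gateway_sees"]


if __name__ == "__main__":
    for name, s in (("WAP 1.x", wap1_session(SAMPLE_REQUEST, K_AIR, K_NET)),
                    ("WAP 2.0", wap2_session(SAMPLE_REQUEST, K_E2E))):
        print(name, "bank ok:", s["bank_receives"] == SAMPLE_REQUEST,
              "PIN visible at gateway:", gateway_exposes(s, b"PIN="))
```

Both models deliver the request to the institution intact; the difference the guidance is pointing at is only what the intermediary holds. When reviewing a wireless channel, the question to put to the provider is which party terminates the customer's encrypted session, because the institution's controls cannot reach data that is decrypted on someone else's gateway.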


We continue our series listing the regulatory privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

42.  Does the institution provide the consumer with a reasonable opportunity to opt out such as by:

a.  mailing the notices required by 10 and allowing the consumer to respond by toll-free telephone number, return mail, or other reasonable means (see question 22) within 30 days from the date mailed; [10(a)(3)(i)]

b.  where the consumer opens an on-line account with the institution and agrees to receive the notices required by 10 electronically, allowing the consumer to opt out by any reasonable means (see question 22) within 30 days from consumer acknowledgement of receipt of the notice in conjunction with opening the account; [10(a)(3)(ii)] or

c.  for isolated transactions, providing the notices required by 10 at the time of the transaction and requesting that the consumer decide, as a necessary part of the transaction, whether to opt out before the completion of the transaction? [10(a)(3)(iii)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  

Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
