R. Kinney Williams - Yennik, Inc.

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

November 1, 2009

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b). The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports. The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses. For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Microsoft recovers most Sidekick data - Only a small number of Sidekick users will suffer permanent data loss - Microsoft has good news for most Sidekick users: The company says it has recovered most of the data for T-Mobile Sidekick users who saw personal information accidentally wiped from their devices. http://www.computerworld.com/s/article/9139407/Microsoft_recovers_most_Sidekick_data?taxonomyId=17

Fugitive hacker headed back to U.S. for arraignment - Edwin Pena faces 20 federal charges related to hacking and wire fraud in VoIP theft scam - A Miami man who for three years had evaded prosecution in connection with the theft and reselling of VoIP services is being extradited to Newark from Mexico today and is set to be arraigned in a New Jersey federal courthouse. http://www.computerworld.com/s/article/9139434/Fugitive_hacker_headed_back_to_U.S._for_arraignment?source=rss_security

Michigan airport grounds website over malware risk - An airport in Michigan reportedly took down its website late on Monday in response to a computer virus risk. http://www.theregister.co.uk/2009/10/13/airport_malware_infection/

FTC increases security obligations of ChoicePoint - The Federal Trade Commission has punished ChoicePoint for another data breach after the agency concluded the data broker failed to properly implement security measures as prescribed in the wake of its watershed 2005 incident.

Survey finds lax health care privacy in United States - More than half of American hospitals fail to take appropriate steps to protect the privacy of patients, according to a new survey of health care IT security professionals. http://www.scmagazineus.com/Survey-finds-lax-health-care-privacy-in-United-States/article/155795/?DCMP=EMC-SCUS_Newswire

ID theft tops list of Americans' security concerns - More than the H1N1 flu or their ability to meet financial obligations, Americans are most concerned about identity theft, according to the latest Unisys Security Index released Tuesday. http://www.scmagazineus.com/Survey-ID-theft-tops-list-of-Americans-security-concerns/article/155766/?DCMP=EMC-SCUS_Newswire

NASA must fix cyber vulnerabilities - A new report from the Government Accountability Office (GAO) found that NASA has multiple cybersecurity problems. http://www.scmagazineus.com/GAO-NASA-must-fix-cyber-vulnerabilities/article/155738/


Trojan plunders $480k from online bank account - A Pennsylvania organization that helps develop affordable housing learned a painful lesson about the hazards of online banking using the Windows operating system when a notorious trojan siphoned almost $480,000 from its account. http://www.theregister.co.uk/2009/10/14/microsoft_windows_bank_thefts/

Data on 103,000 Students Misplaced - A flash drive containing the personal information of more than 103,000 former adult education students in Virginia was misplaced last month, state education officials reported. http://www.washingtonpost.com/wp-dyn/content/article/2009/10/14/AR2009101402118.html

Ex-Ford engineer charged with trade secret theft - Suspect allegedly stole trade secrets after accepting job with a competing Chinese company - A former product engineer at Ford Motor Co. has been charged with stealing sensitive design documents from the auto maker worth millions of dollars. http://www.computerworld.com/s/article/9139472/Ex_Ford_engineer_charged_with_trade_secret_theft?source=rss_security

Time Warner Cable Exposes 65,000 Customer Routers to Remote Hacks - A vulnerability in a Time Warner cable modem and Wi-Fi router deployed to 65,000 customers would allow a hacker to remotely access the device's administrative menu over the internet, and potentially change the settings to intercept traffic, according to a blogger who discovered the issue. http://www.wired.com/threatlevel/2009/10/time-warner-cable/


We continue covering some of the issues discussed in the "Risk Management Principles for Electronic Banking" published by the Basel Committee on Banking Supervision.

Principle 10: Banks should have effective capacity, business continuity and contingency planning processes to help ensure the availability of e-banking systems and services.

To protect banks against business, legal and reputation risk, e-banking services must be delivered on a consistent and timely basis in accordance with customer expectations. To achieve this, the bank must have the ability to deliver e-banking services to end-users from either primary (e.g. internal bank systems and applications) or secondary sources (e.g. systems and applications of service providers). The maintenance of adequate availability is also dependent upon the ability of contingency back-up systems to mitigate denial of service attacks or other events that may potentially cause business disruption.

The challenge to maintain continued availability of e-banking systems and applications can be considerable given the potential for high transaction demand, especially during peak time periods. In addition, high customer expectations regarding short transaction processing cycle times and constant availability (24 x 7) have also increased the importance of sound capacity, business continuity and contingency planning. To provide customers with the continuity of e-banking services that they expect, banks need to ensure that:

1)  Current e-banking system capacity and future scalability are analyzed in light of the overall market dynamics for e-commerce and the projected rate of customer acceptance of e-banking products and services.

2)  E-banking transaction processing capacity estimates are established, stress tested and periodically reviewed.

3)  Appropriate business continuity and contingency plans for critical e-banking processing and delivery systems are in place and regularly tested.

We continue our series on the FFIEC interagency Information Security Booklet.


Management is responsible for ensuring institution and customer data is protected, even when that data is transmitted, processed, or stored by a service provider. Service providers should have appropriate security testing based on the risk to their organization, their customer institutions, and the institution's customers. Accordingly, management and auditors evaluating technology service providers (TSPs) should use the above testing guidance in performing initial due diligence, constructing contracts, and exercising ongoing oversight or audit responsibilities. Where indicated by the institution's risk assessment, management is responsible for monitoring the testing performed at the service provider through review of timely audits and test results or other equivalent evaluations.



1. Obtain an understanding of the data security strategy.

a. Identify the financial institution's approach to protecting data (e.g., protect all data similarly, protect data based upon risk of loss).

b. Obtain and review the risk assessment covering financial institution data. Determine if the risk assessment classifies data sensitivity in a reasonable manner and consistent with the financial institution's strategic and business objectives.

c. Consider whether policies and procedures address the protections for data that is sent outside the institution.

d. Identify processes to periodically review data sensitivity and update corresponding risk assessments.


We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.

34. Does the institution deliver a revised privacy notice when it:

a. discloses a new category of nonpublic personal information to a nonaffiliated third party; [8(b)(1)(i)]

b. discloses nonpublic personal information to a new category of nonaffiliated third party; [8(b)(1)(ii)] or

c. discloses nonpublic personal information about a former customer to a nonaffiliated third party, if that former customer has not had the opportunity to exercise an opt out right regarding that disclosure? [8(b)(1)(iii)]

Note: a revised notice is not required if the institution adequately described the nonaffiliated third party or information to be disclosed in the prior privacy notice. [8(b)(2)]


PLEASE NOTE: Some of the above links may have expired, especially those from news organizations. We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated