R. Kinney Williams & Associates

Internet Banking News

November 12, 2006

CONTENTS
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as to meet the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Hacking contactless credit cards made easy - US security researchers have demonstrated how easy it might be for crooks to read sensitive personal information from RFID-based credit and debit cards. http://www.theregister.co.uk/2006/10/24/rfid_credit_card_hack/print.html

FYI - GAO - Coordination of Federal Cyber Security Research and Development.
Report: http://www.gao.gov/cgi-bin/getrpt?GAO-06-811
Highlights: http://www.gao.gov/highlights/d06811high.pdf

FYI - It's possible hackers got Children's Hospital data on 230,000 patients, families, 12,000 donors - Hackers broke into Akron Children's Hospital computer files over Labor Day weekend, potentially accessing names, addresses, birth dates, and Social Security numbers of about 230,000 patients and their families, as well as a database containing the bank-account information of about 12,000 donors.
http://www.centredaily.com/mld/centredaily/news/nation/15871658.htm
http://www.scmagazine.com/us/newsletter/dailyupdate/article/20061101/601539/

FYI - Identity-theft computer scheme uncovered in apartment search - An identity-theft scheme that could affect thousands of Americans has been uncovered in Denver, the district attorney's office warned in a consumer alert Friday. "The potential harm to people is huge," said Lynn Kimbrough, spokeswoman for the prosecutor's office. "The potential is there that could affect thousands through the incredible misuse of tax records and banking information." http://test.denverpost.com/nuggets/ci_4564807

MISSING COMPUTERS

FYI - Another possible data security breach at Los Alamos - Another possible breach at Los Alamos National Laboratory in New Mexico is raising new questions about data security at the troubled nuclear weapons facility. http://federaltimes.com/index.php?S=2313329

FYI - Computer With Info On Colo. Human Services Dept. Clients Stolen - A computer containing personal information of some clients of the Colorado Department of Human Services was stolen from a Dallas-based firm that operates the Family Registry. http://www.thedenverchannel.com/news/10162004/detail.html

FYI - Security officials say computer drive lost at Portland airport - Federal Homeland Security officials say a computer storage device that may have held personal information on current and former employees has been lost. http://www.oregonlive.com/newsflash/regional/index.ssf?/base/news-17/116179555334230.xml&storylist=orlocal

FYI - Operator of 12 hospitals informs of lost data - CD contained personal data for more than a quarter-million patients - The operator of 12 hospitals in Indiana and Illinois is notifying more than a quarter-million patients that compact discs containing their Social Security numbers and other personal information were lost for three days over the summer. http://www.msnbc.msn.com/id/15403873/


WEB SITE COMPLIANCE -
Electronic Fund Transfer Act, Regulation E  (Part 2 of 2)

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated on-line. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.

Additionally, the regulation clarifies that a written authorization for preauthorized transfers from a consumer's account includes an electronic authorization that is not signed but is similarly authenticated by the consumer, such as through the use of a security code. According to the OSC, an example of a consumer's authorization that is not in the form of a signed writing but is, instead, "similarly authenticated" is a consumer's authorization via a home banking system. To satisfy the regulatory requirements, the institution must have some means to identify the consumer (such as a security code) and must make a paper copy of the authorization available (automatically or upon request). The text of the electronic authorization must be displayed on a computer screen or other visual display that enables the consumer to read the communication from the institution.

Only the consumer may authorize the transfer and not, for example, a third-party merchant on behalf of the consumer.

Pursuant to the regulations, the timing of a consumer's report of an unauthorized transaction, loss, or theft of an access device determines the consumer's liability. A financial institution may receive correspondence through an electronic medium concerning an unauthorized transaction, loss, or theft of an access device. Therefore, the institution should ensure that controls are in place to review these notifications and to ensure that an investigation is initiated as required.


INFORMATION TECHNOLOGY SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.


SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE - SOFTWARE DEVELOPMENT AND ACQUISITION

Security Controls in Application Software


Application development should incorporate appropriate security controls, audit trails, and activity logs. Typical application access controls are addressed in earlier sections. Application security controls should also include validation controls for data entry and data processing. Data entry validation controls include access controls over entry and changes to data, error checks, review of suspicious or unusual data, and dual entry or additional review and authorization for highly sensitive transactions or data. Data processing controls include: batch control totals; hash totals of data for comparison after processing; identification of any changes made to data outside the application (e.g., data-altering utilities); and job control checks to ensure programs run in correct sequence (see the booklet "Computer Operations" for additional considerations).

Some applications will require the integration of additional authentication and encryption controls to ensure integrity and confidentiality of the data. As customers and merchants originate an increasing number of transactions, authentication and encryption become increasingly important to ensure non-repudiation of transactions.
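The data processing controls named above (record counts, batch control totals, and hash totals compared after processing) can be shown with a small script. The following is an added example written for this newsletter, not code from the FFIEC booklet; the batch records, field names, and the simulate_external_edit helper are all constructed for illustration.

```python
import hashlib
import json
from decimal import Decimal

# Constructed sample batch (illustrative, not real account data).
BATCH = [
    {"id": "T001", "account": "1001", "amount": "125.00"},
    {"id": "T002", "account": "1002", "amount": "-40.50"},
    {"id": "T003", "account": "1003", "amount": "990.25"},
]


def control_totals(batch):
    """Compute three controls: record count, batch amount total, and a
    hash total taken over every field of every record."""
    count = len(batch)
    amount_total = sum(Decimal(rec["amount"]) for rec in batch)
    digest = hashlib.sha256()
    for rec in batch:
        # Canonical serialisation so field order cannot change the hash.
        digest.update(json.dumps(rec, sort_keys=True).encode("utf-8"))
    return {"count": count, "amount_total": amount_total,
            "hash_total": digest.hexdigest()}


def verify_batch(totals_before, batch_after):
    """Recompute totals after processing and return the names of the
    controls that no longer match (an empty list means the batch is intact)."""
    totals_after = control_totals(batch_after)
    return [name for name in ("count", "amount_total", "hash_total")
            if totals_before[name] != totals_after[name]]


def simulate_external_edit(batch, rec_id, field, new_value):
    """Hypothetical helper: model a change made outside the application
    (a data-altering utility run against the file) by copying the batch
    and altering one field of one record."""
    edited = [dict(rec) for rec in batch]
    for rec in edited:
        if rec["id"] == rec_id:
            rec[field] = new_value
    return edited


if __name__ == "__main__":
    before = control_totals(BATCH)
    # Redirecting a credit to another account leaves count and amount
    # total unchanged; only the hash total exposes it.
    print(verify_batch(before, simulate_external_edit(BATCH, "T002", "account", "9999")))
    # Changing an amount is caught by both the amount total and the hash total.
    print(verify_batch(before, simulate_external_edit(BATCH, "T003", "amount", "99.25")))
```

The second case illustrates why the booklet lists hash totals alongside batch totals: a change that preserves the money total is invisible to the amount control but not to the hash.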



IT SECURITY QUESTION:

F. PERSONNEL SECURITY

6. Determine if an appropriate disciplinary process for security violations exists and is functioning.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

23. If the institution delivers the opt out notice after the initial notice, does the institution provide the initial notice once again with the opt out notice? [§7(c)]

24. Does the institution provide an opt out notice, explaining how the institution will treat opt out directions by the joint consumers, to at least one party in a joint consumer relationship? [§7(d)(1)]

NETWORK SECURITY TESTING
- IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated