Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc. the acknowledged leader in Internet auditing for financial institutions.

December 2, 2007

CONTENTS: Internet Compliance; Information Systems Security; IT Security Question; Internet Privacy; Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 41 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond the simple scanning of ports.  The audit focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give R. Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


FYI - Major League Baseball, National Hockey League websites hit by traffic-redirection attack - Malicious banner ads first affected visitors to the websites of Major League Baseball and the National Hockey League late last week, according to researchers at Exploit Prevention Labs. http://www.scmagazineus.com/Major-League-Baseball-National-Hockey-League-websites-hit-by-traffic-redirection-attack/article/96362/

FYI - Nevada tightens payroll security - Under the new procedures, disks must be signed for and returned to the personnel department after each pay period. Passwords will be required to read data stored on CDs. And state employee information will be correlated to unique employee identification numbers instead of Social Security numbers. http://www.gcn.com/online/vol1_no1/45412-1.html?topic=security&CMP=OTC-RSS

FYI - FCO breached data privacy of 50,000 visa applicants - The personal details of 50,000 visa applicants were on view to visitors to a website run by the Foreign and Commonwealth Office, the Information Commissioner's Office has found. http://www.computerweekly.com/Articles/2007/11/13/228058/fco-breached-data-privacy-of-50000-visa-applicants.htm

FYI - Commonwealth passes security question to Netbank users - Commonwealth Bank is looking to shift concerns over online security to Netbank customers with the announcement that it will be giving away security software to a selection of users.
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339283812-130061744t-110000005c
http://www.zdnet.com.au/news/security/print.htm?TYPE=story&AT=339283820-130061744t-110000005c

FYI - Ulster Bank steps up security against ID theft - Ulster Bank is issuing special card readers to its internet banking customers as part of ongoing measures to combat online banking fraud. The free-of-charge readers are part of Ulster Bank's overall enhanced security strategy to prevent identity theft by making it difficult for attackers to steal a user's online identity. http://www.siliconrepublic.com/news/news.nv?storyid=single9630

FYI - Targeted e-mail attacks spoof DOJ, business group - Security expert says latest attacks part of an escalating problem. Availability of toolkits, rise of social networks are making it easier for phishers. Security experts warned this week of two separate e-mail attacks launched Monday that take aim at specific individuals within corporations. http://www.news.com/Targeted-e-mail-attacks-spoof-DOJ%2C-business-group/2100-7349_3-6219559.html?tag=nefd.lede

FYI - NIST addresses security for industrial controls systems - The National Institute of Standards and Technology has released an initial draft of new security guidelines for government information technology systems used for industrial control processes. The guidelines are in a revised appendix to NIST Special Publication 800-53, "Recommended Security Controls for Federal Information Systems." http://www.gcn.com/online/vol1_no1/45455-1.html?topic=security&CMP=OTC-RSS

MISSING COMPUTERS/DATA

FYI - UK bank data of millions missing - Britain's tax and customs service lost banking and personal data of 25 million people -- nearly half the country's population -- when two computer disks disappeared in an internal mail service, the Treasury chief said. http://edition.cnn.com/2007/WORLD/europe/11/20/britain.personal.ap/index.html

FYI - Deja vu all over again at Veterans Administration - Another breach for an agency that's prone to them - In what's become a fairly familiar routine for them of late, the U.S. Department of Veterans Affairs is investigating a potential data breach -- the theft of three computers containing personal data on potentially 12,000 individuals. http://www.computerworld.com/action/article.do?command=viewArticleBasic&taxonomyId=13&articleId=9047482

FYI - Missing: 25m people's personal data - Computer discs holding sensitive personal data on 25 million people and 7.25 million families have gone missing, Chancellor Alistair Darling has admitted to MPs. http://www.guardian.co.uk/uklatest/story/0,,-7091592,00.html


WEB SITE COMPLIANCE - This week begins our series on the Federal Financial Institutions Examination Council Guidance on Electronic Financial Services and Consumer Compliance.

Electronic Fund Transfer Act, Regulation E  (Part 1 of 2)

Generally, when on-line banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply. A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep. An interim rule issued on March 20, 1998 allows depository institutions to satisfy the requirement to deliver any of these disclosures, and other information required by the act and regulation, by electronic communication, as long as the consumer agrees to that method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures. Although not specifically mentioned in the commentary, this applies to all new banking services, including electronic financial services.


INFORMATION TECHNOLOGY SECURITY
We continue the series from the FDIC "Security Risks Associated with the Internet."

Product Certification and Security Scanning Products

Several organizations exist which independently assess and certify the adequacy of firewalls and other computer system related products. Typically, certified products have been tested for their ability to permit and sustain business functions while protecting against both common and evolving attacks.

Security scanning tools should be run frequently by system administrators to identify any new vulnerabilities or changes in the system. Ideally, the scan should be run both with and without the firewall in place so the firewall's protective capabilities can be fully evaluated. Identifying the susceptibility of the system without the firewall is useful for determining contingency procedures should the firewall ever go down. Some scanning tools are offered in several versions that differ in how intrusive their attack attempts are.
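As an added illustration (not part of the FDIC text), the following Python compares two scan reports of the same host, one taken with the firewall bypassed (for example, scanned from inside the perimeter) and one taken through it, and lists which services the firewall is actually shielding and which stay exposed either way. The two reports are constructed by hand in nmap's "PORT STATE SERVICE" layout; the host, ports and services are invented for the example.

```python
"""Compare scan results taken with and without the firewall in place.

Added example, not part of the FDIC guidance: two constructed port-scan
reports (nmap-style "PORT STATE SERVICE" lines, hand-written here) are
parsed and diffed to show which services the firewall shields and which
remain reachable even with it up.
"""
import re

# Constructed sample output. WITHOUT_FW is a scan of the host with the
# firewall bypassed; WITH_FW is the same host scanned through the firewall.
WITHOUT_FW = """\
PORT      STATE SERVICE
22/tcp    open  ssh
25/tcp    open  smtp
80/tcp    open  http
443/tcp   open  https
1433/tcp  open  ms-sql-s
3389/tcp  open  ms-wbt-server
"""

WITH_FW = """\
PORT      STATE    SERVICE
22/tcp    filtered ssh
25/tcp    open     smtp
80/tcp    open     http
443/tcp   open     https
1433/tcp  filtered ms-sql-s
3389/tcp  filtered ms-wbt-server
"""

# One report line: "<port>/<proto>  <state>  <service>"; the header line
# ("PORT STATE SERVICE") does not match and is skipped.
LINE_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)")


def parse_scan(text):
    """Return {(port, proto): (state, service)} from nmap-style report lines."""
    result = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            port, proto, state, service = m.groups()
            result[(int(port), proto)] = (state, service)
    return result


def compare_scans(without_fw, with_fw):
    """Classify every port that is open when the firewall is bypassed.

    'shielded': open on the host but filtered/closed/unseen through the
                firewall, so it is protected only as long as the firewall is up
    'exposed' : open both ways, so the firewall adds nothing for this service
    """
    inside = parse_scan(without_fw)
    outside = parse_scan(with_fw)
    shielded, exposed = [], []
    for key, (state, service) in sorted(inside.items()):
        if state != "open":
            continue
        outside_state = outside.get(key, ("unseen", service))[0]
        entry = (key[0], key[1], service)
        if outside_state == "open":
            exposed.append(entry)
        else:
            shielded.append(entry)
    return {"shielded": shielded, "exposed": exposed}


def contingency_report(result):
    """Action lines for the 'firewall goes down' contingency plan."""
    lines = []
    for port, proto, service in result["shielded"]:
        lines.append(f"{port}/{proto} ({service}): reachable only if the firewall fails; "
                     "needs a host-level control (host firewall, ACL, or disable the service)")
    for port, proto, service in result["exposed"]:
        lines.append(f"{port}/{proto} ({service}): Internet-facing by design; "
                     "must be patched and monitored regardless of the firewall")
    return lines


if __name__ == "__main__":
    for line in contingency_report(compare_scans(WITHOUT_FW, WITH_FW)):
        print(line)
```

With the constructed reports, ssh, MS SQL and Remote Desktop come out as "shielded" (the firewall is the only thing between them and the Internet) while smtp, http and https are "exposed" (the firewall is deliberately passing them). The first group is what the contingency procedure has to cover; the second group needs host hardening whether or not the firewall is up.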


IT SECURITY QUESTION: Network user access controls (Part 1 of 2)

a. Is there a written procedure for password administration?
b. If a username is required, does the system automatically enter the username?
c. Is the password length six or greater?
d. Is the use of proper nouns and dictionary words discouraged?
e. Is the password required to include upper and lower case letters, special characters, and numbers?
f. Are passwords required to be changed at least every 30 days?
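An added example, not part of the newsletter's checklist: a small Python check that applies items c through f to a proposed password and its last-change date. The thresholds (six characters, all four character classes, a 30-day maximum age) are the ones the questions ask about; the dictionary and proper-noun lists are short constructed stand-ins for a real word list, and undoing common symbol-for-letter substitutions ("P@ssw0rd") is an assumption that goes beyond the checklist's wording.

```python
"""Check a password and its age against checklist items c-f above.

Added example, not from the newsletter. Thresholds are the checklist's
(minimum length 6, upper + lower + digit + special, change every 30 days).
The word lists below are constructed stand-ins for a real dictionary and
proper-noun list; a production check would load a full word list.
"""
import string
from datetime import date

MIN_LENGTH = 6
MAX_AGE_DAYS = 30

# Constructed stand-ins for a real dictionary / proper-noun list.
DICTIONARY_WORDS = {"password", "welcome", "summer", "bank", "money", "letmein"}
PROPER_NOUNS = {"lubbock", "texas", "yennik", "monday", "january"}

# Assumption beyond the checklist: users hide words behind look-alike
# symbols, so the check also looks at the password with those undone.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "!": "i"})


def normalize(password):
    """Lower-cased forms of the password, with and without leet undone."""
    lowered = password.lower()
    return {lowered, lowered.translate(LEET)}


def contains_listed_word(password, words, min_len=4):
    """True if any listed word of >= min_len characters appears in the password."""
    candidates = normalize(password)
    return any(w in c for w in words if len(w) >= min_len for c in candidates)


def check_password(password, last_changed, today):
    """Return the checklist items (c-f) the password fails; [] means it passes.

    last_changed and today are ISO dates ("2007-11-01") so a check can be
    replayed against a known date.
    """
    failures = []

    # c. length
    if len(password) < MIN_LENGTH:
        failures.append(f"c: shorter than {MIN_LENGTH} characters")

    # d. dictionary words and proper nouns
    if contains_listed_word(password, DICTIONARY_WORDS):
        failures.append("d: contains a dictionary word")
    if contains_listed_word(password, PROPER_NOUNS):
        failures.append("d: contains a proper noun")

    # e. character classes
    classes = {
        "upper": any(ch.isupper() for ch in password),
        "lower": any(ch.islower() for ch in password),
        "digit": any(ch.isdigit() for ch in password),
        "special": any(ch in string.punctuation for ch in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        failures.append("e: missing " + ", ".join(missing))

    # f. maximum age
    age = (date.fromisoformat(today) - date.fromisoformat(last_changed)).days
    if age > MAX_AGE_DAYS:
        failures.append(f"f: {age} days since last change (limit {MAX_AGE_DAYS})")

    return failures


if __name__ == "__main__":
    for pw, changed in [("P@ssw0rd1", "2007-11-01"), ("Tx7#kq9Lm", "2007-11-20")]:
        print(pw, check_password(pw, changed, "2007-12-02") or "passes")
```

"P@ssw0rd1" satisfies the length and character-class items but still fails: once the symbols are mapped back to letters it is the dictionary word "password", and a last change on November 1 makes it 31 days old on the newsletter date. That is the point of item d alongside item e: class requirements alone do not stop a guessable word.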



INTERNET PRIVACY
- We continue our series listing the regulatory privacy examination questions. When you answer the question each week, you will help ensure compliance with the privacy regulations.


Initial Privacy Notice

5)  When the subsequent delivery of a privacy notice is permitted, does the institution provide notice after establishing a customer relationship within a reasonable time? [§4(e)]

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated