Yennik, Inc.®

Internet Banking News
Brought to you by Yennik, Inc., the acknowledged leader in Internet auditing for financial institutions.

December 16, 2007

CONTENT
Internet Compliance
Information Systems Security
IT Security Question
Internet Privacy
Website for Penetration Testing
Does your financial institution need an affordable Internet security audit?  Yennik, Inc. has clients in 42 states that rely on our penetration testing audits to ensure proper Internet security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act section 501(b).  The penetration audit and Internet security testing is an affordable, sophisticated process that goes far beyond simple port scanning.  The audit takes a hacker's perspective, which helps you identify real-world weaknesses.  For more information, call R. Kinney Williams today at 806-798-7119 or visit

Risk Management Program Revised IT Officer's Questionnaire - The FDIC has updated its risk-focused Information Technology examination procedures for FDIC-supervised financial institutions.

FYI - Visa fines Ohio bank in TJX data breach - Fifth Third Bancorp, the Ohio bank that was fined $880,000 by Visa for its role in the customer data security breach at TJX Cos., the largest ever, also paid fines and compensation totaling $1.4 million following the loss of data from BJ's Wholesale Club Inc. several years ago, a court filing shows.

FYI - Insider charged with hacking California canal system - A man has been charged with hacking a computer used to control water canals in California. A former employee of a small California canal system has been charged with installing unauthorized software and damaging the computer used to divert water from the Sacramento River.

FYI - Should IT security workers become professionals? - Lawyers, doctors and engineers are professionals. Now, with public confidence in IT ebbing as data thefts dominate headlines, it's time for security workers to debate becoming a self-managing group.

FYI - Visa and TJX Agree to Provide U.S. Issuers up to $40.9 Million for Data Breach Claims - U.S. Visa Issuers Eligible to Participate in Speedy, Alternative Recovery Program - Visa Inc. announced today it has negotiated an agreement with The TJX Companies, Inc. (TJX) and its U.S. acquirer to offer an alternative recovery program to U.S. issuers that may have been affected by the retailer's previously announced unauthorized computer intrusion(s).

FYI - Hackers Launch Cyber Attack on Federal Lab - Oak Ridge National Laboratory Says Breach Could Have Compromised Visitor Information - A "sophisticated cyber attack" has been detected at Oak Ridge National Laboratory over the last several weeks that may have compromised the personal information of thousands of visitors to the lab, according to a communiqué sent to employees.


FYI - 30,000 Dutch Telsell customers' credit card details stolen from Telsell computers - Telsell claims it is not responsible - Customers of the television-sales organization TelSell can not only tele-shop while relaxing in their easy chair, they also have a good chance of being robbed while in that same chair.

FYI - Tesco online store 'is infiltrated by insider card fraudster' - Customers shopping at Britain's biggest Internet store, Tesco Direct, are feared to have had their card details stolen by a company insider.

FYI - Massachusetts Data Breach Puts Seniors at Risk - Compromise of the state's insurance program could expose 150,000 residents to identity theft. The state of Massachusetts is warning 150,000 members of its Prescription Advantage insurance program that their personal information may have been snatched by an identity thief.


Equal Credit Opportunity Act (Regulation B)

The regulation clarifies the rules on taking credit applications by specifying that application information entered directly into and retained by a computerized system qualifies as a written application under this section. If an institution makes credit application forms available through its on-line system, it must ensure that the forms satisfy the requirements.

The regulations also clarify the regulatory requirements that apply when an institution takes loan applications through electronic media. If an applicant applies through an electronic medium (for example, the Internet or a facsimile) without video capability that allows employees of the institution to see the applicant, the institution may treat the application as if it were received by mail.


We continue the series from the FDIC paper "Security Risks Associated with the Internet."

Logical Access Controls (Part 2 of 2)


Tokens

Token technology relies on a separate physical device, retained by the individual, to verify the user's identity. The token resembles a small hand-held card or calculator and is used to generate passwords. The device is usually synchronized with security software on the host computer, for example through an internal clock or an identical time-based mathematical algorithm, so that both sides compute the same value. Tokens are well suited to one-time password generation and access control. A separate PIN is typically required to activate the token.
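The time-synchronized token described above can be modelled in a few dozen lines. The following is an added example, not FDIC text and not any vendor's token firmware. It derives one-time codes from a shared secret and a 30-second time counter with HMAC-SHA1, accepts one step of clock drift on either side, and refuses to accept a counter that has already been used, so a captured code cannot be replayed inside its window. The secret, the PIN and the time values are constructed for the demonstration; the PIN is checked on the host together with the code here, whereas a hardware token may instead check the PIN locally before it will display anything.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo secret shared by the token and the host. A real deployment
# provisions a random per-token secret at enrolment (assumption for this example).
SHARED_SECRET = b"0123456789abcdef0123"
TIME_STEP = 30      # seconds each code stays current, i.e. the token's clock tick
DIGITS = 6
DRIFT_WINDOW = 1    # also accept the code one step before/after to absorb clock skew
HOST_PIN = "1234"   # constructed PIN; a real host stores a hash, never the clear value


def time_counter(unix_time, step=TIME_STEP):
    """Turn wall-clock time into the counter both sides feed to the HMAC."""
    return int(unix_time) // step


def generate_otp(secret, counter, digits=DIGITS):
    """One-time password for a counter value (HMAC-SHA1 with dynamic truncation)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_otp(secret, submitted, unix_time, last_counter_used=None, window=DRIFT_WINDOW):
    """Return the counter the submitted code matches, or None.

    Counters at or below last_counter_used are never accepted again, so a code
    captured in transit cannot be replayed inside its validity window.
    """
    if not (submitted.isdigit() and len(submitted) == DIGITS):
        return None
    base = time_counter(unix_time)
    for delta in range(-window, window + 1):
        counter = base + delta
        if last_counter_used is not None and counter <= last_counter_used:
            continue
        if hmac.compare_digest(generate_otp(secret, counter), submitted):
            return counter
    return None


def authenticate(pin, submitted_code, unix_time, state):
    """Two factors checked at the host: the PIN (something known) and the token code (something held).

    `state` is a per-user dict that remembers the last counter accepted.
    """
    if not hmac.compare_digest(pin, HOST_PIN):
        return False
    counter = verify_otp(SHARED_SECRET, submitted_code, unix_time, state.get("last_counter"))
    if counter is None:
        return False
    state["last_counter"] = counter
    return True


if __name__ == "__main__":
    now = time.time()
    code = generate_otp(SHARED_SECRET, time_counter(now))   # what the token display shows
    session = {}
    print("token shows", code, "->", authenticate("1234", code, now, session))
    print("same code again ->", authenticate("1234", code, now, session))  # replay refused
```

The drift window is the operational trade-off the paragraph hints at: a wider window tolerates more clock skew between token and host but lengthens the interval during which a captured code is usable, which is why the accepted counter is recorded and never honoured twice.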

Smart Cards

Smart cards resemble credit cards or other traditional magnetic-stripe cards, but contain an embedded computer chip. The chip includes a processor, an operating system, and both read-only memory (ROM) and random-access memory (RAM). They can be used to generate one-time passwords when prompted by a host computer, or to carry cryptographic keys. A smart card reader is required for their use.


Biometrics

Biometrics involves identifying and verifying an individual based on a physical characteristic, such as a fingerprint, hand geometry, or a retina scan. This technology is advancing rapidly and offers an alternative means of authenticating a user.


IT SECURITY QUESTION:  Core application user access controls: (Part 1 of 2)

a. Is there a written procedure for password administration?
b. If a username is required, does the system automatically enter the username?
c. Is the password length six or greater?
d. Is the use of proper nouns and dictionary words discouraged?
e. Is the password required to include upper and lower case letters, special characters, and numbers?
f. Are passwords required to be changed at least every 30 days?
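Questions c through f above describe a password policy that can be enforced mechanically rather than left to procedure. The following is an added example, not part of the questionnaire, that turns those four questions into a checker: minimum length, mixed case, digits and special characters, a rotation age, and a dictionary test that first strips the trailing digits and symbols and undoes common letter-for-symbol substitutions, so that "P@ssw0rd1!" is still recognised as "password". The word list, thresholds and dates are constructed for the demonstration; the thresholds are the questionnaire's own and are parameters an institution can tighten.

```python
import datetime
import re

# Policy thresholds taken from the questionnaire; tighten as local policy requires.
MIN_LENGTH = 6
MAX_AGE_DAYS = 30

# Constructed mini word list standing in for a real dictionary file (assumption).
DICTIONARY = {"password", "welcome", "banker", "lubbock", "summer", "letmein"}

# Substitutions attackers already try, so "P@ssw0rd" is treated as "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def dictionary_hit(password):
    """Return the dictionary word the password is built from, or None."""
    lowered = password.lower()
    candidates = {
        lowered,
        lowered.translate(LEET),
        # drop leading/trailing digits or symbols ("password1!" -> "password"), then un-leet
        re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered).translate(LEET),
    }
    for word in DICTIONARY:
        if word in candidates:
            return word
    return None


def check_complexity(password):
    """List of policy violations for a candidate password; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no special character")
    word = dictionary_hit(password)
    if word:
        problems.append(f"based on dictionary word '{word}'")
    return problems


def password_expired(last_changed, today, max_age_days=MAX_AGE_DAYS):
    """True when a password (ISO dates) is due for rotation under the 30-day rule."""
    changed = datetime.date.fromisoformat(last_changed)
    now = datetime.date.fromisoformat(today)
    return (now - changed).days >= max_age_days


if __name__ == "__main__":
    for candidate in ("P@ssw0rd1!", "Kx7#qLm2!v", "abc"):
        print(candidate, "->", check_complexity(candidate) or "ok")
    print("changed 2007-11-01, expired on 2007-12-16?", password_expired("2007-11-01", "2007-12-16"))
```

The checker is deliberately applied at password-change time on the host rather than left to a written procedure alone (question a), which is the only way question d's "discouraged" becomes enforceable.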


We continue our series listing the regulatory privacy examination questions.  Answering the question each week will help ensure compliance with the privacy regulations.

Initial Privacy Notice

6. Does the institution provide an annual privacy notice to each customer whose loan the institution owns the right to service? [§§5(c), 4(c)(2)]


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated