R. Kinney Williams & Associates

Internet Banking News

December 24, 2006

Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to ensure their IT security settings, as well as meeting the independent diagnostic test requirements of FDIC, OCC, OTS, FRB, and NCUA, which provides compliance with Gramm-Leach-Bliley Act 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond the simple scanning of ports and focuses on a hacker's perspective, which will help you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.

FYI - Disabled deprived of access to many top Web sites - Many Web sites around the world are beyond the reach of disabled persons but could easily be improved to meet international accessibility standards, a survey commissioned by the United Nations found on Tuesday. http://news.com.com/2102-1032_3-6141241.html?tag=st.util.print

FYI - In Korea - Insurance Covers Financial Losses From Hacking - Financial service providers will be required to insure customers' accounts to cover financial damage caused by hackers and financial accidents beginning next month, the Financial Supervisory Service (FSS). http://times.hankooki.com/lpage/biz/200612/kt2006120519175511870.htm

FYI - In the UK - Banks hiding online fraud, say police - Banks and other financial institutions are deliberately failing to report incidents of online fraud to the police, possibly because they are worried about the potential damage to their reputations, a senior police officer said. http://money.guardian.co.uk/news_/story/0,,1964117,00.html

FYI - ATM system called unsafe - A U.S. Secret Service memo obtained by MSNBC.com indicates that organized criminals are systematically attempting to subvert the ATM system and unscramble encrypted PIN codes. Researchers who work for an Israeli computer security company say they have discovered a fundamental weakness in the system that banks use to keep debit card PIN codes secret while they are transported across bank networks - a flaw that they say could undermine the entire debit card system. http://redtape.msnbc.com/2006/11/researchers_who.html

FYI - Student hacked into computers, police say - A student hacked into computers of four UW-Whitewater staffers, gaining access to sensitive information such as passwords, student disciplinary discussions and exam answers, according to a criminal complaint. According to the complaint, Mraz installed "Keylogger" software onto at least four computers by downloading it from his university-issued flash drive, a portable data storage device. http://www.gazetteextra.com/mraz120506.asp

FYI - BITS and the American Bankers Association jointly released the "BITS/ABA Key Considerations for Responding to Unauthorized Access to Sensitive Customer Information." http://www.bitsinfo.org/downloads/Publications%20Page/BITSABADBNov06.pdf

FYI - Computer Hacking Results In Armed Police Raid - A Denver woman who didn't have adequate security on her home computer paid the price. http://www.thedenverchannel.com/news/10486347/detail.html

FYI - Cingular turns cell phones into wallets in N.Y. trial - Some Cingular Wireless cardholders in New York City will be testing a new service that allows them to make purchases with their cell phones. The mobile operator said Thursday that it's teaming with cell phone maker Nokia and financial institutions Citigroup and MasterCard Worldwide to trial new phones that have MasterCard PayPass contactless payment capability. http://msn-cnet.com.com/2102-1039_3-6143975.html?tag=st.util.print

MISSING COMPUTERS/DATA


FYI - Computer Stolen from 130th Airlift Wing in Charleston - Theft prompts Army National Guard unit to send out identity theft warnings across the state. A laptop computer with personal information about every member of West Virginia's Army National Guard 130th Airlift Wing in Charleston recently was stolen. http://wowktv.com/story.cfm?func=viewstory&storyid=17093

WEB SITE COMPLIANCE - TRUTH IN SAVINGS ACT (REG DD)

Financial institutions that advertise deposit products and services on-line must verify that proper advertising disclosures are made in accordance with all provisions of the regulations. Institutions should note that the disclosure exemption for electronic media does not specifically address commercial messages made through an institution's web site or other on-line banking system. Accordingly, adherence to all of the advertising disclosure requirements is required.

Advertisements should be monitored for recency, accuracy, and compliance. Financial institutions should also refer to OSC regulations if the institution's deposit rates appear on third party web sites or as part of a rate sheet summary. These types of messages are not considered advertisements unless the depository institution, or a deposit broker offering accounts at the institution, pays a fee for or otherwise controls the publication.

Disclosures generally are required to be in writing and in a form that the consumer can keep. Until the regulation has been reviewed and changed, if necessary, to allow electronic delivery of disclosures, an institution that wishes to deliver disclosures electronically to consumers would supplement electronic disclosures with paper disclosures.


INFORMATION TECHNOLOGY SECURITY - We continue our series on the FFIEC interagency Information Security Booklet.


PERSONNEL SECURITY

Security personnel allow legitimate users to have system access necessary to perform their duties. Because of their internal access levels and intimate knowledge of financial institution processes, authorized users pose a potential threat to systems and data. Employees, contractors, or third-party employees can exploit their legitimate computer access for malicious, fraudulent, or economic reasons. Additionally, the degree of internal access granted to some users increases the risk of accidental damage or loss of information and systems. Risk exposures from internal users include:

- Altering data,
- Deleting production and backup data,
- Crashing systems,
- Destroying systems,
- Misusing systems for personal gain or to damage the institution,
- Holding data hostage, and
- Stealing strategic or customer data for corporate espionage or fraud schemes.

BACKGROUND CHECKS AND SCREENING

Financial institutions should verify job application information on all new employees. The sensitivity of a particular job or access level may warrant additional criminal background and credit checks. Institutions should verify that contractors are subject to similar screening procedures. Typically, the minimum verification considerations include:

- Character references;
- Confirmation of prior experience, academic record, and professional qualifications; and
- Confirmation of identity from government issued identification.

After employment, managers should remain alert to changes in employees' personal circumstances that could increase incentives for system misuse or fraud.



IT SECURITY QUESTION:   
APPLICATION SECURITY

6. Determine whether appropriate warning banners are displayed when applications are accessed.

7. Determine whether appropriate logs are maintained and available to support incident detection and response efforts.



INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

33. Except as permitted by §§13-15, does the institution refrain from disclosing any nonpublic personal information about a consumer to a nonaffiliated third party, other than as described in the initial privacy notice provided to the consumer, unless:

a. the institution has provided the consumer with a clear and conspicuous revised notice that accurately describes the institution's privacy policies and practices; [§8(a)(1)]

b. the institution has provided the consumer with a new opt out notice; [§8(a)(2)]

c. the institution has given the consumer a reasonable opportunity to opt out of the disclosure, before disclosing any information; [§8(a)(3)] and

d. the consumer has not opted out? [§8(a)(4)]

NETWORK SECURITY TESTING - IT examination guidelines require financial institutions to annually conduct an independent internal-network penetration test.  With the Gramm-Leach-Bliley and the regulator's IT security concerns, it is imperative to take a professional auditor's approach to annually testing your internal connections to your network.  For more information about our independent-internal testing, please visit http://www.internetbankingaudits.com/internal_testing.htm.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated