R. Kinney Williams & Associates

Internet Banking News

December 25, 2005

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing
Does your financial institution need an affordable Internet security penetration-vulnerability test?  Our clients in 41 states rely on VISTA to verify their IT security settings and to meet the independent diagnostic test requirements of the FDIC, OCC, OTS, FRB, and NCUA, which supports compliance with Gramm-Leach-Bliley Act section 501(b).  The VISTA penetration study and Internet security test is an affordable, sophisticated process that goes far beyond simple port scanning and takes a hacker's perspective, helping you identify real-world weaknesses.  For more information, give Kinney Williams a call today at 806-798-7119 or visit http://www.internetbankingaudits.com/.


 

FYI - Federal Bank and Thrift Regulatory Agencies Publish Guide to Help Financial Institutions Comply with Information Security Guidelines - The federal bank and thrift regulatory agencies today announced the publication of a compliance guide for the Interagency Guidelines Establishing Information Security Standards (Security Guidelines). The compliance guide summarizes the obligations of financial institutions to protect customer information and illustrates how certain provisions of the Security Guidelines apply to specific situations.
Press Release: www.federalreserve.gov/boarddocs/press/bcreg/2005/20051214/default.htm 
Press Release: www.fdic.gov/news/news/press/2005/pr12705.html 
Press Release: www.occ.treas.gov/toolkit/newsrelease.aspx?JNR=1&Doc=FCQ6KWX2.xml 
Press Release: www.ots.treas.gov/docs/7/77548.html 
Press Release: www.occ.treas.gov/ftp/bulletin/2005-44.txt 
Attachment: www.occ.treas.gov/ftp/bulletin/2005-44a.pdf 

FYI - NCUA - Letter to Credit Unions 05-CU-20 - Phishing Guidance for Credit Unions and Their Members. www.ncua.gov/letters/2005/CU/05-CU-20.pdf

FYI - IT Lessons Learned From the FBI - A recent GAO testimony highlights several best management practices organizations can follow when updating their IT systems. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5667

FYI - Fat-fingered typing costs a trader losses - Clumsy typing cost a Japanese bank at least £128 million, and its staff their Christmas bonuses, yesterday after a trader mistakenly sold 600,000 more shares than he should have. http://www.timesonline.co.uk/article/0,,3-1917093,00.html

FYI - Likelihood of fraud after security breach is surprisingly low, analysis finds - A computerized analysis of four data breaches that compromised personal information on some 500,000 people suggests the alarm that often accompanies electronic break-ins may be largely unwarranted.
http://www.signonsandiego.com/uniontrib/20051208/news_1b8identity.html
http://www.scmagazine.com/us/news/article/532650/?n=us

FYI - Terrorist groups lack the capability to launch a damaging Internet-based attack on the United States, and foreign governments are probably behind many online spying attempts, FBI officials said. http://news.zdnet.com/2102-1009_22-5986099.html?tag=printthis

FYI - Notification criticized for lack of information - The undated letter aggravated many recipients, though, because it provided no details about the breach and offered no specific recommendations on steps they could take to protect their personal banking and credit accounts. http://www.signonsandiego.com/news/business/20051203-9999-1b3breach.html

FYI - Business backup blues from storage survey - One third of businesses in Ireland and the UK have no backup and recovery procedures in place or don't adhere to the policies that they have, a new survey has revealed. http://www.siliconrepublic.com/news/news.nv?storyid=single5800

FYI - Security Breach Exposes Credit Cards - Mastercard, Visa alert customers whose personal data may have been released in Sam's Club glitch. Sam's Club, a division of Wal-Mart Stores, is investigating a security breach that has exposed credit card data belonging to an unspecified number of customers who purchased gas at the wholesaler's stations between September 21 and October 2. http://www.pcworld.com/news/article/0,aid,123919,tk,dn121405X,00.asp

FYI - Pen-sized Personal Computer - Photographs show a conceptual pen-sized personal computer system. http://www.snopes.com/photos/advertisements/pcpen.asp

FYI - 'High' risk in Symantec antivirus software flaw - Symantec's antivirus software contains a vulnerability that could be exploited by a malicious hacker to take control of a system, the company said. According to an advisory issued by Secunia, the bug affects most of Symantec's products, including enterprise and home user versions of Symantec AntiVirus, Symantec Norton AntiVirus and Symantec Norton Internet Security, across the Windows and Macintosh platforms. http://news.com.com/2102-1002_3-6004097.html?tag=st.util.print



WEB SITE COMPLIANCE - Electronic Fund Transfer Act, Regulation E (Part 1 of 2)

Generally, when online banking systems include electronic fund transfers that debit or credit a consumer's account, the requirements of the Electronic Fund Transfer Act and Regulation E apply.  A transaction involving stored value products is covered by Regulation E when the transaction accesses a consumer's account (such as when value is "loaded" onto the card from the consumer's deposit account at an electronic terminal or personal computer).

Financial institutions must provide disclosures that are clear and readily understandable, in writing, and in a form the consumer may keep.  An interim rule issued on March 20, 1998 allows depository institutions to satisfy the delivery requirement by sending any of these disclosures, and other information required by the act and regulations, by electronic communication, as long as the consumer agrees to that method of delivery.

Financial institutions must ensure that consumers who sign up for a new banking service are provided with disclosures for the new service if the service is subject to terms and conditions different from those described in the initial disclosures.  Although not specifically mentioned in the commentary, this applies to all new banking services including electronic financial services.

The Federal Reserve Board Official Staff Commentary (OSC) also clarifies that terminal receipts are unnecessary for transfers initiated online. Specifically, the OSC provides that, because the term "electronic terminal" excludes a telephone operated by a consumer, financial institutions need not provide a terminal receipt when a consumer initiates a transfer by a means analogous in function to a telephone, such as a personal computer or a facsimile machine.


INFORMATION TECHNOLOGY SECURITY

We continue our series on the FFIEC interagency Information Security Booklet.  

SECURITY CONTROLS - IMPLEMENTATION

LOGICAL AND ADMINISTRATIVE ACCESS CONTROL 

AUTHENTICATION

Action Summary - Financial institutions should use effective authentication methods appropriate to the level of risk. Steps include

1)  Selecting authentication mechanisms based on the risk associated with the particular application or services;
2)  Considering whether multi-factor authentication is appropriate for each application, taking into account that multi-factor authentication is increasingly necessary for many forms of electronic banking and electronic payment activities; and
3)  Encrypting the transmission and storage of authenticators (e.g., passwords, PINs, digital certificates, and biometric templates).

Authentication is the verification of identity by a system based on the presentation of unique credentials to that system. The unique credentials are in the form of something the user knows, something the user has, or something the user is. Those forms exist as shared secrets, tokens, or biometrics. More than one form can be used in any authentication process. Authentication that relies on more than one form is called multi-factor authentication and is generally stronger than any single authentication method. Authentication contributes to the confidentiality of data and to the accountability of actions performed on the system by verifying the unique identity of the system user.

Authentication is not identification as that term is used in the USA PATRIOT Act (31 U.S.C. 5318(l)). Authentication does not provide assurance that the initial identification of a system user is proper. Authentication only provides assurance that the user of the system is the same user that was initially identified. Procedures for the initial identification of a system user are beyond the scope of this booklet.
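The following Python is an added illustration of the two factors described above; it is not code from the newsletter or from the FFIEC booklet. It stores the "something you know" factor as a salted, iterated one-way hash (PBKDF2) rather than in recoverable form, which is what a practitioner should read into step 3 for passwords and PINs: a verifier that cannot be turned back into the password is safer than a reversibly encrypted copy. The "something you have" factor is a one-time code derived from a shared secret using the HMAC-based algorithm of RFC 4226 (HOTP) and its time-based variant in RFC 6238 (TOTP). The password, user record, shared secret and timestamps below are constructed sample inputs, and the iteration count is lowered so the example runs quickly; the published RFC 4226 test secret is used so the codes can be checked against the RFC's own vectors.

```python
import hashlib
import hmac
import os
import struct


def make_password_record(password: str, iterations: int = 600_000) -> dict:
    """Build a stored verifier for the 'something you know' factor.

    The stored value is a salted PBKDF2-HMAC-SHA256 digest, so a copy of the
    record does not reveal the password itself.  600k iterations is a sane
    default for SHA-256 today; callers can lower it for tests.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the verifier and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(candidate, record["hash"])


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % (10 ** digits):0{digits}d}"


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time: int, step: int = 30, window: int = 1) -> bool:
    """Accept the code for the current step and +/- `window` steps of clock skew."""
    for drift in range(-window, window + 1):
        expected = totp(secret, at_time + drift * step, step)
        if hmac.compare_digest(expected, code):
            return True
    return False


def authenticate(record: dict, otp_secret: bytes, password: str, code: str, at_time: int) -> bool:
    """Multi-factor check: both factors are evaluated before the result is returned,
    so a failed login does not reveal which factor was wrong.

    `record` and `otp_secret` are assumed to come from the user's stored profile;
    this example passes them in directly instead of reading a database.
    """
    password_ok = verify_password(record, password)
    otp_ok = verify_totp(otp_secret, code, at_time)
    return password_ok and otp_ok


if __name__ == "__main__":
    # Constructed sample inputs; the OTP secret is the RFC 4226 test secret.
    user_record = make_password_record("correct horse battery staple", iterations=1000)
    otp_secret = b"12345678901234567890"
    now = 59  # seconds since the epoch, chosen to match the RFC 6238 test vector
    print("code for this step:", totp(otp_secret, now))
    print("login ok:", authenticate(user_record, otp_secret,
                                    "correct horse battery staple",
                                    totp(otp_secret, now), now))
```

The skew window is deliberately small: each extra step accepted roughly doubles an attacker's chance of guessing a six-digit code, so it should be paired with rate limiting on failed attempts. Note also that the OTP shared secret, unlike the password, must be stored in recoverable form, because the server has to recompute the code; that is the case step 3's "encrypting ... storage of authenticators" is really about.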



IT SECURITY QUESTION:  B. NETWORK SECURITY

3. Evaluate controls over the management of remote equipment.

4. Determine if effective procedures and practices are in place to secure network services, utilities, and diagnostic ports, consistent with the overall risk assessment.


INTERNET PRIVACY - We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

The Exceptions

Exceptions to the opt-out right are detailed in sections 13, 14, and 15 of the regulations. Financial institutions need not comply with the opt-out requirements if they limit disclosure of nonpublic personal information:

1)  To a nonaffiliated third party to perform services for the financial institution or to function on its behalf, including marketing the institution's own products or services or those offered jointly by the institution and another financial institution. The exception is permitted only if the financial institution provides notice of these arrangements and by contract prohibits the third party from disclosing or using the information for other than the specified purposes. In a contract for a joint marketing agreement, the contract must provide that the parties to the agreement are jointly offering, sponsoring, or endorsing a financial product or service. However, if the service or function is covered by the exceptions in section 14 or 15 (discussed below), the financial institution does not have to comply with the additional disclosure and confidentiality requirements of section 13. Disclosure under this exception could include the outsourcing of marketing to an advertising company. (Section 13)

2)  As necessary to effect, administer, or enforce a transaction that a consumer requests or authorizes, or under certain other circumstances relating to existing relationships with customers. Disclosures under this exception could be in connection with the audit of credit information, administration of a rewards program, or to provide an account statement. (Section 14)

3)  For specified other disclosures that a financial institution normally makes, such as to protect against or prevent actual or potential fraud; to the financial institution's attorneys, accountants, and auditors; or to comply with applicable legal requirements, such as the disclosure of information to regulators. (Section 15)

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 

Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated