December 17, 2000
FYI - Charles Schwab's online customers are at risk of having their account information accessed and their accounts manipulated due to the same software vulnerability that affected ETrade's Web site in September.
INTERNET SECURITY FYI - Creditcards.com was the victim of an extortion attempt by a man accused of hacking into its site and exposing more than 55,000 credit card numbers, the company said Tuesday.
INTERNET SECURITY - We continue our review of the FDIC paper "Risk Assessment Tools and Practices or Information System Security."
A thorough and proactive risk assessment is the first step in establishing a sound security program. This is the ongoing process of evaluating threats and vulnerabilities, and establishing an appropriate risk management program to mitigate potential monetary losses and harm to an institution's reputation. Threats have the potential to harm an institution, while vulnerabilities are weaknesses that can be exploited.
The extent of the information security program should be commensurate with the degree of risk associated with the institution's systems, networks, and information assets. For example, compared to an information-only Web site, institutions offering transactional Internet banking activities are exposed to greater risks. Further, real-time funds transfers generally pose greater risks than delayed or batch-processed transactions because the items are processed immediately. The extent to which an institution contracts with third-party vendors will also affect the nature of the risk assessment program.
INTERNET COMPLIANCE - Disclosures/Notices (Partial)
Several regulations require disclosures and notices to be given at specified times during a financial transaction. For example, some regulations require that disclosures be given at the time an application form is provided to the consumer. In this situation, institutions will want to ensure that disclosures are given to the consumer along with any application form. Institutions may accomplish this through various means, one of which may be through the automatic presentation of disclosures with the application form.
Regulations that allow disclosures/notices to be delivered electronically and require institutions to deliver disclosures in a form the customer can keep have been the subject of questions regarding how institutions can ensure that the consumer can "keep" the disclosure. A consumer using certain electronic devices, such as Web TV, may not be able to print or download the disclosure. If feasible, a financial institution may wish to include in its on-line program the ability for consumers to give the financial institution a non-electronic address to which the disclosures can be mailed.
IN CLOSING - We will not publish the "Internet Banking News" over the Holidays. The next edition will be January 7, 2001. All of us (Diana, Kinney, and Paul) wish you a very happy Holiday season.