Internet Banking News
August 22, 1999
1) This has been an interesting week for Internet Banking. The Fed
approved banks delivering statements to customers over the Internet as long as the
customer agrees. The Industry Standard reported in a new study that approximately
one-third of U.S. online-bank customers discontinued their accounts during the past 12
months. First Union Corp., Chase Manhattan Corp. and Wells Fargo & Co. said they will
begin offering a test version of an online bill delivery and payment service to customers
next month but that the service will not be ready for their 60 million customers until
early next year.
2) INTERNET SECURITY - Host- Versus Network-Based Vulnerability Assessment Tools - As with
intrusion detection systems, which I will discuss in a future newsletter, there are
generally two types of vulnerability assessment tools: host-based and network-based.
Another category is sometimes used for products that assess vulnerabilities of specific
applications (application-based) on a host. A host is generally a single computer or
workstation that can be connected to a computer network. Host-based tools assess the
vulnerabilities of specific hosts. They usually reside on servers, but can be placed on
specific desktop computers, routers, or even firewalls.
FYI - As an auditor, I do not recommend products but I know of a couple of web sites
that provide an overview of several different products, services, and vendors available in
the marketplace. These sites provide good educational material about various facets of
information system technology. One point that should be emphasized when researching these
areas is that none of the respective products or services on the market today (or in the
future) provide a "silver bullet" to cure all system vulnerabilities. Rather, it
is the combination of a variety of tools and techniques that operate under the direction
of an information security program designed for the individual bank (and based on the
bank's risk assessment). Automated tools are only one option. Other options include manual
reviews, which may be performed by internal bank personnel or external specialists.
The two web sites that I would recommend for more detailed information on intrusion
detection systems, scanning tools and penetration tests are:
http://www.sans.org (the SANS Institute)
http://www.gocsi.com (the Computer Security Institute)
3) INTERNET COMPLIANCE - Fair Housing Act - A financial institution that advertises
on-line credit products that are subject to the Fair Housing Act must display the Equal
Housing Lender logotype and legend or other permissible disclosure of its
nondiscrimination policy if required by rules of the institution's regulator (OTS §528.4,
FDIC §338.3, NCUA §701.31, FRB Fair Housing Advertising and Poster Requirements, 54 Fed.
Reg. 11,567 (1989)).
I may not have brought this to your attention during my last web site audit, so please
review your real estate lending pages. It is strongly recommended that "The
bank makes loans without regard to race, color, religion, national origin, sex, handicap,
or familial status" appear on all lending web pages.
IN CONCLUSION - Within the past couple of weeks, the FDIC has changed some of its web
site URLs. It appears that the Year 2000 URLs stayed the same. I would recommend that you
review any links to FDIC that may be on your web site to be certain that the links