R. Kinney Williams & Associates®

Internet Banking News

May 30, 2004


FYI - Attacks on banks, insurance firms rise - Cyber attacks on IT systems of banks and insurance companies are on the rise worldwide, according to a survey by Deloitte Touche. 

FYI - Lack of desktop configuration standards hurting cybersecurity - The Office of Management and Budget and other federal agencies are falling short on meeting the most critical provision of the Federal Information Security Management Act, a security expert and Hill staff member said. 

FYI - Deloitte's annual Global Security Survey measures the state of IT security at the top global financial services firms - The survey reported that the majority of global financial institutions have had an external attack on their information technology systems within the last year and many of these breaches resulted in financial loss. But even with security attacks on the rise, the largest number of respondents (25%) reported flat security budget growth.  http://www.deloitte.com/dtt/research/0,2310,sid%253D1013%2526cid%253D48978,00.html

FYI - Business group calls on tech companies, users to secure cyberspace - The Business Roundtable (BRT), an association of CEOs of leading corporations, is calling on software companies and users to join together to secure cyberspace.   http://www.computerworld.com/printthis/2004/0,4814,93277,00.html

FYI - Third Country Hacker Uses Korean Computers to Hack U.S. Air Force Space Command - Korean police and their U.S. counterpart began a joint investigation as several computers of an army unit under the U.S. Air Force Space Command (SPACECOM) were hacked by an individual in a third country via a Korean firm's computers in mid-February.

FYI - FEA security layer due this summer - This will provide the opportunity for agencies to start thinking about security and privacy on Day One [of an IT project] versus thinking about it once you are into the later design phases.

FYI - Open season for phishing as attacks soar - Phishing activity has been growing at the rate of 75 percent a month since December, according to the Anti-Phishing Working Group.

FYI - Interagency Advisory - Federal Court Reaffirms Protections for Financial Institutions Filing Suspicious Activity Reports - This is an interagency advisory that discusses an important ruling about the confidentiality of Suspicious Activity Reports. www.ncua.gov/GuidesManuals/sar/InteragencyAdvisory05-25-04.pdf

FYI - Canadian online banking users fall victim to Trojan -  A Trojan horse may be responsible for an online banking scam that has cost at least two Winnipeg customers thousands of dollars.  http://computerworld.com/securitytopics/security/story/0,10801,93281,00.html

FYI - E-Mail Scammer Gets Four Years - An Internet scammer who used e-mail and a fraudulent Web site to steal hundreds of credit card numbers was sentenced to almost four years in jail Tuesday, one of the stiffest-ever penalties handed down for online fraud.  http://www.washingtonpost.com/ac2/wp-dyn/A37406-2004May18?language=printer

Guidance On Development And Acquisition Of Information Systems Released By Federal Financial Institution Regulators - The Federal Financial Institutions Examination Council today issued revised guidance for examiners, financial institutions, and technology service providers on the development, acquisition, and maintenance of information systems.
Press Release: www.ffiec.gov/press/pr052704.htm 
Press Release: www.ots.treas.gov/docs/77416.html 
Press Release: www.ncua.gov/news/press_releases/2004/JR04-0527.pdf


"Guidance on Safeguarding Customers Against E-Mail and Internet-Related Fraudulent Schemes" that was published March 12, 2004.

Responding to E-Mail and Internet-Related Fraudulent Schemes
Financial institutions should consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes. Enhancements may include:

- Incorporating notification procedures to alert customers of known e-mail and Internet-related fraudulent schemes and to caution them against responding;

- Establishing a process to notify Internet service providers, domain name-issuing companies, and law enforcement to shut down fraudulent Web sites and other Internet resources that may be used to facilitate phishing or other e-mail and Internet-related fraudulent schemes;

- Increasing suspicious activity monitoring and employing additional identity verification controls;

- Offering customers assistance when fraud is detected in connection with customer accounts;

- Notifying the proper authorities when e-mail and Internet-related fraudulent schemes are detected, including promptly notifying their FDIC Regional Office and the appropriate law enforcement agencies; and

- Filing a Suspicious Activity Report when incidents of e-mail and Internet-related fraudulent schemes are suspected.

Steps Financial Institutions Can Take to Mitigate Risks Associated With E-Mail and Internet-Related Fraudulent Schemes

To help mitigate the risks associated with e-mail and Internet-related fraudulent schemes, financial institutions should implement appropriate information security controls as described in the Federal Financial Institutions Examination Council's (FFIEC) "Information Security Booklet." Specific actions that should be considered to prevent and deter e-mail and Internet-related fraudulent schemes include:

- Improving authentication methods and procedures to protect against the risk of user ID and password theft from customers through e-mail and other frauds;

- Reviewing and, if necessary, enhancing practices for protecting confidential customer data;

- Maintaining current Web site certificates and describing how customers can authenticate the financial institution's Web pages by checking the properties on a secure Web page;

- Monitoring accounts individually or in aggregate for unusual account activity such as address or phone number changes, a large or high volume of transfers, and unusual customer service requests;

- Monitoring for fraudulent Web sites using variations of the financial institution's name;

- Establishing a toll-free number for customers to verify requests for confidential information or to report suspicious e-mail messages; and

- Training customer service staff to refer customer concerns regarding suspicious e-mail request activity to security staff.
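The account-monitoring item above names patterns (a contact-detail change followed by large transfers, a high volume of transfers) without showing how they are checked. The following is an added example, not part of the guidance or the newsletter, that runs two such rules over a constructed event log; the event fields, thresholds and the seven-day window are assumptions for illustration.

```python
from datetime import datetime, timedelta

# Constructed sample events (not real customer data). "type" is one of
# address_change, phone_change, transfer, service_request; ts is ISO 8601.
EVENTS = [
    {"acct": "1001", "ts": "2004-05-20T09:00", "type": "phone_change"},
    {"acct": "1001", "ts": "2004-05-21T10:15", "type": "transfer", "amount": 7500.0},
    {"acct": "1001", "ts": "2004-05-21T10:20", "type": "transfer", "amount": 2400.0},
    {"acct": "1002", "ts": "2004-05-10T08:00", "type": "address_change"},
    {"acct": "1002", "ts": "2004-05-28T12:00", "type": "transfer", "amount": 300.0},
    {"acct": "1003", "ts": "2004-05-22T14:00", "type": "transfer", "amount": 120.0},
    {"acct": "1003", "ts": "2004-05-22T14:05", "type": "transfer", "amount": 110.0},
    {"acct": "1003", "ts": "2004-05-22T14:09", "type": "transfer", "amount": 130.0},
    {"acct": "1003", "ts": "2004-05-22T14:12", "type": "transfer", "amount": 140.0},
]

CONTACT_CHANGES = {"address_change", "phone_change"}

def flag_accounts(events, window=timedelta(days=7), large=5000.0, burst=3):
    """Return {account: [reasons]} for accounts matching either rule:
    a large transfer within `window` after a contact-detail change, or
    `burst` or more transfers inside one hour (thresholds are assumed)."""
    by_acct = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        ev = dict(ev, ts=datetime.fromisoformat(ev["ts"]))
        by_acct.setdefault(ev["acct"], []).append(ev)
    flags = {}
    for acct, evs in by_acct.items():
        reasons = []
        changes = [e["ts"] for e in evs if e["type"] in CONTACT_CHANGES]
        transfers = [e for e in evs if e["type"] == "transfer"]
        for t in transfers:
            # Rule 1: large transfer shortly after an address/phone change
            if t["amount"] >= large and any(
                    timedelta(0) <= t["ts"] - c <= window for c in changes):
                reasons.append(f"large transfer {t['amount']:.2f} within "
                               f"{window.days}d of a contact-detail change")
                break
        for i in range(len(transfers) - burst + 1):
            # Rule 2: `burst` consecutive transfers inside one hour
            if transfers[i + burst - 1]["ts"] - transfers[i]["ts"] <= timedelta(hours=1):
                reasons.append(f"{burst}+ transfers within one hour")
                break
        if reasons:
            flags[acct] = reasons
    return flags
```

Account 1002 is not flagged: its transfer is small and falls outside the window, which is the kind of tuning decision each institution has to make for its own customer base.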


E-mail and Internet-related fraudulent schemes present a substantial risk to financial institutions and their customers. Financial institutions should consider developing programs to educate customers about e-mail and Internet-related fraudulent schemes and how to avoid them, consider enhancing incident response programs to address possible e-mail and Internet-related fraudulent schemes, and implement appropriate information security controls to help mitigate the risks associated with e-mail and Internet-related fraudulent schemes.


- We continue our series on the FFIEC interagency Information Security Booklet.  


Asymmetric encryption is the basis of PKI, or public key infrastructure. In theory, PKI allows two parties who do not know each other to authenticate each other and maintain the confidentiality, integrity, and accountability for their messages. PKI rests on both communicating parties having a public and a private key, and keeping their public keys registered with a third party they both trust, called the certificate authority, or CA. The use of and trust in the third party is a key element in the authentication that takes place. For example, assume individual A wants to communicate with individual B. A first hashes the message, and encrypts the hash with A's private key. Then A obtains B's public key from the CA, and encrypts the message and the hash with B's public key. Obtaining B's public key from the trusted CA provides A assurance that the public key really belongs to B and not someone else. Using B's public key ensures that the message will only be able to be read by B. When B receives the message, the process is reversed. B decrypts the message and hash with B's private key, obtains A's public key from the trusted CA, and decrypts the hash again using A's public key. At that point, B has the plain text of the message and the hash performed by A. To determine whether the message was changed in transit, B must re-perform the hashing of the message and compare the newly computed hash to the one sent by A. If the new hash is the same as the one sent by A, B knows that the message was not changed since the original hash was created (integrity). Since B obtained A's public key from the trusted CA and that key produced a matching hash, B is assured that the message came from A and not someone else (authentication).
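The A-to-B exchange described above, carried out in code as an added example (not from the booklet or the newsletter). It uses unpadded textbook RSA on fixed Mersenne primes purely so it runs offline; the key sizes, the dictionary standing in for the CA, and the message are assumptions, and no real system should use keys or a scheme like this.

```python
import hashlib

# Toy key material: fixed Mersenne primes (2**k - 1) so the example runs offline
# with no prime generation. Real keys use random primes of 2048+ bits and padded
# RSA or a modern signature scheme, never this unpadded "textbook" form.
E = 65537                                       # public exponent

def make_key(p, q):
    """Return ((n, e), (n, d)): textbook RSA public and private key."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (n, E), (n, pow(E, -1, phi))

def digest(message):
    # SHA-224 keeps the hash value below A's ~234-bit modulus (required by RSA).
    return int.from_bytes(hashlib.sha224(message).digest(), "big")

def send(message, sender_priv, recipient_pub):
    """A's side: hash, encrypt the hash with A's private key, then encrypt
    message and encrypted hash with B's public key (fetched from the CA)."""
    n_s, d_s = sender_priv
    n_r, e_r = recipient_pub
    signed_hash = pow(digest(message), d_s, n_s)
    m = int.from_bytes(message, "big")
    assert m < n_r and signed_hash < n_r, "plaintext must be below the modulus"
    return pow(m, e_r, n_r), pow(signed_hash, e_r, n_r)

def receive(ciphertext, recipient_priv, sender_pub):
    """B's side: decrypt both parts with B's private key, recover A's hash
    with A's public key (fetched from the CA), re-hash and compare."""
    n_r, d_r = recipient_priv
    n_s, e_s = sender_pub
    c_msg, c_hash = ciphertext
    m = pow(c_msg, d_r, n_r)
    message = m.to_bytes((m.bit_length() + 7) // 8, "big")
    claimed_hash = pow(pow(c_hash, d_r, n_r), e_s, n_s)
    return message, claimed_hash == digest(message)   # (plaintext, verified?)

ca_registry = {}   # trusted name -> public key store, standing in for the CA

def demo(message=b"Pay 500.00 to account 12345 (constructed sample)"):
    a_pub, a_priv = make_key(2**127 - 1, 2**107 - 1)   # ~234-bit modulus
    b_pub, b_priv = make_key(2**607 - 1, 2**89 - 1)    # ~696-bit modulus (> A's)
    ca_registry.update({"A": a_pub, "B": b_pub})
    plain, ok = receive(send(message, a_priv, ca_registry["B"]), b_priv, ca_registry["A"])
    # An impostor signing with a key the CA never registered as A's fails B's check.
    _, x_priv = make_key(2**521 - 1, 2**61 - 1)
    _, forged_ok = receive(send(message, x_priv, ca_registry["B"]), b_priv, ca_registry["A"])
    return plain, ok, forged_ok
```

The second half of demo() is the point of the CA: B checks the recovered hash against the key the CA holds for A, so a message signed by anyone else fails even though it decrypts cleanly.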

Various communication protocols use both symmetric and asymmetric encryption. Transaction layer security (TLS, the successor to SSL) uses asymmetric encryption for authentication, and symmetric encryption to protect the remainder of the communications session. TLS can be used to secure electronic banking and other transmissions between the institution and the customer. TLS may also be used to secure e-mail, telnet, and FTP sessions. A wireless version of TLS is called WTLS, for wireless transaction layer security.

Virtual Private Networks (VPNs) are used to provide employees, contractors, and customers remote access over the Internet to institution systems. VPN security is provided by authentication and authorization for the connection and the user, as well as encryption of the traffic between the institution and the user. While VPNs can exist between client systems, and between servers, the typical installation terminates the VPN connection at the institution firewall. VPNs can use many different protocols for their communications. Among the popular protocols are PPTP (point-to-point tunneling protocol), L2F, L2TP, and IPSec. VPNs can also use different authentication methods, and different components on the host systems. Implementations between vendors, and between products, may differ. Currently, the problems with VPN implementations generally involve interfacing a VPN with different aspects of the host systems, and reliance on passwords for authentication.

IPSec is a complex aggregation of protocols that together provide authentication and confidentiality services to individual IP packets. It can be used to create a VPN over the Internet or other untrusted network, or between any two computers on a trusted network. Since IPSec has many configuration options, and can provide authentication and encryption using different protocols, implementations between vendors and products may differ. Secure Shell (SSH) is frequently used for remote server administration. SSH establishes an encrypted tunnel between an SSH client and a server, and also provides authentication services.

Disk encryption is typically used to protect data in storage.




2. Determine if the institution includes in its terms and conditions of employment the employee’s responsibilities for information security.


- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

SUBPART C - Exception to Opt Out Requirements for Service Providers and Joint Marketing

47.  If the institution discloses nonpublic personal information to a nonaffiliated third party without permitting the consumer to opt out, do the opt out requirements of §7 and §10, and the revised notice requirements in §8, not apply because:

a.  the institution disclosed the information to a nonaffiliated third party who performs services for or functions on behalf of the institution (including joint marketing of financial products and services offered pursuant to a joint agreement as defined in paragraph (b) of §13); [§13(a)(1)]

b.  the institution has provided consumers with the initial notice; [§13(a)(1)(i)] and

c.  the institution has entered into a contract with that party prohibiting the party from disclosing or using the information except to carry out the purposes for which the information was disclosed, including use under an exception in §14 or §15 in the ordinary course of business to carry out those purposes? [§13(a)(1)(ii)]

IN CLOSING - Did you know that R. Kinney Williams & Associates performs intranet-internal penetration testing in addition to its popular external-Internet testing?  To keep your cost affordable, we install our pre-programmed scanner box on your network.  To maintain the independent testing required by the examiners, we control the scanner box programming and testing procedures.  For more information, please visit http://www.internetbankingaudits.com/internal_testing.htm or email Kinney Williams at examiner@yennik.com.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119



All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated