FYI -
The SANS Institute Internet Storm Center
issued an alert this week about pop-up ads designed to download a
program that keeps track of any time a PC user clicks to the log-in
page of 50 financial institutions worldwide. The program captures
log-in information and sends it to another Web site, before the bank
can encrypt the data.
http://www.bankwebsiteaudits.com/article070104USA.htm
FYI - Pop-up program reads
keystrokes, steals passwords - A malicious program that installs
itself through a pop-up can read keystrokes and steal passwords when
victims visit any of nearly 50 targeted banking sites, security
researchers warned. The targeted sites include major financial
institutions, such as Citibank, Barclays Bank and Deutsche Bank.
http://news.com.com/Pop-up+program+reads+keystrokes%2C+steals+passwords/2100-7349_3-5251981.html?tag=nefd.lede
FYI - NCUA - Recent Cyber
Attacks - This alert is intended to raise awareness of a number
of cyber attacks targeted at financial institutions. The attacks
have the potential to infect financial institution and consumer PCs,
and obtain name and password information, allowing unauthorized
access to financial accounts.
www.ncua.gov/FBIIC/Security/SA04-0702.pdf
FYI - Net Attack Aimed at Banking Data - Computer security
experts warned of another new Internet threat that can steal the
passwords and account information of people who bank online --
the second such discovery in a week.
http://news.yahoo.com/news?tmpl=story&cid=1804&u=/washpost/20040630/tc_washpost/a16023_2004jun29&printer=1
FYI - This advisory letter
highlights issues regarding bank electronic record systems in light
of the E-SIGN Act. 15 USC 7001, et seq. The letter provides a basic
framework that bank management can use to assess and address key
issues posed by electronic record keeping systems.
www.occ.treas.gov/ftp/advisory/2004-9.txt
FYI - Cybersecurity spending
projected to be flat in 2005 - Despite dire warnings about the
nation's ineffective cybersecurity, the federal government's
spending on information technology security will remain relatively
flat in fiscal 2005, according to a new study from a private IT
consulting firm.
http://www.govexec.com/story_page.cfm?articleid=28750&printerfriendlyVers=1&
FYI - Feds, Private Groups to
Educate Consumers About Phishing Scams - The federal government and
some of the nation's leading consumer organizations and financial
institutions today kicked off a campaign to educate consumers about
the growing threat posed by "phishing," a sophisticated form of
identity theft conducted via e-mail and counterfeit Web sites.
http://www.securityfocus.com/printable/news/8936
FYI - Industry groups want
changes in DHS interim rule - A financial services roundtable, BITS,
is pressing DHS to expand its definition of critical infrastructure
information. John Carlson, BITS senior director, said the critical
infrastructure information definition wouldn't protect information
such as a telecommunication company's switch location for a bank's
high-speed Internet connection.
http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci970920,00.html
FYI - Switches taking on new
security roles - Security innovations being built into switches are
attracting attention from buyers who not long ago focused primarily
on feeds and speeds.
http://www.nwfusion.com/news/2004/0614switchsecurity.html
FYI - Earthlink, Webroot Spot
Spyware All Over - Nearly one in three computers scanned by
EarthLink and Webroot in their second monthly SpyAudit were found
infected with a Trojan horse or system monitor planted by spyware,
the two companies said.
http://www.techweb.com/wire/story/TWB20040617S0008
FYI - Fraudulent Web Site www.occnetonline.com: Fraudulent Web site
purporting to be operated by the Office of the Comptroller of the
Currency.
www.occ.treas.gov/ftp/alert/2004-12.txt
INTERNET COMPLIANCE - We
continue our review of the FFIEC interagency statement on "Weblinking:
Identifying Risks and Risk Management Techniques."
B. RISK MANAGEMENT TECHNIQUES
Introduction
Management must effectively plan, implement, and monitor the
financial institution's weblinking relationships. This includes
situations in which the institution has a third-party service
provider create, arrange, or manage its website. There are several
methods of managing a financial institution's risk exposure from
third-party weblinking relationships. The methods adopted to manage
the risks of a particular link should be appropriate to the level of
risk presented by that link as discussed in the prior section.
Planning Weblinking Relationships
In general, a financial institution planning the use of weblinks
should review the types of products or services and the overall
website content made available to its customers through the
weblinks. Management should consider whether the links support the
institution's overall strategic plan. Tools useful in planning
weblinking relationships include:
1) due diligence with respect to third parties to which the
financial institution is considering links; and
2) written agreements with significant third parties.
INFORMATION SYSTEMS SECURITY - We continue our series on
the FFIEC interagency Information Security Booklet.
SYSTEMS DEVELOPMENT, ACQUISITION, AND MAINTENANCE -
SOFTWARE DEVELOPMENT AND ACQUISITION
Development and Support
Development and support activities should ensure that new software
and software changes do not compromise security. Financial
institutions should have an effective application and system change
control process for developing, implementing, and testing changes to
internally developed software and purchased software. Weak change
control procedures can corrupt applications and introduce new
security vulnerabilities. Change control considerations relating to
security include the following:
! Restricting changes to authorized users,
! Reviewing the impact changes will have on security controls,
! Identifying all system components that are impacted by the
changes,
! Ensuring the application or system owner has authorized changes in
advance,
! Maintaining strict version control of all software updates, and
! Maintaining an audit trail of all changes.
Changes to operating systems may degrade the efficiency and
effectiveness of applications that rely on the operating system for
interfaces to the network, other applications, or data. Generally,
management should implement an operating system change control
process similar to the change control process used for application
changes. In addition, management should review application systems
following operating system changes to protect against a potential
compromise of security or operational integrity.
When creating and maintaining software, separate software libraries
should be used to assist in enforcing access controls and
segregation of duties. Typically, separate libraries exist for
development, test, and production.
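The six change-control considerations and the separate development, test and production libraries described above can be enforced mechanically rather than by policy alone. The following is an added example, not code from the FFIEC booklet or from this newsletter: it models a change request, checks it against each consideration (authorized submitter, advance owner authorization, identified components, security-impact review, strictly increasing version), promotes accepted changes one library at a time, refuses to let the developer who submitted a change promote it (segregation of duties), and records every decision in an audit trail. All names, roles and version numbers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# The three separate libraries the booklet describes; promotion moves one step at a time.
LIBRARIES = ("development", "test", "production")


@dataclass
class ChangeRequest:
    change_id: str
    submitted_by: str                  # developer making the change
    owner_approval_by: Optional[str]   # application/system owner who authorized it in advance
    impacted_components: tuple         # every component the change touches
    security_impact_reviewed: bool     # reviewer confirmed the effect on security controls
    version: str                       # version this change produces, e.g. "1.1.0"


def parse_version(text: str) -> tuple:
    """Turn '1.10.2' into (1, 10, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


@dataclass
class ChangeControl:
    authorized_developers: set     # who may submit changes
    owners: set                    # who may authorize changes in advance
    release_managers: set          # who may move code between libraries
    # library name -> version installed there ("0" means the library is empty)
    installed: dict = field(default_factory=lambda: {lib: "0" for lib in LIBRARIES})
    audit_trail: list = field(default_factory=list)

    def _record(self, **entry) -> None:
        entry["at"] = datetime.now(timezone.utc).isoformat()
        self.audit_trail.append(entry)

    def validate(self, req: ChangeRequest) -> list:
        """Return every control failure for a request; an empty list means it passes."""
        failures = []
        if req.submitted_by not in self.authorized_developers:
            failures.append("submitter is not an authorized developer")
        if req.owner_approval_by not in self.owners:
            failures.append("no advance authorization from the application owner")
        if not req.impacted_components:
            failures.append("impacted components not identified")
        if not req.security_impact_reviewed:
            failures.append("impact on security controls not reviewed")
        if parse_version(req.version) <= parse_version(self.installed["development"]):
            failures.append("version does not increase over the development library")
        return failures

    def submit(self, req: ChangeRequest) -> bool:
        """Accept a change into the development library if every consideration is met."""
        failures = self.validate(req)
        self._record(action="submit", change=req.change_id, by=req.submitted_by,
                     result=failures or "accepted")
        if failures:
            return False
        self.installed["development"] = req.version
        return True

    def promote(self, req: ChangeRequest, to_library: str, promoted_by: str) -> bool:
        """Move req.version one library forward (development -> test -> production)."""
        idx = LIBRARIES.index(to_library)
        source = LIBRARIES[idx - 1] if idx > 0 else None
        failures = []
        if source is None:
            failures.append("changes enter development only through submit()")
        elif self.installed[source] != req.version:
            failures.append(f"{req.version} is not what is installed in {source}")
        if promoted_by not in self.release_managers:
            failures.append("promoter is not a release manager")
        if promoted_by == req.submitted_by:
            failures.append("segregation of duties: a developer may not promote their own change")
        if parse_version(req.version) <= parse_version(self.installed[to_library]):
            failures.append(f"version does not increase over {to_library}")
        self._record(action="promote", change=req.change_id, to=to_library,
                     by=promoted_by, result=failures or "accepted")
        if failures:
            return False
        self.installed[to_library] = req.version
        return True


def demo() -> dict:
    """Constructed walk-through: one compliant change and one that fails several controls."""
    cc = ChangeControl(authorized_developers={"alice"}, owners={"owner1"},
                       release_managers={"alice", "bob"})
    good = ChangeRequest("CR-1", "alice", "owner1", ("login-module",), True, "1.1.0")
    bad = ChangeRequest("CR-2", "mallory", None, (), False, "1.0.0")
    return {
        "bad_failures": cc.validate(bad),
        "good_submitted": cc.submit(good),
        "skip_test_library": cc.promote(good, "production", "bob"),   # must go through test first
        "self_promotion": cc.promote(good, "test", "alice"),          # alice submitted CR-1
        "to_test": cc.promote(good, "test", "bob"),
        "to_production": cc.promote(good, "production", "bob"),
        "installed": dict(cc.installed),
        "audit_entries": len(cc.audit_trail),
    }
```

Every accepted and rejected action lands in `audit_trail` with a timestamp, which is the record an examiner asks for; the version check is deliberately strict (greater than, not greater-or-equal) so a change cannot silently overwrite what is already in a library.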
IT SECURITY QUESTION:
G. APPLICATION SECURITY
1. Determine if operational software storage, program source, object
libraries and load modules are appropriately secured against
unauthorized access.
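One concrete way to answer that examination question on a Unix-style host is to walk the source, object and load-module libraries and flag anything that users other than the owner can write. This is an added example, not part of the examination procedure or of this newsletter: it builds a small constructed set of libraries in a temporary directory (with one world-writable load module and one world-writable object library planted on purpose), runs the permission scan over them, and removes them again. The library and file names are invented for the example.

```python
import os
import shutil
import stat
import tempfile

# Any write bit for group or other means someone besides the owner can alter the code.
WRITABLE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def find_weak_permissions(root: str) -> list:
    """Return (relative path, octal mode) for every file or directory under root
    that group or world can write. Directories matter as much as files: a
    writable directory lets anyone replace a module even if the module itself
    is read-only."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        candidates = [dirpath] + [os.path.join(dirpath, f) for f in filenames]
        for path in candidates:
            mode = os.lstat(path).st_mode
            if mode & WRITABLE_BY_OTHERS:
                findings.append((os.path.relpath(path, root), oct(stat.S_IMODE(mode))))
    return sorted(findings)


def build_sample_libraries() -> str:
    """Constructed sample: three program libraries, two of them deliberately weak."""
    root = tempfile.mkdtemp(prefix="proglib-")          # created 0700 by mkdtemp
    layout = {
        "source": {"TELLER.COB": 0o640},                # acceptable: owner rw, group r
        "object": {"TELLER.OBJ": 0o640},
        "load":   {"TELLER.LOAD": 0o666},               # weak: world-writable load module
    }
    for lib, files in layout.items():
        lib_path = os.path.join(root, lib)
        os.makedirs(lib_path)
        for name, mode in files.items():
            file_path = os.path.join(lib_path, name)
            with open(file_path, "w") as fh:
                fh.write("placeholder module body\n")
            os.chmod(file_path, mode)                   # chmod after write so umask cannot interfere
        os.chmod(lib_path, 0o750)
    os.chmod(os.path.join(root, "object"), 0o777)       # weak: anyone can drop in a new object
    return root


def audit_sample() -> list:
    """Build the sample, scan it, clean up, and return the findings."""
    root = build_sample_libraries()
    try:
        return find_weak_permissions(root)
    finally:
        shutil.rmtree(root)
```

On a real host you would point `find_weak_permissions` at the actual library paths and extend the mode test to whatever your standard demands (for example, no group write either, or a required owning group); the example keeps to the single question of whether someone other than the owner can modify the code.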
INTERNET PRIVACY - We continue our
series listing the regulatory-privacy examination questions. When
you answer the question each week, you will help ensure compliance
with the privacy regulations.
Definitions and Key Concepts
In discussing the duties and limitations imposed by the
regulations, a number of key concepts are used. These concepts
include "financial institution"; "nonpublic personal information";
"nonaffiliated third party"; the "opt out" right and the exceptions
to that right; and "consumer" and "customer." Each concept is
briefly discussed below. A more complete explanation of each appears
in the regulations.
Financial Institution:
A "financial institution" is any institution the business of
which is engaging in activities that are financial in nature or
incidental to such financial activities, as determined by section
4(k) of the Bank Holding Company Act of 1956. Financial institutions
can include banks, securities brokers and dealers, insurance
underwriters and agents, finance companies, mortgage bankers, and
travel agents.
Nonaffiliated Third Party:
A "nonaffiliated third party" is any person except a
financial institution's affiliate or a person employed jointly by a
financial institution and a company that is not the institution's
affiliate. An "affiliate" of a financial institution is any company
that controls, is controlled by, or is under common control with the
financial institution.
IN CLOSING - The FFIEC
interagency Internet guidelines require
financial institution web sites to comply with consumer compliance,
advertising, notifications, weblinking, and other federal
regulations. We have identified 17 federal regulations and over 130
issues that relate to an institution's web site. We also verify
weblinks for functionality and appropriateness. As a former bank
examiner with over 40 years' experience, we audit web sites following
the FFIEC Internet guidelines for financial institutions across the
country. Visit
http://www.bankwebsiteaudits.com and learn how we can assist
Yennik, Inc.