R. Kinney Williams & Associates®

Internet Banking News

November 14, 2004
With more than 40 years of auditing only financial institutions, my experience in testing your Internet connection for vulnerabilities and understanding your IT operation is unmatched.  Visit http://www.internetbankingaudits.com/ for more detailed information.

CONTENTS
- Internet Compliance
- Information Systems Security
- IT Security Question
- Internet Privacy
- Website for Penetration Testing


FYI - The Latest Tool in Competition: Hacking - Your competitor has a wildly successful Web-based tool which is being used by many of your customers. Do you (A) give up and get out of the business; (B) set up a team of product developers to make a competing product; or (C) hack into the competitor's website, steal the code, and for good measure hire their critical employees to develop an exact duplicate of their website. If you answered (C) then congratulations and welcome to the new world of competitive hacking. http://www.securityfocus.com/printable/columnists/273

FYI - Secret Service busts online organized crime ring - In what it called an "Information Age undercover investigation," the U.S. Secret Service today announced that it has arrested 28 people from eight U.S. states and six countries allegedly involved in a global organized cybercrime ring. http://www.computerworld.com/printthis/2004/0,4814,97017,00.html

FYI - QuickTime, RealPlayer spools broken by critical bugs - Two of the three most popular media players on the market have highly critical bugs that could allow remote system control by a hacker. http://security.itworld.com/4345/041028mediabug/pfindex.html

FYI - Wells Fargo computers stolen - Identity thieves may have obtained sensitive information about thousands of Wells Fargo mortgage and student loan customers, after four computers containing customer account numbers and Social Security numbers were stolen last month.
http://news.com.com/Wells+Fargo+computers+stolen/2100-1029_3-5437481.html

FYI - Sloppy laptop security leaves European firms open to legal and commercial risks - Sloppy mobile device security is leaving European businesses and their employees open to legal, commercial and financial damage, newly published research has claimed. http://www.scmagazine.com/news/index.cfm?fuseaction=newsDetails&newsUID=dd9ddf8d-f59c-44c0-a95b-57d4932d5e0e&newsType=Latest%20News


FYI - Trojan horse spies on Web banking - Security experts say they've discovered a Trojan horse that records e-banking user details and Web surfing habits. Antivirus company Sophos is warning that the Banker-AJ Trojan is targeting online customers of British banks such as Abbey, Barclays, Egg, HSBC, Lloyds TSB, Nationwide and NatWest. The Trojan affects computers running Microsoft Windows.
http://news.com.com/Trojan+horse+spies+on+Web+banking/2100-7349_3-5448622.html?tag=nefd.top


FYI - The Cost of Security Training - It has been said before that the cost of IT training for those of us in the computer security industry is really quite high. After all, there is not only the cost of the course itself, but also the associated costs of hotels, food, and rental vehicles if the course is out of town. This quickly adds up to a rather tidy sum for managers trying to maximize their often decreasing budgets. But have those same managers considered what is the cost of not providing training to their staff? http://www.securityfocus.com/printable/columnists/275


INTERNET COMPLIANCE -
The Role Of Consumer Compliance In Developing And Implementing Electronic Services from FDIC:

When violations of the consumer protection laws regarding a financial institution's electronic services have been cited, generally the compliance officer has not been involved in the development and implementation of the electronic services.  Therefore, it is suggested that management and system designers consult with the compliance officer during the development and implementation stages in order to minimize compliance risk.  The compliance officer should ensure that the proper controls are incorporated into the system so that all relevant compliance issues are fully addressed.  This level of involvement will help decrease an institution's compliance risk and may prevent the need to delay deployment or redesign programs that do not meet regulatory requirements.

The compliance officer should develop a compliance risk profile as a component of the institution's online banking business and/or technology plan.  This profile will establish a framework from which the compliance officer and technology staff can discuss specific technical elements that should be incorporated into the system to ensure that the online system meets regulatory requirements.  For example, the compliance officer may communicate with the technology staff about whether compliance disclosures/notices on a web site should be indicated or delivered by the use of "pointers" or "hotlinks" to ensure that required disclosures are presented to the consumer.  The compliance officer can also be an ongoing resource to test the system for regulatory compliance.



INFORMATION SYSTEMS SECURITY
- We continue our series on the FFIEC interagency Information Security Booklet.  

INTRUSION DETECTION AND RESPONSE

Operational Anomalies


Operational anomalies may be evidence of a broad number of issues, one of which is potential intrusion. Anomalies that act as intrusion-warning indicators fall into two categories: those apparent in system processing, and those apparent outside the system.

System processing anomalies are evident in system logs and system behavior. Good identification involves pre-establishing which system processing data streams will be monitored for anomalies, defining which anomalies constitute an indicator of an intrusion, and the frequency of the monitoring. For example, remote access logs can be reviewed daily for access during unusual times. Other logs can be reviewed on other regular cycles for other unusual behaviors. System behavior covers a broad range of issues, from CPU utilization to network traffic protocols, quantity and destinations. One example of a processing anomaly is CPU utilization approaching 100% when the scheduled jobs typically require much less. Anomalous behavior, however, may not signal an intrusion.
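As an added example (not from the FFIEC booklet or this newsletter), the Python below puts the three elements the paragraph names into code: a pre-established policy stating which data streams are monitored, what counts as an anomaly and how often each stream is reviewed, applied to a few constructed remote-access and CPU log lines. The `<ISO timestamp> <stream> key=value ...` log layout, the business-hours window and the CPU thresholds are assumptions for illustration.

```python
from datetime import datetime

# Monitoring policy, pre-established as the booklet recommends: which data
# stream is watched, what counts as an anomaly, and how often it is reviewed.
POLICY = {
    "remote_access": {"review": "daily", "allowed_hours": (7, 19)},  # 07:00-19:00
    "cpu": {"review": "hourly", "baseline_pct": 35, "alert_pct": 90},
}

# Constructed sample log lines; the "<ISO timestamp> <stream> k=v ..." layout is assumed.
SAMPLE_LOG = """\
2004-11-12T08:15:02 remote_access user=jdoe src=10.0.0.14 result=success
2004-11-12T02:47:19 remote_access user=admin src=192.0.2.77 result=success
2004-11-12T13:05:44 remote_access user=msmith src=10.0.0.21 result=failure
2004-11-12T03:00:00 cpu host=core-batch util=38
2004-11-12T03:15:00 cpu host=core-batch util=97
"""

def parse_line(line):
    """Return (timestamp, stream, {key: value}), or None for a malformed line."""
    try:
        ts_s, stream, *kvs = line.split()
        return datetime.fromisoformat(ts_s), stream, dict(kv.split("=", 1) for kv in kvs)
    except ValueError:
        return None

def check_remote_access(ts, fields):
    """Flag remote access outside the pre-agreed hours (the booklet's daily review)."""
    start, end = POLICY["remote_access"]["allowed_hours"]
    if start <= ts.hour < end:
        return None
    return f"remote access at {ts.time()} by {fields.get('user')} from {fields.get('src')}"

def check_cpu(_ts, fields):
    """Flag utilization near 100% when scheduled jobs normally need far less."""
    util = int(fields.get("util", 0))
    if util < POLICY["cpu"]["alert_pct"]:
        return None
    return f"CPU {util}% on {fields.get('host')} vs baseline {POLICY['cpu']['baseline_pct']}%"

CHECKS = {"remote_access": check_remote_access, "cpu": check_cpu}

def find_anomalies(log_text):
    """Return (timestamp, stream, description) per flagged line: an indicator, not proof."""
    hits = []
    for ts, stream, fields in filter(None, map(parse_line, log_text.splitlines())):
        msg = CHECKS.get(stream, lambda *_: None)(ts, fields)
        if msg:
            hits.append((ts.isoformat(), stream, msg))
    return hits
```

Each hit is a candidate for the review cycle the policy names, not a confirmed intrusion, which matches the paragraph's closing caveat.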

Outside the system, detection is typically based on system output, such as unusual Automated Clearing House transactions or bill payment transactions. Those unusual transactions may be flagged as a part of ordinary transaction reviews, or customers and other system users may report them. Customers and other users should be advised as to where and how to report anomalies. The anomalous output, however, may not signal an intrusion.

Central reporting and analysis of all IDS output, honeypot monitoring, and anomalous system behavior assists in the intrusion identification process. Any intrusion reporting should use out-of-band communications mechanisms to protect the alert from being intercepted or compromised by an intruder.



IT SECURITY QUESTION: 
INTRUSION DETECTION AND RESPONSE

12. Determine whether:

- Responsibilities and authorities of security personnel and system administrators for monitoring are established, and
- Tools used are reviewed and approved by appropriate management with appropriate conditions for use.

13. Determine if the responsibility and authority of system administrators is appropriate for handling notifications generated by monitoring systems.

14. Determine if users are trained to report unexpected network behavior that may indicate an intrusion, and that clear reporting lines exist.


INTERNET PRIVACY
- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Sharing nonpublic personal information with nonaffiliated third parties under Sections 14 and/or 15 and outside of exceptions (with or without also sharing under Section 13).  (Part 3 of 3)

C. Opt Out Right 

1)  Review the financial institution's opt out notices. An opt out notice may be combined with the institution's privacy notices. Regardless, determine whether the opt out notices:

a.  Are clear and conspicuous (§§3(b) and 7(a)(1));

b.  Accurately explain the right to opt out (§7(a)(1));

c.  Include and adequately describe the three required items of information (the institution's policy regarding disclosure of nonpublic personal information, the consumer's opt out right, and the means to opt out) (§7(a)(1)); and

d.  Describe how the institution treats joint consumers (customers and those who are not customers), as applicable (§7(d)).

2)  Through discussions with management, review of the institution's policies and procedures, and a sample of electronic or written records where available, determine if the institution has adequate procedures in place to provide the opt out notice and comply with opt out directions of consumers (customers and those who are not customers), as appropriate. Assess the following:

a.  Timeliness of delivery (§10(a)(1));

b.  Reasonableness of the method of delivery (e.g., by hand; by mail; electronically, if the consumer agrees; or as a necessary step of a transaction) (§9);

c.  Reasonableness of the opportunity to opt out (the time allowed to and the means by which the consumer may opt out) (§§10(a)(1)(iii), 10(a)(3)); and

d.  Adequacy of procedures to implement and track the status of a consumer's (customers and those who are not customers) opt out direction, including those of former customers (§7(e), (f), (g)).

IN CLOSING
- The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notifications, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  As a former bank examiner with over 40 years' experience, I audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.

 

PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119
Examiner@yennik.com

 


All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, © Copyright Yennik, Incorporated