R. Kinney Williams & Associates

Internet Banking News

December 26, 2004
With more than 40 years auditing only financial institutions, my experience in testing your Internet connection for vulnerabilities and understanding your IT operation is unmatched.  Visit http://www.internetbankingaudits.com/ for more detailed information.

CONTENTS: Internet Compliance | Information Systems Security | IT Security Question | Internet Privacy | Website for Penetration Testing

HAPPY HOLIDAYS - We appreciate your readership and wish you a wonderful Holiday Season and prosperity in the New Year.

FYI - The Legal Realities of Computer Logs - Computer-generated logs, once a source of data that only the most die-hard techie could appreciate, have emerged as a key component in corporate information assurance - be it privacy, systems security, or legal risk management. http://www.theiia.org/itaudit/index.cfm?fuseaction=forum&fid=5569

FYI - 'Phishing' attacks rocket in November - The number of phishing sites, or fake Web sites set up to fool victims into handing over personal information, reached 1,518 last month, the Anti-Phishing Working Group said in a report released on Wednesday. The total was up almost a third over October and three times the level in September. http://news.com.com/Phishing+attacks+rocket+in+November/2100-7349_3-5491794.html?tag=nefd.top

FYI - The Internet can be a dangerous place to do business these days. No one knows this better than Dave Thomas, chief of the FBI's Computer Intrusion Section, which oversees the FBI's counter-terrorism and criminal computer intrusion investigations. http://www.nwfusion.com/supp/2004/cybercrime/112904qanda.html

FYI - The Treasury Department today released a study commissioned by the Department in coordination with BITS, the technology branch of the Financial Services Roundtable. The study will provide a model for the nation's regional financial centers to protect and strengthen their critical financial services infrastructure at the local level.
Press release: http://www.treas.gov/press/releases/js2130.htm
Handbook: http://www.treas.gov/press/releases/reports/chicagofirst_handbook.pdf

FYI - Consumers reportedly dissatisfied with online security - Passwords are not enough, study says - The results of a survey conducted by Gartner and shared with IDG News Service show that online consumers are growing frustrated with the lack of security provided by banks and online retailers, and feel that passwords are no longer sufficient to secure their online transactions. http://www.infoworld.com/article/04/12/06/HNdissatisfied_1.html

Identity Theft Study on "Account-Hijacking" Identity Theft and Suggestions for Reducing Online Fraud - The FDIC has issued a study on "account-hijacking" identity theft, which outlines the problem and suggests steps to reduce online fraud for both bank and regulatory agency consideration. The FDIC hopes to use the study to formulate guidance to bankers next year. Comments on the study are due on February 11, 2005. www.fdic.gov/news/news/financial/2004/fil13204.html 

FYI - FDIC Issues Study on Identity Theft and Seeks Comments on Possible Guidance to Bankers - The Federal Deposit Insurance Corporation today released a study on a type of identity theft known as account-hijacking, one of the fastest growing forms of identity theft in the country. The agency is soliciting comments on the study that it hopes to use to formulate guidance to bankers next year. www.fdic.gov/news/news/press/2004/pr12504.html 

Expedited Funds Availability Act (Regulation CC)

Generally, the rules pertaining to the duty of an institution to make deposited funds available for withdrawal apply in the electronic financial services environment. This includes rules on funds availability schedules, disclosure of policy, and payment of interest. Recently, the FRB published a commentary that clarifies the requirements for providing certain written notices or disclosures to customers by electronic means. Specifically, the commentary states that a financial institution satisfies both the written exception hold notice requirement and the general disclosure requirement by sending an electronic version that displays the text and is in a form that the customer may keep. However, the customer must agree to such means of delivery of notices and disclosures. Information is considered to be in a form that the customer may keep if, for example, it can be downloaded or printed by the customer. To reduce compliance risk, financial institutions should test their programs' ability to provide disclosures in a form that can be downloaded or printed. 


We continue our series on the FFIEC interagency Information Security Booklet.


Information security is an integrated process that reduces information security risks to acceptable levels. The entire process, including testing, is driven by an assessment of risks. The greater the risk, the greater the need for the assurance and validation provided by effective information security testing.

In general, risk increases with system accessibility and the sensitivity of data and processes. For example, a high-risk system is one that is remotely accessible and allows direct access to funds, fund transfer mechanisms, or sensitive customer data. Information-only Web sites that are not connected to any internal institution system or transaction-capable service are lower-risk systems. Information systems that exhibit high risks should be subject to more frequent and rigorous testing than low-risk systems. Because tests only measure the security posture at a point in time, frequent testing provides increased assurance that the processes that are in place to maintain security over time are functioning.

A wide range of tests exists. Some address only discrete controls, such as password strength. Others address only technical configuration, or may consist of audits against standards. Some tests are overt studies to locate vulnerabilities. Other tests can be designed to mimic the actions of attackers. In many situations, management may decide to perform a range of tests to give a complete picture of the effectiveness of the institution's security processes. Management is responsible for selecting and designing tests so that the test results, in total, support conclusions about whether the security control objectives are being met.



3. Determine if cryptographic key controls are adequate.

!  Identify where cryptographic keys are stored.
!  Review security where keys are stored and when they are used (e.g., in a hardware module).
!  Review cryptographic key distribution mechanisms to secure the keys against unauthorized disclosure, theft, and diversion.
!  Verify that two persons are required for a cryptographic key to be used, where appropriate.
!  Review audit and security reports that review the adequacy of cryptographic key controls.
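The two-person requirement in the fourth item above is usually implemented as split knowledge under dual control: each custodian holds one component, no component alone reveals anything about the key, and a key check value lets each component be verified on entry without exposing it. The following is an added example written for this newsletter, not an FFIEC procedure or any vendor's key-loading code; it assumes a 16-byte symmetric key, XOR components, and a SHA-256-based check value in place of the AES-encrypt-zeros check value that real key-management hardware uses.

```python
"""Split-knowledge / dual-control key loading (added illustration).

Assumptions (not from the newsletter): 16-byte symmetric key, XOR components,
and a SHA-256 based key check value (KCV) standing in for the AES-based KCV
used by real HSMs and PIN pads.
"""
import hashlib
import secrets


def key_check_value(key: bytes) -> str:
    """6-hex-digit check value: lets a custodian confirm a component or key
    was entered correctly without revealing it. Assumption: truncated
    SHA-256 replaces the AES-based KCV used in practice."""
    return hashlib.sha256(b"KCV" + key).hexdigest()[:6]


def split_key(key: bytes, holders: int = 2) -> list[bytes]:
    """Split `key` into `holders` XOR components. All but the last are
    uniformly random, so any subset short of the full set is independent of
    the key: no single custodian holds knowledge of it."""
    if holders < 2:
        raise ValueError("dual control needs at least two custodians")
    parts = [secrets.token_bytes(len(key)) for _ in range(holders - 1)]
    last = key
    for p in parts:  # fold each random component into the key
        last = bytes(x ^ y for x, y in zip(last, p))
    return parts + [last]


def combine_components(parts: list[bytes]) -> bytes:
    """XOR every component back together; needs all of them."""
    out = bytes(len(parts[0]))
    for p in parts:
        if len(p) != len(out):
            raise ValueError("component length mismatch")
        out = bytes(x ^ y for x, y in zip(out, p))
    return out


class KeyCeremony:
    """Enforces that the key is assembled only after every registered
    custodian has presented a component whose KCV matches the value recorded
    when the key was split, and that the assembled key matches its own KCV."""

    def __init__(self, component_kcvs: list[str], key_kcv: str):
        self.expected = component_kcvs
        self.key_kcv = key_kcv
        self.presented: dict[int, bytes] = {}

    def present(self, custodian: int, component: bytes) -> None:
        if custodian in self.presented:
            raise ValueError("custodian already presented a component")
        if key_check_value(component) != self.expected[custodian]:
            raise ValueError(f"component {custodian} failed its check value")
        self.presented[custodian] = component

    def assemble(self) -> bytes:
        missing = set(range(len(self.expected))) - set(self.presented)
        if missing:
            raise PermissionError(f"waiting for custodians {sorted(missing)}")
        key = combine_components([self.presented[i] for i in range(len(self.expected))])
        if key_check_value(key) != self.key_kcv:
            raise ValueError("assembled key failed its check value")
        return key


def demo() -> dict:
    """Two-custodian ceremony on a fixed (constructed) key; returns the
    properties an examiner would want to see enforced."""
    key = bytes.fromhex("000102030405060708090a0b0c0d0e0f")  # constructed test key
    parts = split_key(key, holders=2)
    ceremony = KeyCeremony([key_check_value(p) for p in parts], key_check_value(key))

    ceremony.present(0, parts[0])
    try:  # one custodian alone must not be able to load the key
        ceremony.assemble()
        single_custodian_blocked = False
    except PermissionError:
        single_custodian_blocked = True

    tampered = bytes([parts[1][0] ^ 0x01]) + parts[1][1:]
    try:  # a mistyped or substituted component is caught by its KCV
        ceremony.present(1, tampered)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True

    ceremony.present(1, parts[1])
    return {
        "single_custodian_blocked": single_custodian_blocked,
        "tampered_component_rejected": tampered_rejected,
        "key_recovered": ceremony.assemble() == key,
        "component_reveals_key": any(p == key for p in parts),
    }
```

In a real installation the combination happens inside the hardware module the second item refers to, and the components never sit in application memory; the class above only shows the control logic an examiner should expect to find enforced, and the audit reports in the last item should show who presented which component and when.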


- We continue our series listing the regulatory-privacy examination questions.  When you answer the question each week, you will help ensure compliance with the privacy regulations.

Account number sharing

A. If available, review a sample of telemarketer scripts used when making sales calls to determine whether the scripts indicate that the telemarketers have the account numbers of the institution's consumers (§12).

B. Obtain and review a sample of contracts with agents or service providers to whom the financial institution discloses account numbers for use in connection with marketing the institution's own products or services. Determine whether the institution shares account numbers with nonaffiliated third parties only to perform marketing for the institution's own products and services. Ensure that the contracts do not authorize these nonaffiliated third parties to directly initiate charges to customers' accounts (§12(b)(1)).

C. Obtain a sample of materials and information provided to the consumer upon entering a private label or affinity credit card program. Determine if the participants in each program are identified to the customer when the customer enters into the program (§12(b)(2)).   

- The FFIEC interagency Internet guidelines require financial institution web sites to comply with consumer compliance, advertising, notification, weblinking, and other federal regulations.  We have identified 17 federal regulations and over 130 issues that relate to an institution's web site.  We also verify weblinks for functionality and appropriateness.  As a former bank examiner with over 40 years' experience, I audit web sites following the FFIEC Internet guidelines for financial institutions across the country.  Visit http://www.bankwebsiteaudits.com and learn how we can assist your financial institution.


PLEASE NOTE:  Some of the above links may have expired, especially those from news organizations.  We may have a copy of the article, so please e-mail us at examiner@yennik.com if we can be of assistance.  


Company Information
Yennik, Inc.

4409 101st Street
Lubbock, Texas 79424
Office 806-798-7119


Please visit our other web sites:
VISTA penetration-vulnerability testing
The Community Banker - Bank FFIEC & ADA Web Site Audits
Credit Union FFIEC & ADA Web Site Audits - Bank Auditing Services
US Banks on the Internet  
US Credit Unions on the Internet

All rights reserved; Our logo is registered with the United States Patent and Trademark Office.
Terms and Conditions, Privacy Statement, Copyright Yennik, Incorporated