Blog: Financial Institutions

The Federal Financial Institutions Examination Council (FFIEC) issued statements today notifying financial institutions of the risks associated with cyber-attacks on Automated Teller Machines (ATM) and car authorization systems and the continued distributed denial of service (DDoS) attacks. [more]

To read the Press Release, visit http://www.ffiec.gov/press/pr040214.htm

To view the Joint Statement, Cyber-attacks on Financial Institutions' ATM and Card Authorization Systems, visit http://www.ffiec.gov/press/PDF/FFIEC%20ATM%20Cash-Out%20Statement.pdf

To view the Joint Statement, Distributed Denial-of-Service (DDoS) Cyber-Attacks, Risk Mitigation, and Additional Resources, visit http://www.ffiec.gov/press/PDF/FFIEC%20DDoS%20Joint%20Statement.pdf


 
 

I was recently helping a bank network support client install an update to a Jack Henry application named Yellowhammer. Normally we save the installation file to the network of that certain program just for organizational purposes. 

Upon reading the instruction I just save the .exe file to the user's PC because I wanted to see what files needed to be updated.  However, upon running the installation it just opened a GUI that setup a connection back to Jack Henry.  We closed out the program to begin saving the program to the network.  When we did this ALL THE DESKTOP ITEMS DISAPPEARED from the user's PC. [more]

After looking into what files were unzipped I came across a file name “cleanup.bat” which deleted whatever folder these files were located, and in our case it happened to be the Desktop folder. 

I am just curious as to what would have happened if I saved this anywhere else.  So for future reference, check for a cleanup.bat file in any Jack Henry Installation.


 

During a recent audit, we noticed one of the Internet domain names registered to the bank was displaying a website provided by the registrar (Network Solutions).  Upon discussing this issue with the bank, they told me they had registered the name because they use it internally as their Active Directory domain name and did not want anybody else registering the public name.  So the bank’s IT vendor dutifully registered the name, but did not do anything with it as far as pointing it to an existing bank website or an “under construction” site.  As a result the registrar parked the domain name and displayed an advertisement website.  The advertisements were for Gucci, Wells Fargo, Bank of America, etc.  The bank was not very happy when they found out their domain was being used to advertise other banks.


 

Declaring that “the American people will never again be asked to foot the bill for Wall Street’s mistakes,” President Obama signed the 2300-page Dodd-Frank Wall Street Reform and Consumer Protection Act into law today.  The American Bankers Association (ABA) and Independent Community Bankers of America (ICBA) have released similar statements declaring that core provisions in the new legislation provide the much-needed reform that banks have long supported, but they are leery of the seemingly unrelated regulations added to the bill during its journey from inception to signing.

Some highlights of the Dodd-Frank Act include:

  • Creating the Consumer Financial Protection Bureau with the authority to write new rules for mortgages, credit cards, payday loans, and other consumer products
  • Increasing FDIC protection to $250,000
  • Enhancing the authority of the Fed and other bank regulators to examine and take enforcement action against non-bank subsidiaries, such as mortgage affiliates
  • Eliminating the Office of Thrift Supervision, bringing savings and loan holding company and institution supervision to the Fed, OCC, and FDIC
  • Imposing strict controls on large bank holding companies and significant nonbank financial companies
  • Prohibiting banks and their affiliates from engaging in proprietary trading and providing strict limits on investment in and sponsoring of hedge and private equity funds
  • Allowing merchants to discriminate or discount based on payment type and set minimum payment amounts for acceptance of debit and credit cards
  • Subjecting holding companies to new “source of strength” rules regarding their depository institution subsidiary

Most provisions will be enacted immediately, but many have delayed effective dates. [more]

For a more detailed summary of the Dodd-Frank Act, as well as a timeline of deadline dates, visit the ABA Regulatory Reform Center at http://aba.com/RegReform/default.htm or the ICBA’s Victories, Helpful Exemptions and Harmful Measures for Community Banks at http://www.icba.org/files/ICBASites/NSPDFs/Frank-DoddSummary071510.pdf.

While legislators are in staunch disagreement over whether or not this bill should have been passed, no one seems to disagree that this will change the face of the banking and financial industry as we know it.


 

The Federal Financial Institutions Examination Council (FFIEC) issued an updated Retail Payment Systems Booklet.  The booklet is part of the IT Examination Handbook series and provides guidance to examiners, financial institutions, and technology service providers (TSPs) on identifying and controlling risks associated with retail payment systems and related banking activities.  To download the booklet and associated workprogram, visit http://www.ffiec.gov/ffiecinfobase/html_pages/it_01.html


 

CoNetrix is pleased to announce the release of Tandem, new security and compliance software. Tandem was developed to help financial institutions complete and maintain an Information Security Program (per GLBA and the Interagency Guidelines Establishing Information Security Standards).  While Tandem was designed as a complete solution from the ground up, it was fashioned into modules which allow for versatility.  The modules include risk assessment, policies, vendor management, and business continuity planning.  Each module was released as it was completed.

To read the full press release, visit http://news.yahoo.com/s/prweb/20100216/bs_prweb/prweb3598024_2


 

After installing ARTA Deposit on a virtual Windows XP system running user could connect and access all the data. The problem was the bank employees could not preview or print any forms. After a little investigation I called ARTA support. I went through all the normal steps of checking folder permissions and basic troubleshooting before being handed to a 2nd tier support tech. The tech asked me to check the permissions of the Component Services. I navigated to [Control Panel\Administrative Tools\Component Services]. I then went to “My Computer”, in the Microsoft Management Console, right clicked and selected “Properties”.  [more]

Then I select the COM Security tab and under “Launch and Activation Permissions” select “Edit Default”.  I added the local “Internet Guest Account”  with Local Launch, Remote Launch, Local Activation and Remote Activation permissions and was then able to preview and print forms in ARTA Deposit.

This is not documented as needing to be done anywhere that I could find and the tech said it was a common problem. The level 1 support did not know about these permissions either.


 

The American Bankers Association (ABA) has published a news release warning its members of a fraudulent email attack, an attack commonly referred to as phishing.  According to the ABA, the emails inform recipients that an “unauthorized transaction” has been charged to their account using their “bank card.”  The amount of the transactions is typically between $3,000 and $7,000.

In the news release, the ABA states they would never contact a consumer and ask for financial information.

To read the news release from the ABA, visit http://www.aba.com/Pressrss/012610FraudulentEmails.htm


 

The Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Independent Community Bankers Association (ICBA), along with a variety of payment systems industry partners, are planning a Cyber Attack against Payment Processes (CAPP) exercise.  the three-day exercise is scheduled for February 9-11 and will simulate a different attack scenario each day.  There is no charge to participate in this exercise.  The deadline to register is January 29th.  To read more or register, visit http://www.fsisac.com/capp/.