Subject: Network Security Vulnerabilities
Date: April 24, 2001
Network Security Vulnerabilities
To: Chief Executive Officers and Chief Information Technology Officers of National Banks, Federal Branches, Service Providers and Software Vendors; Department and Division Heads, and Examining Personnel
This alert is intended to raise awareness regarding potential threats in electronic banking systems and to remind banks and service providers to identify and correct network security vulnerabilities.
In recent weeks, hackers have exploited a number of significant vulnerabilities in e-commerce systems. Recent National Infrastructure Protection Center (NIPC) advisories report an increase in unauthorized activities targeting e-commerce Web sites and identify some common and frequently utilized vulnerabilities in commercially available hardware and software.1 These vulnerabilities may allow unauthorized access to bank and service provider systems. Unauthorized intrusions threaten the confidentiality, integrity, and availability of bank information systems and customer information. If successful in breaching a system and gaining access to customer records, unauthorized parties may fraudulently withdraw funds from bank accounts, obtain funds through identity theft, or extort funds by threatening public disclosure.
Response to Network Security Vulnerabilities
In response to the increased risks, the Office of the Comptroller of the Currency (OCC) advises banks and service providers to review the NIPC advisories. In addition, banks should review their controls to safeguard customer information and bank information systems. As part of this effort, banks and service providers should take the following steps to respond to network vulnerabilities:
A bank's board of directors is responsible for ensuring that an effective information security program is in place and operating properly. In the event that bank information systems are subject to unlawful activities, including suspected intrusions, the events should be reported in Suspicious Activity Reports, consistent with 12 CFR 21.11. Additional information on OCC and FFIEC information security guidance can be obtained on the OCC's Web site at www.occ.treas.gov and includes:
Questions regarding this alert should be directed to Clifford A. Wilke, Director, Bank Technology Division, at (202) 874–5920 or by e-mail: email@example.com.
Clifford A. Wilke
1 NIPC Advisory 01-003, "E-Commerce Vulnerabilities Update," dated March 8, 2001; and NIPC Advisory 00-60, "E-Commerce Vulnerabilities," dated December 1, 2000. Refer to www.nipc.gov for additional information.