Alert 2001-4 | April 24, 2001
Chief Executive Officers and Chief Information Technology Officers of National Banks, Federal Branches, Service Providers and Software Vendors; Department and Division Heads, and Examining Personnel
This alert is intended to raise awareness regarding potential threats in electronic banking systems and to remind banks and service providers to identify and correct network security vulnerabilities.
In recent weeks, hackers have exploited a number of significant vulnerabilities in e-commerce systems. Recent National Infrastructure Protection Center (NIPC) advisories report an increase in unauthorized activities targeting e-commerce Websites and identify some common and frequently utilized vulnerabilities in commercially available hardware and software.[1] These vulnerabilities may allow unauthorized access to bank and service provider systems. Unauthorized intrusions threaten the confidentiality, integrity, and availability of bank information systems and customer information. If successful in breaching a system and gaining access to customer records, unauthorized parties may fraudulently withdraw funds from bank accounts, obtain funds through identity theft, or extort funds by threatening public disclosure.
In response to the increased risks, the Office of the Comptroller of the Currency (OCC) advises banks and service providers to review the NIPC advisories. In addition, banks should review their controls to safeguard customer information and bank information systems. As part of this effort, banks and service providers should take the following steps to respond to network vulnerabilities:
A bank's board of directors is responsible for ensuring that an effective information security program is in place and operating properly. In the event that bank information systems are subject to unlawful activities, including suspected intrusions, the events should be reported in Suspicious Activity Reports, consistent with 12 CFR 21.11. Additional information on OCC and FFIEC information security guidance can be obtained on the OCC's website at www.occ.gov and includes:
Questions regarding this alert should be directed to Clifford A. Wilke, Director, Bank Technology Division, at (202) 874–5920 or by email: clifford.wilke@occ.treas.gov.
Clifford A. Wilke
Director, Bank Technology Division
[1] NIPC Advisory 01-003, "eCommerce Vulnerabilities Update," dated March 8, 2001; and NIPC Advisory 00-60, "eCommerce Vulnerabilities," dated December 1, 2000. Refer to www.nipc.gov for additional information.