E Commerce Review Committee

Updated: 2007-06-20
Reviewed: 2009-03-29
Updated: 2010-05-07
Updated: 2011-09-05
Updated: 2013-01-23
Updated: 2014-03-01
Updated: 2015-02-27
Multifactor authentication assessment.
Per the NCUA letter dated 12-2005 and the FFIEC guidelines, the Credit Union has
conducted the following risk assessment on its e-commerce activity. The
recommendations outlined in the documentation suggest that multifactor
authentication be used for access where users can obtain non-public personal
information or initiate payments to third parties. Multifactor authentication seeks to
add a third level of authorization to account access in the form of site keys, shared
secrets, security tokens, etc. For more information see the attached letters.
Phone (Call) 24
Currently uses account number and PIN. By default the PIN is set to the last 4 digits of
the SSN. Can be set up to require a change at the next logon.
Risk Assessment:
Low
Rationale:
Can only transfer funds within the account and inquire on account
balance and history.
Online Banking/Bill Payment
Currently uses account number and PIN to establish a user ID and password.
Complexity requirements are in place for user ID and password.
Fiserv Virtual Branch utilizes challenge questions and a security phrase for each user
logging into online banking.
Risk Assessment:
Medium
Rationale:
Transfer funds within institution, inquire on account balance and
history, initiate bill pays, but cannot originate wire transfers.
Other Information:
Some of the key layered security controls in place within Virtual Branch include:
- Login ID is controlled by the user, need not be the individual's actual account
  number, and can be changed by the user as desired
- Security Code is controlled by the user, contains limitations on re-use, and
  involves a complexity structure enabling combinations in excess of trillions
  times billions
- Option to allow the credit union to periodically force security code resets
- System automatically blocks access to account after three consecutive failed
  login attempts
- Enhanced Authentication process validates user access device, layered with
  challenge questions if needed, and is strengthened with an anti-phishing
  component
- Last access date is displayed to user on each login
- Automated session logout after period of inactivity
- Automatic alert sent to user upon change of Login ID
- Automatic alert sent to user upon change of Security Code
- Automatic alert sent to user upon change of email address (to both the new
  and old email address)
- Alert to notify user when a new bill pay merchant is added or an existing bill
  pay merchant is modified
- Alerts to notify user of account balances or transactions exceeding specified
  amounts
- User control of delivery address (choice of email addresses, or SMS via Mobile
  Money) for most alert types
- Credit union controls of user access to functions and services
- Automated reports available to credit union to monitor user enrollment, bill
  payment activity, and funds transfer activity
MOBILE
- Requires users to register their phone via online banking
- SMS message sent to phone with activation code that needs to be entered into
  online banking.
Online Credit Card
Currently uses multifactor authentication to establish access. Person must have:
Credit Card Number: have
Last four of Home Ph #: know
Zip Code: know
CVV: have
Name on Credit Card: have
Last four of SSN#: know
Mother's Maiden Name: know
The information above is required to establish a user ID and password. Complexity
requirements are in place for user ID and password.
Risk Assessment:
Medium
Rationale:
Transfer funds within institution, inquire on account balance and
history, initiate a bill payment, but cannot originate funds.
Loan Application-LPQ
Applications are input online and pushed to the core data processing system hosted by
Meridian Loan PQ.
Risk Assessment:
Medium
Rationale:
Accessed via the internet using multifactor authentication and IP
address restrictions. Some remote users have the IP address
restriction removed to accommodate remote processing, which
brings the RA level to medium.
Consumer Loan Application-LPQ (changed from Webloan in 2/2015)
Application is completed online and pushed to the core data processing system hosted by
Meridian Loan PQ.
Risk Assessment:
Low
Rationale:
Accessed via online banking and/or with knowledge of the account
number and Phone 24 PIN.
Member may or may not be able to access the application
after it has been submitted, based on how they input information.
Real Estate Loan Application
Application is completed online and pushed to a secure server hosted by Colonial Savings.
Risk Assessment:
Medium
Rationale:
Once submitted, the application is sent to the secure server until.
Member has the ability to access the application after it has been
submitted and review its status.
Fiserv EFT
Employee access to Debit Card Processing system
Risk Assessment:
Low
Rationale:
Access to client site requires use of security token. Access to
card database requires second username and password.
Real Estate Loan Service- Colonial Savings
Information is completed online, protected by multifactor authentication.
Risk Assessment:
Medium
Rationale:
User needs account number, PIN, and an access card which
contains the information to answer a question at logon.
VANTIV (TNB)- Credit Card Admin Platform
Employee access to Credit Card Processing system
Risk Assessment:
Low
Rationale:
Access to client site requires use of secure certificates. Access to
card database requires second username and password.
Estatement enrollment
Members are opted in when enrolling for Online Banking. Actual communication to
the Estatement server only occurs when the Estatement option is clicked in Online
Banking. Fiserv Virtual Branch and the Credit Union share a private encryption key, which
encrypts the Secure Sign On (SSO) to the Estatement server located at the Credit
Union. The server is a virtualized server segregated on the network into a DMZ.
Risk Assessment:
Medium
Rationale:
Members may only submit requests, via a secure https channel,
which uses private key encryption to pass data.
Bridger XP
Site to screen accounts for regulatory compliance.
Risk Assessment:
Low
Rationale:
Need software, site ID, user ID, and password to be able to screen
a batch group. No data resides on Bridger's server. Regarding
on-demand requests, no data resides on the Bridger server.
Board Portal (established 1/2015)
Online portal for volunteers to access information for Board packages, policies,
training, etc.
Risk Assessment:
Medium
Rationale:
Accessed via the internet, the site requires knowledge of the link
and is not accessible via any link found on the ConnectCU.org
website. The site is hosted by Ewart technologies with usage
audit reports readily available. To access the site, a user name
and password are required for each volunteer/employee. To
access any of the files with sensitive, private or otherwise
confidential information in them, a separate password is needed
to "unencrypt" the PDF file. Each PDF file is protected from
modification, page extraction and printing.