
SECTION II


Line Security

Encryption

As computer and telecommunication technology advances, financial institutions are greatly expanding their use of Electronic Fund Transfer (EFT) Systems. This has been brought on in part by the realization that constructing "brick and mortar" buildings is a costly method of extending financial services to new market areas.

Since the growth and technology of EFT cannot be predicted and vary regionally, it is important to fully understand the impact of newly introduced EFT systems. Thus, this section will provide the examiner with a basic understanding of various retail and wholesale EFT systems, and will identify additional control measures that must be considered when the transfer of funds occurs electronically.

The evaluation of EFT cannot be done without reviewing related areas. For example, if the procedure used to change names and addresses were loosely controlled and poorly documented, an employee could participate easily in an EFT fraud using counterfeit cards. Additionally, internal and external audit involvement must be considered for each section. Audit should be consulted on each new EFT system and should thoroughly evaluate each system on a regular basis.

Most EFT systems will require the transmission of information. This information may consist of personal identification numbers (PINs), passwords, or other identifying keys, as well as account numbers, balances, and financial data relating to transactions. Since data security is vital at the point of entry into the EFT system, during transmission to the end user, and while stored at the user's central computer, the overall communication process should be evaluated to determine the weakest link.

The weakest link may reside in the communication lines, since telephone hook-ups are normally used. Therefore, the use of dial-up common carrier lines is generally unacceptable for EFT use except as backup. Even dedicated leased lines are susceptible to line penetration or interruption, as discussed in subsection 8.4. Although the need for data line encryption and database encryption of PINs and other sensitive information is generally recognized, many data processing sites do not exercise special control over personnel who have access to communications equipment. Consequently, such personnel could monitor and record the data flowing out of decryption devices (which is clear text) and effectively subvert the system.
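As an added illustration (not part of the handbook) of why clear text at a decryption device matters, the following Python model compares per-hop data line encryption, where the intermediate communications node decrypts and re-encrypts, with end-to-end encryption of the same PIN block, where the node only forwards ciphertext. The hash-derived keystream, the key values and the node names are constructed for the illustration and are not a production cipher or any real EFT system's design.

```python
import hashlib

# Constructed illustration cipher: XOR with a SHA-256 derived keystream.
# It is used only to show at which point on the path clear text exists;
# a real EFT system would use a standards-based cipher in a hardware module.
def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]

def xor_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (symmetric) under a constructed keystream."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

NONCE = b"\x00" * 8  # constructed; a real system uses a fresh nonce per message

def link_encrypted_path(pin_block: bytes, k_terminal_node: bytes,
                        k_node_host: bytes) -> tuple[bytes, bytes]:
    """Data line (link) encryption: each hop has its own key, so the node's
    decryption device must emit clear text before re-encrypting for the next
    hop. Returns (what staff at the node can record, what the host receives)."""
    on_wire_1 = xor_crypt(k_terminal_node, NONCE, pin_block)
    at_node = xor_crypt(k_terminal_node, NONCE, on_wire_1)  # clear text here
    on_wire_2 = xor_crypt(k_node_host, NONCE, at_node)
    at_host = xor_crypt(k_node_host, NONCE, on_wire_2)
    return at_node, at_host

def end_to_end_path(pin_block: bytes, k_terminal_host: bytes) -> tuple[bytes, bytes]:
    """End-to-end encryption: only the terminal and the host hold the key, so
    the intermediate node forwards ciphertext and never sees the PIN block."""
    on_wire = xor_crypt(k_terminal_host, NONCE, pin_block)
    at_node = on_wire  # the node has no key for this traffic
    at_host = xor_crypt(k_terminal_host, NONCE, on_wire)
    return at_node, at_host

def node_exposes_cleartext(pin_block: bytes, at_node: bytes) -> bool:
    """Examiner's check: does the data passing the comms node equal the PIN block?"""
    return at_node == pin_block

if __name__ == "__main__":
    pin = b"PINBLOCK-1234"  # constructed sample PIN block
    node_view, host_view = link_encrypted_path(pin, b"k-term-node", b"k-node-host")
    print("link encryption, node sees clear text:", node_exposes_cleartext(pin, node_view))
    node_view, host_view = end_to_end_path(pin, b"k-term-host")
    print("end-to-end, node sees clear text:", node_exposes_cleartext(pin, node_view))
```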
