Mitigating the risks associated with cyberattacks is among the most pressing challenges banks face today. Increasing use of online and mobile banking technologies has made banks and their customers more vulnerable than ever before. Given the huge cost of a data breach — in terms of both monetary loss and reputational damage — all banks should have a solid program for assessing and addressing cybersecurity risks.
Over the last decade, bank regulators — through the Federal Financial Institutions Examination Council (FFIEC) — have issued guidance on several aspects of cybersecurity. Most recently, the FFIEC outlined the steps banks should take to address two severe threats: 1) distributed denial-of-service (DDoS) attacks and 2) cyberattacks on ATM and card authorization systems.
In a recent statement, the FFIEC alerted banks to the risks associated with DDoS attacks on public websites. These attacks slow website response times and otherwise disrupt network resources. They’re designed to prevent customers from accessing bank information and services and to interfere with back-office operations.
In some cases, the FFIEC explained, criminals use DDoS attacks as a diversionary tactic in connection with attempts to initiate fraudulent wire or ACH transfers using stolen customer or bank employee credentials.
Regulators expect banks to address DDoS readiness as part of their ongoing information security and incident response plans. In addition to evaluating the risks to critical systems, banks should:
- Monitor website traffic to detect attacks,
- Activate incident response plans as appropriate (including notification of Internet service providers and customers), and
- Consider sharing information with law enforcement and organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).
Banks also should ensure sufficient staffing for the duration of an attack and consider engaging third-party service providers to manage Internet traffic flow. Following an attack, a bank must identify any gaps in its response and modify its risk management controls accordingly.
The statement lists several resources available to help banks mitigate the risks of DDoS attacks, including the Department of Homeland Security’s DDoS Quick Guide, available at http://www.us-cert.gov/security-publications/DDoS-Quick-Guide.
Defending against ATM attacks
The FFIEC also has warned about a dangerous form of ATM cash-out fraud known as “unlimited operations.” It enables criminals to withdraw funds well beyond ATM control limits and even beyond the cash balance in customer accounts. In one recent attack, criminals used unlimited operations to steal more than $40 million using only 12 debit card accounts.
To perpetrate this scheme, criminals typically send phishing e-mails to bank employees in an attempt to install malware on the bank’s network, giving themselves the ability to alter the settings on Web-based ATM control panels. By increasing or eliminating limits on ATM cash disbursements and reducing fraud and security-related controls, criminals can quickly withdraw significant sums using fraudulent debit or other ATM cards.
The statement notes that banks may initially be liable for ATM fraud losses, even if they outsource their card issuing function to a card processor and the compromise takes place at the processor.
To mitigate ATM fraud risks, banks should:
- Conduct ongoing information security risk assessments,
- Perform security monitoring, prevention and risk mitigation, including monitoring third-party processors and ATM transaction activity for unusual behavior,
- Take steps to protect against unauthorized access,
- Review — and periodically test — the adequacy of controls over IT networks, card authorization systems, ATM usage parameters and fraud detection processes,
- Conduct regular training programs,
- Test incident response plans, and
- Participate in industry information-sharing programs, such as FS-ISAC.
Regulators expect banks to incorporate ATM fraud risks into their regular risk management processes, consistent with the FFIEC Information Technology Examination Handbook. And banks that create PINs for cardholders must follow the Payment Card Industry (PCI) PIN Security Requirements.
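As an added illustration (not part of the FFIEC statement or this article), the Python sketch below shows how the monitoring called for above might be applied to two constructed record streams: audit entries from the ATM control panel and per-card withdrawal records. The field names, the policy ceiling, the thresholds and the sample records are all assumptions chosen to mirror the "unlimited operations" pattern: a limit removed or raised, followed by rapid withdrawals from several ATMs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records (not from the article): control-panel audit
# entries and ATM withdrawal entries, oldest first. Card numbers are masked.
SAMPLE_EVENTS = [
    {"ts": "2014-02-10T01:05:00", "type": "limit_change", "card": "4111xxxxxxxx0001",
     "old": 500, "new": None, "by": "svc_admin"},            # limit removed outright
    {"ts": "2014-02-10T01:10:00", "type": "withdrawal", "card": "4111xxxxxxxx0001",
     "amount": 800, "atm": "ATM-17"},
    {"ts": "2014-02-10T01:12:00", "type": "withdrawal", "card": "4111xxxxxxxx0001",
     "amount": 800, "atm": "ATM-42"},
    {"ts": "2014-02-10T01:15:00", "type": "withdrawal", "card": "4111xxxxxxxx0001",
     "amount": 800, "atm": "ATM-09"},
    {"ts": "2014-02-10T09:00:00", "type": "withdrawal", "card": "4111xxxxxxxx0002",
     "amount": 200, "atm": "ATM-17"},                         # ordinary customer
]

def detect_cash_out(events, policy_ceiling=1000, window=timedelta(hours=24),
                    raise_factor=5, atm_spread=3):
    """Return a list of (rule, card) alerts, in the order they fire.

    policy_ceiling is the bank's approved daily maximum per card and is checked
    independently of whatever limit the control panel currently holds, so a
    tampered limit cannot silence the check.
    """
    alerts = []
    history = defaultdict(list)  # card -> [(time, amount, atm)] within window
    for ev in events:
        t, card = datetime.fromisoformat(ev["ts"]), ev["card"]
        if ev["type"] == "limit_change":
            old, new = ev["old"], ev["new"]
            # Rule 1: a limit removed, or raised far beyond its previous value
            if new is None or (old and new > old * raise_factor):
                alerts.append(("limit_tampering", card))
            continue
        hist = history[card]
        hist.append((t, ev["amount"], ev["atm"]))
        hist[:] = [h for h in hist if t - h[0] <= window]  # drop stale entries
        total = sum(h[1] for h in hist)
        atms = {h[2] for h in hist}
        # Rule 2: cumulative withdrawals exceed the policy ceiling
        if total > policy_ceiling and ("ceiling_exceeded", card) not in alerts:
            alerts.append(("ceiling_exceeded", card))
        # Rule 3: one card draining several distinct ATMs inside the window
        if len(atms) >= atm_spread and ("multi_atm_cashout", card) not in alerts:
            alerts.append(("multi_atm_cashout", card))
    return alerts
```

In practice the limit-change feed would come from the control panel's own audit log and the withdrawal feed from the card processor, which is why the article stresses monitoring the processor as well as the bank's own systems.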
Assess your risk
As technology continues to advance and fraud schemes become more sophisticated, it’s critical for banks to evaluate their risks on an ongoing basis. The FFIEC urges banks to revisit their risk assessments at least once a year — more frequently if they introduce new electronic services or receive new information about potential risks or vulnerabilities.