Is Your Bank on Top of Cybersecurity?

May 2015

By Joe Oleksak

Increasing use of online and mobile banking technologies has made banks and their customers more vulnerable than ever before. Given the huge cost of a data breach — in terms of both monetary loss and reputational damage — all banks should have a solid program for assessing and addressing cybersecurity risks.

The FFIEC has outlined the steps banks should take to address two severe threats: distributed denial-of-service (DDoS) attacks and cyberattacks on ATM and card authorization systems.

DDoS attacks on public websites slow website response times and otherwise disrupt network resources. They’re designed to prevent customers from accessing bank information and services and to interfere with back-office operations. In some cases, the FFIEC explained, criminals use DDoS attacks as a diversionary tactic in connection with attempts to initiate fraudulent wire or ACH transfers using stolen customer or bank employee credentials.

Banks should address DDoS readiness as part of their ongoing information security and incident response plans. In addition to evaluating the risks to critical systems, banks should:

  • Monitor website traffic to detect attacks,
  • Activate incident response plans as appropriate (including notification of Internet service providers and customers), and
  • Consider sharing information with law enforcement and organizations, such as the Financial Services Information Sharing and Analysis Center.

Banks also should ensure sufficient staffing for the duration of an attack and consider engaging third-party service providers to manage Internet traffic flow. Following an attack, a bank must identify any gaps in its response and modify its risk management controls accordingly. Additionally, the board of directors should be informed.

The FFIEC also has warned about a dangerous form of ATM cash-out fraud known as “unlimited operations.” It enables criminals to withdraw funds well beyond ATM control limits and even beyond the cash balance in customer accounts. In one recent attack, criminals used unlimited operations to steal more than $40 million using only 12 debit card accounts.

Criminals typically send phishing emails to bank employees in an attempt to install malware on the bank’s network, giving themselves the ability to alter the settings on web-based ATM control panels. By increasing or eliminating limits on ATM cash disbursements and reducing fraud and security-related controls, criminals can quickly withdraw significant sums using fraudulent debit or other ATM cards.

The FFIEC statement notes that banks may initially be liable for ATM fraud losses, even if they outsource their card-issuing function to a card processor and the compromise takes place at the processor.

To mitigate ATM fraud risks, banks should:

  • Conduct ongoing information security risk assessments
  • Perform security monitoring, prevention, and risk mitigation, including monitoring third-party processors and ATM transaction activity for unusual behavior
  • Take steps to protect against unauthorized access
  • Review — and periodically test — the adequacy of controls over IT networks, card authorization systems, ATM usage parameters, and fraud detection processes
  • Conduct regular training programs
  • Test incident response plans
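
As an illustration of monitoring ATM transaction activity for unusual behavior, the following added example (not taken from the FFIEC statement or from the author) flags the two signals of an unlimited-operations attack described above: a withdrawal limit that is raised or removed, and a card whose withdrawals exceed a baseline limit within 24 hours. The event format, card names, and the baseline value are assumptions made for the sketch.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Baseline daily limit kept outside the ATM control panel (assumed value), so a
# tampered panel setting cannot silence the check.
BASELINE_DAILY_LIMIT = 500
WINDOW = timedelta(hours=24)

# Constructed sample events: (timestamp, type, card, amount or new limit)
EVENTS = [
    ("2015-05-01T09:00", "withdrawal", "card-A", 200),
    ("2015-05-01T23:50", "limit_change", "card-B", None),  # limit removed
    ("2015-05-02T00:05", "withdrawal", "card-B", 800),
    ("2015-05-02T00:07", "withdrawal", "card-B", 800),
    ("2015-05-02T08:00", "withdrawal", "card-A", 200),
    ("2015-05-02T10:00", "withdrawal", "card-A", 200),
]

def detect(events, baseline=BASELINE_DAILY_LIMIT, window=WINDOW):
    """Return alerts as (timestamp, card, reason) tuples."""
    alerts = []
    recent = defaultdict(deque)  # card -> (time, amount) pairs inside the window
    for ts, kind, card, value in sorted(events, key=lambda e: e[0]):
        when = datetime.fromisoformat(ts)
        if kind == "limit_change":
            # A limit removed (None) or set above the baseline is itself a signal.
            if value is None or value > baseline:
                alerts.append((ts, card, "limit raised or removed"))
            continue
        window_items = recent[card]
        window_items.append((when, value))
        # Drop withdrawals that have aged out of the rolling 24-hour window.
        while window_items and when - window_items[0][0] >= window:
            window_items.popleft()
        total = sum(amount for _, amount in window_items)
        if total > baseline:
            reason = f"{total} withdrawn in 24h exceeds baseline {baseline}"
            alerts.append((ts, card, reason))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

Comparing against an independently stored baseline, rather than the limit currently shown in the control panel, matters because the attack works by changing that panel setting first.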

Editor’s Note: Joe Oleksak is a partner in information technology consulting at Plante Moran in Illinois.  

Cyber Resources

Regulators recommend that banks use the following as resources:

Federal Trade Commission’s On Guard Online

National Cyber Security Alliance’s Stay Safe Online   

US-CERT Security Tip (STI-003)
“Handling Destructive Malware”

Joint Security Awareness Report (JSAR-12-241-01B)
“Shamoon/DistTrack Malware”