Banks have a fresh reason to raise their defenses against denial-of-service attacks and ATM fraud: regulators are watching.
In two statements issued in the past week, the Federal Financial Institutions Examination Council pushed banks to set up better security controls on both fronts.
One statement warned banks to be on the lookout for a type of ATM fraud in which criminals can withdraw large amounts of cash, outside any account or other limits the bank has set up. The U.S. Secret Service calls the scheme "Unlimited Operations," and in its alert the FFIEC noted that a single attack netted scammers over $40 million.
The second FFIEC statement is more forceful. It urges all banks to step up their defenses against distributed-denial-of-service attacks, which have hit dozens of banks over the last couple of years. Many of the attacks were carried out by the terrorist group al-Qassam Cyber Fighters, though just recently mortgage technology provider Ellie Mae was the victim of a DDoS attack that the company suspects was launched by a competitor.
"Financial institutions of all sizes that experience DDoS attacks may face a variety of risks, including operational risks and reputation risks," the FFIEC said in its statement. "If the attack is coupled with attempted fraud, a financial institution may also experience fraud losses as well as liquidity and capital risks."
This is the second warning regulators have issued on DDoS attacks; the OCC issued a security alert about DDoS attacks in December 2012.
"The regulators are saying this is important enough to the well-being and stability of the U.S. economy that we are putting you all on notice that you have to do these things," says Rodney Joffe, senior vice president and senior technologist at Neustar, a provider of DDoS detection and mitigation solutions.
In the two alerts, regulators say they expect banks to, among other things, assess the adequacy of their current security mechanisms, better monitor their ATM and computer networks for signs of malicious behavior, and make staff responsible for ATM and DDoS security.
The ATM scams are less common and have received less attention than DDoS attacks, but they have alarmed regulators nonetheless.
According to the FFIEC, criminals may begin an Unlimited Operations attack by sending phishing emails to bank employees. When an unknowing victim clicks open the offending email, the attackers install malicious software on the institution's network. They use the malware to monitor the bank's network to determine how it accesses ATM control panels and to obtain employee login credentials.
Using stolen login credentials, the attackers access the control panel and change settings to permit larger cash disbursements at ATMs, and to change other fraud- and security-related controls.
That done, the perpetrators create fake debit, prepaid, or ATM cards using account information and personal identification numbers stolen through separate attacks to withdraw funds from the ATMs. (The card account information and PINs might be stolen through point-of-sale malware or skimming, ATM malware or skimming, or compromise of the issuer's card operations.) The cash-out phase of the attack involves criminals organizing simultaneous withdrawals of large amounts of cash from multiple ATMs over a short time period, usually four hours to two days. Criminals may conduct their operations during holidays and weekends to take advantage of increased cash levels in ATMs and limited monitoring by financial institutions during non-work hours.
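As an added illustration of the cash-out phase described above (this is not code from the FFIEC, the Secret Service or any bank), a small detector that replays constructed ATM withdrawal records against a per-card limit held outside the ATM control panel, so that a limit raised by an attacker in the panel does not silence the alert; the log format, the $500 policy limit and the three-ATM threshold are assumptions:

```python
"""Flag the 'Unlimited Operations' cash-out pattern in ATM withdrawal logs.

Constructed example. The log format, the policy limit and the thresholds
below are assumptions, not any institution's real configuration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: ISO timestamp, masked card, ATM id, amount in USD.
SAMPLE_LOG = """\
2014-04-05T02:01:10 card=4111****0001 atm=ATM-NY-17 amount=2000
2014-04-05T02:03:42 card=4111****0001 atm=ATM-NJ-04 amount=2000
2014-04-05T02:05:05 card=4111****0001 atm=ATM-CT-09 amount=2000
2014-04-05T02:06:59 card=4111****0001 atm=ATM-NY-22 amount=2000
2014-04-05T10:15:00 card=4111****0002 atm=ATM-NY-17 amount=300
2014-04-05T18:40:00 card=4111****0002 atm=ATM-NY-17 amount=200
"""

DAILY_LIMIT_USD = 500        # assumed policy limit, stored apart from the ATM control panel
WINDOW = timedelta(hours=4)  # shortest cash-out window the article cites
MIN_DISTINCT_ATMS = 3        # assumed threshold for "multiple ATMs"


def parse_line(line):
    """Split one constructed log line into (timestamp, card, atm, amount)."""
    ts, card, atm, amount = line.split()
    value = lambda field: field.split("=", 1)[1]
    return datetime.fromisoformat(ts), value(card), value(atm), int(value(amount))


def find_cashouts(log_text, limit=DAILY_LIMIT_USD, window=WINDOW, min_atms=MIN_DISTINCT_ATMS):
    """Return {card: (total_usd, sorted atm ids)} for every card whose withdrawals
    inside some sliding window exceed the policy limit across several distinct ATMs."""
    by_card = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, card, atm, amount = parse_line(line)
        by_card[card].append((ts, atm, amount))
    alerts = {}
    for card, events in by_card.items():
        events.sort()
        start = 0
        for end, (ts, _atm, _amt) in enumerate(events):
            while ts - events[start][0] > window:  # slide the window's left edge
                start += 1
            span = events[start:end + 1]
            total = sum(a for _, _, a in span)
            atms = {atm for _, atm, _ in span}
            if total > limit and len(atms) >= min_atms:
                if card not in alerts or total > alerts[card][0]:
                    alerts[card] = (total, sorted(atms))
    return alerts
```

Card 0001 is flagged because $8,000 leaves four ATMs in six minutes against a $500 limit; card 0002 stays under the limit at a single ATM and is not.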
In an email exchange, a spokesperson for the Office of the Comptroller of the Currency said that this warning is directed at small and mid-size banks, which are more likely to use web-based control panels on their ATMs.
To deflect such ATM fraud, the FFIEC is requiring financial institutions to implement a long list of basic security controls. For instance, the agencies ask banks to conduct ongoing information security risk assessments; ensure intrusion detection systems and antivirus protection are up to date; limit the number of elevated privileges across the institution; and ensure that sign-on attempts for critical systems are limited and result in locking the account once limits are exceeded.
In a DDoS attack, a hacktivist group, disgruntled competitor or some other ill-intentioned individual uses several computers to hurl massive streams of traffic at a website, in an attempt to slow it down or stop it from working altogether.
To mitigate the damage from such attacks, the FFIEC is requiring banks to maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems; monitor web traffic to detect attacks; and consider sharing DDoS attack-related information with others.
These requirements seem fairly basic, but observers say many banks have had no formal processes in place to detect denial-of-service attacks.
"During the 2012 attacks, some of the banks were responding with a lot of ad-hoc and brute force processes," says Walter Hoogmoed, a principal with Deloitte & Touche. "Many of these controls and security mechanisms need to be much more mature, pervasive, and standardized across the enterprise."
Banks have responded by developing security talent, using simulation programs to train employees, and applying new processes and technologies to warn of and analyze new threats.
Many large banks have also invested in threat management technology suites that include intrusion-detection, security-incident and event-management software as well as threat analysis and crisis management and simulation tools and integration with third parties, such as Internet service providers.
Still, Neustar's Joffe says he fears banks remain extremely vulnerable to DDoS attacks.
"I can guarantee that if I went into 100 of these banks [to do a DDoS mitigation assessment], 98 of them would be deer in the headlights," he says. "They would say, we've got a security group and administrators and Bobby takes care of it."