2015 Vol. 99 No. 5

26 Hoosier Banker May 2015

OPERATIONS / TECHNOLOGY

Is Your Bank on Top of Cybersecurity?
Two threats loom over financial institutions

Mitigating the risks associated with cyberattacks is among the most potent challenges banks face today. Increasing use of online and mobile banking technologies has made banks and their customers more vulnerable than ever before. Given the huge cost of a data breach, in terms of both monetary loss and reputational damage, all banks should have a solid program for assessing and addressing cybersecurity risks.

Over the last decade, bank regulators — through the Federal Financial Institutions Examination Council (FFIEC) — have issued guidance on several aspects of cybersecurity. Most recently the FFIEC outlined the steps banks should take to address two severe threats:

1. Distributed denial-of-service (DDoS) attacks; and
2. Cyberattacks on automated teller machines and card authorization systems.

Combating DDoS

In a recent statement, the FFIEC alerted banks to the risks associated with DDoS attacks on public websites. These attacks slow website response times and otherwise disrupt network resources. They are designed to prevent customers from accessing bank information and services, and to interfere with back-office operations. According to the FFIEC, in some cases criminals use DDoS attacks as a diversionary tactic in connection with attempts to initiate fraudulent wire or ACH transfers using stolen customer or bank employee credentials.

Regulators expect banks to address DDoS readiness as part of their ongoing information security and incident response plans. In addition to evaluating the risks to critical systems, banks should:

• Monitor website traffic to detect attacks;
• Activate incident response plans as appropriate (including notification of Internet service providers and customers); and
• Consider sharing information with law enforcement and organizations such as the Financial Services Information Sharing and Analysis Center (FS-ISAC).

Banks also should ensure sufficient staffing for the duration of an attack and consider engaging third-party service providers to manage Internet traffic flow. Following an attack, a bank must identify any gaps in its response and modify its risk management controls accordingly. Additionally, the board of directors should be made aware of any incidents or attacks and related risks.

The statement lists several resources available to help banks mitigate the risks of DDoS attacks, including the Department of Homeland Security's DDoS Quick Guide, available at: us-cert.gov/security-publications/DDoS-Quick-Guide.

Defending Against ATM Attacks

The FFIEC also has warned about a dangerous form of ATM cash-out fraud known as "unlimited operations." It enables criminals to withdraw funds well beyond ATM control limits, and even beyond the cash balance in customer accounts. In one attack, criminals used unlimited operations to steal more than $40 million, using only 12 debit card accounts.

To perpetrate this scheme, criminals typically send phishing emails to bank employees in an attempt to install malware on the bank's network, giving themselves the ability to alter the settings on Web-based ATM control panels. By increasing or eliminating limits on ATM cash disbursements and by reducing fraud and security-related controls, criminals can quickly withdraw significant sums using fraudulent debit or other ATM cards.

The statement notes that banks may initially be liable for ATM fraud losses, even if they outsource their card-issuing function to a card processor and the compromise takes place at the processor.

About the Author

Joseph Oleksak is a partner with Plante Moran, Auburn Hills, Michigan. He has 16 years of financial institution experience in information systems security and information technology audit. Additionally, he is certified in risk and information security controls, is a certified information systems security professional, and is a qualified security assessor and member of the Indiana Bankers Association Operations & Technology Committee. Oleksak also belongs to the Information Systems Audit and Control Association and to the International Information Systems Security Certification Consortium. The author can be reached at 847-628-8860, email: joe.oleksak@plantemoran.com. Plante Moran is a Diamond Associate Member of the Indiana Bankers Association.
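The article's DDoS section tells banks to monitor website traffic to detect attacks and to hand useful detail to their ISP and incident response team, but does not show what such monitoring looks like. The following is an added example, not code from the article, the author or the FFIEC: it parses web server access-log lines, counts requests per minute, flags minutes whose volume exceeds a multiple of a baseline rate, and reports the source addresses driving the surge and whether a few sources dominate. The log lines, addresses, the baseline rate and the surge factor are all constructed for the example; a bank would derive the baseline from its own historical traffic.

```python
"""Flag DDoS-style traffic surges in web server access logs (added example)."""
import re
from collections import Counter, defaultdict
from datetime import datetime

# Common Log Format: host ident user [time] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (minute_bucket, host, request) or None for a malformed line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("time"), TIME_FMT)
    return ts.replace(second=0), m.group("host"), m.group("request")


def bucket_requests(lines):
    """Group requests into per-minute buckets: {minute: Counter(host -> count)}."""
    buckets = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            bucket, host, _ = parsed
            buckets[bucket][host] += 1
    return buckets


def detect_surges(lines, baseline_rpm, surge_factor=5.0, top_n=3):
    """Return one alert per minute whose request count exceeds surge_factor * baseline_rpm.

    baseline_rpm is the expected requests per minute under normal load (assumed
    to be learned from historical traffic; passed in as a constant here).
    Each alert lists the busiest source hosts with their share of the minute's
    traffic and a 'concentrated' flag set when the top host alone sends at
    least half of it, which helps distinguish a few abusive sources from a
    genuine spike in legitimate customer traffic.
    """
    buckets = bucket_requests(lines)
    threshold = surge_factor * baseline_rpm
    alerts = []
    for bucket in sorted(buckets):
        per_host = buckets[bucket]
        total = sum(per_host.values())
        if total <= threshold:
            continue
        top = per_host.most_common(top_n)
        alerts.append({
            "minute": bucket.strftime("%Y-%m-%d %H:%M"),
            "total": total,
            "threshold": threshold,
            "top_sources": [(h, c, round(c / total, 2)) for h, c in top],
            "concentrated": top[0][1] / total >= 0.5,
        })
    return alerts


def _line(host, minute, second, path):
    """Build one constructed access-log line for the sample below."""
    return (f'{host} - - [01/May/2015:10:{minute:02d}:{second:02d} +0000] '
            f'"GET {path} HTTP/1.1" 200 512')


# Constructed sample: 4 ordinary requests in minute 10:00, then 20 requests in
# minute 10:01 of which 15 come from a single address (documentation-range IPs).
SAMPLE_LOG = (
    [_line(f"198.51.100.{i}", 0, i, "/login") for i in range(1, 5)]
    + [_line("203.0.113.7", 1, s, "/") for s in range(15)]
    + [_line("203.0.113.8", 1, s, "/") for s in range(15, 20)]
)

if __name__ == "__main__":
    for alert in detect_surges(SAMPLE_LOG, baseline_rpm=4, surge_factor=3):
        print(alert)
```

The alert payload (minute, totals, top sources) is the kind of detail the response plan in the article expects a bank to pass to its ISP or FS-ISAC; a real deployment would feed the detector continuously rather than over a fixed list and would tune the surge factor per site.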
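The "unlimited operations" scheme works by raising or removing cash-disbursement limits and switching off fraud controls on a Web-based ATM control panel, after which withdrawals exceed both the ATM limits and the account balances. The following is an added example, not code from the article, the author or the FFIEC, of two defender-side checks a bank or its card processor could run: an audit of control-panel change events that flags limit removals, limits above a policy cap, unapproved limit increases and disabled controls, and a check of a withdrawal feed that flags cumulative withdrawals beyond a card's approved limit or beyond the account's balance. The event format, the policy cap, the control names and all sample values are constructed for the example.

```python
"""Audit ATM control-panel changes and withdrawals for cash-out patterns (added example)."""
from collections import defaultdict

# Constructed policy: the highest daily cash limit the bank permits per card, and
# the fraud/security controls that must never be switched off without review.
POLICY_MAX_DAILY_LIMIT = 1_000.00
REQUIRED_CONTROLS = {"velocity_check", "pin_retry_lockout", "geo_check"}


def audit_panel_change(event):
    """Return the findings for one control-panel change event (empty list if benign).

    event fields (constructed format): actor, setting, old, new, dual_approved.
    A daily_cash_limit of None means the limit was removed entirely.
    """
    findings = []
    setting, old, new = event["setting"], event["old"], event["new"]
    approved = event.get("dual_approved", False)
    if setting == "daily_cash_limit":
        if new is None:
            findings.append("daily cash limit removed (unlimited)")
        else:
            if new > POLICY_MAX_DAILY_LIMIT:
                findings.append(
                    f"daily cash limit {new:.2f} exceeds policy cap {POLICY_MAX_DAILY_LIMIT:.2f}")
            if old is not None and new > old and not approved:
                findings.append(
                    f"daily cash limit raised {old:.2f} -> {new:.2f} without dual approval")
    elif setting in REQUIRED_CONTROLS and new is False:
        findings.append(f"required control '{setting}' disabled")
    return findings


def audit_panel_changes(events):
    """Return [(actor, findings)] for every event that produced at least one finding."""
    results = []
    for event in events:
        findings = audit_panel_change(event)
        if findings:
            results.append((event["actor"], findings))
    return results


def check_withdrawals(withdrawals, card_limits, balances):
    """Flag withdrawals whose running total passes the card limit or the account balance.

    card_limits: {card: approved daily limit}; a card with no entry falls back to
    the policy cap, so an attacker cannot escape the check by deleting the limit.
    balances: {account: available balance at the start of the day}.
    Returns a list of {"card", "amount", "reason"} with reason 'over_limit' or
    'over_balance'; one withdrawal can produce both.
    """
    flagged = []
    spent_by_card = defaultdict(float)
    spent_by_account = defaultdict(float)
    for w in withdrawals:
        card, acct, amt = w["card"], w["account"], w["amount"]
        spent_by_card[card] += amt
        spent_by_account[acct] += amt
        limit = card_limits.get(card)
        if limit is None or limit > POLICY_MAX_DAILY_LIMIT:
            limit = POLICY_MAX_DAILY_LIMIT
        if spent_by_card[card] > limit:
            flagged.append({"card": card, "amount": amt, "reason": "over_limit"})
        if spent_by_account[acct] > balances.get(acct, 0.0):
            flagged.append({"card": card, "amount": amt, "reason": "over_balance"})
    return flagged


# Constructed sample events: one approved, in-policy increase, then a limit
# removal and a disabled control made by a service account without approval.
PANEL_CHANGES = [
    {"actor": "ops.jane", "setting": "daily_cash_limit", "old": 500.0, "new": 800.0,
     "dual_approved": True},
    {"actor": "svc_panel", "setting": "daily_cash_limit", "old": 800.0, "new": None,
     "dual_approved": False},
    {"actor": "svc_panel", "setting": "velocity_check", "old": True, "new": False,
     "dual_approved": False},
]

# Constructed withdrawal feed: the second withdrawal passes the card limit, the
# third passes the account balance as well (card number is a placeholder).
WITHDRAWALS = [
    {"card": "CARD-0001", "account": "ACCT-1", "amount": 300.0},
    {"card": "CARD-0001", "account": "ACCT-1", "amount": 300.0},
    {"card": "CARD-0001", "account": "ACCT-1", "amount": 2000.0},
]
CARD_LIMITS = {"CARD-0001": 500.0}
BALANCES = {"ACCT-1": 1200.0}

if __name__ == "__main__":
    print(audit_panel_changes(PANEL_CHANGES))
    print(check_withdrawals(WITHDRAWALS, CARD_LIMITS, BALANCES))
```

Because the attack starts with a compromised employee workstation, the audit should be run on a copy of the control-panel log held outside the control panel's own administrative reach; the withdrawal check gives a second, independent signal when the panel settings have already been tampered with, which matches the article's point that losses can land on the bank even when the compromise happens at the processor.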
