Did Malware Take the Banks Down? Analyst Says Malware Likely to Blame for Online Banking, ATM Outage
Editor's Note: BankInfoSecurity.com on Nov. 15 reported that most of the institutions, including BofA and Fairwinds, allegedly hit by the outage denied claims that malware was involved, and in some cases said they were not impacted by any ATM or online outage at all.

Several financial institutions saw their ATM and online banking channels taken offline over the weekend of the daylight saving time change. The institutions allegedly affected by the outage, including Bank of America, Chase, U.S. Bank, Wells Fargo, Compass, USAA, Suntrust, Chase, Fairwinds Credit Union, American Express, BB&T on the East Coast and PNC, reportedly blamed the downtime on a computer glitch related to the time-zone change.

But Julie McNelley, a senior analyst at Aite Group LLC who covers banking and payments fraud, says more is likely going on behind the scenes. In fact, she says the outage could have been related to anything from a widespread malware attack to outdated technical infrastructures.

"Infrastructure is certainly a problem with banks," McNelley says. "They acknowledge it." And given the proprietary nature of most banking institutions' code, she says it's unlikely that a bug related to the time-zone would simultaneously hit all of these institutions, or at least within the same relative timeframe. "That just doesn't seem like a plausible reason for me," she says. "I think malware if probably the most likely culprit, or some sort of coordinated attack."

During this interview, McNelley discusses:

  • Outsourcing to third-party vendors;
  • The link between the ATM and online channels; and
  • Outdated technology and infrastructures.

McNelley has more than a decade of hands-on product management experience working with financial institutions, payments processors and risk management companies. She most recently served as senior vice president of product management with Golden Gateway Financial, where she developed and managed new financial services lines of business. Before joining Golden Gateway, she was vice president of product solutions with Early Warning Services, where she managed a suite of fraud prevention services. Under McNelley's leadership, Early Warning launched multiple new solutions to successfully detect and prevent fraud; further, she was a key member of the team that facilitated the spin-off of Early Warning Services from First Data Corp. to Bank of America, JPMorgan Chase, Wells Fargo, and BB&T. She also led operational process improvements for NextCard, identifying points of compromise and implementing solutions to reduce fraud and operational expenses. She began her career as a research analyst at E*Offering, where she analyzed online financial services and risk-management firms.

McNelley holds a master's degree in international policy from the Monterey Institute of International Studies and a bachelor's degree in business administration from Michigan State University.

Simultaneous ATM Meltdown: More Than 'Glitch'?

TRACY KITTEN: Julie, Bank of America, Chase, U.S. Bank, Wells Fargo, Compass, USAA, SunTrust, Fairwinds Credit Union, American Express, BB&T on the East Coast, and PNC were all reportedly affected by this weekend's glitch. The banks are referring to it as a time-zone glitch, but could there be more going on here?

JULIE MCNELLEY: There certainly could be. It seems very odd that all of them would have the same bug pop up the same weekend. This is three years after Congress changed the time zone to be the first weekend in November. It seems that it would be odd that it would take three years for this bug to pop up and hit all of these banks at the same time.

Outdated Infrastructure or Malware to Blame?

KITTEN: Do you think it could be related to outdated infrastructure, or do you think they could have all been hit by some type of malware attack?

MCNELLEY: I would say that infrastructure is certainly a problem with banks. They acknowledge it. Much of their code is proprietary, so I would be very surprised if they all had the same bug coded into outdated infrastructure. That just doesn't seem like a plausible reason for me. I think malware if probably the most likely culprit, or some sort of coordinated attack. It seems, based on the players, based on the locations, that this was somebody testing, trying to figure out how deep they can penetrate, and it looks like something was successful.

KITTEN: Julie, if it were related to some type of malware attack, why would the banks be reluctant to admit that they were adversely affected?

MCNELLEY: I think there are two reasons. First of all, banks make their living based on customer trust. They don't want to make it public that they have been victims of a malware attack on this scale. Secondly, if it has been a successful malware attack, then they don't necessarily want to make it clear to the fraudster public that they have been compromised to this extent, because that could put a big target on their back for future attempts of this sort.

Siloed ATM, Online Channels

KITTEN: Is there anything odd about the fact that the online channel and the ATM channel were taken down? Can we glean anything from that?

MCNELLEY: That is one of the more interesting things, especially when you are talking about outdated infrastructure, because in a lot of these banks, online and ATM infrastructures are actually some of the newest infrastructures in place. Since the advent of Check 21, banks have been spending a lot of time on their ATM channel and online channels within the last 10 years that's been developed. One of the commonalities with both online and ATM is a lot of it is outsourced to a handful of vendors. So that could explain why it could have been successful on this scale, because if it was some sort of malware or some sort of hacker attack that could have been targeting the systems of a few vendors they were able to penetrate and compromise.

Vulnerabilities of Outsourcing and Third Parties

KITTEN: That is an interesting point. We've talked quite a bit over the last several months about signing with vendors and making sure that the third parties you work with are actually protecting the information, since banks lose control at some level. How vulnerable are banks to these types of outages?

MCNELLEY: In terms of the outsourcing, banks rely on technology vendors. But having been a technology vendor to a bank, I know that, especially with the big banks, they have a huge amount of oversight, especially when customer data is involved. So I don't think this is cause for concern for the consumer public -- that there are all of these gaps and holes in banking infrastructure. I think that, again, this could have been a very targeted attack, where some malware hackers found some vulnerability in a few specific areas. But in terms of it being pandemic across banks, I don't think that is an issue, just because banks are so paranoid about customer data. And nobody wants to go back to 2005 and be the next person called up on Capitol Hill because of data breaches. Banks are very sensitive to that issue.

Is Chase Outage Related?

KITTEN: The Chase bank website went down recently. Do you think that this could be something similar to what adversely affected the Chase banking website?

MCNELLEY: It is hard to speculate. They are such complex entities and there is so much going on with them right now that there could be any one of a million reasons for what happened to the Chase banking website. I would be more inclined to say that was coincidence at this point, but, again, that is pure speculation.

Conspiracy in the Blogosphere

KITTEN: It is interesting too because a number of bloggers out there are speculating about what actually happened. I read a couple of speculations that the banks may have actually conspired to create what they are calling a "bank holiday" to devalue the dollar -- ultimately, an effort to limit cash withdraws. It seems a bit far fetched, but what is your take?

MCNELLEY: I read those, too, and I think they are actually kind of amusing. I'm not a big conspiracy theorist, especially in the light of what the Fed has been doing in the last week to actually poor more money into the system. I think that it's so remote, it's not even a possibility.

Conspiracy in the Blogosphere

KITTEN: And before we close, Julie, could you give any final thoughts or share with our audience any insights that you might have about what could have happened here, as it relates to outdated infrastructure, or maybe what we can expect to read about in the next couple of weeks as more of this unfolds?

MCNELLEY: Based on how tight-lipped the banks are being right now, I'm not sure we're going to be reading a lot about it in the next few weeks. Although, based on some of the speculation out there, I think if that continues unchecked, then an explanation probably will help dampen some of that. Again, to me, I would put my money on a malware attack. It has all the hallmarks of that, just based on the geographic spread of it, the targeted systems and the banks in question. Although, it was interesting that there was a credit union in the mix, because, for the most part, credit unions tend to use different outsourced vendors than banks. I found it very interesting, and again, there are a lot of financial institutions out there, so that could have just been coincidence.

Around the Network