New DDoS Warning Issued by Regulator
Second Alert Recommends Defensive Steps

The National Credit Union Administration is the second federal banking regulator to issue an alert about fraud risks linked to distributed denial of service attacks.


In late December, the Office of the Comptroller of the Currency also issued an alert about DDoS activity.

Attorney Joseph Burton, a cybercrime and information security expert and managing partner of law firm Duane Morris LLP, says banking institutions should heed these notices as warnings that DDoS strikes will continue this year.

"In the attacks we're talking about, there have definitely been account transfers," Burton says, adding that banks and credit unions have an obligation and responsibility to address these risks and ensure they have the right types of programs in place.

New DDoS Alert

The NCUA's Feb. 21 alert lists policies and procedures credit unions and other financial institutions should implement to defend themselves against DDoS attacks.

Among the NCUA's recommendations:

  • Conduct ongoing assessments to identify risks associated with DDoS attacks;
  • Ensure disaster recovery and incident response programs include DDoS attack scenarios that can be tested before, during, and after an attack;
  • Perform ongoing due diligence on third-party service providers, especially Internet and Web-hosting providers, to ensure appropriate traffic management policies and controls are in place.

While the NCUA notes that the primary goal of DDoS attacks is online disruption rather than fraud, the regulator also notes that DDoS attacks are often used as tools of distraction to veil fraud taking place in the background.

"Credit unions should voluntarily file a Suspicious Activity Report if an attack impacts Internet service delivery, enables fraud, or compromises member information," the alert states. "DDoS attacks may also be paired with attempts to steal member funds or data."

The NCUA also says credit unions should brace for DDoS attacks by following the practices and controls outlined in the Federal Financial Institutions Examination Council's updated authentication guidance, which recommends the implementation of member and employee education programs, multifactor authentication for online transactions, and transaction monitoring and verification procedures.
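The two points above, that fraud may be hidden behind the noise of an attack and that transaction monitoring and verification should catch it, are easiest to see in code. The following is an added example written for this page, not code from the article, the NCUA, the OCC or the FFIEC guidance. It assumes a hypothetical scoring policy of the editor's own design (hold a transfer for out-of-band verification when it falls inside a DDoS incident window and carries at least one other fraud signal), an assumed six-hour post-recovery grace period, and constructed sample incident, account-history and transfer records.

```python
"""Correlate outbound transfers with DDoS incident windows.

Added illustration for this page (not from the NCUA/OCC alerts). The idea:
a transfer initiated while the institution is fighting an attack deserves
stricter verification than the same transfer on a quiet day. Thresholds,
grace period and the scoring policy are assumptions for illustration.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import mean, pstdev


@dataclass(frozen=True)
class Incident:
    """A DDoS incident window: attack onset to service restoration."""
    start: datetime
    end: datetime


@dataclass(frozen=True)
class Transfer:
    tx_id: str
    account: str
    amount: float
    at: datetime
    new_payee: bool  # payee added to the account only recently


# Takeover activity can continue after traffic subsides, so the window is
# extended past recovery. Assumed value; tune per institution.
POST_INCIDENT_GRACE = timedelta(hours=6)


def in_incident_window(when, incidents, grace=POST_INCIDENT_GRACE):
    """True if `when` falls inside any incident window plus its grace period."""
    return any(i.start <= when <= i.end + grace for i in incidents)


def amount_is_outlier(amount, history, z=3.0):
    """Flag amounts more than z standard deviations above the account's
    historic mean; with too little history, fall back to 3x the largest."""
    if len(history) < 5:
        return bool(history) and amount > 3 * max(history)
    mu, sigma = mean(history), pstdev(history)
    if sigma == 0:
        return amount > mu
    return amount > mu + z * sigma


def score_transfer(t, incidents, history):
    """Return (action, reasons). 'hold' routes the transfer to out-of-band
    verification, 'review' queues it for an analyst, 'allow' passes it."""
    reasons = []
    if in_incident_window(t.at, incidents):
        reasons.append("during_ddos_window")
    if amount_is_outlier(t.amount, history.get(t.account, [])):
        reasons.append("amount_outlier")
    if t.new_payee:
        reasons.append("new_payee")

    # Policy (assumed): an attack window alone is not fraud, but an attack
    # window plus any other signal is exactly the masked-fraud pattern.
    if "during_ddos_window" in reasons and len(reasons) >= 2:
        return "hold", reasons
    if reasons:
        return "review", reasons
    return "allow", reasons


def triage(transfers, incidents, history):
    """Score every transfer; returns {tx_id: (action, reasons)}."""
    return {t.tx_id: score_transfer(t, incidents, history) for t in transfers}


# Constructed sample data (not real incident or account records).
INCIDENTS = [Incident(datetime(2012, 12, 24, 9, 0), datetime(2012, 12, 24, 15, 0))]

HISTORY = {
    "ACC-1": [1200.0, 950.0, 1500.0, 1100.0, 1300.0, 1000.0],
    "ACC-2": [40000.0, 42000.0, 38000.0, 41000.0, 39500.0, 40500.0],
}

TRANSFERS = [
    Transfer("T1", "ACC-1", 1250.0, datetime(2012, 12, 24, 10, 30), False),
    Transfer("T2", "ACC-1", 90000.0, datetime(2012, 12, 24, 11, 5), True),
    Transfer("T3", "ACC-2", 41000.0, datetime(2012, 12, 24, 12, 0), False),
    Transfer("T4", "ACC-1", 90000.0, datetime(2012, 12, 26, 9, 0), True),
    Transfer("T5", "ACC-2", 41000.0, datetime(2012, 12, 27, 9, 0), False),
]

if __name__ == "__main__":
    for tx_id, (action, reasons) in triage(TRANSFERS, INCIDENTS, HISTORY).items():
        print(f"{tx_id}: {action:6s} {', '.join(reasons) or '-'}")
```

Run as-is, T2 (a large transfer to a new payee during the Christmas Eve window) is held for verification, T1 and T3 (ordinary amounts during the window) and T4 (the same large transfer two days after recovery) go to review, and T5 is allowed. The design choice worth noting is that the incident window is an input to the fraud engine, which is what the regulators' "tools of distraction" warning implies: the teams fighting the outage and the teams watching transfers need to share state, not just alerts.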

DDoS: Tool of Distraction

The Office of the Comptroller of the Currency issued its alert late last year to raise awareness, because some attacks had been used to distract attention from attempts by fraudsters to commit account fraud or to steal proprietary information, a spokesman said (see Attacks Put Banks on Alert).

"Because the groups conducting DDoS may shift tactics and targets during an attack, banks should incorporate information sharing with other banks and service providers into their risk mitigation strategies," OCC spokesman Bill Grassano said Dec. 21.

Burton, the attorney, says the OCC's December alert was issued in response to DDoS attacks that targeted California-based Bank of the West at the end of last year. The attacks were used as a means of distraction to take over online accounts and steal funds, he says.

Security blogger Brian Krebs reported Feb. 13 that the attack against Bank of the West resulted in more than $900,000 being drained from one account, and that a Christmas Eve DDoS attack distracted bank employees from detecting the takeover.

"If you have one, two or three of those types of attacks, is that going to be enough for people to say, 'We're going to come up with some methods to deal with these attacks'?" Burton asks. "I don't know. But there are a range of things that can be done to mitigate those circumstances. I don't believe it's a sufficient answer to say this is just hacktivism. I don't think that's an adequate answer."

Izz ad-Din al-Qassam Cyber Fighters

Larger banking institutions have been battling DDoS attacks since mid-September, when the hacktivist group Izz ad-Din al-Qassam Cyber Fighters launched its first wave of attacks against leading institutions, such as Bank of America and JPMorgan Chase, in protest over a YouTube video deemed offensive to Muslims.

But in late January, the attacks shifted, and smaller institutions were named among the hacktivists' targets. Shortly after those attacks, Izz ad-Din al-Qassam Cyber Fighters said it planned to temporarily halt its attacks.

But in mid-February, the group announced on the open forum Pastebin that it expected to reinitiate its attacks against U.S. banks.

Institutions Taking Threat Seriously

Mike Wyffels, who supports compliance oversight and fraud prevention for $2 billion bank holding company QCR Holdings, which owns four banking institutions in Illinois, Iowa and Wisconsin, says banking institutions are taking DDoS seriously.

"The DDoS attacks continue to be persistent and organized, which means organizations need to be vigilant and aware of what is taking place," he says. "These attacks may also be a method of deception, causing organizations to look at the obvious and miss the real threat intended. Over the past year, these attacks have nearly doubled in volume and have proven difficult, at best, to defend against. Organizations should evaluate solutions internally to mitigate risks and work with their suppliers in a partnership to accomplish the same."


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.
