New DDoS Warning Issued by Regulator

Second Alert Recommends Defensive Steps

By , February 22, 2013.
The National Credit Union Administration is the second federal banking regulator to issue an alert about fraud risks linked to distributed denial of service attacks.

In late December, the Office of the Comptroller of the Currency also issued an alert about DDoS activity.

Attorney Joseph Burton, a cybercrime and information security expert and managing partner of law firm Duane Morris LLP, says banking institutions should heed these notices as warnings that DDoS strikes will continue this year.

"In the attacks we're talking about, there have definitely been account transfers," Burton says, adding that banks and credit unions have an obligation and responsibility to address these risks and ensure they have the right types of programs in place.

New DDoS Alert

The NCUA's Feb. 21 alert lists policies and procedures credit unions and other financial institutions should implement to defend themselves against DDoS attacks.

Among the NCUA's recommendations:

  • Conduct ongoing assessments to identify risks associated with DDoS attacks;
  • Ensure disaster recovery and incident response programs include DDoS attack scenarios that can be tested before, during, and after an attack;
  • Perform ongoing due diligence on third-party service providers, especially Internet and Web-hosting providers, to ensure appropriate traffic management policies and controls are in place.

While the NCUA notes that the primary goal of DDoS attacks is to create online disruption rather than fraud, the regulator also notes that DDoS attacks often are used as tools of distraction to veil fraud taking place in the background.

"Credit unions should voluntarily file a Suspicious Activity Report if an attack impacts Internet service delivery, enables fraud, or compromises member information," the alert states. "DDoS attacks may also be paired with attempts to steal member funds or data."

The NCUA also says credit unions should brace for DDoS attacks by following the practices and controls outlined in the Federal Financial Institutions Examination Council's updated authentication guidance, which calls for member and employee education programs, multifactor authentication for online transactions, and transaction monitoring and verification procedures.
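Both regulators frame DDoS as cover for account takeover, and the NCUA points to transaction monitoring as the compensating control. The Python below is an added example, not code from the article or from either regulator's guidance: it derives an attack window from request-rate samples on the online banking front end, then flags outbound transfers initiated during (or just around) that window that go to a payee the account has never used or exceed a multiple of the account's prior largest transfer. The traffic samples, account numbers, amounts and payee names are constructed for the example, and the thresholds (10x baseline request rate, 5-minute padding, 3x prior maximum amount) are illustrative assumptions rather than values from the alerts.

```python
"""Added example: surface transfers that may be hiding behind a DDoS attack.

Two steps: (1) derive attack windows from request-rate samples on the online
banking front end, (2) flag outbound transfers initiated inside (or just
around) a window that look unlike the account's prior behaviour.
All data below is constructed for illustration; thresholds are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median


@dataclass(frozen=True)
class Transfer:
    ts: datetime
    account: str
    amount: float
    dest: str


def detect_ddos_windows(samples, factor=10.0, baseline_n=5):
    """samples: [(timestamp, requests_per_minute), ...] sorted by time.

    Baseline = median of the first `baseline_n` samples (assumed pre-attack).
    A window is a maximal run of consecutive samples at or above
    factor * baseline; returns [(start, end), ...].
    """
    baseline = median(rpm for _, rpm in samples[:baseline_n])
    threshold = factor * baseline
    windows, start, last = [], None, None
    for ts, rpm in samples:
        if rpm >= threshold:
            if start is None:
                start = ts
            last = ts
        elif start is not None:
            windows.append((start, last))
            start = None
    if start is not None:
        windows.append((start, last))
    return windows


def flag_transfers(transfers, windows, history,
                   pad=timedelta(minutes=5), amount_factor=3.0):
    """history: {account: {"amounts": [prior amounts], "dests": {prior payees}}}.

    Only transfers inside a padded attack window are examined; each is
    flagged if its payee is new for the account or its amount exceeds
    amount_factor * the account's prior maximum. Returns [(transfer, reasons)].
    """
    flagged = []
    for t in transfers:
        if not any(s - pad <= t.ts <= e + pad for s, e in windows):
            continue
        h = history.get(t.account, {"amounts": [], "dests": set()})
        reasons = []
        if t.dest not in h["dests"]:
            reasons.append(f"payee {t.dest!r} never used by {t.account}")
        if h["amounts"] and t.amount > amount_factor * max(h["amounts"]):
            reasons.append(f"amount {t.amount:,.2f} exceeds "
                           f"{amount_factor:g}x prior max {max(h['amounts']):,.2f}")
        if reasons:
            flagged.append((t, reasons))
    return flagged


# --- constructed sample data (hypothetical; not from the article) ---
T0 = datetime(2013, 12, 24, 9, 0)
# 200 req/min normally; 12,000 req/min from 09:10 to 09:19 inclusive.
TRAFFIC = [(T0 + timedelta(minutes=i), 12000 if 10 <= i < 20 else 200)
           for i in range(30)]
HISTORY = {
    "A-1001": {"amounts": [900.0, 1200.0, 1100.0], "dests": {"payroll-vendor"}},
    "B-2002": {"amounts": [250.0, 300.0], "dests": {"utility-co"}},
}
TRANSFERS = [
    Transfer(T0 + timedelta(minutes=2), "A-1001", 1200.0, "payroll-vendor"),  # before attack
    Transfer(T0 + timedelta(minutes=15), "A-1001", 45000.0, "mule-acct-77"),  # during attack
    Transfer(T0 + timedelta(minutes=16), "B-2002", 300.0, "utility-co"),      # during, but routine
    Transfer(T0 + timedelta(minutes=50), "A-1001", 9000.0, "mule-acct-78"),   # outside padded window
]


def run_demo():
    """Runs both steps on the sample data; returns (windows, flagged)."""
    windows = detect_ddos_windows(TRAFFIC)
    return windows, flag_transfers(TRANSFERS, windows, HISTORY)


if __name__ == "__main__":
    windows, flagged = run_demo()
    for s, e in windows:
        print(f"DDoS window: {s:%H:%M} - {e:%H:%M}")
    for t, reasons in flagged:
        print(f"REVIEW {t.ts:%H:%M} {t.account} -> {t.dest} {t.amount:,.2f}: "
              + "; ".join(reasons))
```

On the sample data only the 45,000 transfer to a never-seen payee during the attack is flagged; the routine payment in the same window is not, and the later transfer to "mule-acct-78" falls outside the padded window and is deliberately left to ordinary post-incident review. In production the request-rate baseline should be learned over days rather than a few minutes, the attack window would more usefully come from the DDoS mitigation provider's event feed than from the institution's own edge, and the flagged list is the kind of evidence an analyst would attach to the Suspicious Activity Report the NCUA alert asks for.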

DDoS: Tool of Distraction

The Office of the Comptroller of the Currency issued its alert late last year to raise awareness, because some attacks had been used to distract attention from attempts by fraudsters to commit account fraud or to steal proprietary information, a spokesman said (see Attacks Put Banks on Alert).

"Because the groups conducting DDoS may shift tactics and targets during an attack, banks should incorporate information sharing with other banks and service providers into their risk mitigation strategies," OCC spokesman Bill Grassano said Dec. 21.

Burton, the attorney, says the OCC's December alert was issued in response to DDoS attacks that targeted California-based Bank of the West at the end of last year. The attacks were used as a means of distraction to take over online accounts and steal funds, he says.

Security blogger Brian Krebs reported Feb. 13 that the attack against Bank of the West resulted in more than $900,000 being drained from one account, and a Christmas Eve DDoS attack distracted bank employees from detecting the takeover.

Follow Tracy Kitten on Twitter: @FraudBlogger
