FFIEC: New Statements on Fraud, DDoS Outline Expectations for Mitigation Steps
The Federal Financial Institutions Examination Council on April 2 issued notices spelling out its expectations for steps banking institutions should take to mitigate risks posed by ATM cash-out schemes and the continued distributed-denial-of-service attacks on public-facing websites.
"Cyber-attacks on financial institutions to gain access to, and alter the settings on, Web-based ATM control panels used by small- to medium-sized institutions are on the rise," the FFIEC says in its announcement of the statements. "The [FFIEC] expects financial institutions to take steps to address this threat by reviewing the adequacy of their controls over information technology networks, card issuer authorization systems, ATM usage parameters and fraud detection processes."
The FFIEC says it also expects financial institutions to address DDoS readiness as part of their ongoing information security and incident plans.
Stephanie Collins, spokeswoman for the Office of the Comptroller of the Currency, says the FFIEC's statements were not issued in response to any particular threat, but were meant to make banking institutions aware of ongoing trends.
"The OCC works with its partners in law enforcement and the intelligence community to keep current on the evolving cybersecurity landscape so we can better inform and help our banks with risk mitigation tactics," she says. "The FFIEC joint statements on DDoS and ATM cash-out are directed at all institutions. However, with regard to the ATM cash-out joint statement, small and mid-size banks are more likely to use Web-based control panels."
Payments fraud expert John Buzzard, who oversees FICO's Card Alert Service, says the regulators' advisory about cash-out schemes is a good reminder about ongoing risks.
"I read this as [the] FFIEC sharing information that apparently is a credible threat and not so much a live situation," Buzzard says. "It's a good opportunity for everyone to take pause and make sure that firewalls and hardware security modules are in place, and that passwords are fresh and secure - the basics should be revisited."
From a DDoS perspective, Buzzard says it seems the FFIEC is just reminding smaller institutions that they are vulnerable and could be targeted. "Many of the large financial brands have been hit or have taken precautions to prevent an attack, so this seems like common sense warnings to me," he says.
But one fraud executive with a mid-sized banking institution in the Southeast, who asked not to be named, says getting these types of periodic reminders from regulators serves a purpose. "Smaller institutions are more vulnerable," this executive says. "They are trying to stay competitive with the big banks by offering new products that customers want. But small banks often do not realize the fraud potential of such products, nor can a small bank tolerate the monetary losses that big banks sustain."
Having regulators outline certain areas that need to be paid additional attention is helpful to smaller institutions, the executive adds, because most do not have professionally trained fraud specialists on staff.
The FFIEC says it issued the notice about cyber-attacks on ATM and card authorization systems to warn financial institutions about large dollar-value ATM cash-out fraud schemes. In the schemes, criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals, the FFIEC says (see 3 Indicted in Cybercrime Scheme).
Criminals perpetrate the fraud by initiating cyber-attacks to gain access to Web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid or ATM card account information, according to the notice.
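As an added illustration of the control gap described above (example code, not part of the FFIEC notices or this article): the issuer's authorization system enforces account balance and per-card daily limits on its own, so a withdrawal limit altered in a Web-based ATM control panel cannot by itself push a withdrawal past those limits, and a separate check flags panel limit changes that exceed policy or come from an unapproved actor. All account data, actor names and limits are constructed.

```python
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass
class Account:
    balance: float          # available balance held by the card issuer
    daily_limit: float      # issuer-side per-card daily withdrawal limit
    withdrawn_today: float = 0.0


# Constructed sample accounts for the demo (not data from the FFIEC notice).
ACCOUNTS: Dict[str, Account] = {
    "card-1001": Account(balance=450.0, daily_limit=500.0),
    "card-1002": Account(balance=20000.0, daily_limit=1000.0),
}

# Constructed control-panel change records (hypothetical format).
PANEL_CHANGES: List[dict] = [
    {"id": "chg-1", "actor": "ops-admin", "new_limit": 500.0},
    {"id": "chg-2", "actor": "unknown-remote", "new_limit": 50000.0},
]


def authorize(accounts: Dict[str, Account], card: str, amount: float,
              panel_limit: float) -> Tuple[bool, List[str]]:
    """Authorize one ATM withdrawal; panel_limit is the limit the ATM control
    panel reports. The issuer's balance and daily-limit checks run regardless,
    so a tampered panel value alone cannot lift the card past its real limits."""
    acct = accounts[card]
    reasons = []
    if amount > acct.balance:
        reasons.append("exceeds account balance")
    if acct.withdrawn_today + amount > acct.daily_limit:
        reasons.append("exceeds issuer daily limit")
    if amount > panel_limit:
        reasons.append("exceeds ATM panel limit")
    if reasons:
        return False, reasons           # nothing is debited on a decline
    acct.balance -= amount
    acct.withdrawn_today += amount
    return True, []


def flag_panel_changes(changes: List[dict], policy_max: float,
                       approved_actors: Set[str]) -> List[str]:
    """Return ids of panel limit changes that look like cash-out setup: a limit
    raised above policy, or any limit change made by an unapproved actor."""
    return [c["id"] for c in changes
            if c["new_limit"] > policy_max or c["actor"] not in approved_actors]
```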
The FFIEC says it expects institutions to take the following steps to mitigate the threat posed by cash-out schemes:
- Conduct ongoing information security risk assessments;
- Perform security monitoring, prevention and risk mitigation;
- Protect against unauthorized access;
- Implement and test controls around critical systems regularly;
- Conduct information security awareness and training programs;
- Test incident response plans;
- Participate in industry information sharing forums.
In its notice about DDoS attacks and risk mitigation, the FFIEC notes that these attacks can sometimes serve as a diversion by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or ACH transfers.
To mitigate DDoS threats, the FFIEC says it expects banking institutions to take the following steps:
- Maintain an ongoing program to assess information security risk that identifies, prioritizes and assesses the risk to critical systems, including threats to external websites and online accounts;
- Monitor Internet traffic to the institution's websites to detect attacks;
- Activate incident response plans and notify service providers as appropriate if the institution suspects that a DDoS attack is occurring;
- Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow;
- Share information about the attack with FS-ISAC and law enforcement;
- Evaluate any gaps in the response following attacks and in ongoing risk assessments.
(Executive Editor Tracy Kitten contributed to this article.)