Regulator Warns of DDoS, Fraud Link

OCC Issues Alert, Security Tips for Banking Institutions
A federal banking regulator says banking institutions should be concerned about fraud attempts linked to recent distributed-denial-of-service attacks on prominent U.S. banks.

On Dec. 21, the Office of the Comptroller of the Currency became the first regulatory agency to issue an alert to financial institutions on the recent wave of DDoS strikes.

An OCC spokesman says the alert was issued to raise awareness about DDoS attacks identified by depository institutions that have, in some instances, been used as tools of distraction to perpetrate customer account fraud or steal proprietary information (see Attacks Put Banks on Alert).

"Because the groups conducting DDoS may shift tactics and targets during an attack," says OCC spokesman Bill Grassano, "banks should incorporate information sharing with other banks and service providers into their risk mitigation strategies."

Participating in information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center, and communicating with the United States Computer Emergency Readiness Team are highly recommended, the OCC notes (see Bank Attacks: What Have We Learned?).

"Banks need to have a heightened sense of awareness regarding these attacks and employ appropriate resources to identify and mitigate the associated risks," Grassano says. "Preparations may include ensuring sufficient staffing for the duration of DDoS attacks, in conjunction with pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow."

Institutions also should ensure incident-response strategies involve appropriate personnel across multiple lines of business, as well as external partners. Banks should consider due diligence reviews of service providers, such as Internet service providers and Web-hosting servicers, to ensure they, too, have taken the necessary steps to identify and mitigate potential risks associated with DDoS attacks, the OCC recommends.

DDoS: Tools of Distraction

Bill Nelson, president and CEO of the FS-ISAC, says the OCC's notice really just reiterates what industry groups have been sharing with the industry since September, when the first wave of DDoS began (see More U.S. Banks Report Online Woes).

"I think the warning, in general, is that you should be prepared for DDoS," Nelson says. "These advanced attacks we've seen since September, and we actually saw them earlier, too, have brought more publicity to DDoS attacks. These attacks by hacktivists are trying to strike terror, and it's just denying access to sites. But cybercriminal groups have been attacking, too, off on their own, launching cyberfraud. Rather than striking terror, they're trying to make it more difficult to detect their fraud, and that's the worry here" (see Alert: Banks at High Risk of Attack).

DDoS attacks being used as a means to disguise fraud were first identified last year, Nelson says, when community and regional banks started noticing they were being hit by DDoS.

"DDoS was only something at the larger institutions, and then we saw a year ago that smaller banks and regional banks were being hit and many were at a loss about why. It was kind of a surprise tactic," he says, until attempts were identified to commit fraud in the background.

Gartner analyst and fraud expert Avivah Litan, who blogged about the regulator's statement, says the OCC clearly outlines steps all banking institutions should take to prepare for attack.

"It's reassuring to see that the OCC takes these threats very seriously," she says. "No doubt, they will step up their enforcement of FFIEC guidance on Internet banking security."

Other OCC Recommendations

The OCC says institutions should prepare for DDoS attacks by having sufficient staffing. If attacked, institutions should file suspicious activity reports if the incidents impact critical information, including customer account details, or if damage occurs to critical banking systems.

The OCC also notes that layers of security and conformance with the Federal Financial Institutions Examination Council's updated authentication guidance will address most DDoS risks. "Banks should consider the recent DDoS attacks and concurrent fraud against customer accounts as part of their ongoing risk management program," the OCC's Grassano says. "Consideration should extend throughout the banks' risk management process and encompass risk assessment, risk mitigation techniques, response plans, related policies and procedures, testing, training, and customer education."

Banks also should provide accurate and timely communication to their customers regarding website problems, customer risks and precautions those customers should take, as well as communicate alternate delivery channels that can meet customers' banking needs.

Recent Bank Attacks

Banks are currently being hit with DDoS attacks as part of a second phase of campaigns waged by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters. In a Dec. 18 posting on Pastebin, the group warned attacks would persist until a YouTube movie trailer, deemed offensive to Muslims, is removed.

This week, PNC Financial Services, Wells Fargo and BB&T reported online traffic surges, with hits reported as recently as Dec. 20.

BB&T spokesman Brian Davis said Dec. 21 that BB&T did recognize DDoS activity in the late afternoon of Dec. 20 - the first time the bank had detected DDoS-related traffic since the first campaign, which ran from mid-September to mid-October (see DDoS: PNC, Wells Report Traffic Surge).

A week earlier, Izz ad-Din al-Qassam Cyber Fighters announced plans to initiate its second phase of DDoS strikes against Bank of America, JPMorgan Chase, PNC Financial Services, U.S. Bancorp and SunTrust Banks (see 5 Banks Targeted for New DDoS Attacks).

Jeffrey Roman contributed to this story.


About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



