On April 2, 2014, the Federal Financial Institutions Examination Council (“FFIEC”) published joint statements regarding “Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems and Distributed Denial of Service Attacks” (the “Statements”). The FFIEC is made up of the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the National Credit Union Administration, the Consumer Financial Protection Bureau, and the State Liaison Committee. The purpose of the Statements is to notify financial institutions of the risks associated with cyber-attacks on Automated Teller Machine (“ATM”) and card authorization systems as well as the continued distributed denial of service (“DDoS”) attacks on public-facing websites. The Statements further describe the steps that the FFIEC expects financial institutions to take to address these cyber-attacks and highlight resources institutions can use to help mitigate the risk posed by such attacks.
Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems
The FFIEC has become aware of a recent increase in a type of large dollar value ATM cash-out fraud characterized by the U.S. Secret Service as Unlimited Operations. Unlimited Operations are a category of ATM cash-out fraud where criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits applied to ATM withdrawals. The fraud is perpetrated by initiating cyber-attacks to gain access to web-based ATM control panels, which allow the criminals to withdraw customer funds from ATMs using stolen customer debit, prepaid, or ATM card account information.
The criminal begins the attack by sending phishing emails to employees of financial institutions as a means to install malicious software (“Malware”) onto the institution’s network. When the Malware is installed, it is used to monitor the institution’s network to determine how the institution accesses ATM control panels and obtain employee login credentials. The control panels are often web-based and manage the amount of money customers may withdraw within a set time frame, the geographic limitations of withdrawals, the types and frequency of fraud reports that its service provider sends to the financial institution, the designated employee that receives these reports, and other management functions related to card security and internal controls. Once this information is obtained, the employee’s login credentials are used to gain access to the control panel and change the settings to permit greater or unlimited cash disbursements at ATM machines, and to change other fraud and security related controls.
Once the ATM control panels are compromised, fraudulent debit, prepaid, or ATM cards are created with account information and personal identification numbers (“PINs”) stolen through separate attacks and used to withdraw funds from ATMs. Account information and PINs are usually stolen via point-of-sale malware or skimming, ATM malware or skimming, or compromise of the issuer’s card operations. The cash-out phase involves criminals organizing simultaneous withdrawals of large amounts of cash from multiple ATMs over a short period of time.
Financial institutions that issue debit, prepaid, or ATM cards may face a variety of risks from Unlimited Operations, including operational risk, fraud losses, and liquidity and capital risks.
The FFIEC expects financial institutions to take the following risk management steps regarding cyber-attacks on ATM and card authorization systems:
1. Maintain an ongoing information security risk assessment program that identifies, prioritizes and assesses the risk to critical systems, including threats to applications that control ATM parameters and other security and fraud prevention systems;
2. Ensure intrusion detection systems and antivirus protection are up-to-date, and firewall rules are configured properly. Monitor system reports to identify when attacks are attempted or are occurring, when data may be inappropriately leaving the network, and when anomalous behavior patterns occur inside the institution’s network. Monitor third-party processors as well as ATM transaction activity for unusual behavior or attempts to go beyond normal daily limits;
3. Limit the number of elevated privileges across the institution, including administrator accounts, and the ability to assign elevated privileges to critical systems such as the systems to manage the institution’s card issuer authorization and ATM management systems. Consider updating all credentials and monitoring logs for use of old credentials. Consider establishing authentication rules, such as time-of-day controls, or implementing multifactor authentication protocols for web-based control panels;
4. Ensure appropriate controls are implemented for systems based on risk. Ensure that sign-on attempts for critical systems are limited and result in locking the account once limits are exceeded. Implement alerts to notify multiple employees when controls are changed on critical systems. Test the effectiveness of controls periodically. Report test results along with recommended risk mitigation strategies and progress to remediate findings to senior management or a committee of the board of directors;
5. Conduct regular information security awareness training across the financial institution, including how to identify and prevent successful phishing attempts;
6. Test the effectiveness of incident response plans at the financial institution and with third-party processors to ensure that all employees understand their respective responsibilities and protocols, including individuals responsible for managing liquidity and reputation risk, information security, vendor management, fraud detection, and customer inquiries. Consider conducting an exercise at the financial institution that simulates this type of attack; and
7. Incorporate information sharing with other financial institutions and service providers into risk mitigation strategies.
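Steps 2 and 4 above call for monitoring ATM transaction activity against normal daily limits and for alerting multiple employees whenever controls on critical systems are changed. The following is an added example of what that detection logic can look like; it is not code from the FFIEC Statements or from any ATM vendor. The log formats, field names, setting names, threshold values, and alert recipients are assumptions constructed for the example, and the log lines are constructed sample data. The cash-out check deliberately uses the institution’s own baseline limit rather than whatever the control panel currently reports, so that a tampered limit does not silence the alert.

```python
"""Detection logic for two FFIEC risk management steps (assumed formats, not the
FFIEC's or any vendor's): alert on changes to critical ATM control-panel settings,
and flag card activity that exceeds the normal daily limit or hits many ATMs in a burst."""
from collections import defaultdict
from datetime import datetime, timedelta

# Policy baseline (assumed values for this example).
MAX_DAILY_LIMIT_CEILING = 2_000      # dollars; a limit set above this is anomalous
BASELINE_DAILY_LIMIT = 500           # normal per-card cash limit per 24 hours
BURST_WINDOW = timedelta(hours=1)
BURST_ATM_COUNT = 3                  # distinct ATMs per card inside the burst window
# Every alert goes to several people, so a single compromised mailbox cannot hide it.
ALERT_RECIPIENTS = ["infosec-oncall", "fraud-ops", "card-services-manager"]
CRITICAL_SETTINGS = {"daily_withdrawal_limit", "geo_restriction", "fraud_report_recipient"}

# Constructed control-panel audit log: ts|user|setting|old|new
AUDIT_LOG = """\
2014-03-30T14:02:11|j.doe|daily_withdrawal_limit|500|500
2014-03-31T02:17:45|j.doe|daily_withdrawal_limit|500|999999
2014-03-31T02:18:03|j.doe|geo_restriction|US_ONLY|NONE
2014-03-31T02:18:40|j.doe|fraud_report_recipient|fraud-ops@bank.example|mailbox@mail.example
"""

# Constructed ATM transaction log: ts|card|atm|amount
TXN_LOG = """\
2014-03-31T03:00:05|card-1|ATM-NY-01|400
2014-03-31T03:04:12|card-1|ATM-NY-07|400
2014-03-31T03:09:50|card-1|ATM-NJ-02|400
2014-03-31T03:15:22|card-1|ATM-NY-01|400
2014-03-31T09:30:00|card-2|ATM-TX-03|200
2014-03-31T17:45:00|card-2|ATM-TX-03|200
"""


def parse(log, fields):
    """Split pipe-delimited log lines into dicts and parse the timestamp."""
    rows = []
    for line in log.strip().splitlines():
        row = dict(zip(fields, line.split("|")))
        row["ts"] = datetime.fromisoformat(row["ts"])
        rows.append(row)
    return rows


def control_change_alerts(audit_log=AUDIT_LOG):
    """Flag every real change to a critical setting; a limit raised above the
    policy ceiling gets an explicit reason. Unchanged values (old == new) are ignored."""
    alerts = []
    for row in parse(audit_log, ["ts", "user", "setting", "old", "new"]):
        if row["setting"] not in CRITICAL_SETTINGS or row["old"] == row["new"]:
            continue
        reason = "critical setting changed"
        if row["setting"] == "daily_withdrawal_limit" and int(row["new"]) > MAX_DAILY_LIMIT_CEILING:
            reason = "withdrawal limit raised above policy ceiling"
        alerts.append({"ts": row["ts"], "user": row["user"], "setting": row["setting"],
                       "old": row["old"], "new": row["new"], "reason": reason,
                       "notify": list(ALERT_RECIPIENTS)})
    return alerts


def cash_out_alerts(txn_log=TXN_LOG):
    """Flag a card whose withdrawals in any rolling 24h window exceed the baseline
    daily limit, or that hits several distinct ATMs inside the burst window.
    The baseline is the institution's own number, not the control panel's current value."""
    by_card = defaultdict(list)
    for row in parse(txn_log, ["ts", "card", "atm", "amount"]):
        row["amount"] = int(row["amount"])
        by_card[row["card"]].append(row)
    alerts = []
    for card, rows in by_card.items():
        rows.sort(key=lambda r: r["ts"])
        for i, start in enumerate(rows):
            day = [r for r in rows[i:] if r["ts"] - start["ts"] <= timedelta(hours=24)]
            total = sum(r["amount"] for r in day)
            burst = {r["atm"] for r in day if r["ts"] - start["ts"] <= BURST_WINDOW}
            if total > BASELINE_DAILY_LIMIT or len(burst) >= BURST_ATM_COUNT:
                alerts.append({"card": card, "window_start": start["ts"],
                               "total_24h": total, "distinct_atms_1h": len(burst)})
                break  # one alert per card is enough to open a case
    return alerts


if __name__ == "__main__":
    for a in control_change_alerts():
        print(f"[CONTROL] {a['ts']} {a['user']} {a['setting']}: {a['old']} -> {a['new']} ({a['reason']}); notify {a['notify']}")
    for a in cash_out_alerts():
        print(f"[CASH-OUT] {a['card']} from {a['window_start']}: ${a['total_24h']} in 24h, {a['distinct_atms_1h']} ATMs in 1h")
```

Run against the constructed logs, the control-change check raises three alerts (the limit raised to 999999, the geographic restriction removed, and the fraud-report recipient redirected) while the unchanged first entry is ignored, and the cash-out check flags only card-1, whose four withdrawals total well over the baseline and span three ATMs within ten minutes. In a real deployment the two logs would come from the control panel’s audit trail and the processor’s transaction feed, and the alerts would be routed to the multiple recipients the guidance asks for.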
Distributed Denial of Service Attacks
The FFIEC became aware in the latter half of 2012 of an increased number of DDoS attacks launched against financial institutions by politically motivated groups. Such attacks have increased in sophistication and intensity. The attacks caused slow website response times, prevented customers from accessing institutions’ public websites, and adversely affected back-office operations. Sometimes, these attacks serve as a diversionary tactic by criminals attempting to commit fraud using stolen customer or bank employee credentials to initiate fraudulent wire or automated clearinghouse transfers.
Financial institutions that experience DDoS attacks may face operational risks and reputation risks. If the attack is coupled with attempted fraud, a financial institution may also experience fraud losses as well as liquidity and capital risks.
The FFIEC expects financial institutions to take the following risk management steps regarding DDoS attacks:
1. Maintain an ongoing program to assess information security risk that identifies, prioritizes, and assesses the risk to critical systems, including threats to external websites and online accounts;
2. Monitor Internet traffic to the institution’s website to detect attacks;
3. Activate incident response plans and notify service providers, including internet service providers, as appropriate, if the institution suspects that a DDoS attack is occurring. Response plans should include appropriate communication strategies with customers concerning the safety of their accounts;
4. Ensure sufficient staffing for the duration of the DDoS attack and consider hiring pre-contracted third-party servicers, as appropriate, that can assist in managing the Internet-based traffic flow. Identify how the institution’s internet service provider can assist in responding to and mitigating an attack;
5. Consider sharing information with organizations, such as the Financial Services Information Sharing and Analysis Center and law enforcement because attacks can change rapidly and sharing the information can help institutions to identify and mitigate new threats and tactics; and
6. Evaluate any gaps in the institution’s response following attacks and in its ongoing risk assessments, and adjust risk management controls accordingly.
There are clear economic reasons for a financial institution to heed the FFIEC’s warnings and risk management guidelines. There are compliance reasons as well. For example, the Bank Secrecy Act requires depository institutions to have a compliance program that incorporates training from the operational staff to the board of directors, which is designed to limit and control risks and to achieve compliance with the Act. Ultimately, the Bank Secrecy Act requires the institution to: maintain internal controls to implement a customer identification program; implement a risk-based customer due diligence policy, procedure and process; understand expected customer activity; monitor for unusual or suspicious transactions; and maintain records of electronic funds transfers. The recent increase in cyber-attacks on financial institutions’ ATM and card authorization systems and distributed denial of service attacks underscores the need for a financial institution, no matter its size, to constantly review its risk management and training procedures in order to remain vigilant against such attacks.
No information in this article is intended to constitute legal advice. For specific legal advice, please contact an attorney.
If you have any questions or would like more information about the Federal Financial Institutions Examination Council’s joint statements regarding Cyber-attacks on Financial Institutions’ ATM and Card Authorization Systems and Distributed Denial of Service Attacks, please contact Eric Mettenbrink at 713.220.9141 or firstname.lastname@example.org.