by Amy Kleinschmit, Director of Compliance

This Alert discusses the recent distributed denial of service attacks that various groups have launched against national banks and federal savings associations. As explained in the Alert, these distributed denial of service (DDoS) attacks seek, “to deny Internet access to bank services by directing waves of Internet-based traffic from compromised computers to the bank. In some instances, sophisticated groups shift their tactics during attacks and target Internet service providers (ISP). Fraudsters also use DDoS attacks to distract bank personnel and technical resources while they gain unauthorized remote access to a customer’s account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover). In this scenario, the DDoS can occur immediately before, during, or after the attack. DDoS attacks also have been used to deny bank customers the opportunity to report suspected fraud and to block the banks’ customer-alert communications.” OCC Alert 2012-16

The alert advises of the need to have a heightened sense of awareness regarding these attacks and employ appropriate resources to identify and mitigate the associated risks. Due diligence reviews are also suggested of service providers to ensure that they have taken the necessary steps to identify and mitigate risk stemming from potential DDoS attacks. The "Information Security" booklet of the FFIEC Information Technology Examination Handbook (IT Handbook) discusses the overall management of information security-related risk. Guidance addressing attacks against customer accounts is contained in the FFIEC’s "Authentication in an Internet Banking Environment," issued in 2005, and its "Supplement" published in 2011.

As you may recall, the National Credit Union Association issued Letter 11-CU-09, which can be found here: http://www.ncua.gov/Resources/Documents/LCU2011-09.pdf also discussed the FFIEC Supplement to Authentication in an Internet Banking Environment and advised that “Federally insured credit unions will be expected to adapt appropriate strategies from the supplement to strengthen and enhance controls by January 2012. Beginning in 2012, at credit unions offering electronic services, NCUA examiners will evaluate these controls under the enhanced expectations outlined in the supplement.” NCUA Letter 11-CU-09.

An alert issued last fall (2012), which can be found here: http://www.ic3.gov/media/2012/FraudAlertFinancialInstitutionEmployeeCredentialsTargeted.pdf warns of cyber criminals targeting financial institution employee credentials to conduct wire transfer fraud. In this alert it noted that the victims typically had been “Small-to-medium sized banks or credit unions have been targeted in most of the reported incidents, however, a few large banks have also been affected.” This alert was part of a joint effort between the Federal Bureau of Investigation, the Financial Services Information Sharing and Analysis Center and the Internet Crime Complaint Center. The trends discussed in this alert involved cyber criminal actors using “spam and phishing e-mails, keystroke loggers, and Remote Access Trojans (RAT) to compromise financial institution networks and obtain employee login credentials. The stolen credentials were used to initiate unauthorized wire transfers overseas. The wire transfer amounts have varied between $400,000 and $900,000, and, in at least one case, the actor(s) raised the wire transfer limit on the customer’s account to allow for a larger transfer. In most of the identified wire transfer failures, the actor(s) were only unsuccessful because they entered the intended account information incorrectly.”

A number of recommendations for financial institutions were provided in this alert include:

 Educate employees on the dangers associated with opening attachments or clicking on links in unsolicited e-mails

 Do not allow employees to access personal or work e-mails on the same computers used to initiate payments

 Do not allow employees to access the Internet freely on the same computers used to initiate payments

 Do not allow employees to access administrative accounts from home computers or laptops connected to home networks

 Ensure employees do not leave USB tokens in computers used to connect to payment systems

 Review anti-malware defenses and ensure the use of reputation based content and website access filters

 Ensure that workstations utilize host-based IPS technology and/or application white-listing to prevent the execution of unauthorized programs

 Monitor employee logins that occur outside of normal business hours

 Consider implementing time-of-day login restrictions for the employee accounts with access to payment systems

 Restrict access to wire transfer limit settings

 Reduce employee wire limits in automated wire systems to require a second employee to approve larger wire transfers.

 If wire transfer anomaly detection systems are used, consider changing “rules” to detect this type of attack and, if possible, create alerts to notify bank administrators if wire transfer limits are modified

 Secure and/or store manuals offline or restrict access to the training system manuals with further security, such as enhanced access controls and/or segregation from the payment systems themselves

 Monitor for spikes in website traffic that may indicate the beginning of a DDoS and implement a plan to ensure that when potential DDoS activity is detected, the appropriate authorities handling wire transfers are notified so wire transfer requests will be more closely scrutinized

 Strongly consider implementing an out of band authorization prior to allowing wire transfers to execute

 Limit systems from which credentials used for wire authorization can be utilized

 Review intrusion detection and incident response procedures and consider conducting a mock scenario testing exercise to ensure familiarity with the plan FBI, FS-ISAC, IC3 September 17, 2012 Fraud Alert

Should you have any questions or concerns on this or any other compliance topic, please do not hesitate to contact Amy Kleinschmit at akleinschmit@cuad.coop or 701.214.9721.