Yesterday, the interagency Federal Financial Institutions Examination Council issued two statements to the nation’s banks regarding two forms of cyber attacks that can wreak havoc.
The first deals with a type of ATM fraud referred to as “Unlimited Operations” by the Secret Service.
This type of cash-out heist begins with the nogoodniks installing malware on the networks of a financial institution, most likely through an e-mail phishing scheme. Once they have access to the bank’s inner workings, they are able to get a peek under the hood of the ATM system, while also stealing bank employee login credentials.
With this information in hand, the criminals can then manipulate the system to remove cash withdrawal limits, overdraft restrictions, fraud alerts, and other roadblocks to the money they want to steal.
Using a pilfered debit card account and PIN (most likely stolen via a skimmer attached to an ATM), the jerks can then create a duplicate card, go to an ATM and withdraw massive amounts of cash without setting off alarm bells.
According to FFIEC, one group of fraudsters managed to steal $40 million with this method and only needed a dozen debit accounts to access that mountain of cash.
Thus, regulators are asking banks to tighten up security on their networks, perform more frequent and more strenuous checks for intrusion, and have a tested response protocol in place in case an attack is detected.
The second alert from FFIEC to banks was about distributed denial-of-service (DDoS) attacks on the websites of financial institutions. During a DDoS attack, a website is crippled under an avalanche of bogus data requests, often making it difficult or impossible for the public to access the site. For banking sites — which consumers depend on for paying bills, transferring money, and other important uses — such attacks are especially problematic.
According to FFIEC, while DDoS attacks are often political or ideological in nature, they can also be used by cybercriminals as a distraction, diverting a bank’s security resources away from a more malicious, financially motivated intrusion.
To that end, regulators are asking that banks be fully prepared to prevent, respond to, and weather DDoS attacks in order to maximize the public’s access to these sites and to minimize the risk to the institutions.