Beware of Unlimited Operations
Yesterday the FFIEC, the regulatory body composed of all the major federal financial regulators including the NCUA, issued two guidance statements on the risk-mitigation efforts financial institutions are expected to take regarding attacks on automated teller machine (ATM) card authorization systems and distributed denial of service (DDoS) attacks. Don’t toss these statements into the bin on the corner of the desk. Efforts taken by financial institutions to mitigate cyber attacks are a point of emphasis for all examiners, including the NCUA.
The Joint Statement on cyber attacks on ATM card authorization systems is particularly noteworthy. Under an increasingly popular form of cyber theft called “unlimited operations,” crooks use basic phishing techniques to gain access to employee passwords. Over time, the hackers are able to infiltrate a financial institution’s debit card authorization system. With that access, they eliminate the limits placed on the amount of money that can be withdrawn from debit and pre-paid debit cards. In one scam highlighted by federal prosecutors in New York, cyber criminals distributed debit card information to co-conspirators in several countries, who pulled more than $40 million from customer accounts.
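As an added illustration (not from the post or from the FFIEC statement), here is a small Python detector run over constructed authorization-system events. It flags the three signals of the scheme described above: a card limit removed or raised by a privileged account, withdrawals that exceed the card's pre-change limit within a window, and cash-out from several countries within that window. The event layout, the `hard_cap` policy ceiling and the thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events from a debit card authorization system (not real data):
# a privileged change to a card's daily ATM limit, followed by approved withdrawals.
SAMPLE_EVENTS = [
    {"type": "limit_change", "card": "4111-0001", "old_limit": 500, "new_limit": None,
     "actor": "ops_admin", "ts": "2014-04-03T01:05:00"},
    {"type": "withdrawal", "card": "4111-0001", "amount": 2000, "country": "JP", "ts": "2014-04-03T02:10:00"},
    {"type": "withdrawal", "card": "4111-0001", "amount": 2000, "country": "RU", "ts": "2014-04-03T02:12:00"},
    {"type": "withdrawal", "card": "4111-0001", "amount": 1500, "country": "US", "ts": "2014-04-03T02:15:00"},
    {"type": "withdrawal", "card": "4111-0002", "amount": 200, "country": "US", "ts": "2014-04-03T09:00:00"},
]


def detect_unlimited_operations(events, window=timedelta(hours=24),
                                hard_cap=1000, min_countries=3):
    """Return (kind, card, detail) alerts. hard_cap is an assumed institution-wide
    ceiling: any limit above it, or removed entirely, is suspicious, and it is the
    fallback limit for cards with no observed limit_change."""
    alerts = []
    baseline = {}                     # card -> limit before the first change
    withdrawals = defaultdict(list)   # card -> [(ts, amount, country)]
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        if ev["type"] == "limit_change":
            baseline.setdefault(ev["card"], ev["old_limit"])
            # new_limit None models "no limit", the change an unlimited operation makes
            if ev["new_limit"] is None or ev["new_limit"] > hard_cap:
                alerts.append(("limit_removed_or_raised", ev["card"], ev["actor"]))
        elif ev["type"] == "withdrawal":
            withdrawals[ev["card"]].append((ts, ev["amount"], ev["country"]))
    for card, items in withdrawals.items():
        limit = baseline.get(card, hard_cap)
        fired = set()                 # one alert of each kind per card
        for ts, _, _ in items:        # sliding window ending at each withdrawal
            recent = [it for it in items if ts - window <= it[0] <= ts]
            total = sum(amount for _, amount, _ in recent)
            countries = sorted({c for _, _, c in recent})
            if total > limit and "limit_exceeded" not in fired:
                fired.add("limit_exceeded")
                alerts.append(("limit_exceeded", card, total))
            if len(countries) >= min_countries and "multi_country" not in fired:
                fired.add("multi_country")
                alerts.append(("multi_country_cashout", card, countries))
    return alerts
```

In practice the baseline limit would come from the card record rather than from the change event itself, so a limit change that never reaches the log cannot hide the cash-out signal.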
Denial of service attacks have gotten a lot of attention lately because of the increasing evidence that they are being used by countries and cyber terrorists to disrupt the online services of major financial institutions. But these attacks designed to disrupt services are also commonly used to mask good, old-fashioned cyber crime. As explained by security analyst Avivah Litan:
“Once the DDoS is underway, this attack involves takeover of the payment switch (e.g. wire application) itself via a privileged user account that has access to it. Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.”
Yesterday’s statements also underscore the need for all institutions, irrespective of asset size, to take steps to guard against cyber assault. In fact, the guidance on ATM takeovers notes that unlimited operations specifically target the web-based controls used by small and medium-sized financial institutions.
Also, keep in mind that while these statements are new, the need for credit unions to take appropriate steps, consistent with their size and sophistication, to guard against cyber crime is not new. You should periodically take a look at 12 CFR 748 to make sure that your credit union is implementing an appropriate program of loss mitigation.
While all institutions should be required to make reasonable, good faith efforts regarding cyber crime, let’s face it, this is a high-tech game of Whack-A-Mole. Any successful efforts to mitigate a certain type of security breach will quickly be circumvented by hackers with the brains and the financial motivation to take other people’s money.
The federal government has to take the lead in developing an appropriate cyber defense scheme in this country. But with Congress unable or unwilling to impose basic security measures on merchants, this is about as likely to happen as the Yankees winning the World Series this year . . . that’s right, after just two games I am willing to say that’s an awfully expensive, mediocre team. On that note, enjoy your day.