April 2014: A Busy Month for Fraud Alerts!

 Author: Jenny Roland-Vlach, JRoland-Vlach@jackhenry.com

Here we are at the end of April and my Inbox has had quite a few email alerts from various regulatory entities. These alerts have covered an array of topics with the most prevalent being an apparent current uptick in cyber-related risk. So, in case you may have missed one of these, among the multitude of emails you probably receive each day, I thought I would use this opportunity to provide a brief overview of this recent flurry of activity plus suggested steps to address outlined objectives.

Cyber-Attacks on Financial Institutions ATM and Card Authorization Systems

In light of the ATM cash-out schemes that had taken place recently, an alert was issued to provide details on how this type of fraud had occurred, the risks presented to financial institutions (FIs), and what FIs could do to mitigate these risks.

Essentially, the criminals behind these cash-out schemes were able to gain access to web-based ATM platforms, perhaps through malware installed via phishing emails. Once they gained access, they were able to manipulate withdrawal limits and then the criminals simultaneously hit multiple ATMs where they withdrew large amounts of cash. One such attack by the group Unlimited Operations was able to net over $40 million.

The alert went on to list measures that FIs should take to help mitigate potential attacks, including:

• Ongoing information security risk assessments,
• Perform security monitoring, prevention, and risk mitigation,
• Protecting against unauthorized access, implement and test controls on critical systems regularly,
• Conduct information security awareness training,
• Test incident response plans, and
• Participate in industry information sharing forums.

If there is an item on this list that you have not addressed in some time, use this as an opportunity to get it up-to-date.

Distributed Denial-of-Service (DDoS) Cyber-Attacks and Risk Mitigation

Everyone is well aware of the DDoS attacks that have been plaguing FIs since 2012. These attacks have been used to slow website response times or render websites unavailable all together. In more dire situations, DDoS attacks have been used as a distraction while running a corporate account takeover attack. This alert and the ongoing publicity surrounding these attacks mainly serves as a reminder that these attacks will probably not be going away anytime soon and that there are steps FIs can use to prevent and deal with an attack. The following steps are expected of FIs:

• Maintain an information security program and risk assessment,
• Monitor Internet traffic to your website in order to detect an attack (establish a baseline so you can easily discern an increase in activity)
• Activate incident response plans if you believe a DDoS attack is occurring and be sure to notify service providers such as your Internet Service Provider,
• Ensure appropriate staffing for the duration of an attack,
• Consider sharing information with organizations such as FS-ISAC and law enforcement to help other FIs respond to their own potential DDoS attacks, and
• Evaluate any gaps that were discovered during the implementation of your incident response plan.

The FDIC provides a listing of resources that can be used to better identify and mitigate potential cyber-risks. These sources are both government entities and government-sponsored entities and include the following:

• United States Computer Emergency Readiness Team (US – CERT)
• U.S. Secret Service Electronic Crimes Task Force (ECTF)
• FBI InfraGard
• Regional Coalitions
• Information Sharing and Analysis Centers (ISACs)

The FDIC encourages subscribing to these various groups to ensure that you receive regular security alerts, tips, and other updates. They also encourage visiting vendors’ websites and checking with those vendors for existing user groups.

OpenSSL “Heartbleed” Vulnerability

I have no doubt that you have already heard a good deal about the Heartbleed vulnerability given the prolific amount of media attention that it has received. This alert highlights how an attacker may be able to exploit the vulnerability and potentially access a server’s private cryptographic keys, resulting in compromised security of the server and its users. The information gained could be used to impersonate FIs, steal login credentials, access sensitive information or gain access to internal networks.

This alert provides additional measures for FIs to implement accordingly:

• Ensure that vendors who use Open SSL are aware of the vulnerability and have taken risk mitigation steps on their end (hopefully any affected vendors have already notified you that they are aware of the situation and are researching and working on the vulnerability),
• Monitor the efforts of those vendors,
• Identify and upgrade any internal systems or products that may be vulnerable, and
• Ensure adherence to appropriate patch management policy and procedures.

It ends with encouragement to utilize cyber-security resources like the ones I mentioned earlier.

Obviously, FIs have had a good deal of information thrown their way over the past few weeks. Most of the expectations outlined in these alerts should already be a part of your current risk based processes. However, it is important to not let these alerts become background noise. These should serve as reminders for reviewing/updating and ensuring your risk management and compliance efforts continue to meet those expectations.

Keeping your policies and procedures up-to-date and capitalizing on valuable cyber-security resources will also help in these proactive efforts.