On September 17, 2012, the Federal Bureau of Investigation (FBI), the Financial Services Information Sharing and Analysis Center (FS-ISAC), and the Internet Crime Complaint Center (IC3) released a joint fraud alert titled Cyber Criminals Targeting Financial Institution Employees Credentials to Conduct Wire Transfer Fraud. The alert states that recent reporting indicates a new trend in cyber attacks aimed at compromising financial institution networks and obtaining employee login credentials. In many cases, these attacks used spam and phishing emails to install keyloggers and Remote Access Trojans (RATs) to gain access to the employee's computer and subsequently to the bank network. The majority of the victims targeted were small-to-medium-sized banks or credit unions; however, the report adds that a few larger banks have also been affected.
On October 5, 2012, researchers at EMC-RSA warned, based on "underground chatter," that a sophisticated, large-scale cyber attack was being planned to raid the bank accounts of customers at a number of banks in the U.S. In a blog post, Mor Ahuvia, cyber crime communications specialist at RSA's FraudAction Research Labs, wrote, "If the gang's plans do materialize, this campaign could be the largest coordinated attack on American financial institutions to date."
With this increase in actual and predicted cyber criminal activity directed at financial institutions, we must be diligent and prudent in protecting ourselves. But what can we do to protect our employees and customers from these types of attacks? Below are suggestions you can review to proactively reduce the risk of a cyber attack against your institution. Some of these suggestions are taken directly from the fraud alert issued by the FBI, FS-ISAC, and IC3, while others come from further guidance or industry best practice.
- Conduct and/or review your information security and Internet banking risk assessments
- Conduct security awareness training for all employees, including educating employees on the dangers of social engineering (e.g. opening email attachments, clicking on links in unsolicited emails or messages, etc.)
- Educate commercial and retail online banking customers on security awareness and online security best practices
- Provide enhanced security awareness training to all employees or high-risk customers with access to payment systems
- Ensure reputable and up-to-date anti-virus and anti-malware defenses are in place and functioning properly
- Ensure operating system and application security patches are up-to-date and a process is in place to update them regularly
- Restrict Internet access and/or implement Internet content filtering
- Restrict and/or limit administrative access to computer systems as much as possible
- Implement additional security controls on systems used for wire or ACH activities (e.g. restrict email access, restrict Internet usage, etc.)
- Adhere to dual control procedures
- Consider implementing time-of-day login restrictions and/or monitor employee logins that occur outside of normal business hours
- Implement an Intrusion Detection/Prevention System (IDS/IPS)
- Block connections from IP addresses known or suspected to be associated with fraudulent activities
- Implement a fraud detection system
- Implement anomaly detection systems
- Implement multi-factor authentication for high-risk systems
- Consider implementing out-of-band authorization prior to allowing wire or ACH activity
- Consider implementing restrictions on wire and ACH activities (e.g. dollar and/or volume limits, etc.)
- Test your Incident Response Plan
- Conduct an external penetration test
- Conduct a social engineering test
- Ensure all observations from your prior IT related audits and/or security tests have been properly addressed
In addition, below are some possible red flags that may indicate malicious or fraudulent activity is occurring:
- Activity, such as log-on, from a suspicious IP address (e.g. an IP address known or suspected to be associated with fraudulent activities, a foreign IP address, a new or unknown IP address)
- Activities during unusual times of the day
- Unusual transaction activity (e.g. unusually small or large transaction amounts, uncommon transactions such as a one-time bill pay to a new payee, etc.)
- Changes to administrative, cash management, or online banking settings (e.g. new user accounts added, new payees added, modifications to an ACH batch or wire transfer after it has been initiated, disabled or changed security features or notifications, changes to account and routing numbers of existing payees, etc.)
- Unusual system activity (e.g. inability to log in to the online banking system, dramatic loss of computer speed, changes in the appearance of the website, etc.)
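As an added illustration that is not part of the fraud alert or this article, the Python below applies the red flags above, together with the off-hours login monitoring and anomaly detection suggested in the earlier list, as screening rules over a batch of online banking events. The IP addresses (RFC 5737 documentation ranges), the per-user baseline, the events and the amount thresholds are all constructed sample values and assumptions, not data from any institution.

```python
"""Rule-based screening of online banking events against the red flags above."""
from datetime import datetime

BUSINESS_HOURS = range(8, 18)          # 08:00-17:59 local time (assumed)
BLOCKLISTED_IPS = {"198.51.100.7"}     # constructed, TEST-NET-2
# Per-user baseline that would normally be built from prior history (constructed).
BASELINE = {
    "alice": {"ips": {"203.0.113.10"}, "payees": {"ACME Supplies"},
              "typical_amount": 4_000.0},
}
EMPTY = {"ips": set(), "payees": set(), "typical_amount": 0.0}

def screen(event, baseline=BASELINE):
    """Return the red flags raised by one event (an empty list means clean)."""
    user = baseline.get(event["user"], EMPTY)
    flags, ip = [], event.get("ip")
    if ip in BLOCKLISTED_IPS:                      # known/suspected fraud source
        flags.append("ip_blocklisted")
    elif ip and ip not in user["ips"]:             # new or unknown address
        flags.append("ip_new")
    if datetime.fromisoformat(event["time"]).hour not in BUSINESS_HOURS:
        flags.append("off_hours")                  # unusual time of day
    if event["type"] in ("wire", "ach"):
        amt, typical = event["amount"], user["typical_amount"]
        if typical and (amt > 5 * typical or amt < typical / 20):
            flags.append("amount_unusual")         # assumed thresholds
        if event["payee"] not in user["payees"]:
            flags.append("payee_new")
    elif event["type"] == "settings_change" and event.get("setting") in (
            "notifications", "mfa", "user_add", "payee_routing"):
        flags.append("security_setting_changed")
    return flags

def review(events, baseline=BASELINE):
    """Screen a batch and return {event_id: flags} for flagged events only."""
    return {e["id"]: f for e in events if (f := screen(e, baseline))}

SAMPLE_EVENTS = [  # constructed sample data, not real logs
    {"id": 1, "user": "alice", "type": "login", "ip": "203.0.113.10", "time": "2012-10-08T09:15:00"},
    {"id": 2, "user": "alice", "type": "login", "ip": "198.51.100.7", "time": "2012-10-08T02:40:00"},
    {"id": 3, "user": "alice", "type": "wire", "ip": "198.51.100.7", "time": "2012-10-08T02:45:00",
     "amount": 48_000.0, "payee": "New Vendor LLC"},
    {"id": 4, "user": "alice", "type": "settings_change", "ip": "203.0.113.10",
     "time": "2012-10-08T10:05:00", "setting": "notifications"},
    {"id": 5, "user": "alice", "type": "ach", "ip": "203.0.113.10", "time": "2012-10-08T11:00:00",
     "amount": 3_900.0, "payee": "ACME Supplies"},
]

if __name__ == "__main__":
    for eid, flags in review(SAMPLE_EVENTS).items():
        print(f"event {eid}: {', '.join(flags)}")
```

Events 2 through 4 are flagged for review while 1 and 5 match the user's baseline; in practice the baseline and thresholds would be tuned per customer and fed to the fraud or anomaly detection system rather than hard-coded.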