In 2012, cyber criminals claiming to be politically motivated conducted several well-publicized, large-scale attacks on national banks. Recently, two credit unions were also victims of the attacks. The attacks disrupt online service at the impacted financial institutions, sometimes serving as smoke screens while member/customer account funds are diverted to accounts held by criminals at other institutions.
To help credit unions avoid or mitigate these cyber attacks, CUNA Mutual Group Risk Management Senior Consultant Ken Otsuka recently published the following tips:
1. Don’t underestimate the threat of cyber attacks. It’s true that most credit unions don’t face the same risk as national banks from attacks by high-profile cyber criminal groups, but the first thing to understand about cyber attacks is that they are unpredictable. No one knows whether they will come from an established criminal organization or from a single perpetrator with an axe to grind, so no credit union should assume they aren’t big enough to be a target.
2. Mitigate the risk of service interruptions caused by “distributed denial of service” (DDoS) attacks. In the world of internet banking, DDoS generally refers to an attempt to disrupt or suspend online service by saturating the targeted institution’s network with external communication requests to overload its server. Legitimate users either can’t log on, or can’t use any services because the system is responding so slowly. Credit unions may not be able to prevent DDoS attacks, but they can establish a process to identify them. Monitoring bandwidth usage, using firewall logs to determine what is being attacked and using an intrusion detection system to identify the type of traffic are all viable tactics.
3. Perform due diligence on third-party service providers. Credit unions should ensure that third parties such as internet service providers and web-hosting vendors address website problems caused by DDoS attacks. They should also confirm that the providers have a contingency plan for these types of attacks.
4. Be prepared to provide timely and accurate information to members. Have a plan in place to get the word out if the credit union website is disabled or compromised. The faster an impacted credit union communicates, the better they can control the message and counter any rumors or misconceptions about what’s going on.
Credit union staff should also be prepared to monitor social media and search engine results to find out what’s being said in cyberspace about any interruption to online services. Credit unions may need extra staff or third-party assistance to work the phones and contact local media, if necessary, to be sure the correct information reaches members as quickly as possible.
5. Check transfers initiated via online banking when an attack occurs. When a DDoS attack occurs, employees may be busy answering calls from members who cannot access the credit union website, as well as performing other damage control steps. During the chaos, the institution may fail to notice fraudulent transactions initiated through online banking. Therefore, impacted credit unions should review transactions initiated through online banking to identify suspicious transfers. If necessary, transfers should be delayed until their legitimacy is verified with the members.
6. Have a strong multi-factor authentication method in place for online banking systems. Credit unions should be sure their authentication process complies with the Federal Financial Institutions Examination Council’s (FFIEC) updated authentication guidance issued in 2011. The FFIEC expects all financial institutions to have a fraud monitoring system in place to detect anomalies related to: the initial login and authentication of members requesting access to the online banking system; and initiating fund transfers to other parties.
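Tips 2 and 5 can be tied together in a small script: use firewall logs to find which service is being flooded and when, then pull the online-banking transfers initiated in that window for review. This is an added example, not code from CUNA Mutual Group or the original article; the log format, host names, transfer fields, threshold and grace period are all assumptions, and the data is constructed.

```python
from collections import Counter
from datetime import datetime, timedelta

FMT = "%Y-%m-%dT%H:%M:%S"

def make_sample_log():
    """Constructed firewall log lines ('timestamp src dst action'); not real traffic."""
    lines = []
    for minute in range(10):
        hits = 400 if 4 <= minute <= 7 else 6  # 10:04-10:07 is the simulated flood
        for i in range(hits):
            ts = f"2013-01-15T10:{minute:02d}:{i % 60:02d}"
            lines.append(f"{ts} 198.51.100.{i % 250 + 1} olb.cu.example:443 ALLOW")
        lines.append(f"2013-01-15T10:{minute:02d}:30 203.0.113.9 mail.cu.example:25 ALLOW")
    return lines

def find_attack(lines, per_minute_threshold):
    """Return (target, start, end) for the destination flooded above the
    threshold, or None. The threshold is an assumed normal-traffic ceiling."""
    counts = Counter()
    for line in lines:
        ts, _src, dst, _action = line.split()
        counts[(dst, datetime.strptime(ts, FMT).replace(second=0))] += 1
    hot = [(dst, m) for (dst, m), n in counts.items() if n > per_minute_threshold]
    if not hot:
        return None
    target = Counter(dst for dst, _ in hot).most_common(1)[0][0]
    minutes = sorted(m for dst, m in hot if dst == target)
    return target, minutes[0], minutes[-1] + timedelta(minutes=1)

def transfers_to_hold(transfers, start, end, grace=timedelta(minutes=30)):
    """IDs of online-banking transfers to other institutions initiated during
    the attack window; 'grace' (assumed) extends the review past the flood."""
    return [t["id"] for t in transfers
            if t["channel"] == "online" and t["external"]
            and start <= datetime.strptime(t["initiated"], FMT) <= end + grace]

# Constructed transfer records; field names are hypothetical.
SAMPLE_TRANSFERS = [
    {"id": "T1", "channel": "online", "external": True, "initiated": "2013-01-15T10:05:10"},
    {"id": "T2", "channel": "online", "external": False, "initiated": "2013-01-15T10:06:00"},
    {"id": "T3", "channel": "branch", "external": True, "initiated": "2013-01-15T10:06:30"},
    {"id": "T4", "channel": "online", "external": True, "initiated": "2013-01-15T09:40:00"},
    {"id": "T5", "channel": "online", "external": True, "initiated": "2013-01-15T10:30:00"},
    {"id": "T6", "channel": "online", "external": True, "initiated": "2013-01-15T11:00:00"},
]

if __name__ == "__main__":
    target, start, end = find_attack(make_sample_log(), per_minute_threshold=100)
    print("target:", target, "window:", start, "-", end)
    print("hold for member verification:", transfers_to_hold(SAMPLE_TRANSFERS, start, end))
```

The held list is the set of transfers staff would verify with members before release, as tip 5 recommends.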