Beware of unlimited operations

by Henry Meier

Yesterday the FFIEC, the interagency body made up of the major federal financial regulators, including the NCUA, issued two joint statements on the risk-mitigation steps financial institutions are expected to take against attacks on automated teller machine (ATM) card authorization systems and against distributed denial of service (DDoS) attacks.  Don't toss these statements into the bin on the corner of the desk.  How an institution mitigates cyber attacks is a point of emphasis for all examiners, including the NCUA.

The Joint Statement on cyber attacks on ATM card authorization systems is particularly noteworthy.  In an increasingly popular form of cyber theft known as an "unlimited operation," criminals use basic phishing to obtain employee passwords.  Over time they work their way into the institution's debit card authorization system.  With that access they remove the limits on how much money can be withdrawn against debit and prepaid debit cards.  In one case brought by federal prosecutors in New York, the criminals distributed the card data to co-conspirators in several countries, who then pulled more than $40 million from customer accounts through ATMs.

Denial of service attacks have gotten a lot of attention lately because of mounting evidence that nation states and cyber terrorists are using them to disrupt the online services of major financial institutions.  But an attack that disrupts services is also commonly used as a smokescreen for good, old-fashioned cyber crime: while staff are busy keeping the website up, fraudulent transactions go unnoticed.  As security analyst Avivah Litan explains:

“Once the DDoS is underway, this attack involves takeover of the payment switch (e.g. wire application) itself via a privileged user account that has access to it. Now, instead of having to get into one customer account at a time, the criminals can simply control the master payment switch and move as much money from as many accounts as they can get away with until their actions are noticed.”
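As an added example, not from the post or from the FFIEC statements, here is the kind of correlation a fraud or security operations team could run over card-system logs to catch the two signals described above: a privileged change that removes or sharply raises a card's withdrawal limit (the "unlimited operation" setup), and a burst of ATM withdrawals on one card from several countries within a short window (the cash-out). The log format, field names, thresholds and card tokens are all constructed for this example and do not come from any real card-processing platform. The reason to wire something like this into monitoring is the point Litan makes: the cash-out runs while the institution may be busy with a DDoS, so the alert has to come from the transaction and audit data itself, independent of what the network team is dealing with.

```python
"""Correlate privileged limit changes with multi-country ATM cash-out bursts.

Constructed example: the pipe-delimited log format, the field names and the
thresholds are assumptions for illustration, not a real vendor's schema.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Card numbers are replaced by opaque tokens (C001, ...)
# the way a tokenised authorization log would present them.
SAMPLE_LOG = """\
2014-04-02T21:00:00|LIMIT_CHANGE|card=C004|old=500|new=20000|actor=ops_admin
2014-04-02T22:15:00|LIMIT_CHANGE|card=C002|old=500|new=1000|actor=ops_clerk
2014-04-02T23:58:10|LIMIT_CHANGE|card=C001|old=500|new=UNLIMITED|actor=ops_admin
2014-04-03T00:05:12|ATM_WITHDRAWAL|card=C001|amount=2000|country=JP
2014-04-03T00:07:45|ATM_WITHDRAWAL|card=C001|amount=2000|country=RU
2014-04-03T00:09:03|ATM_WITHDRAWAL|card=C001|amount=2000|country=GB
2014-04-03T00:12:30|ATM_WITHDRAWAL|card=C001|amount=2000|country=UA
2014-04-03T00:14:51|ATM_WITHDRAWAL|card=C001|amount=2000|country=CA
2014-04-03T00:20:00|ATM_WITHDRAWAL|card=C002|amount=200|country=US
2014-04-03T09:30:00|ATM_WITHDRAWAL|card=C002|amount=200|country=US
2014-04-03T10:00:00|ATM_WITHDRAWAL|card=C003|amount=100|country=US
"""


def parse_line(line):
    """Turn 'ts|TYPE|k=v|k=v' into a dict with a parsed timestamp."""
    ts, kind, *fields = line.strip().split("|")
    rec = {"ts": datetime.fromisoformat(ts), "type": kind}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_limit_overrides(records, max_allowed=5000):
    """Cards whose limit was removed ('UNLIMITED') or raised above max_allowed.

    These are the audit events an attacker with a privileged account produces
    when setting up an unlimited operation; max_allowed is an assumed policy cap.
    """
    flagged = {}
    for r in records:
        if r["type"] != "LIMIT_CHANGE":
            continue
        new = r["new"]
        if new == "UNLIMITED" or int(new) > max_allowed:
            flagged[r["card"]] = {"new_limit": new, "actor": r["actor"], "ts": r["ts"]}
    return flagged


def find_cashout_bursts(records, window=timedelta(hours=1), min_countries=3, min_total=5000):
    """Cards with withdrawals from >= min_countries countries totalling >= min_total in one window.

    Sliding window over each card's withdrawals, sorted by time; a legitimate
    cardholder cannot be at ATMs in three countries within the hour.
    """
    by_card = defaultdict(list)
    for r in records:
        if r["type"] == "ATM_WITHDRAWAL":
            by_card[r["card"]].append(r)
    flagged = {}
    for card, withdrawals in by_card.items():
        withdrawals.sort(key=lambda r: r["ts"])
        start = 0
        for end in range(len(withdrawals)):
            while withdrawals[end]["ts"] - withdrawals[start]["ts"] > window:
                start += 1
            span = withdrawals[start:end + 1]
            countries = {w["country"] for w in span}
            total = sum(int(w["amount"]) for w in span)
            if len(countries) >= min_countries and total >= min_total:
                flagged[card] = {"countries": sorted(countries), "total": total}
    return flagged


def correlate(records):
    """Rank cards: limit override plus cash-out burst is critical, either alone is lower."""
    overrides = find_limit_overrides(records)
    bursts = find_cashout_bursts(records)
    alerts = []
    for card in sorted(set(overrides) | set(bursts)):
        if card in overrides and card in bursts:
            severity = "critical"
        elif card in overrides:
            severity = "high"
        else:
            severity = "medium"
        alerts.append({"card": card, "severity": severity,
                       "limit": overrides.get(card), "burst": bursts.get(card)})
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_log(SAMPLE_LOG)):
        print(alert["severity"].upper(), alert["card"], alert["limit"], alert["burst"])
```

In the constructed data, card C001 has its limit set to UNLIMITED by a privileged account and is then drained from five countries within ten minutes, so it comes out as critical; C004 had its limit raised far above the assumed policy cap with no cash-out yet, which is the stage at which an institution would still like to hear about it; C002's modest raise and domestic withdrawals stay quiet. The window, country count and dollar thresholds are placeholders to be tuned against an institution's own portfolio.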
