Financial institutions of all sizes have found themselves the victim of advanced cyber attacks, with the most recent threats targeting small to mid-sized financial institutions. The FBI, in conjunction with Financial Services Information Sharing and Analysis Center (FS-ISAC) and the Internet Crime Complaint Center (IC3), has issued a fraud alert warning that criminals are using a multi-vector attack to compromise financial institution networks and initiate fraudulent wire transfers. What is striking about these attacks is that unlike the recent focus on strengthening merchant controls, in this case, the cyber attackers have targeted the financial institutions directly.
Institutions need to understand this attack, and use this opportunity to conduct “what if” training. This is also a good opportunity to reevaluate their own security controls, particularly employee security awareness training, and other emerging technical controls such as out-of-band authentication and secure DNS.
How Cyber Attacks Happen
Simply put, the attack uses a combination of spam and phishing emails, keystroke loggers, and remote access software to capture a financial institution employee’s authentication credentials. In a successful attack the criminal takes control of the employee’s PC and then uses the employee’s authority to initiate and approve wires, potentially even overriding built-in transaction limits and other administrative controls.
It is important to understand these are not “proof-of-concept” attacks, but are actually occurring, and have resulted in attempted transfers ranging from $400,000 to $900,000.
How to Prevent Cyber Attacks
Preventing an attack in the first place is far better than having to detect and respond to one, and one of the best ways to prevent an attack is early recognition. A unique indicator of these cyber attacks is a denial of service assault just prior to or directly following the cyber attack itself: the financial institution’s website is hit with a denial of service attack designed to slow or block access to it, distracting institution employees and preventing or delaying their detection of the fraudulent transactions. Financial institutions are advised to monitor for spikes in website traffic that may indicate the beginning of an attack.
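The traffic-spike monitoring the alert recommends can be as simple as counting requests per minute in the web server access log and comparing each minute against the median of the minutes before it. The following is an added example, not code from the article, the FBI alert or Safe Systems; the log lines, IP addresses, timestamps and the thresholds (a 5-minute baseline, a 5x factor, a 20-request floor) are all constructed assumptions to be tuned to the institution's own traffic.

```python
"""Flag request-rate spikes in Common Log Format access logs (constructed sample data)."""
import re
from collections import Counter
from datetime import datetime
from statistics import median

# Common Log Format: client - - [dd/Mon/yyyy:HH:MM:SS +zzzz] "request" status bytes
_LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3})'
)


def parse_log_line(line):
    """Return a dict with ip, ts (aware datetime), request and status, or None if unparseable."""
    m = _LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m.group("ip"), "ts": ts, "request": m.group("req"), "status": int(m.group("status"))}


def requests_per_minute(lines):
    """Bucket parsed requests by minute; minutes with no traffic simply have no bucket."""
    counts = Counter()
    for line in lines:
        rec = parse_log_line(line)
        if rec is None:
            continue
        counts[rec["ts"].replace(second=0, microsecond=0)] += 1
    return dict(sorted(counts.items()))


def detect_spikes(per_minute, baseline_minutes=5, factor=5.0, min_requests=20):
    """Alert on each minute whose count exceeds factor x the median of the preceding
    baseline_minutes buckets. min_requests keeps a 3-to-16 jump on a quiet site from alerting."""
    buckets = list(per_minute.items())
    alerts = []
    for i, (minute, count) in enumerate(buckets):
        window = [c for _, c in buckets[max(0, i - baseline_minutes):i]]
        if len(window) < baseline_minutes:
            continue  # not enough history yet to judge this minute
        baseline = median(window)
        if count >= min_requests and count > baseline * factor:
            alerts.append((minute, count, baseline))
    return alerts


def _make_line(ip, ts, path="/online-banking/login"):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample: five quiet minutes of a few customer logins, then one minute in which
# 60 requests arrive from 60 different source addresses (the kind of surge the alert describes).
SAMPLE_LOG = []
for minute, n in enumerate([3, 4, 3, 3, 4]):
    for k in range(n):
        SAMPLE_LOG.append(_make_line(f"198.51.100.{10 + k}", f"10/Sep/2012:09:0{minute}:{k * 10:02d} +0000"))
for k in range(60):
    SAMPLE_LOG.append(_make_line(f"203.0.113.{k + 1}", f"10/Sep/2012:09:05:{k % 60:02d} +0000"))


if __name__ == "__main__":
    for minute, count, baseline in detect_spikes(requests_per_minute(SAMPLE_LOG)):
        print(f"ALERT {minute:%Y-%m-%d %H:%M}: {count} requests vs baseline median {baseline}")
```

The detector deliberately uses the median rather than the mean of the baseline window, so a single earlier burst does not raise the bar and mask a later flood; in production the same logic would run against a rolling window fed by the web tier, and an alert would be routed to the wire operations team as well as to the web team, since the point of the flood is to distract the people watching the transactions.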
Along with website traffic monitoring, the FBI alert lists 17 best practice recommendations for financial institutions to prevent and detect these and similar attacks. It is not surprising that the first five recommendations address the weakest link—the employee. Institutions have long known that the employee represents the single biggest threat to information security, and it is important to keep up the employee training effort even as emphasis has shifted recently to customer awareness training.
Many of the other recommendations should be familiar to financial institutions as well, including restricting user access rights and login times, reviewing anti-malware and anti-virus defenses, implementing anomaly detection, and utilizing IPS and “white-lists” to prevent connections to suspicious sites. Along with the best practice recommendations, the FBI alert also strongly recommends institutions implement out-of-band authentication for wire authorization. This is where the final authentication approval for an electronic transaction is sent back to the originator via a communication channel other than the one used to initiate the transaction.
For example, if a PC is used to originate the transaction, the final authentication code might be returned via a mobile phone or even a fax machine. Additionally, consider using a secure DNS service (at both the institution and the customer). Such a service only allows Internet traffic between trusted sites, greatly reducing new malware infections and cutting off the communication channels of systems that are already infected. These two controls can be implemented by financial institutions now, and will do more than any other layered controls to significantly reduce the incidence of fraudulent transactions.
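The out-of-band approval flow described above, as an added example that is not code from the article, the FBI alert or Safe Systems: the wire is initiated from the employee's PC session (channel one), a one-time code is pushed to the employee's pre-registered phone or fax (channel two, simulated here by a recording stub), and the approval is accepted only if it carries that code together with the same amount and beneficiary the employee saw on the second channel. The service class, the `OutOfBandChannel` stub, the five-minute code lifetime and the employee and account identifiers are all assumptions for illustration.

```python
"""Out-of-band approval for wire authorization (added example with constructed data)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass


@dataclass
class PendingWire:
    wire_id: str
    originator: str
    amount_cents: int
    beneficiary: str
    created_at: float
    code_mac: bytes        # HMAC of the one-time code; the code itself is never stored
    used: bool = False


class OutOfBandChannel:
    """Stand-in for an SMS/voice/fax gateway: records what would be sent to the employee's
    registered device so the flow can be exercised offline."""

    def __init__(self):
        self.sent = []

    def send(self, destination, wire_id, summary, code):
        self.sent.append({"to": destination, "wire_id": wire_id, "text": f"{summary} code {code}", "code": code})


class WireAuthorizationService:
    CODE_TTL_SECONDS = 300  # assumed lifetime of a code

    def __init__(self, oob_channel, contact_directory, clock=time.time):
        self._key = secrets.token_bytes(32)   # server-side MAC key; never leaves the service
        self._oob = oob_channel
        self._contacts = contact_directory    # employee -> registered phone/fax, maintained outside the web session
        self._clock = clock
        self._pending = {}

    def _mac(self, wire_id, code):
        return hmac.new(self._key, f"{wire_id}:{code}".encode(), hashlib.sha256).digest()

    def initiate(self, originator, amount_cents, beneficiary):
        """Channel one (the PC session): record the request and push a one-time code, with the
        transaction details, to the originator's registered device on a separate channel."""
        wire_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10**8):08d}"
        self._pending[wire_id] = PendingWire(
            wire_id, originator, amount_cents, beneficiary, self._clock(), self._mac(wire_id, code)
        )
        summary = f"Wire {wire_id}: ${amount_cents / 100:,.2f} to {beneficiary};"
        self._oob.send(self._contacts[originator], wire_id, summary, code)
        return wire_id

    def approve(self, wire_id, originator, amount_cents, beneficiary, code):
        """Channel two response. The code is bound to the details shown out of band, so a session
        that has been taken over cannot attach a valid code to an altered amount or beneficiary."""
        pending = self._pending.get(wire_id)
        if pending is None:
            return False, "unknown wire"
        if pending.used:
            return False, "code already used"
        if self._clock() - pending.created_at > self.CODE_TTL_SECONDS:
            return False, "code expired"
        if (originator, amount_cents, beneficiary) != (pending.originator, pending.amount_cents, pending.beneficiary):
            return False, "transaction details do not match the authorization request"
        if not hmac.compare_digest(self._mac(wire_id, code), pending.code_mac):
            return False, "invalid code"
        pending.used = True  # single use: a captured code cannot approve a second wire
        return True, "approved"


if __name__ == "__main__":
    channel = OutOfBandChannel()
    service = WireAuthorizationService(channel, {"jdoe": "+1-555-0100"})  # constructed directory
    wire = service.initiate("jdoe", 40_000_000, "ACCT-123456")            # $400,000.00
    code = channel.sent[-1]["code"]                                        # read off the phone
    print(service.approve(wire, "jdoe", 90_000_000, "ACCT-123456", code))  # altered amount: rejected
    print(service.approve(wire, "jdoe", 40_000_000, "ACCT-123456", code))  # matching details: approved
    print(service.approve(wire, "jdoe", 40_000_000, "ACCT-123456", code))  # replay: rejected
```

Two design points carry the control's value: the destination for the code comes from a directory the web session cannot edit, so a compromised PC cannot redirect the code to itself, and the approval check compares the submitted details against the initiated ones before the code is even examined, so the employee reading "$400,000 to ACCT-123456" on the phone is approving exactly that and nothing else.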
Tom Hinkel is the director of compliance for Safe Systems