US regulators warn banks of rise in cyber attacks

The Federal Financial Institutions Examination Council (FFIEC) has warned the financial services industry to put proper measures in place to guard against fraud.

According to Reuters, The FFIEC has seen a rise of so-called denial-of-service (DoS) attacks on bank websites, with an increase in attacks in the latter half of 2012.

In one recent case, criminals stole $40 million (£24 million) from 12 accounts in a sophisticated scheme known as an "Unlimited Operations" fraud. In that incident, criminals may begin an attack by installing malware on a bank's computers via phishing emails. Then they hack into control panels to raise limits on how much a cash machine can dispense and withdraw large amounts of money from a number of cash machines within a short period of time with stolen bank cards.

Such operations can be accompanied by a DoS attack, in which a bank's website is flooded with information requests so that it slows down or completely stops working for clients with legitimate requests.

Asked if a warning such as this was paranoia, Paul Bonner, head of technical services at Hardware.com, said it was not, but was more a case of awareness. “If you are a security manager at an organisation must keep himself up to speed with what is going on out there and take a long hard look at themselves as some of the breaches we have seen are not global attacks, as people are getting clever,” he said.

“When was the last time you turned on the news and a bank was robbed by a man with a mask and gun? It doesn’t happen, yet every day banks are hit by cyber attacks so the whole crime of getting money out has changed, but it is not paranoia but awareness of their own security policies and they need to test them.”

Commenting, Mark Teolis, general manager of DOSarrest, said: “When it comes to cyber attacks, sites in general and financial institutions are not immune, we are seeing DDoS attacks being used as a smoke screen that enables hackers to probe and find weak spots that otherwise would be picked up by Intrusion Detection Systems.”

Tim Keanini, CTO of Lancope, said: “The level of coordination and precision it takes to pull of perfect execution in 20 countries across 4,500 different ATM machines is the stuff movies are made of and speaks to the sophistication of cyber crime these days.

“Banks to this point have just made it too convenient for their customers to log in to systems. They are now paying the price of not being aggressive with multi-factor authentication. Banks need to explain to their customer case that we are all in this fighting this fight together against cyber crime and we all need to do our part.”

Colin Miles, CTO of Pirean, explains that financial institutions should consider advanced threat protection to help with these kind of attacks, explaining that 2 "these security controls offer capabilities to offer protection against zero-day application exploits by preventing malware from ever reaching the network even when otherwise trusted employees have been compromised through so called spear-phishing scams."

Dan Raywood is editor of The IT Security Guru