By Ken Otsuka
CUNA Mutual Group
Cyber attacks against U.S. financial institutions are nothing new. In 2012, however, cyber criminals claiming to be politically motivated conducted several well-publicized, large-scale attacks on national banks. Two credit unions were recent victims of the attacks. Defense Secretary Leon Panetta said the scale and speed of these attacks were unprecedented.
The attacks disrupted online service at the impacted financial institutions. Other criminal groups launched similar attacks, which served as smoke screens for attacks on customer accounts that diverted funds to accounts held by criminals at other institutions.
Here are six steps credit unions can take to prepare for a cyber attack:
1. Don’t underestimate the threat of cyber attacks.
It’s true that most credit unions don’t face the same risk as national banks from attacks by high-profile cyber criminal groups. But the first thing to understand about cyber attacks is that we can’t predict the next type of attack to come along. We simply don’t know whether it will come from an established criminal organization or from a single perpetrator with an axe to grind. Don’t bet on behalf of your members that your credit union isn’t big enough to be a target.
2. Mitigate the risk of service interruptions caused by “distributed denial of service” (DDoS) attacks.
You may not be able to prevent DDoS attacks, but you can establish a process to identify them. For example, you can monitor bandwidth usage, use firewall logs to determine what is being attacked, and use an intrusion detection system to identify the type of traffic.
3. Perform due diligence on third-party service providers.
Ensure that third parties such as Internet service providers and web-hosting vendors address website problems caused by DDoS attacks. Confirm that the providers have a contingency plan for these types of attacks.
What is a “distributed denial of service”?
In the world of Internet banking, DDoS generally refers to an attempt to disrupt or suspend online service by saturating the targeted institution’s network with external communication requests to overload its server. Legitimate users either can’t log on, or can’t use any services because the system is responding so slowly.
4. Be prepared to provide timely and accurate information to members.
Have you ever run a drill at your credit union to simulate how you would communicate to members that your website has been disabled or compromised? Have a plan in place to get the word out. The faster you do so, the better you can control the message and counter any rumors or misconceptions about what’s going on.
Prepare your staff to monitor social media and search engine results to find out what’s being said in cyberspace about any interruption to your online services. You may need extra staff or third-party assistance to work the phones and to contact local media, if necessary, to be sure the correct information reaches your members as quickly as possible.
5. Check transfers initiated via online banking when an attack occurs.
When a DDoS attack occurs, the financial institution’s employees may be busy answering calls from customers who cannot access the institution’s website as well as performing other damage control steps. During the chaos, the institution may fail to notice fraudulent transactions initiated through online banking.
When a DDoS occurs, be sure to review transactions initiated through online banking to identify suspicious transfers. If necessary, delay executing the transfers until you verify their legitimacy with the members.
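The review described in steps 2 and 5 can be automated as a first pass. The following is an added example, not part of the original article: it derives an attack window from bandwidth samples and triages online-banking transfers initiated inside it. The field names, the 5x-median threshold, the 30-minute padding and all sample data are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from statistics import median

def attack_windows(samples, factor=5.0, pad=timedelta(minutes=30)):
    """Return padded (start, end) windows where inbound Mbps exceeds factor x median.

    samples: time-ordered list of (datetime, mbps). The median is an assumed
    baseline; it only works when the attack covers under half of the samples.
    Padding widens the window because staff distraction outlasts the spike.
    """
    baseline = median(mbps for _, mbps in samples)
    windows, start, last = [], None, None
    for ts, mbps in samples:
        if mbps > factor * baseline:
            if start is None:
                start = ts
            last = ts
        elif start is not None:
            windows.append((start - pad, last + pad))
            start = None
    if start is not None:  # spike still in progress at the end of the data
        windows.append((start - pad, last + pad))
    return windows

def triage_transfers(transfers, windows):
    """Return (hold, review) id lists for online transfers inside a window.

    Transfers to another institution are held until the member confirms them;
    internal ones are queued for review only.
    """
    hold, review = [], []
    for t in transfers:
        in_window = any(s <= t["initiated"] <= e for s, e in windows)
        if t["channel"] == "online" and in_window:
            (hold if t["external"] else review).append(t["id"])
    return hold, review

def demo():
    """Run the triage on constructed sample data (10-minute bandwidth samples)."""
    t0 = datetime(2013, 1, 15, 9, 0)  # constructed date
    mbps = [40, 42, 38, 41, 39, 43, 900, 950, 920, 880, 45, 40, 41, 39, 42]
    samples = [(t0 + timedelta(minutes=10 * i), m) for i, m in enumerate(mbps)]
    rows = [("T1", "online", 15, True), ("T2", "online", 72, True),
            ("T3", "online", 80, False), ("T4", "branch", 85, True),
            ("T5", "online", 115, True), ("T6", "online", 150, True)]
    transfers = [{"id": i, "channel": c, "external": x,
                  "initiated": t0 + timedelta(minutes=m)} for i, c, m, x in rows]
    windows = attack_windows(samples)
    return (windows, *triage_transfers(transfers, windows))
```

Held transfers still need the member call-back the step describes; the script only decides which ones wait for it.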
6. Have a strong multi-factor authentication method in place for online banking systems.
Be sure your authentication process complies with the Federal Financial Institutions Examination Council’s updated authentication guidance issued in 2011. The FFIEC expects all financial institutions to have a fraud monitoring system in place to detect anomalies related to:
Ken Otsuka is a Risk Management Senior Consultant at CUNA Mutual Group. For more information about protecting your credit union from cyber crime and other risks, contact CMG at (800) 356-2644 or firstname.lastname@example.org.