Information Security: Distributed Denial of Service Attacks and Customer Account Fraud
To: Chief Executive Officers of All National Banks, Federal Branches and Agencies, Federal Savings Associations, Technology Service Providers, Department and Division Heads, All Examining Personnel, and Other Interested Parties
Recently, various sophisticated groups launched distributed denial of service (DDoS) attacks directed at national banks and federal savings associations (collectively, banks). Each of the groups had different objectives for conducting these attacks, ranging from garnering public attention to diverting bank resources while simultaneous online attacks, intended to enable fraud or steal proprietary information, were under way. This alert provides a general description of the attacks, along with risk mitigation information and sources of related risk management guidance. The alert also reiterates the Office of the Comptroller of the Currency’s (OCC) expectations that banks should have risk management programs to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security, and other controls as appropriate in response to changing levels of risk.
A DDoS attack seeks to deny Internet access to bank services by directing waves of Internet-based traffic from compromised computers to the bank. In some instances, sophisticated groups shift their tactics during attacks and target Internet service providers (ISPs). Fraudsters also use DDoS attacks to distract bank personnel and technical resources while they gain unauthorized remote access to a customer’s account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover). In this scenario, the DDoS can occur immediately before, during, or after the attack.[1] DDoS attacks also have been used to deny bank customers the opportunity to report suspected fraud and to block the banks’ customer-alert communications.
Identification and Risk Management
Banks need to have a heightened sense of awareness regarding these attacks and employ appropriate resources to identify and mitigate the associated risks. Preparations may include ensuring sufficient staffing for the duration of DDoS attacks in conjunction with pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow. Additionally, banks should ensure that their incident response effectively involves the appropriate personnel across multiple lines of business and external partners. Banks should also consider conducting due diligence reviews of service providers, such as ISPs and Web-hosting servicers, to ensure they have taken the necessary steps to identify and mitigate the risks stemming from potential DDoS attacks.
Because the groups conducting DDoS may shift tactics and targets during an attack, banks should incorporate information sharing with other banks and service providers into their risk mitigation strategies. Participating in information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center[2] (FS-ISAC), can assist banks by facilitating efficient sharing of information. The FS-ISAC and the United States Computer Emergency Readiness Team[3] (US-CERT) are good sources of information on the methods used to conduct attacks and on risk mitigation tactics to minimize their impact. The FS-ISAC, for example, has issued documents related to DDoS attacks[4] and account takeover.
As part of their contingency planning process, banks should be prepared to provide timely and accurate communication to their customers regarding Web site problems, risks to customers, precautions customers can take, and alternate delivery channels that will meet their banking needs. Banks should consider the recent DDoS attacks and concurrent fraud against customer accounts as part of their ongoing risk management program. Consideration should extend throughout the banks’ risk management process and encompass risk assessment, risk mitigation techniques, response plans, related policies and procedures, testing, training, and customer education.
Existing regulatory guidance addresses actions banks should take to help mitigate the risks associated with information security. The “Information Security” booklet of the FFIEC Information Technology Examination Handbook (IT Handbook) discusses the overall management of information security-related risk. Guidance addressing attacks against customer accounts is contained in the FFIEC’s “Authentication in an Internet Banking Environment,”[5] issued in 2005, and its “Supplement”[6] published in 2011. Additionally, banks’ use of third-party DDoS mitigation services should be in conformance with the “Outsourcing Technology Services” booklet of the IT Handbook.
The OCC expects banks that are victims of or adversely affected by a DDoS attack to report this information to law enforcement authorities and to notify their supervisory office. Additionally, banks should voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects critical information of the institution, including customer account information, or damages, disables, or otherwise affects critical systems of the bank.[7] Events that involve account takeover activity may require filing a SAR, as discussed in the guidance the Financial Crimes Enforcement Network issued last year.[8]
For Further Information
Direct questions regarding this alert to the OCC’s Bank Information Technology Division at (202) 649-6340.
Carolyn G. DuChene
Deputy Comptroller for Operational Risk
[7] The unauthorized electronic intrusion box of the SAR form should be checked, and the specific term “DDoS” and a description of the attack should be included in the narrative portion of the SAR.