The Office of the Comptroller of the Currency is warning banks to review their risk management programs and take necessary precautions against escalating attacks by fraud-minded hackers.
In an alert issued to national banks and federal savings associations, the regulator is warning of Distributed Denial of Service (DDoS) attacks being used to perpetrate customer account fraud. A DDoS attack seeks to deny Internet access to bank services by bombarding the system with waves of traffic from a network of compromised computers. These attacks can be used to distract bank personnel and divert technical resources while the perpetrators gain unauthorized, remote access to customer accounts and prevent the timely reporting of suspected fraud.
In the alert, the OCC reiterates “expectations that banks should have risk management programs to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security, and other controls as appropriate in response to changing levels of risk.”
“Banks need to have a heightened sense of awareness regarding these attacks and employ appropriate resources to identify and mitigate the associated risks,” it wrote. “Preparations may include ensuring sufficient staffing for the duration of DDoS attacks in conjunction with pre-contracted third-party servicers that can assist in managing the Internet-based traffic flow.”
Banks should ensure that their incident response effectively involves the appropriate personnel across multiple lines of business and external partners, the OCC says. They should also consider conducting due diligence reviews of service providers, such as ISPs and Web-hosting services, to ensure they have taken the necessary steps to identify and mitigate risks stemming from DDoS attacks.
Because groups conducting DDoS attacks may shift tactics and targets, banks should share information on attacks and risk mitigation strategies with other institutions and service providers, the OCC advises. Information-sharing organizations, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) and United States Computer Emergency Readiness Team (US-CERT), can facilitate these efforts and serve as resources.
“As part of their contingency planning process, banks should be prepared to provide timely and accurate communication to their customers regarding Web site problems, risks to customers, precautions customers can take, and alternate delivery channels that will meet their banking needs,” the OCC alert adds. “Banks should consider the recent DDoS attacks and concurrent fraud against customer accounts as part of their ongoing risk management program. Consideration should extend throughout the banks' risk management process and encompass risk assessment, risk mitigation techniques, response plans, related policies and procedures, testing, training, and customer education.”
Existing regulatory guidance addresses actions banks should take to mitigate risks associated with information security. The “Information Security” booklet of the Federal Financial Institutions Examination Council’s Information Technology Examination Handbook discusses the overall management of information security-related risk. Guidance addressing attacks against customer accounts is contained in the FFIEC’s “Authentication in an Internet Banking Environment,” issued in 2005, and its “Supplement” published in 2011.
The OCC expects institutions affected by a DDoS attack to report it to law enforcement authorities and notify their supervisory office. Banks should also voluntarily file a Suspicious Activity Report (SAR) if the DDoS attack affects customer account information or critical systems. Events that involve account takeover activity may also require filing a SAR, as discussed in guidance the Financial Crimes Enforcement Network issued last year.