Banks fend off cyberattacks


Money > Financial institutions not immune to security issues and scams

By Arin McKenna

Second of a two-part series

The Wall Street Journal reported last week that major U.S. banks are seeking government action to stop or mitigate intensifying cyberattacks against American banking institutions. Wells Fargo, JPMorgan Chase, Bank of America and Citigroup are some of a dozen major institutions targeted since early 2011.

The attacks have largely taken the form of distributed denial-of-service (DDoS), in which a network of infected computers is used to overwhelm computer systems and disrupt websites. The volume of the attacks is 10 to 20 times greater than previously recorded denial-of-service intrusions.

Financial institutions have spent millions of dollars responding to the assaults. Washington officials attribute the attacks to the Iranian government, which denies involvement.

Concern about the attacks intensified in September when the FBI published a fraud alert warning financial institutions that cyber criminals may be using DDoS to mask fraudulent wire transfers.

The alert warned that criminals were using social engineering techniques such as spam and phishing emails to target financial institution employees, hoping to gain access to internal networks and steal employee and administrative credentials. The intruders could then control all aspects of a wire transaction, including approval.

The unauthorized transactions were sometimes preceded or followed by a DDoS attack, most likely to distract bank personnel and prevent them from immediately identifying the fraudulent transaction.

The wire transfer scam may be of even greater concern to local banks than the nationwide DDoS attacks, since the FBI reported that small-to-medium-sized banks or credit unions were most frequently targeted.

“We haven’t had that happen, thank God. But we have a tremendous amount of training,” Los Alamos National Bank CEO Bill Enloe said. Enloe pointed out that the bank is subject to cyberattacks daily, with many of those originating in Eastern Europe.

“We have a company that all year round tries to penetrate our system and use social engineering to get into the system, both through our customers and our employees. So we take it very seriously, as all banks do.”

Del Norte Credit Union has also had security experts from Crowe Horwath LLP run “penetration assessments” and recommend changes.

“We wanted to get the best minds in the industry to come out and take a look at our controls and make sure they were adequate,” said DNCU President/CEO Chuck Valenti. “They performed a number of tests and were able to identify any weaknesses in those areas and correct them.”

The firm tested the bank against a number of highly sophisticated techniques to gain access to a system.

“One of the things they did is attempt to gather employee information and names from public sources, either from our website or from other places, and then they would attempt to gain unauthorized access to our locations,” Valenti said.

“For example, they would find out who the IT person at Del Norte was and they would call and say, so-and-so asked me to check on the computer system. Could you please let me in?”

One social engineering technique aimed at employees involves dropping thumb drives or CDs with tempting labels such as “confidential payroll information” in areas employees are likely to find them. The disk or thumb drive is loaded with a Trojan horse that allows hackers to gain access to internal systems if an employee puts it in their computer.

Often companies save the criminal the trouble of going to such lengths. Crowe Horwath noted that a surprising number of companies do not change standard passwords installed on systems such as computers, phones or even burglar alarms. Thieves simply have to type the default password to gain access.

Enloe said the most difficult scams to prevent are those involving customers.

“We still get burned occasionally with the social engineering part, because it’s almost impossible to stop, especially with mobile banking and mobile phone banking now. Someone gives out their information to somebody so they have access to their account, and they can move money,” Enloe said.

“So in those situations we concentrate on the fact they still have to get the money out of the bank somehow, either open up a false account and move it into that account to withdraw it, or they have to withdraw it through the teller line or they have to wire it to somewhere through our wire department or they have to set up an ACH automatic clearing house where it’s transferred somewhere else electronically. So we do a lot of security levels on those three areas to catch the money before it gets out of the bank.”

Bank employees look for flags such as new accounts, abnormal transactions for customers or large purchases, and then take steps to verify the validity of the transaction.

Simply not giving out personal information by phone or email is the best way to avoid those scams, officials said.

In addition to phishing (email scams) and vishing (voice/telephone scams), customers must beware of pharming, where customers are directed to a fraudulent website designed to look like the real thing and asked to input personal information.

Enloe also warns consumers to beware of people they meet on social networking sites trying to convince them to open a joint account. “It’s amazing the ways that people get tricked into transferring money to people that they shouldn’t, through the bank, and credit unions and all financial institutions,” Enloe said.

Valenti said the credit union has been fortunate not to suffer any losses in those areas. He credited an astute employee with preventing an even more sophisticated attack.

“It’s a big chess game, between the thieves and the banks. Banks lose millions of dollars a year to those methods. We’re not immune to that,” Enloe said. “We have a full-time staff that works on electronic fraud continuously and we still get burned, as do all financial institutions.”