The Federal Financial Institutions Examination Council (FFIEC) agencies issued joint statements in April to notify financial institutions of the risks associated with cyber-attacks on ATM and card authorization systems, and the continued distributed denial of service (DDoS) attacks on public websites.
The statements describe steps the regulators expect institutions to take to address these attacks and highlight resources they can use to help mitigate the risks posed by such attacks.
‘Unlimited Operations’
The agencies warned institutions of a type of ATM cash-out fraud the U.S. Secret Service characterizes as “Unlimited Operations.”
This is a category of ATM cash-out fraud in which criminals withdraw funds beyond the cash balance in consumers’ accounts or beyond other control limits typically applied to ATM withdrawals.
Criminals perpetrate the fraud by initiating cyberattacks to gain access to Web-based ATM control panels, which enables them to withdraw funds from ATMs using stolen debit, prepaid, or ATM card account information.
“Unlimited Operations” may cause financial institutions to incur large dollar losses. Therefore, regulators expect institutions to take steps to address this threat by reviewing the adequacy of their controls over their information technology networks, card issuer authorization systems, systems that manage ATM parameters, and fraud detection and response processes.
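To make the control review concrete, here is an added example (not from the FFIEC statements or any institution's system) of the issuer-side checks a card authorization system can keep independent of ATM parameters: a hard balance check, a policy ceiling on control-panel limit changes with an alert on every raise, and a velocity rule that flags bursts of withdrawals across ATMs. The policy ceiling, window and burst threshold are assumed values.

```python
from collections import defaultdict
from datetime import datetime, timedelta

POLICY_CEILING = 1000.00  # assumed: highest daily limit any parameter change may set

class IssuerAuthorizer:
    """Approves withdrawals only against issuer-held balance/limits and raises alerts."""

    def __init__(self, accounts, window=timedelta(minutes=10), max_in_window=4):
        self.accounts = {card: dict(a) for card, a in accounts.items()}
        self.spent_today = defaultdict(float)
        self.history = defaultdict(list)   # card -> [(time, atm_id)]
        self.window, self.max_in_window = window, max_in_window
        self.alerts = []

    def change_daily_limit(self, card, new_limit, operator):
        """Control-panel limit change: cap it at policy and alert on any large raise."""
        old = self.accounts[card]["daily_limit"]
        applied = min(new_limit, POLICY_CEILING)
        self.accounts[card]["daily_limit"] = applied
        if new_limit != applied or new_limit > old * 2:
            self.alerts.append(("limit_change", card, operator, old, new_limit))
        return applied

    def authorize(self, card, amount, when, atm_id):
        acct = self.accounts.get(card)
        if acct is None:
            return "DECLINE:unknown_card"
        if amount > acct["balance"]:            # balance check never depends on limits
            return "DECLINE:insufficient_funds"
        if self.spent_today[card] + amount > acct["daily_limit"]:
            return "DECLINE:daily_limit"
        recent = [t for t, _ in self.history[card] if when - t <= self.window]
        if len(recent) >= self.max_in_window:  # burst of withdrawals in a short window
            self.alerts.append(("cash_out_velocity", card, atm_id, when))
            return "DECLINE:velocity"
        acct["balance"] -= amount
        self.spent_today[card] += amount
        self.history[card].append((when, atm_id))
        return "APPROVE"

def run_scenario():
    """Constructed scenario: a card's limit is raised via the panel, then drained at many ATMs."""
    auth = IssuerAuthorizer({"card-1": {"balance": 2000.00, "daily_limit": 300.00}})
    auth.change_daily_limit("card-1", 50000.00, operator="panel-admin")
    t0 = datetime(2014, 4, 1, 2, 0)
    results = [auth.authorize("card-1", 200.00, t0 + timedelta(minutes=i), f"atm-{i}")
               for i in range(6)]
    return results, auth.alerts
```

In the scenario the limit raise is capped and alerted, four withdrawals are approved, and the fifth and sixth are declined by the velocity rule with alerts for the fraud response team.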
DDoS attacks
Regulators expect financial institutions to address DDoS readiness as part of ongoing information security and incident response plans. In accordance with regulatory requirements and the FFIEC Information Technology Handbook on Business Continuity Planning and Information Security, regulators expect institutions to take these steps: