April 02, 2014

FFIEC warns of ATM, card, DDoS attacks

April 3, 2014 – NCUA and other regulators in the Federal Financial Institutions Examination Council pointed to an ongoing rise in cyberattacks in a statement Wednesday and reminded financial institutions of the steps they must take to guard systems and data.

FFIEC members pointed to the risks associated with cyber-attacks on ATM and card authorization systems and continued distributed denial of service, or DDoS, attacks on public-facing websites. They also noted the steps regulated institutions are expected to take to address these attacks and highlighted resources to help them mitigate risk.

"Cyber-attacks on financial institutions to gain access to, and alter the settings on, Web-based ATM control panels used by small- to medium-sized institutions are on the rise," the council said, adding that institutions are expected "to take steps to address this threat by reviewing the adequacy of their controls over information technology networks, card issuer authorization systems, ATM usage parameters, and fraud detection processes … [and] to have effective response programs to manage this type of incident."

The agencies included with their statement two attachments, one addressing DDoS attacks, risk mitigation and resources; and the other focusing on ATMs and card authorization systems.

They said DDoS readiness should be addressed as part of an institution's ongoing information security and incident plan. To that end, each institution should:

  • monitor incoming traffic to its public website;
  • activate incident response plans if it suspects that a DDoS attack is occurring; and
  • ensure sufficient staffing for the duration of the attack, including the use of pre-contracted third-party servicers, if appropriate.