Fighting DDoS Attacks
Ever since the onslaught of distributed denial-of-service (DDoS) attacks that began in late 2011, the acronym DDoS has become a household term. Once a concern only of the IT or IS departments, these attacks now have the attention of the operational functions at financial institutions. Retail banking, cash management, and back office personnel are now well aware of the damage these attacks can create, and of the hysteria that can arise within their respective areas as the result of an attack.
Recently, the Federal Financial Institutions Examination Council (FFIEC) issued a joint statement notifying financial institutions of the risks associated with continued distributed denial-of-service (DDoS) attacks on public websites. The FFIEC expects financial institutions to address DDoS readiness as part of their ongoing information security program, specifically to include:
- Monitoring of incoming traffic to public web site(s)
- Activating incident response plans if a DDoS attack is suspected or occurring
- Ensuring sufficient staffing for the duration of the attack, including the use of previously contracted third-party services
The joint statement issued by the Federal Financial Institutions Examination Council (FFIEC) can be viewed at the link below:
Financial institutions have begun bolstering their defenses, in hopes of mitigating the damage of DDoS attacks, or preventing them altogether. However, many are too narrowly focused on increasing bandwidth, engaging third-party traffic scrubbers, and locking down vulnerable systems that could amplify the effects of an attack. Unfortunately, while these actions may be warranted, and provide some benefits, financial institutions are still missing the bigger picture.
While there is no foolproof defense against a denial-of-service attack, there are several ways in which community and regional FIs can effectively mitigate the risks. How? My firm belief, based on first-hand experience, is that DDoS attacks would not be as significant a concern if not for the prevalence of account takeover fraud. Account takeover—what does that have to do with a DDoS attack? This: criminals frequently launch DDoS attacks against financial institutions as a means of covering up transactional fraud they’ve perpetrated, or are in the process of perpetrating. Their hope is that an FI will be so focused on trying to restore online banking services that it will miss a fraudulent outbound ACH or wire transaction.
In these scenarios, DDoS attacks represent the second half of the equation when it comes to account takeover (ATO) – useful to the criminal once fraud has been successfully perpetrated. However, by preventing the fraud with stronger controls, financial institutions can significantly mitigate the risk of a DDoS attack being launched against them. In other words: adequately prevent the fraud, and you’ll reduce the likelihood of a DDoS attack. So the question is: is your FI focused only on perimeter defenses and internal infrastructure, or have you taken the time to consider implementing additional security measures to protect the customer and the institution at the transactional level? Where there’s smoke there’s fire – the fraud is the fire, the DDoS attack is the smoke.
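One way to act on this at the transactional level, as an added example that is not part of the original article: a small correlation check that holds outbound ACH and wire payments initiated around a DDoS alert window for manual review, rather than letting them clear while staff are busy restoring the website. The alert and payment records below are constructed sample data, and the field names, review thresholds and window sizes are assumptions.

```python
from datetime import datetime, timedelta

# Constructed sample data (not real events): one DDoS alert from the web tier and
# four outbound payments from the online-banking platform on the same day.
DDOS_ALERTS = [
    {"start": "2014-04-10T09:00:00", "end": "2014-04-10T11:30:00", "target": "www.examplebank.test"},
]
PAYMENTS = [
    {"id": "W1", "ts": "2014-04-10T08:15:00", "type": "WIRE", "amount": 900.00, "new_payee": False},
    {"id": "A2", "ts": "2014-04-10T09:42:00", "type": "ACH", "amount": 48000.00, "new_payee": True},
    {"id": "W3", "ts": "2014-04-10T10:05:00", "type": "WIRE", "amount": 120000.00, "new_payee": True},
    {"id": "A4", "ts": "2014-04-10T14:00:00", "type": "ACH", "amount": 30000.00, "new_payee": True},
]


def parse_ts(ts):
    """Parse the ISO-8601 timestamps used in the constructed records."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")


def flag_payments_during_ddos(alerts, payments, lead=timedelta(hours=1),
                              lag=timedelta(hours=2), amount_floor=10000.0):
    """Return the ids of outbound ACH/wire payments that should be held for review.

    A payment is held when it was initiated from `lead` before a DDoS alert began
    until `lag` after it ended (the attack often starts after the fraudulent
    transaction is queued), and it either goes to a newly added payee or is at
    or above `amount_floor`. Window sizes and the floor are assumed values.
    """
    held = set()
    for alert in alerts:
        window_start = parse_ts(alert["start"]) - lead
        window_end = parse_ts(alert["end"]) + lag
        for payment in payments:
            if payment["type"] not in ("ACH", "WIRE"):
                continue
            initiated = parse_ts(payment["ts"])
            if not (window_start <= initiated <= window_end):
                continue
            if payment["new_payee"] or payment["amount"] >= amount_floor:
                held.add(payment["id"])
    return sorted(held)


if __name__ == "__main__":
    print("Hold for review:", flag_payments_during_ddos(DDOS_ALERTS, PAYMENTS))
```

In the sample data, A2 and W3 are held because they were initiated during the attack and meet the new-payee rule, while W1 is small and to a known payee and A4 falls outside the window.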