FFIEC: New Statements on Fraud, DDoS

Outlines Expectations for Mitigation Steps

The Federal Financial Institutions Examination Council on April 2 issued notices spelling out its expectations for steps banking institutions should take to mitigate risks posed by ATM cash-out schemes and the continued distributed-denial-of-service attacks on public-facing websites.

"Cyber-attacks on financial institutions to gain access to, and alter the settings on, Web-based ATM control panels used by small- to medium-sized institutions are on the rise," the FFIEC says in its announcement of the statements. "The [FFIEC] expects financial institutions to take steps to address this threat by reviewing the adequacy of their controls over information technology networks, card issuer authorization systems, ATM usage parameters and fraud detection processes."

The FFIEC says it also expects financial institutions to address DDoS readiness as part of their ongoing information security and incident plans.

Stephanie Collins, spokeswoman for the Office of the Comptroller of the Currency, says the FFIEC's statements were not issued in response to any particular threat, but were meant to make banking institutions aware of ongoing trends.

"The OCC works with its partners in law enforcement and the intelligence community to keep current on the evolving cybersecurity landscape so we can better inform and help our banks with risk mitigation tactics," she says. "The FFIEC joint statements on DDoS and ATM cash-out are directed at all institutions. However, with regard to the ATM cash-out joint statement, small and mid-size banks are more likely to use Web-based control panels."

Timely Reminders

Payments fraud expert John Buzzard, who oversees FICO's Card Alert Service, says the regulators' advisory about cash-out schemes is a good reminder about ongoing risks.

"I read this as [the] FFIEC sharing information that apparently is a credible threat and not so much a live situation," Buzzard says. "It's a good opportunity for everyone to take pause and make sure that firewalls and hardware security modules are in place, and that passwords are fresh and secure - the basics should be revisited."

From a DDoS perspective, Buzzard says it seems the FFIEC is just reminding smaller institutions that they are vulnerable and could be targeted. "Many of the large financial brands have been hit or have taken precautions to prevent an attack, so this seems like common-sense warnings to me," he says.

But one fraud executive with a mid-sized banking institution in the Southeast, who asked not to be named, says getting these types of periodic reminders from regulators serves a purpose. "Smaller institutions are more vulnerable," this executive says. "They are trying to stay competitive with the big banks by offering new products that customers want. But small banks often do not realize the fraud potential of such products, nor can a small bank tolerate the monetary losses that big banks sustain."

Having regulators single out specific areas that need additional attention is helpful to smaller institutions, the executive adds, because most do not have professionally trained fraud specialists on staff.

Cash-Out Schemes

The FFIEC says it issued the notice about cyber-attacks on ATM and card authorization systems to warn financial institutions about large dollar-value ATM cash-out fraud schemes. In the schemes, criminals are able to withdraw funds beyond the cash balance in customer accounts or beyond other control limits typically applied to ATM withdrawals, the FFIEC says (see 3 Indicted in Cybercrime Scheme).

Criminals perpetrate the fraud by initiating cyber-attacks to gain access to Web-based ATM control panels, which enables them to withdraw customer funds from ATMs using stolen customer debit, prepaid or ATM card account information, according to the notice.
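The two controls the FFIEC notice asks institutions to review, the usage parameters held in ATM control panels and the issuer-side fraud detection process, can be illustrated with a small issuer-side check. The following is an added example written for this article, not code from the FFIEC or any bank; the account records, limits and authorization requests are constructed, and the baseline-versus-configured parameter comparison is a hypothetical reconciliation step that assumes the institution keeps an independent copy of its intended limits outside the Web-based panel.

```python
"""Added example: issuer-side checks for ATM cash-out indicators.

Not code from the FFIEC or any issuer. Assumes a simplified authorization
record shape; all accounts, limits and requests below are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Account:
    card: str
    balance: float        # available balance on the account
    daily_limit: float    # per-card daily withdrawal limit


@dataclass
class Request:
    ts: datetime
    card: str
    amount: float
    atm_id: str


# Intended usage parameters, kept outside the Web-based control panel
# (hypothetical values constructed for this example).
BASELINE_PARAMS = {"max_withdrawal": 500.0, "max_daily": 2000.0, "velocity_per_hour": 5}


def check_parameter_drift(current, baseline=BASELINE_PARAMS):
    """Return the names of parameters whose configured value differs from the
    baseline. A raised limit on the control panel is exactly the kind of
    altered setting the FFIEC notice describes, so drift should be reconciled."""
    return sorted(k for k, v in baseline.items() if current.get(k) != v)


def authorize(requests, accounts, params=BASELINE_PARAMS, window=timedelta(hours=1)):
    """Evaluate requests in timestamp order and return (approved, alerts).

    Each alert is a (card, reason) pair. Balance and per-day totals are tracked
    per card, and a velocity check counts approved withdrawals within `window`
    so that a burst across many ATMs is caught even when each single amount
    looks normal."""
    approved, alerts = [], []
    daily_total = defaultdict(float)
    recent = defaultdict(list)  # card -> timestamps of approved withdrawals
    for r in sorted(requests, key=lambda x: x.ts):
        acct = accounts[r.card]
        reasons = []
        if r.amount > acct.balance:
            reasons.append("exceeds_balance")
        if r.amount > params["max_withdrawal"]:
            reasons.append("exceeds_single_limit")
        if daily_total[r.card] + r.amount > min(acct.daily_limit, params["max_daily"]):
            reasons.append("exceeds_daily_limit")
        recent[r.card] = [t for t in recent[r.card] if r.ts - t <= window]
        if len(recent[r.card]) >= params["velocity_per_hour"]:
            reasons.append("velocity")
        if reasons:
            alerts.extend((r.card, reason) for reason in reasons)
            continue
        acct.balance -= r.amount
        daily_total[r.card] += r.amount
        recent[r.card].append(r.ts)
        approved.append(r)
    return approved, alerts


def run_sample():
    """Run the checks over constructed traffic: one card that simply overdraws,
    and one card hit with a burst of withdrawals across six ATMs."""
    t0 = datetime(2014, 4, 2, 9, 0, 0)
    accounts = {
        "4111-TEST": Account("4111-TEST", balance=800.0, daily_limit=1000.0),
        "5555-TEST": Account("5555-TEST", balance=10000.0, daily_limit=2000.0),
    }
    requests = [Request(t0 + timedelta(minutes=m), "4111-TEST", 300.0, "ATM-A")
                for m in (0, 10, 20)]
    requests += [Request(t0 + timedelta(minutes=m), "5555-TEST", 400.0, f"ATM-{m}")
                 for m in range(1, 7)]
    return authorize(requests, accounts)


if __name__ == "__main__":
    print(check_parameter_drift({"max_withdrawal": 500.0, "max_daily": 20000.0,
                                 "velocity_per_hour": 5}))
    approved, alerts = run_sample()
    print(len(approved), alerts)
```

The third withdrawal on the first card is declined for exceeding the available balance, and the sixth withdrawal on the second card trips both the daily limit and the velocity check; the drift check reports any panel parameter that no longer matches the institution's own baseline, which is the review the notice asks for.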