Cybersecurity Alert from Sawyers & Jacobs: ATM, Debit Card, Credit Card, and Bill Pay Threats
Recent Trends and How to Mitigate Your Bank's Risk
This alert came to SFE through Sawyers & Jacobs.
We are making our clients and friends aware of several cybersecurity threats we've seen in our recent travels, work with clients, and in our ongoing dialogue with bankers, law enforcement, regulators, and technology services providers.
What Have We Seen?
Significant threats to banks' ATM, debit card, credit card, and bill payment services that range from:
- Massive unauthorized withdrawals from ATMs using fake cards. For example, a Virginia bank was hit with a $2.4 million loss due to two such intrusions over an eight-month period.
- Unauthorized access to banks' debit card processor administrative platforms where hackers have turned off or manipulated controls. See #1.
- Credit card fraud using fake cards in foreign countries at willing or bogus merchants. For example, a customer credit card was used for over $80,000 in fraudulent transactions in a 37-minute period, despite the bank having fraud detection in place with the credit card processor and the customer getting an alert on his smartphone and responding that "NO" the transactions were not being initiated by him.
- Bill pay fraud where new payees are set up on the banks' bill pay service and fraudulent transactions are initiated. For example, one case involved an attempted $120,000 in transactions from one customer account.
Why Are We Letting You Know?
For those who know our firm, Sawyers & Jacobs, we do not send these alerts unless we believe there is reason to be concerned and to be especially diligent. We expect this activity to continue, especially at banks that are more vulnerable to such activity due to inadequate controls or weak IT Audit & Cybersecurity Assessment coverage that has not addressed such threats and recommended mitigating controls.
What Should You Do?
While this remains a fluid situation, we have the following advice to mitigate your bank's risk:
- First and foremost, if your bank STILL does not have 24/7 coverage of your Intrusion Prevention System (IPS) by a qualified Managed Security Services Provider (MSSP), you are at tremendous risk. Your bank could have an intruder on your network right now and you would not know it. Engage an MSSP to monitor your IPS on a 24/7 basis so malicious traffic INSIDE your network can be detected.
- If your bank has purchased a SIEM (Security Information & Event Management) system that is no more than a fancy dashboard and is not monitored 24/7 by experienced professionals, you are at risk. We are seeing banks buy these systems, which creates a false sense of security because they appear to be doing something sophisticated when, in fact, they are only being watched during regular business hours by bank employees who are not cybersecurity professionals. This is not always the case, but often this trend results in banks having unrecognized exposure to cybersecurity risk.
- Perform internal vulnerability scans of your bank's network to spot any problems.
- Maintain a strong patch management program.
- Determine who has access to your bank's administrative platforms for ATM, debit card, credit card, online banking, and bill pay and identify whether multifactor authentication is in place for such access. We are seeing intruders gain bank employee credentials to access these platforms.
- Review user activity on such administrative platforms to detect unusual activity that might be perpetrated by an intruder on the network.
- Set your bill pay system to require out-of-band authentication (e.g., a code sent via text to a cell phone) before new payees can be added.
- Set maximum amount thresholds for bill pay transactions.
- Review and note any spikes in new users being added to any of the systems above or any increase in normal activity.
- Check insurance coverage (Understand that insurance coverage may not apply depending on the specifics of the intrusion/fraud and whether the bank has the required controls in place).
- Don't let excessive phishing testing be your only line of defense. In the best banks, 3-5% of people will still click. Invest your security dollars in the layers beyond that first click so intrusions can be stopped before bank or customer funds are lost.
- Do not engage convicted felons to perform your cybersecurity testing and do not work with IT audit firms who resell such services.
- Test your wire transfer systems to mitigate the risk of fraudulent wire transfers, unsecured funds, lack of out-of-band authentication of customer requests, emailed yet unverified requests, and other critical controls surrounding this high-risk system.
- Review access to your core banking system and the application that allows debits and credits to be entered online to customer accounts. Restrict such access to authorized employees and consider turning off such access after normal business hours.
- Assess your bank's susceptibility to Business Email Compromise (BEC) as we continue to see this method used to infiltrate bank executives' email in attempts to execute fraudulent wire transfers.
- Engage qualified firms to perform comprehensive IT Audits and Cybersecurity Assessments (including penetration testing, vulnerability scanning, and social engineering tests) to determine your preparedness for such incidents and how your bank can mitigate its risk.
- Review your ATM, debit card, and credit card fraud detection systems to verify that parameters are set correctly. Understand that these systems mostly "DETECT" but do not "PREVENT" fraud. Some items to check:
  - Velocity of transactions (What triggers are in place to detect multiple transactions in a short period of time?)
  - Point-of-Sale (POS) purchase amount limits (What is the maximum amount a customer can purchase in one transaction or at one merchant?)
  - Bank alerts (When your bank's fraud detection system sends an alert to bank personnel, who is getting those alerts, what action does he/she take, and will he/she get those alerts and act on a weekend or holiday?)
  - Customer alerts (When the customer gets an alert and replies "No" that the transaction should not be allowed, what does your processor do?)
  - Warranties (Does the bank's fraud detection system provide any type of warranty to make the bank and the customer whole in such incidents?)
  - Daily withdrawal limits (What are your system's ATM daily withdrawal limits and what is the likelihood of those being changed by an unauthorized party?)
This is a partial list of recommendations. Contact your IT auditors, cybersecurity testing professionals, consultants, and others who can discuss your specific situation and help your bank manage its risk.
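As an added illustration that is not part of the original alert, the Python sketch below applies three of the parameter checks listed above (transaction velocity, the POS single-purchase limit, and the daily ATM withdrawal limit) to constructed authorization records; the threshold values and card/merchant names are assumptions for the example, not recommended settings. As the alert notes, logic like this only detects: someone still has to receive the alert and act on it, including on a weekend or holiday.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authorizations (timestamp, card, channel, merchant, USD amount); not real data.
SAMPLE_TXNS = [
    ("2024-08-30T02:01:00", "card-A", "POS", "merchant-X", 4990.00),
    ("2024-08-30T02:03:00", "card-A", "POS", "merchant-X", 4995.00),
    ("2024-08-30T02:06:00", "card-A", "POS", "merchant-Y", 4980.00),
    ("2024-08-30T02:09:00", "card-A", "POS", "merchant-Y", 4999.00),
    ("2024-08-30T02:30:00", "card-B", "ATM", "atm-101", 500.00),
    ("2024-08-30T02:31:00", "card-B", "ATM", "atm-101", 500.00),
    ("2024-08-30T02:32:00", "card-B", "ATM", "atm-102", 500.00),
    ("2024-08-30T09:15:00", "card-C", "POS", "grocer", 86.20),
    ("2024-08-30T15:00:00", "card-D", "POS", "electronics", 6500.00),
]

# Assumed thresholds for illustration only; a bank sets these with its processor.
DEFAULT_LIMITS = {
    "velocity_window": timedelta(minutes=10),  # sliding window for velocity checks
    "velocity_count": 3,                       # more than 3 authorizations per card in the window
    "velocity_amount": 10000.0,                # more than $10,000 per card in the window
    "pos_single_max": 5000.0,                  # per-transaction POS purchase cap
    "atm_daily_max": 1000.0,                   # daily ATM withdrawal cap per card
}

def evaluate_controls(txns, limits=DEFAULT_LIMITS):
    # Returns (rule, card, detail) alerts; each rule fires at most once per card.
    alerts, seen = [], set()
    recent, atm_daily = defaultdict(deque), defaultdict(float)
    def flag(rule, card, detail):
        if (rule, card) not in seen:
            seen.add((rule, card))
            alerts.append((rule, card, detail))
    for ts_s, card, channel, merchant, amount in sorted(txns):
        ts = datetime.fromisoformat(ts_s)
        if channel == "POS" and amount > limits["pos_single_max"]:
            flag("pos_single_max", card, f"{amount:.2f} at {merchant}")
        if channel == "ATM":  # accumulate withdrawals per card per calendar day
            day = (card, ts.date())
            atm_daily[day] += amount
            if atm_daily[day] > limits["atm_daily_max"]:
                flag("atm_daily_max", card, f"{atm_daily[day]:.2f} on {ts.date()}")
        q = recent[card]  # velocity: count and dollars inside the sliding window
        q.append((ts, amount))
        while ts - q[0][0] > limits["velocity_window"]:
            q.popleft()
        total = sum(a for _, a in q)
        if len(q) > limits["velocity_count"] or total > limits["velocity_amount"]:
            flag("velocity", card, f"{len(q)} authorizations / {total:.2f} within window")
    return alerts
```

Running `evaluate_controls(SAMPLE_TXNS)` flags card-A on velocity (three near-maximum purchases in six minutes that each stay under the single-purchase cap), card-B on the daily ATM limit, and card-D on the POS single-purchase cap, while card-C's ordinary activity produces nothing.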
How Tight Should We Lock Our Systems Down?
Banking is a risk-reward business where one must continue to deliver convenient services but with the proper controls in place. The list above proves once again that this is a never-ending battle and that new threats emerge every day. Systems must be constantly calibrated. Your audit or exam findings from last year might mean very little in the new environment and current threat landscape.
Are Smaller Banks More Susceptible?
Recent statements made by some in the industry that community banks are more susceptible to such intrusions and fraud because they have less robust cybersecurity controls, smaller budgets, or more third-party vendor vulnerabilities are simply uninformed, in our opinion, and not what we see in the real world. Community banks are often more secure than larger banks because they can better define their environment, are not constricted by legacy systems, and can install affordable yet sophisticated systems and controls that can be monitored and tested on a 24/7 basis. Cybersecurity preparedness is certainly relative. Bank size is not an indicator of risk. Any bank, any system, any customer...can be hacked. None are hack-proof.
What Lies Ahead?
We encourage you to be especially diligent over the upcoming Labor Day weekend as chatter indicates that organized cybercriminals may be planning a massive fraud over a weekend where fake cards can be used to withdraw funds from customer accounts.
We wanted you to have this information now so we could serve as your early warning system and perhaps help you prevent these events from happening at your bank. We will continue to monitor these situations as we work with client banks on incident response as well as preventive measures in conjunction with our scheduled engagements. Expect other alerts as they are warranted.