With Target as a primary example, the systems breach of a major retailer has proven to be a trifecta of cyber-related criminal activity from the onset, affecting not only the retailer and their customers, but the financial services industry in general.
First, there’s the eye-opening fact that any one individual or group is actually capable of infiltrating systems, not of smaller regional chains or mom and pop stores, but that of international retail giants; and doing so with what appears to be remarkable ease.
Second, the ability of the criminals to effectively continue their operation under the radar for a relatively long span of time, allowing them to steal and proceed to sell of millions of identities on the black market.
Third, these breaches are spawning secondary and separate crime sprees with the increase of spam and phishing emails under the guise of customer service emails from Target, Neiman Marcus or even a financial institution; thereby, taking advantage of the now more vulnerable consumer market.
Given the enormity of all that has occurred (with probably more to come), you and your staff should be reviewing your bank’s insurance policies in addition to security processes and protocols in order to mitigate risk and losses, in order to protect not only your bank, but your customers as well. Consider the following:
- Does your bank have up-to-date procedures in place for handling situations on a large scale? Have you and your staff reviewed them lately, given all the recent retail breaches? Typically, such criminal activity happens case-by-case and your bank staff can handle accordingly; however, given the scope of the recent retail breaches, is your bank prepared to handle mass account changes, be it proactively or by customer request?
- Is a plan in place to communicate your bank’s procedures to your customers and offer to assist them in safeguarding accounts? Consider sending notifications to customers by mail rather than or in addition to email. When Target notified customers that free credit monitoring services would be available to them, many were dubious of the emails received, suspecting spam. A letter may offer additional credibility.
In addition, provide suggestions on steps to take to prevent their systems and accounts from being infiltrated. Educate your customers (and your employees) on the dangers associated with opening attachments or clicking on links in unsolicited emails. Remind them to be vigilant in monitoring emails as they may see an increase of spam/phishing emails, some possibly posing as a bank or breached retailer. Encourage that they only download reputable apps onto mobile devices. Be aware of so-called “electronic wallets” as many are designed to harvest bank credentials for others’ malevolent use.
- With the increase of spam/phishing comes the potential increase of DDoS (Distributed Denial of Service) attacks on systems, used as a distraction to divert staff resources and attention from the criminal’s real goal—fraudulent wire transfers. The following are some basic reminders to help prevent DDoS attacks:
- Be up-to-date with security patches and anti-virus software on desktop/laptop machines and servers. Ensure that workstations utilize host-based IPS technology and/or application whitelisting to prevent the execution of unauthorized programs.
- Monitor for spikes in website traffic as these may indicate potential DDoS activity. Implement a plan to ensure that employees handling wire transfers are notified so that wire transfer requests can be more closely scrutinized.
- In addition to bank-hosted security software for browser security and protecting online sessions, consider software that detects, and possibly removes malware from your customer’s machine. Ensure employees do not leave USB tokens in computers connecting to payment systems. Do not allow employees to freely access the Internet or emails on the same computers used to initiate payments. Conversely, do not allow employees to access administrative accounts from home computers connected to home networks.
- Consider implementing time-of-day login restrictions for employees with access to payment systems. Monitor employee logins that occur outside normal business hours.
- Restrict access to wire transfer limit settings. Reduce employee wire limits in automated wire systems by ;requiring a second employee to approve larger wire transfers and limit systems from which credentials used for wire authorization can be utilized. If wire transfer anomaly detection systems are used, consider changing “rules” to detect this type of attack and, if possible, create alerts to notify bank administrators if wire transfer limits are modified.
- Review intrusion detection and incident response procedures and consider conducting a mock scenario testing exercise to ensure familiarity with the plan. Secure and/or store manuals offline or restrict access to training system manuals with enhanced access controls.
We encourage you to not take a wait-and-see approach. From all appearances, cyber-related crimes will only continue to increase in breadth and scope. Consider joining established groups such as FS-ISAC, Community Institution Council and Payments Risk Council to take advantage of security alerts and information they share. Talk with your peers–get involved with organizations such as the American Bankers Association, state bankers associations and others to help you and your staff learn and determine best practices and steps for your bank to mitigate risk for both your bank and your customers.
Communication tools available for bankers
Retail breaches have left victims vulnerable to phishing attacks. ABA’s advocacy resource, AMPLIFY, has added sample tweets, Facebook posts and a press release reminding consumers not to fall victim to these phishing scams. Visit amplifybankers.com.
Any discussion relating to policy language and/or coverage requirements is non-exhaustive and provided for informational purposes only. For details on coverage provided by your specific policy, please refer to your policy.