The Fraud Blog with Tracy Kitten

FDIC Warns Consumers About DDoS

Is Notice Precursor to More Regulatory Oversight?
FDIC Warns Consumers About DDoS

When online-banking sites are down, consumers get nervous. Streams of Facebook comments and Twitter feeds over the last seven months from consumers frustrated with intermittent online outages affecting numerous U.S. banks and credit unions prove that point.

See Also: New OnDemand | Reacting with Split-Second Agility to Prevent Software Supply Chain Breaches

We've linked back to some of those comments in our various reports about U.S. institutions' websites adversely affected by hacktivists' distributed-denial-of-service attacks.

Many of those affected institutions have responded to their customers by replying to social networking posts and feeds. Some also have posted information about why consumers are experiencing intermittent issues related to accessing their online-banking accounts, noting that DDoS attacks are to blame.

Banks and credit unions have pointed out that when online-banking is down, consumers have several other banking channels, such as mobile, call center and ATM, from which to choose. But are they doing enough to educate their customers? And do consumers really understand why their online access has been disrupted?

Those are questions federal banking regulators appear to be asking, and the tone of their questioning suggests they soon could be holding banking institutions to a higher DDoS-disclosure standard.

The Federal Deposit Insurance Corp., in its spring edition of FDIC Consumer News, specifically calls out DDoS attacks, noting that regulated banking institutions are required to notify the public if sensitive data is ever breached during these attacks.

The FDIC defines DDoS as an assault that occurs "when criminals deliberately inundate computers that handle Internet traffic (also called Web servers) with so many requests at the same time that they cause a financial institution's site to 'crash' for anywhere from a few minutes to several days." The FDIC notes that federal banking regulators are reviewing how individual banking institutions manage DDoS attacks and other cybersecurity threats.

"Part of that is making sure every bank has contingency plans for how to handle a prolonged service interruption," Michael Benardo, manager of the FDIC's Cyber Fraud and Financial Crimes Section, states in the FDIC consumer notice. "The motive behind most denial-of-service attacks to date has been to damage the targeted institution's reputation by keeping customers from accessing its Web site or online banking system and causing people to believe something is seriously wrong with the bank. In reality, denial-of-service attacks to date have done little more than temporarily inconvenience Internet banking customers. The financial industry has responded well to these attacks, and customer information and accounts have remained secure."

This is the first time we've seen a banking regulator directly address DDoS with the public, and the move likely foreshadows steps regulators will be taking to scrutinize how banks and credit unions address DDoS with the public.

While some banking institutions may balk at this, most will feel a sense of relief - they've been getting mixed messages from various banking associations, law enforcement and even regulators about exactly how much they should disclose about DDoS activity - and to whom.

Perhaps now they'll have some clarity - and that's a good thing. More regulatory oversight here is something the banks want and need.

DDoS Disclosure, So Far

Banking institutions have taken steps to conform to regulatory oversight - namely by reporting DDoS attacks and other cyber-activity in their filings with the Securities and Exchange Commission (see Top Banks Offer New DDoS Details).

Some contingency plans are noted in those filings, but most banks make it clear it's difficult to anticipate some of the risks that might accompany these attacks.

Citigroup, which filed its 10-K report March 1, points out that DDoS attacks in 2012 did result in unspecified losses, and preparing for future attacks will likely mean making unspecified investments in yet-to-be determined technologies and risk-mitigation strategies.

"While Citi's monitoring and protection services were able to detect and respond to these incidents before they became significant, they still resulted in certain limited losses in some instances as well as increases in expenditures to monitor against the threat of similar future cyber-incidents," Citi states. "Citi's computer systems, software and networks are subject to ongoing cyber-incidents," including unavailability of service, the bank adds.

The FDIC is not the only federal banking regulator to acknowledge DDoS. In February, the National Credit Union Administration warned that the fraud risks that could be associated with DDoS attacks should be taken seriously. That warning came on the heels of a similar warning issued in late December by the Office of the Comptroller of the Currency, which also noted account takeover risks federal investigators had associated with DDoS.

But the FDIC's advisory stands out, because it sets an example for how banking institutions should be communicating more directly with consumers about how DDoS can affect them.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.