Today the OCC put out an alert to its banks on the recent spate of DDoS attacks. The regulators acknowledged the existence of different attacker groups – some politically motivated and others financially motivated. They are also acknowledging that these DDoS attacks have in fact led to or been associated with fraud and customer account takeover.
The regulators do an excellent job of telling banks what to look out for, i.e. what some of these attacks look like. They are also correct in putting the banks on notice that:
a) They must ensure third-party service providers (e.g. ISPs) are prepared for these events and doing all they can.
b) They must disclose these incidents to the regulators and law enforcement.
c) They must deploy layered security as outlined in the FFIEC guidance to mitigate financial damage from these attacks.
It’s reassuring to see that the OCC takes these threats very seriously. No doubt, they will step up their enforcement of FFIEC guidance on Internet banking security. That’s actually a good thing because regulators drive security action and spending, even though we would all like to think that this focus on security would exist independently in all cases and across the board – even without the regulators.
That simply isn’t the way it is. Some banks do spend enough on security – but many do not. This will help ensure that all – and not just some – of the banks regulated by the OCC, at least, are putting the requisite resources into defending against DDoS attacks and their attendant damage.
This is definitely a threat to the day-to-day workings of our financial systems. Thankfully there are lots of backup routes into a bank, e.g. branch, ATM, call center. But many users and customers depend on the internet and it’s very disruptive to business when it’s down.
In the meantime, add DDoS attacks to the checklist of things to worry about when trying to prevent fraud. Hopefully this will get the security, networking and fraud folks at the target financial institutions working more closely together.