Today the OCC put out an alert to its banks on the recent spate of DDoS attacks. The regulators acknowledged the existence of different attacker groups – some politically motivated and others financially motivated. They are also acknowledging that these DDoS attacks have in fact led to or been associated with fraud and customer account takeover.
The regulators do an excellent job of telling banks what to look out for, i.e. what some of these attacks look like. They are also correct in putting the banks on notice that:
a) They must ensure third-party service providers (e.g. ISPs) are prepared for these events and doing all they can.
b) They must disclose these incidents to the regulators and law enforcement.
c) They must deploy layered security as outlined in the FFIEC guidance to mitigate financial damage from these attacks.
It’s reassuring to see that the OCC takes these threats very seriously. No doubt, they will step up their enforcement of FFIEC guidance on Internet banking security. That’s actually a good thing because regulators drive security action and spending, even though we would all like to think that this focus on security would exist independently in all cases and across the board – even without the regulators.
That simply isn’t the way it is. Some banks do spend enough on security – but many do not. This will help ensure that all – and not just some – of the banks regulated by the OCC at least, are putting the requisite resources into defending against DDoS attacks and their attendant damage.
This is definitely a threat to the day-to-day workings of our financial systems. Thankfully, there are lots of backup routes into a bank, e.g. branch, ATM, call center. But many users and customers depend on the internet, and it’s very disruptive to business when it’s down.
In the meantime, add DDoS attacks to the checklist of things to worry about when trying to prevent fraud. Hopefully this will get the security, networking and fraud folks at the target financial institutions working more closely together.
The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.