• United States



by Staff Writer

FBI issues advisory to financial institutions, but customers should take notice too

Sep 11, 20134 mins
Application SecurityCybercrimeData and Information Security

The FBI has warned financial institutions of possible impending DDoS attacks, but others are saying consumers may be at just as much risk

On the anniversary on the terror attacks in New York and Washington D.C., the FBI has issued a warning to financial institutions regarding DDoS attacks based on claims made by supporters of Anonymous. Trend Micro has added to these warnings, with some advice for the rest of us, which apply to every day, and not just 9/11.

The FBI’s Private Sector Advisory centers on threats made by those behind Anonymous’ OpUSA and OpIsraelReborn.

“Op USA is described as a cyberattack on U.S.-based web sites and servers, with a focus on the financial industry. Organizers previously claimed Op USA was in response to alleged war crimes the U.S. has committed against Iraq, Afghanistan, and Pakistan,” the agency’s advisory states.

The two campaigns have promised DDoS attacks against U.S.-based financial firms, on selective dates of importance such as 9/11, but if such attacks have taken place, no one noticed. Such attacks have constantly targeted the finance sector this year, and service outages have been few and far between. The reason for this is due largely to the IT teams supporting the financial firms adapting to the tactics used by the attackers, and segmentation of key assets (apps and services, operations software) away from the commonly targeted infrastructure.

However, while criminals and cyber activists target the infrastructure, an entirely separate demographic is just as vulnerable to scams and other financially-based crime. In an email to CSO, JD Sherry, the Vice President of Technology and Solutions for Trend Micro, shared his thoughts on the topic.

Mr. Sherry’s advice started with a reminder that leaving money in the bank is still a safe bet, because deposits are still insured, even against cybercrime. But given the topic, your editors at CSO advise you to talk to your bank and learn the limits on such cybercrime protections, including any liabilities you may have to shoulder in the event of a monetary loss.

Phishing happens, and no one is exempt from a criminal’s net. Most financially motivated crimes start with an email. It’s the fastest way to reach a potential victim.

“One of the more popular ways that cybercriminals target customers involves hacking a bank, obtaining email addresses and building a site that looks identical to the banks site. Just about any updated security software will help identify Phishing emails, as well as warn users of links to hazardous sites,” Sherry said.

“Be cautious of any email you receive from your bank, especially if it asks you for a password. Call your bank if you do receive an email to confirm they sent the email, and if they did not, report this email to the bank as a Phishing scam.”

Passwords are another concern, and they’re also the most problematic security feature around. Machines can crack passwords faster than a typical person can think them up, and even then a machine can crack most creative passwords in a matter of days or weeks. When money is involved, criminals will take their time. The best defense here, Sherry noted, is to keep the passwords used for financial accounts private, and to not reuse them for other services.

[Social engineering: Study finds Americans willingly open mailicious emails]

“Keeping your password to yourself is the best security measure you as a bank customer can take. While having a long password and regularly changing it are always suggested, no amount of characters in a password will help if it is given away in a Phishing scam,” he said.

“Also look for banks that have multi-factor authentication capabilities such as tokens to reduce the risk of your username and password being compromised and providing the keys to the financial kingdom.”

Further, you should enable and actively monitor all of the various alerts offered by their financial institution. Most mobile banking and Web-based apps offer alerts via email and text message, covering failed logins, transaction types, such as ACH, wire transfers, and triggered limits, such as when a transfer or purchase is over a set amount.

Such alerts allow you to “catch fraudulent and malicious activity against your banking accounts and credit card companies in real time.”

“This speeds the process of reconciliation much quicker than waiting to see if youve been compromised at the end of the month when your bank or credit card statement is received.”

Finally, it’s critical that consumers keep their systems patched with the latest operating system updates, as well as keep all of their third-party software updated, such as browsers, PDF readers, video players, etc. This helps to prevent financial-based malware from being installed via software exploits that target unpatched systems.