Cyber attacks against U.S. financial institutions are nothing new. In 2012,
however, cyber criminals claiming to be politically motivated conducted several
well-publicized, large-scale attacks on national banks. Two credit unions were
recent victims of the attacks. Defense Secretary Leon Panetta said the scale
and speed of these attacks was unprecedented.
The attacks disrupted online service at the impacted
financial institutions. Other criminal groups launched similar attacks which
served as smoke screens for attacks on customer accounts that diverted funds to
accounts held by criminals at other institutions.
Here are six steps credit unions can take to prepare for a
1. Don’t underestimate the threat of cyber attacks.
It’s true that most credit unions don’t face the same risk
as national banks from attacks by high-profile cyber criminal groups. But the
first thing to understand about cyber attacks is that we can’t predict the next
type of attack to come along. We simply don’t know whether it will come from an
established criminal organization or from a single perpetrator with an axe to
grind. Don’t bet on behalf of your members that your credit union isn’t big
enough to be a target.
2. Mitigate the risk of service interruptions caused by
"distributed denial of services” (DDoS).
What is a ‘distributed denial of services’ (DDoS)? In the
world of internet banking, DDoS generally refers to an attempt to disrupt or
suspend online service by saturating the targeted institution’s network with
external communication requests to overload its server.
Legitimate users either
can’t logon, or can’t use any services because the system is responding so
You may not be able to prevent DDoS attacks, but you can
establish a process to identify them. For example, you can monitor bandwidth
usage, use firewall logs to determine what is being attacked, and use an
intrusion detection system to identify the type of traffic.
3. Perform due diligence on third-party service providers.
Ensure that third parties such as internet service providers
and web-hosting vendors address website problems caused by DDoS attacks.
Confirm that the providers have a contingency plan for these types of attacks.
4. Be prepared to provide timely and accurate information to
Have you ever run a drill at your credit union to simulate
how you would communicate to members that your website has been disabled or
compromised? Have a plan in place to get the word out. The faster you do so,
the better you can control the message and counter any rumors or misconceptions
about what’s going on.
Prepare your staff to monitor social media and search engine
results to find out what’s being said in cyberspace about any interruption to
your online services. You may need extra staff or third-party assistance to
work the phones and to contact local media, if necessary, to be sure the
correct information reaches your members as quickly as possible.
5. Check transfers initiated via online banking when an
When a DDoS attack occurs, the financial institution’s
employees may be busy answering calls
from customers who cannot access the institution’s website
as well as performing other damage
control steps. During the chaos, the institution may fail to
notice fraudulent transactions initiated
through online banking.
When a DDoS occurs, be sure to review transactions initiated
through online banking to identify
suspicious transfers. If necessary, delay executing the
transfers until you verify their legitimacy with
6. Have a strong multi-factor authentication method in place
for online banking systems.
Be sure your authentication process complies with the
Federal Financial Institution Examination
Council’s (FFIEC) updated authentication guidance issued in
The FFIEC expects all financial institutions to have a fraud
monitoring system in place to detect anomalies related to:
1. the initial login and authentication of members
requesting access to the online banking
initiating fund transfers to other parties.
Ken Otsuka is a Risk Management Senior Consultant at CUNA
Mutual Group. For more
information about protecting your credit union from cyber
crime and other risks, contact us at