As detailed in press reports over the past several months, sophisticated hackers have used trusted interbank messaging systems to initiate fraudulent transactions, resulting in the theft of tens of millions of dollars. Using stolen credentials, the hackers accessed secure messaging systems to initiate fraudulent transfers after hours, making the transfers appear to come from legitimate users and therefore harder to identify. In response, the Federal Financial Institutions Examination Council (FFIEC) issued a statement warning financial institutions to actively manage the risks associated with interbank messaging and payment system networks. While focused on financial institutions' regulatory responsibilities, the FFIEC's advice is relevant to any organization that relies on trusted third-party messaging or access systems, or that allows trusted third parties to access its own systems.
The FFIEC's statement does not create any new regulatory requirements for financial institutions; it was issued to draw specific attention to the risks of using trusted client (or vendor) systems. Drawing on the messaging system attacks, the FFIEC points out that the attackers were able to:
- Bypass security controls to compromise other systems;
- Obtain and use valid credentials to gain access to trusted accounts;
- Use visibility from the system to gain an understanding of an organization's operations and use that knowledge for fraudulent purposes;
- Use malware to disable security controls and logging to delay detection; and
- Transfer stolen funds or information quickly and across multiple jurisdictions to avoid detection.
FFIEC’s statement offers several suggestions for how financial institutions can mitigate risks posed by interbank messaging systems and payment networks and comply with their regulatory obligations. Financial institutions should:
- Conduct ongoing information security risk assessments that consider new and evolving threat intelligence and adjust their authentication, layered security, and other controls accordingly;
- Perform security monitoring, prevention, and risk mitigation by establishing a baseline environment to detect anomalous behavior and by keeping intrusion detection, antivirus, and firewall rules up to date;
- Protect against unauthorized access by limiting privileged credentials and periodically reviewing access rights and authentication rules;
- Implement and test controls around critical systems regularly;
- Manage business continuity risks and plans to ensure the business can recover quickly and maintain operations;
- Enhance information security awareness and training programs; and
- Participate in information sharing forums to identify new cybersecurity threats and incidents.
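The "baseline environment to detect anomalous behavior" recommendation, applied to the after-hours transfers described above, as an added example that is not part of the FFIEC statement: each operator's historical transfers define the hours, destination jurisdictions and amounts that are normal for that account, and new transfers that fall outside that profile (or come from an account with no history at all) are flagged for analyst review. The log records, operator names and country codes are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records (not real data): (ISO timestamp, operator, destination country, amount in USD)
BASELINE_LOG = [
    ("2016-05-02T09:15:00", "ops.alice", "US", 12000.0),
    ("2016-05-02T11:40:00", "ops.alice", "GB", 25000.0),
    ("2016-05-03T14:05:00", "ops.alice", "US", 18000.0),
    ("2016-05-04T16:20:00", "ops.alice", "GB", 30000.0),
    ("2016-05-05T10:00:00", "ops.alice", "US", 22000.0),
    ("2016-05-02T10:30:00", "ops.bob", "DE", 8000.0),
    ("2016-05-03T15:45:00", "ops.bob", "DE", 9500.0),
]
NEW_EVENTS = [
    ("2016-05-09T10:30:00", "ops.alice", "GB", 20000.0),    # consistent with alice's history
    ("2016-05-10T02:13:00", "ops.alice", "XX", 900000.0),   # after hours, new corridor, huge amount
    ("2016-05-10T02:20:00", "svc.newuser", "XX", 450000.0), # account with no history at all
]
AMOUNT_SIGMAS = 3.0  # flag amounts more than 3 standard deviations above the operator's mean

def build_baseline(events):
    """Per-operator profile: hours of day seen, destination countries seen, amounts sent."""
    profile = defaultdict(lambda: {"hours": set(), "countries": set(), "amounts": []})
    for ts, user, country, amount in events:
        p = profile[user]
        p["hours"].add(datetime.fromisoformat(ts).hour)
        p["countries"].add(country)
        p["amounts"].append(amount)
    return profile

def score_event(profile, event):
    """Return the reasons a transfer deviates from its operator's baseline (empty if none)."""
    ts, user, country, amount = event
    if user not in profile:
        return ["no historical baseline for this account"]
    p, reasons = profile[user], []
    if datetime.fromisoformat(ts).hour not in p["hours"]:
        reasons.append("outside the hours this operator normally transacts")
    if country not in p["countries"]:
        reasons.append("destination jurisdiction never used by this operator")
    if amount > mean(p["amounts"]) + AMOUNT_SIGMAS * pstdev(p["amounts"]):
        reasons.append("amount far above this operator's usual range")
    return reasons

def flag_anomalies(profile, events):
    """Events that deviate from baseline, as (operator, timestamp, reasons) for analyst review."""
    flagged = []
    for event in events:
        reasons = score_event(profile, event)
        if reasons:
            flagged.append((event[1], event[0], reasons))
    return flagged
```

Run as `flag_anomalies(build_baseline(BASELINE_LOG), NEW_EVENTS)`; the thresholds and the choice of profile dimensions should be tuned to the institution's own traffic.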
Again, while the FFIEC's statement and recommendations focus on the risks of financial institutions' use of interbank messaging and payment networks, non-financial organizations should consider this guidance as well. For non-financial institutions, vendor or client portals, or third-party access to internal systems, could create risks similar to those the FFIEC found with the interbank messaging system. Organizations should incorporate the above recommendations into their risk management processes.