Hackers Attack Community Bank

Do you think your customer accounts are safe? Do you think hackers only attack computer systems? Do you believe your institution is too small to be of interest to international criminals? Well, you may need to think again.

Last weekend, the Platte Valley State Bank, Kearney, Nebraska, a community bank with $364 million in assets, discovered that Malaysian hackers had managed to figure out debit card numbers for some of their customers. The criminals' methods were decidedly low tech, not much more sophisticated than picking numbers out of the air. [We're omitting details to avoid providing a "how-to".] The hackers then tested the validity of numbers by initiating small ($13.99) transactions to see which ones would fly. Fortunately, the bank's installed fraud detection and prevention measures allowed it to quickly spot the bogus charges and institute measures to keep customer accounts from being negatively affected. The unauthorized charges were reversed in speedy fashion, customers were contacted, and arrangements were made to issue debit cards with new numbers. The bank's president was quoted as saying "Platte Valley also has implemented additional fraud prevention processes and technology features to lessen this type of fraud exposure and help prevent it from re-occurring in the future."

Let's say, however, that this had been a sophisticated attack, an actual hack into a financial institution's customer information (unlike the situation in this case). What should financial institutions do to prepare for -- and avoid -- an actual network hack?

In the cyberworld, 24/7 vigilance is necessary. If your institution is currently monitoring your systems for possible intrusions only during business hours Monday through Friday, you need to rethink that system. Hackers don't observe normal business hours.
In the aftermath of a successful hack, even one where the apparent dollar amounts are relatively small, you will incur costs and you should consider procuring cyber-insurance to help you cover such unexpected expenses. Those expenses may include overtime for employees, hiring computer forensic experts, issuing new checks and account numbers in some other instances, paying for public relations assistance, and mailing letters.
A SAR must also be filed when there is a computer intrusion.
The Interagency Guidelines for Safeguarding Customer Information (the InfoSec Guidelines) include in suggested security measures a critical incident response plan. Do you have one? Does it provide a roadmap for action to take in the event you suffer a similar incident?
Experts say that failure to apply necessary security patches in a timely manner and using hardware/software in a "plug-and-play" state, without changing the default settings, can contribute to vulnerability. Make sure you are on top of patches and have configured your firewall(s) and other systems correctly.
Realize that once you communicate the hacking information to customers, it's only a matter of time before the story appears in the media. Be prepared for media inquiries. Consider taking a proactive approach and having a press release prepared so that you can put forward the most reassuring, positive message possible.

Review the offerings of the advertisers and sponsors on BankersOnline who offer products and services that can help make your network more secure or can help with fraud detection and prevention.

Articles