Take On Payments, a blog sponsored by the Retail Payments Risk Forum of the Federal Reserve Bank of Atlanta, is intended to foster dialogue on emerging risks in retail payment systems and enhance collaborative efforts to improve risk detection and mitigation. We encourage your active participation in Take on Payments and look forward to collaborating with you.
July 22, 2019
Ransomware Attacks Continue
Ransomware attacks have only continued since I addressed the problem in a recent post, and they've continued to target municipal and state agencies. Riviera Beach (May) and Lake City (June), both in Florida, were successfully attacked. Lake City paid a bitcoin ransom of approximately $470,000 while Riviera Beach paid about $600,000, also in bitcoin. These attacks took place soon after the one in Jackson County, Georgia, whose government paid $400,000 for decryption keys. While law enforcement officials recommend that victims not pay ransom for fear that doing so encourages the criminals to continue their attacks, the affected agencies often view paying the ransom as a cost-effective way to restore operations as soon as possible. Moreover, Lake City and Riviera Beach were both insured against such attacks, with a $10,000 and a $25,000 deductible, respectively. It appears that in all three of these instances, when they got their ransom, the criminals supplied the necessary data that allowed officials to regain control of the systems.
So how can governments, schools, hospitals and doctors' offices, financial services, and consumers best protect their systems from these nefarious attacks? It's not easy—criminals are constantly developing new malware to get into systems. However, here are some critical guidelines from IT security professionals that can help us all avoid or minimize the impact of a ransomware attack.
- Perform data backups at least daily, and keep at least one backup copy offsite or on portable storage devices not connected to the network.
- Avoid using end-of-life operating systems and software that cannot be updated to address known vulnerabilities.
- Install software updates and security patches as soon as possible, and follow established change control guidelines.
- Evaluate segmenting your network into separate zones to minimize the spread of a ransomware infection.
- Train and test employees regularly about how criminals use phishing attacks to load malware onto computers that can then compromise system access credentials.
- Require employees to use strong passwords.
- The IT security community is divided about how frequently passwords should be changed, but do so at least every six months.
- Maintain comprehensive access controls so that only the employees who require access to individual systems have such rights, especially regarding remote access.
- Use reliable security software and, as the second bulleted item recommends, keep it updated. Evaluate adding special trusted anti-ransomware tools, some of which are free.
- Evaluate your cybersecurity insurance policy in terms of its ransomware coverage.
In addition, every agency and organization should develop a ransomware response plan that can be implemented as soon as an attack has been detected. While the immediate focus should be on minimizing the impact of the attack, elements for business continuity, law enforcement notification, and media communications must also be part of the plan.
We hope you won't be a victim, but simply keeping your fingers crossed isn't an effective plan.
By David Lott, a payments risk expert in the Retail Payments Risk Forum at the Atlanta Fed