ATM Outage: More Hype Than Hack?

Institutions Reject Claims that Malware Shut Down ATMs, Sites
ATM Outage: More Hype Than Hack?
The ATM and online banking outage that allegedly struck several of the nation's top financial institutions, including Bank of America, Chase, U.S. Bank, Wells Fargo, Compass, USAA, SunTrust, Chase, Fairwinds Credit Union, American Express, BB&T on the East Coast and PNC, over the weekend of Nov. 6, may have been more hype than reality.

Tara Burke, a spokeswoman for BofA, the country's largest bank, with $2.36 trillion in assets, says none of the bank's systems were affected by malware, as was suggested as a possible reason for the outage, and that only "very minor systems issues" adversely affected deposits and withdrawals for a few customers.

Charlie Lai, chief information officer of Fairwinds Credit Union, a $1.5 billion institution serving central Florida, calls reports of the massive ATM and online outage "ridiculous." "Nothing happened here," he says. "This is complete fiction, and I'm trying to figure out where it started."

'A Non-Issue'

Reports hit the blogosphere last week about a widespread ATM and online banking site outage that hit several financial institutions simultaneously over the first weekend in November. Ultimately, the blogs alleged that banks were blaming the outage on a computer glitch related to the time-zone change. "That's what was interesting to me -- to say the outage revolved around daylight saving time," Lai says. "Daylight saving time comes twice a year and it's a non-issue."

Chase, which saw its online banking site go down for three days in September, declined to comment.

Nicole Sturgill, a research director for TowerGroup who focuses the ATM channel, says reports about the outage struck her skepticism. "Why has this not raised more red flags?" she says. "Considering how fast the Chase outage got there last time, this makes me a bit suspicious. ... What concerns me is that we are we making a story about regular stuff -- there are always some ATMs that are down, and weekends are when banks are doing online-banking upgrades. Was it all of the institutions' locations that were down, or was it just in some locations? These are things we just don't know."

Thought-Provoking Discussions?

The story did have some merit, as some ATMs and online accounts were affected. BofA's Burke confirms that ATMs and online banking accounts were impacted by a "system's glitch," but it had nothing to do with the time zone change. "It was a very limited issue that actually happened on Saturday," she says. The glitch, though, was somewhat widespread, in that it was not limited to a specific geographic region, Burke says. "It was all over, but it was resolved very quickly."

Despite that the outage was not quite so massive, it did fuel discussions among the industry's security gurus, as they speculated about what could have caused siloed channels across disparate institutions' networks to go down.

Julie McNelley, a senior analyst at Aite Group LLC who covers banking and payments fraud, speculated that the outage could have been blamed on a malware attack. "It has all the hallmarks of that, based on the geographic spread of it, the targeted systems and the banks in question."

As most financial institutions rely on third parties for some outsourced management of their ATM and online-banking channels, the notion that a vendor could have been impacted did not seem so far-fetched. "One of the commonalities with both online and ATM is that a lot of it is outsourced to a handful of vendors, and that could explain why an attack may have been successful on this scale," McNelley said. "If it was some sort of malware or hacking attack, they could have been targeting the systems of a few vendors."

Fairwind's Lai, who says he was quick to check operational data and ATM logs after reading about the alleged outage in a Google search, says he did confirm with Elan Financial Services, which runs Fairwind's 55 ATMs in central Florida, that nothing had been impacted at the vendor level. "Besides," he says, "it would not explain the online glitch they claimed. Elan has nothing to do with our online channel."

Elan could not be reached for comment. First Data Corp., the country's largest transaction processor and owner of the STAR ATM and debit network, declined to comment.

Connecting the ATM and online channels to a single outage was difficult for most, which made reports of impacts to these two siloed channels interesting.

Gary Faulkner, an executive vice president with Dallas-based Morphis Inc., which supplies currency supply-chain-management software, said simply: "In my mind, Web banking and ATM banking are no way dependent on each other; therefore, the spontaneous and simultaneous failure of both seems odd, at best, and sinister, at worst."

Andy Greenawalt, the CEO and founder of Continuity Control, a New Haven, Conn.-based provider of Web-based software for financial institutions, speculated that the outage could have related to transaction switching at the processor level. "We kept coming back to the switching systems that connect the ATMs and online," he said. "It could have been a failed transaction. That's the only common ground that really exists."

In fact, Greenawalt said, "There is more commonality than there ever has been," when it comes to transactions. "The interesting thing about this is the extent of it, and what it says about some of the (system) codependency that had not been forecasted," he added.

Lessons Learned:

  • Due diligence of third-party systems: Institutions should understand and know how the third-party vendors they work with for transaction processing, check-image storage, etc., protect information, McNelley says. "This could have been a very targeted attack, where some malware or hackers found some vulnerability in a few specific areas," she says;
  • Malware: Institutions should know the measures third-parties are taking to protect them from malware," Greenawalt says. "With any of these systems that are not widely known, they have vulnerabilities; but no one really knows a lot about it or does a lot of testing," he says. "If someone did have inside knowledge and inside access, it's possible they could launch an attack, even if it's on fringe of being likely"; and
  • The switch: Institutions should understand codependencies that exist at the switch level, among and between channels and transactions.

About the Author

Tracy Kitten

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing bankinfosecurity.co.uk, you agree to our use of cookies.