FDIC rep says agency becoming nervous about false, malicious posts

Just as banks use social media, FDIC tweets and posts and friends as well, but lately an agency official voiced concerns over new risks that such communications could pose to the deposit insurance fund.

In particular, said Meg Hanrahan, senior examination specialist/Emerging Issues, at the ABA Risk Management Conference, individuals or groups could maliciously post false or vicious statements, reviews, or other comments on Facebook or other such media about the agency, its fund, or a given financial institution. Conceivably-though it has not happened yet-concerns could go viral and cause depositor panic.

"We realize that between Twitter and Facebook and all the blogs out there there's a high risk that if someone puts something [false] out there it could cause a run at a bank or cause some other issue. For us, our real concern is our deposit insurance fund. If someone sends out a tweet, or posts something on Facebook, how can that affect us?"

She cited a recent case where someone hacked the Associate Press Twitter feed with a false story that the White House was under attack. "The market dropped a huge amount in six seconds. Hopefully that couldn't happen to our fund. But, I mean, if there's all of a sudden a run because somebody put something out there, we need to know about it," she says.

Likewise, Hanrahan says, banks are becoming aware of such dangers. "You don't want someone sending out some feed about your bank and starting a problem," she says. "People can get to panic about their money, so this is something that we are watching, and banks are starting to watch too."

As an example of FDIC's growing concern in this area, in early May, the FDIC's Dallas Regional Office posted a presentation on its website about identifying and mitigating cyber fraud. Part of that presentation covered the use of social media to perform a denial of service attack through social media, including the organization of a flash mob.

The presentation included these "best practices":

• Assess your organization's risk for a denial of service (DoS). If your organization relies heavily on web-based services consider the potential impact to your operations if hit by a DoS and develop an appropriate mitigation plan.

• Develop a checklist of actions to take in the event of a DoS and have contact information for your internet service provider and your web hosting providers readily available. If you use a web host for your services, be familiar with their DoS mitigation policies and plans.

• Be familiar with the services your ISP might offer to mitigate a DoS, such as temporarily increasing your bandwidth, switching your IP address, and blocking attacking IP addresses.

• Understand your normal amounts of daily network traffic as well as the performance of your system. Many DoS attacks may not bring the site down but can significantly reduce service. Properly configured performance monitoring can be a major help in detecting an attack early.

Separate or compartmentalize critical services:

Separate public and private services.

Separate intranet, extranet, and internet services.

Create single purpose servers for each service such as HTTP, FTP, and DNS.

• Review US-CERT cyber security tip "Understanding Distributed-Denial-of-Service Attacks".

Back at ABA's Risk Management Conference, Hanrahan summarizes this issue: "It's definitely a new thing we're all getting nervous about."