The Fraud Blog with Tracy Kitten

Are ATMs, Online and Switches Too Connected?

'Time Zone' Outage Proves Links May be Too Tight
I'm not big on conspiracy theories. But a few blogs that cropped up on Monday about the "massive" ATM and online banking outage that affected the country's top three banks did catch my attention.

Some posts in the blogosphere claim that the so-called "time-zone computer glitch," which knocked off ATMs and online banking sites operated by Bank of America, Chase and Wells Fargo last weekend, was really a cover for the banks' interest in limiting cash withdrawals. Referring to it as a bank-instituted holiday created to devalue the dollar, bloggers argued that top U.S. banks were conspiring to control the public's access to cash.

OK. While I find that theory entertaining, I don't buy it. The banks want the public to withdraw funds and spend money. Nevertheless, the posts grabbed my attention; not because of a suspected conspiracy, but because of the curious nature of an outage that could take down two siloed banking channels at several financial institutions. Something had to be going on here.

The banks aren't talking, but from what I've been able to piece together, it seems ATMs and online banking sites operated by BofA, Chase, Wells, Compass, USAA, SunTrust, Fairwinds Credit Union, American Express, BB&T on the East Coast and PNC all went down for several hours sometime between Saturday afternoon and Sunday morning.

I thought about this and wondered: Could it have been a Windows operating system hack or glitch, now that ATMs at those larger institutions have moved to a Windows platform? It's the only tether, albeit loose, I could come up with that connects the ATM channel to the online channel. Or was more going on here?

I've consistently read for several years now about ATM outages hitting different banks in different parts of the world. Sometimes, those outages affect numerous institutions. Oftentimes, the root of the problem lay with the processor. But this case was different -- ATMs and online bank sites. I'm stumped.

In September, the Chase Bank website went down for three days. In June, Barclays in England saw its ATMs and online banking site take hits. Chase blamed its outage on corrupt software from a third party, which affected information in Chase's systems. Barclays blamed its outage on a fault traced to a computer center.

Could the cause of this most recent ATM and online outage have been similar? Well, most security experts and analysts I've been able to reach say "no." But to be quite honest, no one really can say what did happen. On Tuesday, I spoke with Julie McNelley, a senior analyst at Aite Group LLC. She suspects malware. "It has all the hallmarks of that, based on the geographic spread of it, the targeted systems and the banks in question," she says.

Yesterday, I spoke with Andy Greenawalt, the CEO and founder of Continuity Control, a New Haven, Conn.-based provider of Web-based software for financial institutions. Greenawalt had no hands-on experience with the outage -- most of Continuity's clients are small institutions. But, like me, the outage piqued his interest, so he did some digging. Here is what he and other security experts in the field believe: The outage occurred at the switch level. And other financial institutions were likely affected, he says, they just weren't blogged about.

"When looking at it from the switching perspective, there's a lot of commonality," Greenawalt says. "There is more commonality than there ever has been," and it explains the connection between the ATMs and the online banking sites.

Aha. That makes some sense, I say.

"Transaction systems are dependent on networks," Greenawalt adds. "The interesting thing about this is the extent of it, and what it says about some of the codependency that had not been forecasted."

One transaction fails, and it leads to a cascading effect, he says, that takes down several transaction links along the chain.

Interesting.

Maybe we are too interconnected. As this outage could soon prove, one hiccup, and access to a significant number of bank accounts is shut down. Until we get to the bottom of the outage, if at all, we can only speculate. But one thing I and most of the experts I spoke with agree on is that the outage was not likely related to the time-zone change. As Greenawalt rightly put it, "We've been living through time-zone changes for a long time."



About the Author

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



