Attacks Put Banks on Alert
Understanding Motives Behind DDoS Attacks
The series of online attacks against major banks that unfolded over the last two weeks has proven to be a catalyst for heightened industry cooperation and information sharing (see More U.S. Banks Report Online Woes).
One security and fraud executive at a $4 billion banking institution, who asked not to be named, says collaboration among banking institutions, online-banking platform providers, other vendors, industry associations and the government has been stronger than ever. "There definitely seems to be more of a community effort for the first time here to address this issue. And now we are seeing a real-life situation where we've had to pull together and be prepared," the executive says.
Doug Johnson, vice president of risk management policy for the American Bankers Association and a member of the Financial Services Information Sharing and Analysis Center, says working with the government to prepare for emerging cyberthreats is an increasing priority.
"Through the ISAC we have a deep information-sharing relationship with DHS [the Department of Homeland Security] that transcends any specific event," he says.
That collaboration and information sharing also is getting global attention, says Neira Jones, a financial and cyberfraud expert who oversees payments security for Barclays.
In the U.S., "the environment is more open to communicating about attacks," she says (see EU Banks Not Prepared for Attacks).
Alerts and warnings issued last week by the Federal Bureau of Investigation and the FS-ISAC prove how much communication is improving, says Bill Wansley, a financial fraud and security consultant at Booz Allen Hamilton.
"There was an early warning that there were attacks aimed at these institutions," and that gave the industry time to prepare, Wansley says.
The bank executive who asked not to be named confirms those early warnings are benefitting the entire industry. "I do get notification from those entities and from the vendors to stay abreast of the threats," the executive says. "That has allowed us to address the threats. We're in the middle of it right now, so we are just focused on being prepared."
Lack of Consumer Outreach?
But Greg Nowak of the Information Security Forum contends the affected banks have not done enough to communicate with consumers about what is actually causing the outages (see Banks Under Attack: PR Missteps).
"The banks that have been affected are missing a great opportunity to communicate and educate their users," Nowak says. "I've tried visiting the sites, and there's nothing on any of the bank sites that says, 'Here's what's going on; here's how you can understand it. Your information is safe.'"
Third-party sites have tracked the attacks and outages well, but the institutions themselves have been too quiet, he adds.
"They seem to be regarding it as a secret," Nowak says. "They say, 'Some people have access issues.' Well, people know they have access issues. [The banks] should be taking the opportunity to explain to their customers the difference between a denial of service attack and some sort of hacking attack that actually puts information at risk."
A Political Motive
So far, the online outages, apparently caused by denial-of-service attacks, have hit Bank of America, Chase, Wells Fargo, U.S. Bank and PNC.
Security experts say all five site takedowns are linked, and most likely were caused by the self-proclaimed hacktivist group known as Izz ad-Din al-Qassam Cyber Fighters.
Izz ad-Din al-Qassam says it targeted BofA and the others for political reasons - over displeasure with an American film perceived to be anti-Islam (see High Risk: What Alert Means to Banks).
All five institutions that experienced outages have confirmed that no sensitive financial information or personally identifiable information about customers was exposed. Observers say that's because these attacks were motivated by politics, not fraud.
A sixth institution, KeyBank, told BankInfoSecurity on Sept. 27 it, too, had experienced site hiccups and slowdowns, but never a complete outage. "Our sites and systems are not out," says KeyBank spokeswoman Lynne Woodman. "What we are experiencing is a slowdown in online access channels. This is a matter of access, not of failure, outage or compromise."
KeyBank was not among the institutions directly mentioned by Izz ad-Din al-Qassam as a target for attack, though some news reports have put KeyBank's site issues in the same category as those suffered by BofA, Chase, Wells Fargo, U.S. Bank and PNC.
On Sept. 27, a day after its online-banking and corporate website took a hit, U.S. Bancorp confirmed its outages were linked to a DDoS attack. The bank continues to monitor site traffic and outages, and it's prepared to take any precautions necessary, says spokeswoman Nicole Garrison-Sprenger.
"The attacks caused intermittent delays for some consumers visiting our website, but we can assure customers that their data and funds are secure," Garrison-Sprenger says. "These issues are related to unusual and coordinated high-traffic volume designed to slow down the system - similar to what other banks have experienced in the past week. We are working closely with federal law enforcement officials to address the issue."
The other banks - Bank of America, Chase, Wells Fargo and now PNC - have been less forthcoming with details, although PNC spokesman Frederick Solomon did say the intermittent interruptions affecting the bank's site were related to "a high volume of activity at its Internet connection." The bank also says it took additional security precautions, based on threats made earlier to take the site down.
FS-ISAC and others are warning of continued attacks against banks. But most attacks, especially those against smaller institutions, will be waged by different groups and for different reasons, says Jay McLaughlin, chief security officer and senior vice president of data center operations for online-banking platform provider Q2ebanking.
For smaller institutions, DDoS attacks are more likely to be motivated by the intent to commit fraud, rather than making a political statement, McLaughlin says.
If a DDoS attack is detected against a smaller institution, it's likely that fraud connected to an incident of account takeover is going on in the background, he says. As a result, it's critical that institutions not be distracted by those attacks; they need to look behind the scenes.
The FBI and the FS-ISAC also made that point in the alert they issued Sept. 17.
"In some of the incidents, before and after unauthorized transactions occurred, the bank or credit union suffered a distributed denial of service (DDoS) attack against their public Web site(s) and/or Internet Banking URL," the alert stated. "The DDoS attacks were likely used as a distraction for bank personnel to prevent them from immediately identifying a fraudulent transaction, which in most cases is necessary to stop the wire transfer."
DDoS attacks are the second half of the equation, McLaughlin says. "The DDoS piece is only useful if the funds can be successfully moved."
By preventing fraud, McLaughlin says, institutions mitigate their risk of being hit with a DDoS attack. Security controls built into the online platform, such as out-of-band authentication and dual-transaction approval, should be basic measures all institutions implement, he says.
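The "look behind the scenes" advice above (and the FBI/FS-ISAC point that the DDoS is timed around the fraudulent wire) can be turned into a simple correlation check: hold any outbound wire requested during or shortly around a DDoS window for manual review unless it already carries the compensating controls McLaughlin names. The following is an added example, not code from the article or from any bank or vendor it mentions; the DDoS window, the wire log format and the field names (`approvals`, `oob`, `dest`) are constructed for illustration and would need to be mapped onto a real platform's audit log.

```python
from datetime import datetime, timedelta

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample data (not from the article): one DDoS window reported by
# the web team against the public site, and the day's outbound wire requests
# from the online-banking platform's audit log.
DDOS_WINDOWS = [
    ("2012-09-26 09:15:00", "2012-09-26 11:40:00"),
]

WIRE_LOG = """\
2012-09-26 08:02:11 wire id=W1001 acct=ACME-4412 amount=12500.00 approvals=2 oob=yes dest=KNOWN
2012-09-26 09:31:47 wire id=W1002 acct=ACME-4412 amount=184000.00 approvals=1 oob=no dest=NEW
2012-09-26 10:05:03 wire id=W1003 acct=BLUE-7730 amount=9200.00 approvals=2 oob=yes dest=KNOWN
2012-09-26 11:12:58 wire id=W1004 acct=RIVER-0219 amount=97500.00 approvals=2 oob=no dest=NEW
2012-09-26 13:45:20 wire id=W1005 acct=RIVER-0219 amount=4300.00 approvals=1 oob=yes dest=KNOWN
"""


def parse_wire_line(line):
    """Parse one constructed audit line into a dict with typed fields."""
    parts = line.split()
    ts = datetime.strptime(parts[0] + " " + parts[1], FMT)
    kv = dict(p.split("=", 1) for p in parts[3:])
    return {
        "ts": ts,
        "id": kv["id"],
        "acct": kv["acct"],
        "amount": float(kv["amount"]),
        "approvals": int(kv["approvals"]),   # number of distinct approvers
        "oob": kv["oob"] == "yes",           # out-of-band confirmation done?
        "dest": kv["dest"],                  # KNOWN or NEW beneficiary
    }


def parse_wire_log(text):
    return [parse_wire_line(l) for l in text.splitlines() if l.strip()]


def in_ddos_window(ts, windows, pad_minutes=30):
    """True if ts falls inside any DDoS window, padded on both sides, because the
    alert says the wires occurred both before and after the attack itself."""
    pad = timedelta(minutes=pad_minutes)
    for start, end in windows:
        s = datetime.strptime(start, FMT) - pad
        e = datetime.strptime(end, FMT) + pad
        if s <= ts <= e:
            return True
    return False


def held_for_review(windows, transfers, pad_minutes=30):
    """Return (wire id, reasons) for wires overlapping a DDoS window that lack
    the compensating controls; wires with dual approval, out-of-band
    confirmation and a known beneficiary pass through untouched."""
    held = []
    for t in transfers:
        if not in_ddos_window(t["ts"], windows, pad_minutes):
            continue
        reasons = []
        if t["approvals"] < 2:
            reasons.append("no dual approval")
        if not t["oob"]:
            reasons.append("no out-of-band confirmation")
        if t["dest"] == "NEW":
            reasons.append("first-time beneficiary")
        if reasons:
            held.append((t["id"], reasons))
    return held


def amount_held(windows, transfers, pad_minutes=30):
    """Total value of wires parked for review, for the fraud team's dashboard."""
    ids = {wid for wid, _ in held_for_review(windows, transfers, pad_minutes)}
    return sum(t["amount"] for t in transfers if t["id"] in ids)


if __name__ == "__main__":
    wires = parse_wire_log(WIRE_LOG)
    for wid, why in held_for_review(DDOS_WINDOWS, wires):
        print(f"HOLD {wid}: {', '.join(why)}")
    print(f"total held: {amount_held(DDOS_WINDOWS, wires):.2f}")
```

Run against the constructed log, W1002 and W1004 are held (both fall inside the padded window and each is missing at least one control), while W1003 passes despite being mid-attack because it had two approvers, an out-of-band confirmation and a known beneficiary. The padding is the tunable part: the alert describes wires before and after the DDoS, so a window that only covers the outage itself would miss the front-running transfer.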