Bank Attacks: What Have We Learned?

How to Prepare for Next Wave of DDoS Strikes

By , October 15, 2012.

In the wake of eight sophisticated distributed denial of service attacks aimed at leading U.S. banks in recent weeks, financial institutions are bracing for more.


The hacktivist group Izz ad-Din al-Qassam, which took credit for the online outages, said it planned to spend the weekend of Oct. 13-14 planning its next wave of attacks. And if the trend continues, those attacks could come as soon as Oct. 16, because the previous waves both started on Tuesdays.

So, what lessons have the industry learned from these incidents? First and foremost, it's clear banking institutions have to take these threats seriously, says Bill Wansley, a fraud expert at financial-services consultancy Booz Allen Hamilton.

The advance warnings the hacktivists provided indicate they "have a certain level of confidence that they can make these claims and successfully pull the attacks off," he says.

Through posts on Pastebin, the hacktivists gave banks at least 24 hours advance warning.

That also means that when a site goes down, the targeted institution can't really deny it was hit, Wansley adds.

And even if they have yet to be attacked, all banking institutions should reach out to customers now to explain how these highly publicized DDoS attacks work and to spell out the steps they are taking to protect accounts, says Gregory Nowak of the Information Security Forum.

"Failure to communicate makes the banks look bad," he says.

Communication is Key

In the wake of the eight attacks, which were far more sophisticated than most previous DDoS attacks, it's time for banks and credit unions to review their defensive strategies, enhance their anomaly detection and get response plans in place, experts say. Banks also need to be aware that the attacks could be precursors to fraud on other channels, they note.

Financial institutions also can learn lessons from how the affected banks handled communication. All the banks acknowledged their online-banking sites suffered intermittent outages. But only two, Capital One and PNC, went so far as to say the outages were linked to DDoS attacks.

In the days following the attack, CapOne posted a note on its site Oct. 9 about the outage, saying the online-banking site was suffering from intermittent outages related to high volumes of traffic. "Other banks have experienced similar issues in recent weeks due to targeted efforts designed to flood online systems, also known as a Distributed Denial of Service attack," CapOne said. "We want to thank you for your patience and assure you that your customer and account information was not exposed. We are working with federal law enforcement and other authorities to investigate these attacks and further enhance defenses against these types of events."

PNC, which has been the most forthcoming about the reasons for its online outages, posted a notice on its website detailing the takedown.

"Beginning at 6:45 a.m. on Sept. 27, 2012, PNC's Internet connection experienced sustained attacks that flooded our Web sites with an extremely high volume of electronic traffic from thousands of locations around the world," the notice states. "This flood of traffic, commonly known as a distributed denial of service (DDoS) attack, was intended to crowd out legitimate customers at PNC's Web sites, preventing them from accessing online banking and other Internet-based services. ... The attack had been pre-announced by an extremist group calling itself Izz ad-din Al qassam, and PNC was in contact with regulators, federal law enforcement officials and Internet security experts from the beginning."

The notice goes on to say the attack continued for 31 hours and did not end until the afternoon of Sept. 28.

PNC's approach to communications provides an example that others should follow, Nowak says.

"Banks can use the website to include links to talk about security and explain the attacks," he says.

Attacks Are Sophisticated

The first wave of DDoS attacks started Sept. 18. The targets included Bank of America, Chase Bank, Wells Fargo, PNC Bank and U.S. Bancorp.

Follow Tracy Kitten on Twitter: @FraudBlogger
