The Fraud Blog with Tracy Kitten

Why Banks Can Expect More Attacks

Layers of Security, Hack Response Plans Are Necessities

Worries about cyberattacks backed by nation-states are on the rise, and have been for some time. And U.S. banks are prime targets.

It's not just monetary gain these hackers are after, either. It's intellectual capital.

The website glitches and outages that affected Bank of America and Chase last week are rumored to be just that sort of attack. In fact, financial fraud sources say both banks were hit with denial-of-service attacks likely backed by Iran.

Experts say banks better brace themselves, and they're right. With the U.S. election approaching, institutions can count on more DDoS attacks sponsored by nation-states.

An NBC news report supports the Iranian connection, too. One security expert tells NBC that claims made by the hacktivist group known as Izz ad-din Al qassam, which took credit for the BofA site takedown, were just a cover-up.

The group said it targeted BofA because of displeasure over an American film perceived to be anti-Islam (see High Risk: What Alert Means to Banks).

Attacks Expected

The hits that targeted BofA and Chase have gotten the industry's attention. The outages prompted the Financial Services Information Sharing and Analysis Center last week to increase the U.S. banking industry's cyberthreat level from "elevated" to "high."

Doug Johnson, vice president of risk management policy for the American Bankers Association and a member of FS-ISAC, told me banks of all sizes should prepare now for increasing attacks. "They could be subject to a threat," he says.

Experts have been predicting a rise in nation-state attacks since early this year. Back in February, Bill Wansley of Booz Allen Hamilton, for example, told me that hacks backed by nation-states would pose increasing threats.

And Wansley's predictions were not isolated. Roel Schouwenberg of Kaspersky Lab, which in mid-July discovered the cyberespionage toolkit Gauss, told me basically the same thing: that nation-states will increasingly use malware for cyberespionage and cybersurveillance aimed at banks. The goal: To steal online banking credentials and other sensitive information.

When it comes to the BofA and Chase attacks, the Iranian connection makes sense. "Cyberattacks offer nation-states the ability to attack others with plausible deniability that is not easily achieved in the physical world," says Joseph Steinberg, CEO of online-security provider Green Armor Solutions.

"The success of the Stuxnet virus and other targeted forms of cyberattack have shown hackers the value of such an approach," Steinberg adds. "I believe this is a trend that will continue."

And Shirley Inscoe, a fraud analyst at consultancy firm Aite, says the timing of the attacks around the election is key. "What better time to stage a terrorist event than in an attempt to disrupt our election process in one way or another?"

Mitigating Risks

A fraud alert issued Sept. 17 by FS-ISAC, the Federal Bureau of Investigation and the Internet Crime Complaint Center suggests 17 steps institutions should take to mitigate risks posed by cyberthreats (see Alert: Banks at High Risk of Attack).

Among those steps:

  • Educate employees about phishing e-mails and suspicious attachments;
  • Monitor site traffic spikes, which could indicate a DDoS attack;
  • Limit employees' ability to remotely access internal networks and work-related e-mails from personal devices.

On June 28, the FS-ISAC issued a separate threat update for its members that specifically addresses DDoS and hacktivism concerns.

"Traditional preventive measures, such as bandwidth over-provisioning, firewalls and intrusion prevention systems, continue to provide some protection. However, traditional measures are ineffective against today's DDoS attacks," the FS-ISAC says, calling for the use of layered defenses.

And what should institutions tell customers who express concern about the potential for their accounts being hacked by nation-states?

Banks and credit unions should ensure that their tellers and other branch personnel are well-educated about all the security steps the organization is taking and can communicate that information clearly to customers.

Banks are going to be targeted by hackers. The more they do now to communicate their security steps to customers and prepare breach response strategies, the better off they will be.



About the Author

Tracy Kitten

Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 20 years' experience, Kitten has covered the financial sector for the last 13 years. Before joining Information Security Media Group in 2010, where she now serves as director of global events content and executive editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.



