Worries about cyberattacks backed by nation-states are on the rise, and have been for some time. And U.S. banks are prime targets.
It's not just monetary gain these hackers are after, either. It's intellectual capital.
Cyberattacks offer nation-states the ability to attack others with plausible deniability that is not easily achieved in the physical world.
The website glitches and outages that affected Bank of America and Chase last week are rumored to be just that sort of attack. In fact, financial fraud sources say both banks were hit with denial-of-service attacks likely backed by Iran.
Experts say banks better brace themselves, and they're right. With the U.S. election approaching, institutions can count on more DDoS attacks sponsored by nation-states.
An NBC news report supports the Iranian connection, too. One security expert tells NBC that claims made by the hacktivist group known as Izz ad-din Al qassam, which took credit for the BofA site takedown, were just a cover-up.
The group said it targeted BofA because of displeasure over an American film perceived to be anti-Islam (see High Risk: What Alert Means to Banks).
The hits that targeted BofA and Chase have gotten the industry's attention. The outages prompted the Financial Services Information Sharing and Analysis Center's last week to increase the U.S. banking industry's cyberthreat level from "elevated" to "high."
Doug Johnson, vice president of risk management policy for the American Bankers Association and a member of FS-ISAC, told me banks of all sizes should prepare now for increasing attacks. "They could be subject to a threat," he says.
Experts have been predicting a rise in nation-state attacks since early this year. Back in February, Bill Wansley of Booz Allen Hamilton, for example, told me that hacks backed by nation-states would pose increasing threats.
And Wansley's predictions were not isolated. Roel Schouwenberg of Kaspersky Lab, which in mid-July discovered the cyberespionage toolkit Gauss, told me basically the same thing: that nation-states will increasingly use malware for cyberespionage and cybersurveillance aimed at banks. The goal: To steal online banking credentials and other sensitive information.
When it comes to the BofA and Chase attacks, the Iranian connection makes sense. "Cyberattacks offer nation-states the ability to attack others with plausible deniability that is not easily achieved in the physical world," says Joseph Steinberg, CEO of online-security provider Green Armor Solutions.
"The success of the Stuxnet virus and other targeted forms of cyberattack have shown hackers the value of such an approach," Steinberg adds. "I believe this is a trend that will continue."
And Shirley Inscoe, a fraud analyst at consultancy firm Aite, says the timing of the attacks around the election is key. "What better time to stage a terrorist event than in an attempt to disrupt our election process in one way or another?"
A fraud alert issued Sept. 17 by FS-ISAC, the Federal Bureau of Investigation and the Internet Crime Complaint Center, suggests 17 steps institutions should take to mitigate risks posed by cyberthreats (see Alert: Banks at High Risk of Attack).
Among those steps:
- Educate employees about phishing e-mails and suspicious attachments;
- Monitor site traffic spikes, which could indicate a DDoS attack;
- Limit employees' ability to remotely access internal networks and work-related e-mails from personal devices.
On June 28, the FS-ISAC issued a separate threat update for its members that specifically addresses DDoS and hacktivism concerns.
"Traditional preventive measures, such as bandwidth over-provisioning, firewalls and intrusion prevention systems, continue to provide some protection. However, traditional measures are ineffective against today's DDoS attacks," the FS-ISAC says, calling for the use of layered defenses.
And what should institutions tell customers who express concern about the potential for their accounts being hacked by nation-states?
Banks and credit unions should ensure that their tellers and other branch personnel are well-educated about all the security steps the organization is taking and can communicate that information clearly to customers.
Banks are going to be targeted by hackers. The more they do now to communicate their security steps to customers and prepare breach response strategies, the better off they will be.