Explaining DDoS to Consumers
Banks Work to Balance Communication with Risk Mitigation

Leading institutions are increasingly taking steps to mitigate fraud risks and online banking site outages linked to distributed-denial-of-service attacks. But they are struggling to find a balance between keeping customers informed and giving attackers too much publicity, experts say.


"When the attacks are acknowledged, the hacktivists seem to thrive on that," says Bill Nelson of the Financial Services Information Sharing and Analysis Center. "It's a propaganda war going on."

But the Office of the Comptroller of the Currency has suggested banking institutions ensure incident-response strategies involve timely communication with consumers.

"As part of their contingency planning process, banks should be prepared to provide timely and accurate communication to their customers regarding Web site problems, risks to customers, precautions customers can take, and alternate delivery channels that will meet their banking needs," the regulatory alert stated.

Banking institutions' communication with customers about the attacks, however, has varied widely. And fraud expert Avivah Litan, a Gartner Research analyst, contends that some banks have not done enough to communicate with consumers.

"Banks do need to have a clear, explicit communication plan for customers that addresses concerns they will undoubtedly have," Litan says. "This is the big elephant in the room that the banks do not want to deal with. They don't want to call attention to the fact that they are undergoing DDoS attacks that they can't always prevent and withstand."

New Activity

The hacktivist group Izz ad-Din al-Qassam Cyber Fighters again this week posted an update on the open forum Pastebin, promising more attacks against U.S. banks.

On the morning of Jan. 8, the group promised more DDoS attacks in protest of a YouTube video deemed offensive to Muslims. "Perhaps more attacks make them wiser to be able to choose a simpler solution," the Pastebin post states. "Dissatisfaction of customers of the banking services is increasing, but, by contrast, the banks responsibility about the disruptions of their activities is reducing day by day."

On Jan. 1, the hacktivist group, which has taken credit for DDoS attacks that have struck U.S. banks since mid-September, bragged on Pastebin that it had successfully interrupted online service to nine leading U.S. banks since the kickoff of its second campaign in early December. The group also put other institutions on notice: "Rulers and officials of American banks must expect our massive attacks! From now on, none of the U.S. banks will be safe from our attacks."

Since the hacktivists' Jan. 1 update, BB&T, Fifth Third Bank and Ally Financial Corp. have confirmed online banking access issues related to high volumes of traffic consistent with a DDoS attack. In addition, PNC confirmed sporadic site access issues, but it did not specify the cause.

The hacktivist group took credit for December attacks against JPMorgan Chase, Bank of America, Citigroup, Wells Fargo, U.S. Bancorp, PNC Financial Services Group, BB&T Corp., SunTrust Banks and Regions Financial Corp. The group says the attacks have been waged to protest a YouTube video deemed offensive to Muslims (see 5 Banks Targeted for New DDoS Attacks).

In December, Regions and SunTrust were the only institutions named by the hacktivists for which abnormal traffic patterns could not be confirmed. And during the first campaign, which ran from mid-September to mid-October, all of the same institutions were affected, as well as HSBC Holdings and Capital One.

Banks Offer Updates

On Jan. 3, Fifth Third spokeswoman Barbara Grimsley said high volumes of traffic hit the bank's website during the early part of the week, but that online access issues were only temporary.

"This slowdown has not impacted customer accounts," Grimsley said. "This situation appears to only be isolated to 53.com and does not involve customer data. Customer account information is secure."

On Jan. 4, Ally spokeswoman Gina Proia said customers' ability to access the online bank's site had been interrupted on Jan. 3. "Ally has been the target of a cyber-attack, which has caused some customers to intermittently experience a disruption in accessing our website," she said. "We believe the attack is similar to what other financial institutions have experienced, and we have enacted defensive measures to address the issue."

The bank has not found any indications of fraud, Proia said, and the bank has encouraged customers experiencing difficulty accessing the site to contact Ally's call centers or log on to their accounts through the mobile banking application.

BB&T spokeswoman Maria Lachapelle said Jan. 3 that BB&T's site suffered sporadic outages during the morning because of high traffic volumes, but that the bank was taking steps to educate customers about alternative banking channels to pursue. "We have other ways to serve them," such as in-person at the branch or via the call center, she said.

PNC, which confirmed Jan. 4 that its site had experienced sporadic access issues a day earlier, offered no explanation. But PNC spokeswoman Marcey Zwiebel said the bank was taking steps to communicate directly with customers.

"We regret that some customers have been affected by the measures we have taken to ensure that access," Zwiebel said. "We are communicating directly with our customers about this and working with those having access issues to help identify alternatives."

In a Jan. 3 e-mail sent directly to PNC customers, the bank acknowledged that many U.S. banks are experiencing unusually high volumes of online traffic that is flooding their Internet connections.

"This volume of traffic is consistent with threatened cyber-attacks on the U.S. banking system and is designed to cause access delays for legitimate Internet customers," the e-mail stated. "For several weeks, PNC has taken steps to block this traffic and maintain online and mobile banking access for the vast majority of its customers. In some cases, those measures also may have blocked access to a small percentage of legitimate PNC customers for an extended period."

Communications with Consumers

Some banks have been more forthcoming about their site outages than others. While PNC, for instance, has been more open to using social media sites such as Facebook to communicate with customers about the attacks, other institutions have remained silent.

In a Jan. 4 Facebook response to customer complaints about slow site accessibility, PNC states that it's aware of the issues and is taking action to address the disruptions.

"That is why we are communicating directly and separately with our customers to help address specific concerns," the PNC Facebook post states. "PNC customers that continue to experience access issues may contact us through a private message here on Facebook."

Chase, SunTrust and Regions have refrained from confirming or commenting about reported traffic issues. And since the launch in December of the second campaign, BofA, CapOne, Citi, HSBC, Wells Fargo and U.S. Bank have steadily decreased their public communications, despite concerns voiced by some of their customers.

On Jan. 4, several customers posted updates on CapOne's Facebook page, saying they continued to have trouble accessing the site. CapOne responded, merely asking customers to contact them directly.

"The website is back up and running now," the bank states in its Facebook response. "Please try it again and if you still cannot access it, give us a call at the number on the back of your card or statement."

Choosing a Strategy

Choosing the best way to communicate about the steps a bank is taking to address DDoS attacks depends on a number of factors, such as the size of the institution, the institution's social-networking policy and the impact increases in traffic have had on the institution's website.

"Whether a financial institution wants to turn to an enhanced use of social-networking is up to each individual institution," says Doug Johnson, vice president of risk management policy for the American Bankers Association.

But Gartner's Litan stresses that customers will assume the worst if banking institutions fail to share information about outages.

"The banks should just be upfront and tell them the Internet channel is coming under attack, but they are still securing their information and money and are able to provide continuous service through other channels, e.g., the phone, branch and ATM," she says. "The sooner they do this, the better off everyone will be."


About the Author

Tracy Kitten

Executive Editor, BankInfoSecurity & CUInfoSecurity

A veteran journalist with more than 18 years' experience, Kitten has covered the financial sector for the last 11 years. Before joining Information Security Media Group in 2010, where she now serves as the Executive Editor of BankInfoSecurity and CUInfoSecurity, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by CNN.com, ABC News, Bankrate.com and MSN Money.




