The Fraud Blog with Tracy Kitten

DDoS Attacks: What Banks Report

Wells Fargo, Chase Acknowledge Attacks in 2013

Editor's Update: Since the filing of this blog, BankInfoSecurity has been in communication with Wells Fargo. While distributed-denial-of-service attacks are not explicitly mentioned in the bank's annual 10-K filing with the Securities and Exchange Commission, the bank does mention DDoS attacks in its 10-Q quarterly report filed with the SEC for the period ending Sept. 30, 2012. Wells Fargo also mentions DDoS activity in its annual report to shareholders, acknowledging that it and reportedly other U.S. institutions have been battling increasing DDoS attacks since late 2012.

See Also: BEC Defense: Advanced Tactics to Shield Your Organization

Leading U.S. banking institutions remain quiet about the ongoing distributed-denial-of-service attacks they've suffered since the fall of 2012.

But we can glean some first-hand perspectives from earnings reports that publicly-traded financial services firms file with the Securities and Exchange Commission.

Last month, we pulled the year-end 10-K earnings reports filed by the nation's top 10 banking institutions (see Top Banks Offer New DDoS Details).

Those top 10 include JPMorgan Chase & Co., Bank of America, Citigroup, Wells Fargo & Co., Goldman Sachs Group, Morgan Stanley, U.S. Bancorp, Bank of NY Mellon, HSBC North America and Capital One. Among them, seven acknowledged they had suffered from some sort of DDoS activity in 2012 that impacted online- and/or mobile-banking services. Morgan Stanley, Bank of NY Mellon and Wells Fargo did not mention DDoS.

No Mention of DDoS?

Wells Fargo's failure to mention DDoS in its year-end report garnered attention. Security experts said they found the omission of DDoS information from the nation's fourth-largest bank puzzling because independent DDoS-attack monitoring had confirmed the bank was among the institutions targeted by the hacktivist group Izz ad-Din al-Qassam Cyber Fighters in 2012.

Some experts questioned how seriously banking institutions were taking their SEC filing requirements, at least from a cyber-activity reporting perspective.

Banking institutions are required to report all suspicious cyber-activity, including DDoS attacks, either through their filings with the SEC or in the Suspicious Activity Reports to the Financial Crimes Enforcement Network, says Doug Johnson, who oversees risk management policy for the American Bankers Association, says.

But in its most recent quarterly filing with the SEC, Wells Fargo notes that it, like many other leading U.S. institutions, was targeted by DDoS this year.

In its 10-Q report for the quarter ending March 31, which the bank filed on May 8, it states: "Wells Fargo and reportedly other financial institutions continue to be the target of various denial-of-service or other cyber-attacks as part of what appears to be a coordinated effort to disrupt the operations of financial institutions and potentially test their cybersecurity in advance of future and more advanced cyber-attacks. To date, Wells Fargo has not experienced any material losses relating to these or other cyber-attacks."

Despite security experts' claims that Wells Fargo had been targeted in 2012, it was not until 2013 that the bank acknowledged any significant activity. On April 4, Wells Fargo spokeswoman Sara Hawkins told BankInfoSecurity that the bank's online and mobile-banking channels had been inaccessible for portions of the day on April 4, when Wells Fargo saw "an unusually high volume of website and mobile traffic ... which we believe is a denial-of-service attack."

Whether the bank was actually attacked before that April date has yet to be confirmed.

DDoS Updates

Chase is the only other bank among the top 10 to specifically note being targeted by DDoS in its first-quarter 2013 10-Q filing. The eight others make no mention of DDoS in their reports.

Chase offers a summary that's very similar to the one provided by Wells Fargo: "The firm and several other U.S. financial institutions continue to experience significant distributed denial-of-service attacks from technically sophisticated and well-resourced third parties which are intended to disrupt consumer online banking services. The firm has also experienced other attempts to breach the security of its systems and data. These cyber-attacks have not, to date, resulted in any material disruption of the firm's operations or material harm to the firm's customers, and have not had a material adverse effect on the firm's results of operations."

As we move forward, I remain hopeful these banks will include more detailed information about cyber-activity, including DDoS attacks, in their filings.

It's understandable that these institutions don't want to reveal too much - they don't want to showcase their online vulnerabilities for attackers, nor do they want to instigate panic among their customers.

But it's crucial for the public to understand the impact of these intermittent online and mobile outages U.S. banking institutions have suffered since last September.

About the Author

Tracy Kitten

Tracy Kitten

Former Director of Global Events Content and Executive Editor, BankInfoSecurity & CUInfoSecurity

Kitten was director of global events content and an executive editor at ISMG. A veteran journalist with more than 20 years of experience, she covered the financial sector for over 10 years. Before joining Information Security Media Group in 2010, she covered the financial self-service industry as the senior editor of ATMmarketplace, part of Networld Media. Kitten has been a regular speaker at domestic and international conferences, and was the keynote at ATMIA's U.S. and Canadian conferences in 2009. She has been quoted by, ABC News, and MSN Money.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.