Hacktivist Attacks: How to Respond
Targeted Banks Can Improve Security, Customer Education
In the wake of recent online attacks like the one against Citi, banking institutions must pay greater attention to security and customer awareness, industry experts say.
Institutions and other high-profile organizations also must accept that they are prime targets for distributed denial-of-service attacks, says Wendy Nather, research director at 451 Research, a technology analysis firm that focuses on IT and security.
"The truth of the matter is, in this climate, any organization that represents what's currently being protested will become a target, if they're visible enough, regardless of how they handle their PR or how they treat their customers," Nather says. "They simply have to acknowledge it as a new cost of doing business, and factor it into their infrastructure and security planning."
In response, the Reserve Bank of Australia has announced plans to hire cybersecurity providers to address increases in DDoS attacks launched against Australian banks.
In a statement, the Reserve Bank says existing cybersecurity standards are no longer effective. "Whilst existing firewall and other security controls provide protection against penetration threats, they are not able to safeguard the RBA against distributed denial of service attacks designed to interrupt the bank's connection to the Internet," the RBA says.
Australian corporations and government agencies have been hit by DDoS attacks, often waged by hacktivist groups like Anonymous, for political, military and financial gain, the RBA says. Though it would not comment about its security arrangements, the RBA did say the initiative was not linked to any specific threat, and that the bank had interim arrangements to address DDoS attacks.
Neal O'Farrell, who heads up the Identity Theft Council, says exposing and humiliating corporations is the hacktivist's primary aim.
"There can be any number of reasons for attacks on financial institutions like Citi," O'Farrell says. "If the public dislikes or mistrusts big banks, then it's easier to win support by targeting them."
It's also why targeting senior executives at some of the country's top institutions and corporations is becoming more prevalent.
"I can see why hacktivists would do it," O'Farrell says. "If you can show that senior executives of a bank are vulnerable to personal identity or data theft, it's an easy way to question and cast doubt on the security of the institution they work for."
DDoS attacks, such as those that hit Citi and other institutions, are relatively basic: They take sites down by flooding them with traffic. And it's easy to spot a DDoS attack by monitoring, which has helped institutions and organizations respond in a timely fashion. But it always puts the affected entity on the defensive when its customers cannot access the sites. Ultimately, false traffic used to flood the site has to be filtered out to bring the site back online.
"Banks know when they're being hit by DDoS attacks," Nather says. "For one thing, there are the kinds of attacks where your first hint is a call from a customer, asking why your site is down. For another, traffic runs both ways, and a DDoS attack can affect Internet access for the employees inside the enterprise, so internal users are likely to notice as well."
The industry has responded by developing products and services aimed at curbing DDoS-related outages.
"There are any number of vendors that are offering anti-DDoS features within their products, anti-DDoS appliances and anti-DDoS as a service," Nather says. "When a bank is using any of these successfully, the good news is no news: Customers will never notice that an attack was launched, because it won't affect the site performance."
To this point, the most damaging aspect of a DDoS attack is the negative effect it has on a corporation's image after a site goes down.
But O'Farrell worries that organized crime could soon get in on the game, riding on the coattails of the precedent set by groups such as Anonymous.
"It started as a form of protest but could easily be hijacked by more ruthless criminal elements," O'Farrell says.
The scary part is that it's become increasingly difficult to determine exactly who is behind these DDoS attacks. Some attacks claiming to be linked to Anonymous could actually be linked to organized crime.
"There are so many different hacking and hacktivist groups, often offshoots of others, it's getting harder to verify claims of exactly who's behind a specific attack or if it was even sanctioned by the named group," O'Farrell says.
So far, smaller institutions have not been a focus for hacktivists. But as these attacks spread and more players get in on the game, O'Farrell warns small and mid-tier community banks and credit unions could be caught off guard.
"I don't see them as big targets for hacktivists just yet, mainly because they're not so much the focus of consumer anger," he says. "But there's no doubt that other criminal elements will soon be targeting smaller financial institutions, just as they're beginning to target smaller businesses," O'Farrell adds.
Steps to Protect
In protecting against any attack, the risk of exposure of personally identifiable information should be assumed. "Because PII is of little value to a financial institution, if it's not constantly being moved, shared and accessed, it's always going to be a relatively easy target," O'Farrell says.
Investing in new technology is a must. But in addition to protecting and monitoring against DDoS, institutions can take additional measures to ensure better security and customer/member education. Among experts' recommendations:
- Add more authentication, such as SMS/text alerts, to confirm transactions before money is ever transferred from an account.
- Enhance customer and member education. "Many vulnerabilities can be minimized by more vigilant and involved customers," O'Farrell says. "And it's great for building trust and relationships, because you get to talk to your customers much more often about a common worry."
- Add more encryption. Encrypting data is one of the best protections for PII.
- Improve the corporate image. "I think one of the reasons few credit unions have been targeted by hacktivists is because consumers like them more," O'Farrell says. "If you're constantly being viewed as a big, bad bank, you're going to constantly be the target of big bad hackers. There's got to be a lesson there."