Breaking protocol: DDoS attacks

A spate of recent DDoS attacks forced banks to change their threat response – and that's a good thing, reports Teri Robinson.

When the first wave of distributed denial-of-service (DDoS) attacks hit several, large financial institutions in the fall of 2012, a scramble ensued to get websites back up and quell the fears of understandably rattled customers. By the time the third and final wave rolled through in early 2013, banks had learned how to shut down attacks quickly and had taken significant steps to restore the public's faith.

While the concentration of incursions left in their wake a heightened awareness, the series also ushered in major changes to the way banks handle such incidents, marked by an unprecedented level of communication among banks, their executives, government agencies and customers.

Our experts:
Bank on it

  • John Carlson, executive vice president, BITS
  • Avivah Litan, distinguished analyst, Gartner
  • Al Pascual, analyst, Javelin Strategy & Research
  • Ashley Stephenson, CEO, Corero Network Security

Although bigger banks have learned to mitigate the impact of DDoS attacks, and indeed the large-scale campaigns have tapered off, experts say the financial industry, particularly smaller banks, is still at risk. There's little doubt that DDoS attacks are on the rise – a Digital Attack Map, developed by Google and threat-monitoring company Arbor Networks, shows that the U.S. is one of two countries to get hit every day for a five-month period in 2013 – and these strikes, and the threat of further attack, pose a significant threat.

“Knocking over” banks is nothing new. Frank and Jesse James, Butch and Sundance, Bonnie and Clyde and Willie Sutton have all relentlessly – and often successfully – tried to breach whatever passed as the top-of-the-line bank security of the day. But those outlaws were lured by money buried deep in the bank vault. The large-scale DDoS campaigns of 2012 and 2013, by and large, were driven by ideology, with no other goal but to shake things up and grab headlines. And that they did, with the first attacks – breathtaking in their scope and impact – coming on the eve of the 2012 presidential election to maximize their PR value.

The nature of the attacks originally led security experts to believe that the campaigns were the work of forces within the Iranian government – a charge that officials there have denied. “The big difference in 2013 is nation-states started using [DDoS attacks] as tools for retribution for the U.S.,” says Avivah Litan, a distinguished analyst at Gartner.

Though these assaults didn't result in theft of money, there were copycats and other criminals who took advantage of the attacks to breach accounts and steal funds, she adds. The super-sized campaigns, which commandeered servers to attack bank websites instead of relying on individual laptops and PCs as previous attacks had done, pointed to the burgeoning skills of actors inside Iran in planning and instigating internet campaigns.

For example, the hacktivist group Iz ad-Din al-Qassam Cyber Fighters claimed credit for the attacks, dubbed Operation Ababil (after a story in the Quran about Mohammad dispatching swallows to defeat elephants and defend Mecca). The campaign was reportedly waged to issue a biting indictment of “unfavorable” U.S. policies and in protest of a YouTube video that Muslims found offensive.

The first campaign was launched against 10 of the biggest names in banking – HSBC Holdings, Citibank, Capital One, JPMorgan Chase, U.S. Bancorp, SunTrust Banks, Bank of America, PNC, Wells Fargo and Regions Bank. Initially, the financial institutions were caught off guard and slow to react as large volumes of unwanted traffic flooded their networks, blocking customers from their accounts and otherwise disrupting business.

But if there were any doubts that banks were under siege, Iz ad-Din al-Qassam dispelled them by issuing a series of warnings on Pastebin leading up to a second DDoS campaign. This time, however, as banking giants JPMorgan Chase, Wells Fargo, U.S. Bancorp, PNC, SunTrust Banks and Citibank saw unwelcome traffic pour into their networks, they were prepared for the onslaught. Though they couldn't prevent the attacks, even with pointed warnings, they quickly shut them down with minimal disruption.

“Banks became more proficient in stopping DDoS or mitigating the effect,” says Al Pascual, an analyst at Javelin Strategy & Research.