The cyberattacks against Bank of America (BAC), JPMorgan Chase (JPM), Wells Fargo (WFS), PNC (PNC) and U.S. Bancorp (USB) in the past week and a half may not have been sophisticated, but they are wreaking havoc among their victims.
"I hate to sound like a sensationalist, but it sounds like the financial Armageddon we're all waiting for," says Avivah Litan, vice president and distinguished analyst at Gartner Research. The cyberhacktivists "have overwhelmed the pipe bandwidth, so there's nothing anyone can do unless they can find the end points that are launching the attacks." Litan's sources say the denial-of-service attacks are being flung from about 3,000 computer end points and are averaging to be 100-gigabyte attacks.
"They're flooding bank sites and bank networks," Litan says. "Usually denial-of-service attacks max out at 60-70 megabits. There's nothing banks can do; it's a bandwidth issue for [network providers like] Verizon and AT&T. Even if Verizon increased their bandwidth to 500 gigabits, attackers would up it" and overwhelm the provider's capacity.
Another interesting fact Litan learned this morning is that the attackers write to each other in English. "My sources in the network business don't think it's an Iranian group or a foreign group. No one knows who it is." The group that has taken credit for the recent spate of attacks, "Cyberfighters of Izz ad-din Al qassam," has said in its messages on a website called PasteBin that it was protesting the YouTube movie "Innocence of Muslims," and insisting that it would continue its attacks until the video was "erased."
However, except for PNC, the attacks on banks appear to have stopped.
Another unknown is whether or not fraud has occurred during the denial-of-service attacks. "If the fraud prevention people don't have a separate pipe into the system, they can't access them, either," Litan points out.
The attacks are also causing damage to consumer perception among customers who expect their bank to be always on and always available.
In a denial-of-service attack, a number of people, a botnet or a group of botnets click on a website repeatedly so quickly and on such a scale that no one else can get through. It's a lot like a traffic jam on a throughway — the sheer volume of cars on the road prevents each car from going at a normal speed. Another, perhaps more apt analogy is that it's like having a group of protesters in a bank's lobby preventing customers from coming in.
On the spectrum of security threats and how scary and destructive they can be, denial-of-service attacks are usually relatively mild. No one is breaking into anything, no one is stealing account information or money, nothing is being improperly accessed. The computers that do the real work of processing payments, loans and balance transfers are not affected. But the scale of the recent attacks could lead to serious problems.
"These people may not know how to take over a bank account, but they certainly could figure it out quickly," Litan says. "It's a classic technique that's been used against banks, to distract their attention and then take money out of accounts. That's been going on for at least a year and a half."
Stopping a denial-of-service attack is difficult, Litan says. It's hard to pinpoint the source; intrusion detection systems typically produce a lot of false positives. "If you get 100 alerts and only three are meaningful, how do you know which three are meaningful?" she says. "You need a more intelligent system that doesn't have such a high false positive rate, that's automated and blocks bad transactions with confidence. You don't want to stop people from going to your website."