This week's cyberattacks against U.S. banks were more widespread than reported, industry experts say.
Though JPMorgan Chase (JPM) and BB&T (BBT) are the only big banks to confirm a denial of service attack on Tuesday, roughly a half dozen institutions endured digital assaults at around the same time, according to Radware, a security firm that has investigated cyber intrusions on behalf of financial firms.
Tuesday's attacks "were the largest attacks we've seen to date in scale," Carl Herberger, a vice president of security solutions at Radware, told American Banker. "The one that was advertised to the world was Chase, but I can tell you that almost on an hourly basis banks were being attacked, which is a very substantial campaign."
"If you actually measure the response time of some of these banks that are being attacked, you can see that they are under duress," Herberger adds. "Most of them labored for hours on end with little or no response."
The attacks followed a threat earlier Tuesday by the al-Qassam Cyber Fighters, a group that has claimed responsibility for a series of incursions since September that have bogged down websites at some of the nation's biggest banks and prevented customers from accessing their accounts.
The group, which has vowed to continue its campaign until YouTube takes down a trailer for an anti-Muslim film, said it would target JPMorgan Chase, Bank of America (BAC), Citibank (NYSE:C), PNC Financial (PNC), Fifth Third Bancorp (FITB), Union Bank, BB&T (BBT) and Capital One (COF) for another round of assaults.
Herberger declined to say which banks beside Chase weathered attacks on Tuesday, citing confidentiality agreements between Radware and its clients.
BB&T spokeswoman Merrie Tolbert said in an email that the Winston-Salem, N.C., bank "experienced intermittent outages yesterday" but said the bank was able to restore service quickly.
Daniel Weidman, a spokesman for Union Bank, said in an email the bank's website also "experienced intermittent outages" on Tuesday before resuming regular operation.
Citigroup, Fifth Third and Capital One spokespeople said their companies' websites functioned normally on Tuesday.
Bank of America's websites also continued to operate without incident, according to a source close to the company.
"If you have a leak in a boat, you can build a bigger boat so the leaks won't mathematically sink your boat," Herberger says. "That's been fundamentally the process many folks have been taking. We see few instances of fixing the leak."
While banks continue to take steps to strengthen security, hackers continue to hone their capabilities and can outmatch banks' best efforts to deter them, experts say.
Hackers "are certainly more sophisticated; it's certainly not the 14-year-old sitting on his dad's PC writing a virus," says Mike Whitt, BBVA Compass' chief information security officer. "This is a business for these guys, and it's really a business that runs in kind of parallel to the legitimate market, so the actors can be anyone from organized crime, or even terrorist organizations, even state-sponsored attacks."
According to Whitt, banks have an especially tough job because they are not security companies and have limited resources to devote to thwarting attacks, while attackers have "somewhat unlimited" resources "because most of the money that they are using is through ill-gotten gain."
If a bank needs hardware, it has to go through a process to get it approved. "If one of these bad guys needs a couple more PCs, they find PCs that are on the Internet and they take them over, own them, and then they have additional hardware resources," Whitt says.
