Thursday's cyberattack on Wells Fargo — the second the company has acknowledged in nine days — rendered its online and mobile banking inoperable for roughly six hours and continued a wave of denial of service attacks that also has hit JPMorgan Chase (JPM), BB&T (BBT), American Express (AXP) and TD Bank in the past three weeks alone.
In all, at least 13 of the nation's biggest banks have watched their websites bog down since September under similar barrages, with several institutions being assailed repeatedly.
Hacktivists who call themselves the al-Qassam Cyber Fighters have claimed responsibility for the incursions, which the group vows to continue until YouTube takes down a trailer for an anti-Muslim film. YouTube says the video comports with the company's content guidelines, although the company warns viewers that some may find the material offensive.
Why can't the targeted institutions, some of which have extremely sophisticated technology, defend themselves against the onslaught?
The main answer, as we've noted in many previous articles, lies in the massive volume of the attacks, which unleash a torrent of data at websites with the goal of overwhelming them.
"Twelve months ago, the maximum protection for a major financial institution was 10 gigabytes per second," says Dave Ostertag, a global investigation manager with Verizon. "Now we're averaging 40 to 50 gigabytes per second. The entire industry has changed."
Thanks to software that can detect cyber threats and turn away incoming traffic that bears the marks of someone who seems bent on doing harm, banks are generally able to prevent the volleys directed at them from engulfing their websites completely, according to Ostertag. When attackers do manage to overcome banks' cyber defenses, the interruptions that ensue endure for a brief time compared with the duration and intensity of the assault.
"From reports we get every day and how many attacks occur and how long they last, and compared with the time customers can't get through to their banks, the world is doing a great job," Ostertag adds.
Other times, however, the fury of the assault overpowers a bank's cyber defenses. "The attackers obviously have someone who's put a lot of money into infrastructure and these guys have the capability to launch attacks like the world has never seen before," says Ostertag.
Building fortifications that can rebuff attacks and eliminate outages completely will demand defenses that can account for the evolving nature of the threat. "If you morph and change the attack enough it will be difficult to keep up," Ostertag added.
Attackers who earlier sprayed banks' networks with massive amounts of data now target specific web pages, such as a help page or log in page, which they might hit 20 million times a minute, according to Avivah Litan, an analyst with Gartner Research.
One challenge lies in being able to develop software that can distinguish more precisely between friendly and hostile traffic. Security systems in use currently tend to assume that companies will identify the threat and then control for it. "It's not a behavior-based system, it's signature based," said Litan, who adds that systems themselves need to get smarter. "The [denial of service] systems are not as sophisticated as the models banks use for underwriting or fraud detection, but you can't build those models overnight."
Ostertag says that Verizon and other network operators have been able to attenuate attacks by redirecting traffic the operators identify as pernicious. "We have a lot of insight into what's going on, on your network," said Ostertag, who declined to discuss where the denial of service traffic that passes through Verizon's network originates because he said the information is classified.
One can see from my story why an angry global citizenry uproar may be responsible for the hack attacks.
I am a federal government whistleblower who had his primary duties taken away for blowing the whistle to expose wrongdoing by former Chairman Bair and others. I blew the whistle on the corruption brought about by the revolving door between regulators and the banking industry; discriminatory lending; unethical behavior by top regulatory officials, etc., but was muted and turned away. I am interested in getting my story out in the public domain. Shockingly, I have been unable to get any journalists at the New York Times or Washington Post to investigate my story as of yet. Shame on Bob Woodward if he has allowed the White House to chill his interest.
Here is the link to my newly published book about the inside story of how government regulators caused the financial crisis. It is the only expose to reveal an insider's account of how regulators' neglectful actions caused the crisis.
http://www.amazon.com/American-Betrayal-ebook/dp/B00BKZ02UM
I can show cronyism between regulators, former regulators, top consultants, and government watchdogs is what led to the financial crisis. Did we not learn anything from Enron, BCCI, and LTCM? When you get regulators and those to be regulated so cozy together (i.e. sleeping in the same bed), you get a dysfunctional, unfair, and corrupt capital system.
Therefore, if there is a member of Congress open to taking a look at just two or three documents which show how the government likely caused the financial crisis, please let me know. I have a lot more documents.
PS - If the government, banks, and their fee-mongering consultants wanted to prevent these types of harmful events, and desired to manage their complexity and risks, they would opt to consider Ontonix or a similar solution. Had regulators used Ontonix, there would not have been a financial crisis. It is that simple. See
http://www.ontonix.com/