Why Cyberattacks Continue to Overpower Banks' Security Tech

Thursday's cyberattack on Wells Fargo — the second the company has acknowledged in nine days — rendered its online and mobile banking inoperable for roughly six hours and continued a wave of denial of service attacks that also has hit JPMorgan Chase (JPM), BB&T (BBT), American Express (AXP) and TD Bank in the past three weeks alone.

In all, at least 13 of the nation's biggest banks have watched their websites bog down since September under similar barrages, with several institutions being assailed repeatedly.

Hacktivists who call themselves the al-Qassam Cyber Fighters have claimed responsibility for the incursions, which the group vows to continue until YouTube takes down a trailer for an anti-Muslim film. YouTube says the video comports with the company's content guidelines, although the company warns viewers that some may find the material offensive.

Why can't the targeted institutions, some of which have extremely sophisticated technology, defend themselves against the onslaught?

The main answer, as we've noted in many previous articles, lies in the massive volume of the attacks, which unleash a torrent of data at websites with the goal of overwhelming them.

"Twelve months ago, the maximum protection for a major financial institution was 10 gigabytes per second," says Dave Ostertag, a global investigation manager with Verizon. "Now we're averaging 40 to 50 gigabytes per second. The entire industry has changed."

Thanks to software that can detect cyber threats and turn away incoming traffic that bears the marks of someone who seems bent on doing harm, banks are generally able to prevent the volleys directed at them from engulfing their websites completely, according to Ostertag. When attackers do manage to overcome banks' cyber defenses, the interruptions that ensue endure for a brief time compared with the duration and intensity of the assault.

"From reports we get every day and how many attacks occur and how long they last, and compared with the time customers can't get through to their banks, the world is doing a great job," Ostertag adds.

Other times, however, the fury of the assault overpowers a bank's cyber defenses. "The attackers obviously have someone who's put a lot of money into infrastructure and these guys have the capability to launch attacks like the world has never seen before," says Ostertag.

Building fortifications that can rebuff attacks and eliminate outages completely will demand defenses that can account for the evolving nature of the threat. "If you morph and change the attack enough it will be difficult to keep up," Ostertag added.

Attackers who earlier sprayed banks' networks with massive amounts of data now target specific web pages, such as a help page or login page, which they might hit 20 million times a minute, according to Avivah Litan, an analyst with Gartner Research.

One challenge lies in being able to develop software that can distinguish more precisely between friendly and hostile traffic. Security systems in use currently tend to assume that companies will identify the threat and then control for it. "It's not a behavior-based system, it's signature based," said Litan, who adds that systems themselves need to get smarter. "The [denial of service] systems are not as sophisticated as the models banks use for underwriting or fraud detection, but you can't build those models overnight."
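As an added illustration of the signature-versus-behavior distinction Litan draws (example code written for this page, not from any bank, vendor or the article's sources), the following Python compares the two approaches over constructed web-server log lines; the IP addresses, paths, User-Agent strings and the per-minute threshold are assumed.

```python
import re
from collections import Counter
from datetime import datetime

# Combined-log style line; the regex pulls out client address, timestamp and path.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(line):
    """Return (client, epoch_minute, path), or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, ts, path, _status = m.groups()
    minute = int(datetime.strptime(ts, TS_FMT).timestamp()) // 60
    return client, minute, path

def signature_hits(lines, signatures):
    """Signature approach: flag only lines containing a known-bad string."""
    return [line for line in lines if any(sig in line for sig in signatures)]

def behavior_hits(lines, watched_paths, per_minute_limit):
    """Behavior approach: flag any client whose request rate to a watched page
    exceeds the limit within one minute, whatever the requests look like."""
    counts = Counter()
    for line in lines:
        parsed = parse(line)
        if parsed and parsed[2] in watched_paths:
            client, minute, path = parsed
            counts[(client, minute, path)] += 1
    return sorted({(c, p) for (c, m, p), n in counts.items() if n > per_minute_limit})

def make_lines(client, path, n, agent):
    """Build n constructed log lines for one client, all within the same minute."""
    return [f'{client} - - [27/Dec/2012:10:00:{i % 60:02d} -0500] '
            f'"GET {path} HTTP/1.1" 200 512 "-" "{agent}"' for i in range(n)]

# Constructed traffic (assumed addresses): one ordinary visitor and one client
# hammering the login page while presenting a normal browser User-Agent.
NORMAL = make_lines("198.51.100.7", "/login", 3, "Mozilla/5.0")
FLOOD = make_lines("203.0.113.9", "/login", 500, "Mozilla/5.0")
TRAFFIC = NORMAL + FLOOD

if __name__ == "__main__":
    # The signature list never matches, so the flood is invisible to that approach.
    print("signature hits:", len(signature_hits(TRAFFIC, ["BadBot/1.0"])))
    print("behavior hits:", behavior_hits(TRAFFIC, {"/login"}, per_minute_limit=120))
```

The rate threshold is a placeholder; a real deployment would derive it from a baseline of normal traffic to that page and would also aggregate across many clients, since a distributed flood spreads requests over sources.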

Ostertag says that Verizon and other network operators have been able to attenuate attacks by redirecting traffic the operators identify as pernicious. "We have a lot of insight into what's going on, on your network," said Ostertag, who declined to discuss where the denial of service traffic that passes through Verizon's network originates because he said the information is classified.

Litan says the group behind the attacks is believed to consist of roughly 25 people, although she cautions that nobody knows with certainty the number of attackers or who sponsors them. According to Litan, some investigators have matched computer code used in the denial of service attacks to code used in a January 2012 cyberattack on Israel's Tel Aviv stock exchange and El Al, although she adds the attackers may be different people. In November, the al-Qassam Cyber Fighters disavowed any connection to those incidents or to the Iranian government, which U.S. officials have charged with sponsoring the group.

In the meantime, banks will continue to catch up. "It's not hopeless, but it doesn't look good for the next few months," Litan said. "There's a lot of programming that needs to be done."
