Everyone wants to talk about the big ones — the whales. The large, hellacious denial of service attacks that slow or stop a bank's web server and prevent customers from doing business.
And right now, while you're reading this, criminals may be bombarding your bank's website.
These attacks typically occur when cyber crooks flood a bank's web servers with traffic — enough to either shut it down or stop users from performing specific functions online, like making a payment or making good on a bill.
Sometimes this traffic comes from one specific group of servers, in a denial of service (DoS) attack — think about it like one big computer constantly visiting, say, AmericanBanker.com millions of times within seconds. Other times the attack is launched from many computers in many different parts of the world (in what's called a distributed denial of service, or DDoS, attack).
"In the past, there was an underground of attackers. The targets were smaller organizations and these were not very complex attacks," says Jason Malo, a research director at CEB TowerGroup, who specializes in security and fraud.
Since September, 46 U.S. financial institutions have been hit with more than 200 coordinated and timed DDoS attacks, according to a report issued by the FBI April 30.
Hackers started in earnest with Bank of America and the New York Stock Exchange, then targeted mostly large banks, and have moved down to regional banks.
In April, one hacktivist group posted four different announcements of fresh attacks.
Security folks talk about the events in awkward-sounding units called gigabits per second — a data transfer speed of a billion bits per second. Some of the largest attacks are 80 gigabits per second. Double that. Triple that.
Think about sending a month's worth of emails, attachments included, all in a second. That's roughly the equivalent of one gigabit per second.
A respectable attack will be between 10 and 15 gigabits per second, says Michael Smith, a customer security incident response team director at the Internet infrastructure firm Akamai Technologies Inc.
But Smith points out that some attacks are not targeting banks' web pages, but their applications. "Understanding that the overall trend is to use the minimum amount of force necessary, if you can do application attacks through SSL, you need less volume of attack traffic than you would trying to flood the network infrastructure."
Banks have spent so much time hardening their servers, focusing on security and authentication, that it takes less time to fell a bank's web servers than the ones behind a retailer's site.
Better security means it takes more computing power to do smaller tasks, making it easier for an attacker to overwhelm a target by focusing on, say, the username-and-password login step: asking a website a million times whether 'AAAAA's password is 'AAAAA.'
These attacks are becoming more sophisticated.
For instance, a bank's website can be jammed by an attack targeting just one specific service. Malo references the Slowloris malware, which allows a single machine to take down another machine's web server with minimal bandwidth and few side effects on unrelated services and ports.
"Basically it sends information in packets, as slowly as possible," he says. "So we are speaking in a normal voice, but if I start... to... be... like... this... it makes it like we're still engaged in the conversation, but it exhausts the service sessions."
Malo adds that he'd expect these types of attacks to persist.
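The session exhaustion Malo describes, and why the usual idle timeout does not stop it, can be seen in a small simulation. This is an added example, not code from the article or from any named vendor; the server, the attacker's source address and all the numbers are constructed. A server has a fixed pool of connection slots and normally closes a connection only after it goes quiet; a client that trickles one header byte at a time never goes quiet, so only a hard deadline for completing the request headers, or a cap on connections per source, frees the pool.

```python
from dataclasses import dataclass, field

@dataclass(eq=False)
class Conn:
    src: str
    opened: float      # when the connection was accepted
    last_byte: float   # when the last request byte arrived
    headers_done: bool = False

@dataclass
class Server:
    max_slots: int                  # concurrent connections the server can hold open
    idle_timeout: float = 30.0      # reset by *any* byte; a trickle of bytes defeats it
    header_deadline: float = None   # hard limit from accept() to complete headers (None = off)
    per_src_cap: int = None         # max concurrent connections from one source (None = off)
    conns: list = field(default_factory=list)

    def reap(self, now):
        """Close connections that are idle too long or have not finished their headers in time."""
        def alive(c):
            if c.headers_done:
                return True
            if now - c.last_byte >= self.idle_timeout:
                return False
            return self.header_deadline is None or now - c.opened < self.header_deadline
        self.conns = [c for c in self.conns if alive(c)]

    def accept(self, src, now):
        self.reap(now)
        if self.per_src_cap is not None and sum(c.src == src for c in self.conns) >= self.per_src_cap:
            return None
        if len(self.conns) >= self.max_slots:
            return None
        c = Conn(src, now, now)
        self.conns.append(c)
        return c

def slowloris(server, src="203.0.113.7", n_conns=100, trickle_every=10.0, duration=120.0, step=1.0):
    """Keep n_conns connections open, sending one partial header byte every trickle_every seconds
    (constructed attacker behaviour). Returns the slots still free for legitimate clients at the end."""
    now, held = 0.0, []
    while now <= duration:
        server.reap(now)
        held = [c for c in held if c in server.conns]  # drop connections the server closed
        if len(held) < n_conns:                         # reopen to keep the pool full
            c = server.accept(src, now)
            if c is not None:
                held.append(c)
        for c in held:
            if now - c.last_byte >= trickle_every:
                c.last_byte = now                       # one more byte; headers never complete
        now += step
    return server.max_slots - len(server.conns)
```

With the defaults, 100 trickling connections hold all 100 slots for the whole run; a 20-second header deadline leaves 80 slots free, and a cap of 10 connections per source leaves 90.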
Indeed, the real danger of these attacks isn't just a disruption in a person's Internet banking — which costs banks cash because customers now have to be handled through a different, often more expensive channel.
In some cases, these attacks mask more serious intrusions that can compromise a bank's customer data.
While an attack is taking place, criminals could be attempting to extract financial information from a bank using a variety of techniques.
On Christmas Eve, thieves reportedly stole $900,000 from a Bank of the West customer under the guise of a DDoS attack. The news was first reported on the information security blog Krebs on Security.
In the future, some observers say, the attacks will inevitably come from mobile devices, as well as desktop computers and servers in data centers.
"This is eventually going to be an Android vs. iOS" battle, says Ken Baylor, a research vice president at the information security research and advisory company NSS Labs, alluding to the division between the tech giants, one of which polices all the apps its iPhone users download while the other does not.
DDoS attacks are commonly launched over infected devices that are enslaved and turned into botnets — collectives of connected machines linked by malicious software performing specific tasks, like bombarding a bank's website with traffic.