A cyberattack on wells fargo in April—the second the company acknowledged in nine days—rendered its online and mobile banking inoperable for roughly six hours and continued a wave of denial-of-service attacks that also hit JPMorgan Chase, BB&T, TD Bank and American Express in the previous three weeks alone.
In all, since September, at least 13 of the nation's biggest banks have watched their websites get bogged down under similar barrages, with several institutions being assailed repeatedly.
Hacktivists who call themselves the al-Qassam Cyber Fighters have claimed responsibility for the attacks, which the group vows to continue until YouTube takes down a trailer for an anti-Muslim film. YouTube says the video comports with the company's content guidelines, although its website warns viewers that some may find the material offensive.
Why can't the targeted institutions, some of which have extremely sophisticated technology, defend themselves against the onslaught?
The main answer lies in the massive volume of the attacks, which unleash a torrent of data at websites with the goal of overwhelming them.
"Twelve months ago, the maximum protection for a major financial institution was 10 gigabytes per second," says Dave Ostertag, a global investigation manager with Verizon. "Now we're averaging 40 to 50 gigabytes per second. The entire industry has changed."
Thanks to software that can detect cyber threats and turn away incoming traffic that bears the marks of someone who seems bent on doing harm, banks are generally able to prevent the volleys directed at them from engulfing their websites completely, according to Ostertag. When attackers do manage to overcome banks' cyber defenses, the interruptions that ensue endure for a brief time given the duration and intensity of the assault.
"From reports we get every day and how many attacks occur and how long they last, and compared with the time customers can't get through to their banks, the world is doing a great job," Ostertag says.
But sometimes, the fury of an assault overpowers a bank's cyber defenses. "The attackers obviously have someone who's put a lot of money into infrastructure and these guys have the capability to launch attacks like the world has never seen before," Ostertag says.
Building fortifications that can rebuff the attacks and eliminate outages completely will demand defenses that can account for the evolving nature of the threat. As Ostertag notes, "If you morph and change the attack enough, it will be difficult to keep up."
Attackers who earlier sprayed banks' networks with massive amounts of data now target specific Web pages, such as a help page or log-in page, which they might hit 20 million times a minute, according to Avivah Litan, an analyst with Gartner Research.
One challenge for banks lies in being able to develop software that can distinguish more precisely between friendly and hostile traffic. Security systems currently in use tend to assume that companies will identify the threat and then control for it.
"It's not a behavior-based system; it's signature based," says Litan, who argues that the systems themselves need to get smarter. "The [denial-of-service] systems are not as sophisticated as the models banks use for underwriting or fraud detection, but you can't build those models overnight."
Ostertag says that Verizon and other network operators have been able to attenuate attacks by redirecting traffic the operators identify as pernicious.
"We have a lot of insight into what's going on, on your network," says Ostertag, who declined to discuss where the denial-of-service traffic that passes through Verizon's network originates because he says the information is classified.
Litan says the group behind the attacks is believed to consist of roughly 25 people, although she cautions that nobody knows with certainty the number of attackers or who sponsors them.
According to Litan, some investigators have matched computer code used in the denial-of-service attacks to code used in a January 2012 cyberattack on Israel's Tel Aviv stock exchange and the airline El Al, although she adds that the attackers may be different people. In November, the al-Qassam Cyber Fighters disavowed any connection to those incidents or to the Iranian government, which U.S. officials have accused of sponsoring the group.
In the meantime, banks will continue to work to catch up with the cleverness of their denial-of-service cyber attackers.
"It's not hopeless, but it doesn't look good for the next few months," Litan says. "There's a lot of programming that needs to be done."