GLENDALE, Calif. - Clearpath FCU here is working to recreate its website after a Distributed Denial of Service (DDoS) attack took it down. The attack was not part of the much-rumored wave of interruptions that had threatened to take place on May 7.
"It happened about two weeks ago," said Clearpath FCU's EVP/CFO John Lee. "We were surprised because we are not a big financial institution by any means."
The $78-million Clearpath FCU is not alone. Patelco CU and University (of Texas) FCU are also recent victims. "We haven't been contacted by any federal or state agencies, but we did file a report with our local officials here in Glendale," said Lee.
While no credit union or member data was compromised, the affected website was shut down once the hosting company realized that an attack had occurred. Until the host contacted Clearpath FCU, Lee was unaware of the attack. He learned the attackers, yet to be identified, were using Clearpath's URL to attack other websites.
A temporary website, which reads "website under construction," is providing members with links to various services. These include online banking or bill pay, loan applications, ATM locator and shared branch locator. After clicking through, members are directed to a secured log-in page.
"We have about 3,500 online banking members and roughly 700 bill pay users," said Lee of the 11,000-member credit union. "They are still able to do all their banking as usual; the website just looks different as we look to rebuild."
Lee said he doesn't know yet why his credit union was attacked, but it has discovered what made it vulnerable. "We hadn't upgraded the encryption software to the latest version. Updating won't prevent all attacks but it will certainly limit the ability to get attacked."
Dodging DDoS Bullets
Mike Saylor, vice president of Information Technology for the Texas Credit Union League, said when it comes to DDoS attacks, no organization is 100% safe. "There are no silver bullets here just like no one can prevent breaches unless you effectively unplug and go offline. Dealing with the risk is typically done by investing in multiple technologies and staff, as well as formalizing a plan of action beforehand" (see related story, page 1).
Saylor explained that a DDoS platform is typically left out of incident response plans because many DDoS attacks do not involve actual network breaches. "Your organization may not be the target but it may be used as a proxy for DDoS attacks on other organizations. Having proper network awareness and monitoring tools are also very useful when detecting these attacks."
Lee noted that there is a silver lining to the otherwise unfortunate event.
"We were planning on upgrading our website at some point; now we are forced to, which is a good thing."
The new website that will launch in three to four months will be secure and encrypted to prevent future attacks. "It's their job," Lee said of the DDoS attack community. "They are obviously very professional at what they do."
Saylor encourages credit unions to create an incident response plan, including steps to deal with a DDoS attack scenario. "If an attack is being performed and you are currently down, third party on-demand DDoS handling services are available and can quickly respond, at a cost," he said. "You may also get help from your ISP and have special filtering or re-routing done at the upstream connections."