Banks' Improved Security Defenses Disarm Cyber Attackers
A hacktivist group that calls itself the Izz ad-Din al-Qassam Cyber Fighters is threatening a new wave of DDoS attacks on banks, but security experts believe their tactics to be more nuisance than menace.
July 25
The latest cyberattacks launched by the Al Qassam Cyber Fighters, the group that has taken credit for most of the devastating distributed-denial-of-service attacks on banks that began last fall, have been for the most part deflected by banks this time around.
This fourth round of attacks, threatened by the Al Qassam hacktivist group on Pastebin July 23 ("Well, misters! The break's over and it's now time to pay off," the group wrote), is said to have targeted four banks, including Regions Bank and JPMorgan Chase.
In distributed-denial-of-service attacks, attackers send streams of malicious traffic to a website in the hopes of disabling it, making it impossible for customers to access their online banking information and inflicting considerable reputational damage on the bank.
Only Regions has confirmed it was hit, and only for two hours.
For the most part, the latest phase of Al Qassam's Operation Ababil, which the group says it's perpetrating to pressure the U.S. to take down an anti-Muslim video on YouTube, has failed because banks have stepped up their defenses, observers say.
"The sector has done a really good job of responding," says William Nelson, president and CEO of the Financial Services Information Sharing and Analysis Center. "We updated our risk mitigation best practices for the fourth time a few weeks ago, and the industry is very well prepared." He would not share specifics of security measures FS-ISAC's bank members have put in place, so as not to give attackers the ability to adjust their attack. "Your publication is very well read and quoted by the cyberhacktivists," he notes.
One thing bankers have gotten better at is sharing information about threats. "They've banded together and done a really good job addressing this and giving it attention," Nelson says.
Financial institutions have learned much since the DDoS attacks began last September.
"Banks are better prepared because they learned key lessons from prior attacks, increased their investment in this area, and both the banks and their vendors have improved their capability," notes Tom Sanzone, executive vice president at Booz Allen Hamilton.
Fresh technology investment appears to be helping banks detect and mitigate DDoS attacks.
"Banks are getting more coordinated, they're using third party services, they've got application layer protection they didn't have months ago, so it's much easier for them to spot DDoS incidents," says Avivah Litan, vice president at Gartner Research. "But it did take a lot of work and coordination to get to that point."
Litan believes that now that they've gotten better at handling straight DDoS attacks aimed at simply taking down a website, banks need to worry about a different set of cybercriminals that are beginning to use DDoS attacks as a way to distract the attention of a bank's information security staff while they commit other types of cyber crime, such as wire transfer fraud. "I've heard about a few of those cases," she says. In one, criminals were able to take over a bank's payment switch and use it to wire money out, causing considerable damage at three banks. "I think that's more troublesome," she says.
"The moral of the story is DDoS has become a major weapon against banks, either just for annoyance purposes, for political purposes or to deflect attention while fraud is committed," she says. "They need to have their fraud systems talking to their DDoS mitigation systems." Then they might, for instance, require stronger authentication before permitting wire transfers.
"Banks are going to make their systems smarter," Litan says. "They know they're under attack."