The cyberattacks against Bank of America (BAC), JPMorgan Chase (JPM), Wells Fargo (WFS), PNC (PNC) and U.S. Bancorp (USB) in the past week and a half may not have been sophisticated, but they are wreaking havoc among their victims.
"I hate to sound like sensationalist, but it sounds like the financial Armageddon we're all waiting for," says Avivah Litan, vice president and distinguished analyst at Gartner Research. The cyberhacktivists "have overwhelmed the pipe bandwidth, so there's nothing anyone can do unless they can find the end points that are launching the attacks." Litan's sources say the denial-of-service attacks are being flung from about 3,000 computer end points and are averaging to be 100-gigabyte attacks."
"They're flooding bank sites and bank networks," Litan says. "Usually denial-of-service attacks max out at 60-70 megabits. There's nothing banks can do; it's a bandwidth issue for [network providers like] Verizon and AT&T. Even if Verizon increased their bandwidth to 500 gigabits, attackers would up it" and overwhelm the provider's capacity.
Another interesting fact Litan learned this morning is that the attackers write to each other in English. "My sources in the network business don't think it's an Iranian group or a foreign group. No one knows who it is." The group that has taken credit for the recent spate of attacks, "Cyberfighters of Izz ad-din Al qassam" has said in its messages on a website called PasteBin that it was protesting the YouTube movie "Innocence of Muslims," and insisting that it would continue its attacks until the video was "erased."
However, except for PNC, the attacks on banks appear to have stopped.
Another unknown is whether or not fraud has occurred during the denial-of-service attacks. "If the fraud prevention people don't have a separate pipe into the system, they can't access them, either," Litan points out.
The attacks are also causing damage to consumer perception among customers who expect their bank to be always on and always available.
In a denial-of-service attack, a number of people, a botnet or a group of botnets click on a website repeatedly so quickly and on such a scale that no one else can get through. It's a lot like a traffic jam on a throughway — the sheer volume of cars on the road prevents each car from going at a normal speed. Another, perhaps more apt analogy is that it's like having a group of protesters in a bank's lobby preventing customers from coming in.
On the spectrum of security threats and how scary and destructive they can be, denial-of-service attacks are usually relatively mild. No one is breaking into anything, no one is stealing account information or money, nothing is being improperly accessed. The computers that do the real work of processing payments, loans and balance transfers are not affected. But the scale of the recent attacks could lead to serious problems.
"These people may not know how to take over a bank account, but they certainly could figure it out quickly," Litan says. "It's a classic technique that's been used against banks, to distract their attention and then take money out of accounts. That's been going on for at least a year and a half."
Stopping a denial-of-service attack is difficult, Litan says. It's hard to pinpoint the source; intrusion detection systems typically produce a lot of false positives. "If you get 100 alerts and only three are meaningful, how do you know which three are meaningful?" she says. "You need a more intelligent system that doesn't have such a high false positive rate, that's automated and blocks bad transactions with confidence. You don't want to stop people from going to your website."
The technology that truly can help prevent denial-of-service attacks, in Litan's view, is network forensic tools. "Banks need a smarter and deeper intrusion prevention system, so they can see all the layers in the stack and they can see where the attack is coming from. They need deeper visibility into the traffic."
Another technology that could help soften the impact of such attacks is content distribution networks, according to Jon Ramsey, chief technology officer of Dell SecureWorks. Such systems, which are often cloud-based, maintain website content over many distributed servers and direct the content to users based on proximity.
Banks should also be more aware and better prepared, Ramsey notes. "One of the things about the way cyberhacktivists work today is they will advertise they're going to do denial-of-service attacks," he says. "If you know where to look, you can get some indication and warning. In some cases you can even get the attack pool they're going to use so that you can be prepared and muster the troops. You need to have a game plan around, how do I best mitigate it? Do I use content distribution networks, do I use an anti-DDOS cleaning service, do I degrade the capability of my website, do I not make it as image rich so it doesn't do much damage if it's a DOS attack? There are a lot of things you can do to prepare."