- Wells Fargo (WFC) on Thursday endured the second cyberattack the company has acknowledged in as many weeks. (April 4)
- A group that has claimed responsibility for a flood of cyberattacks on the nation's biggest banks says it was behind an assault last week on the website of American Express (AXP) that left customers of the credit card giant unable to log in to their accounts. (April 2)
- Though JPMorgan Chase and BB&T are the only big banks to confirm a denial of service attack on Tuesday, roughly a half dozen institutions endured digital assaults at around the same time, according to the security firm Radware. (March 13)
Thursday's
In all, at least 13 of the nation's biggest banks have watched their websites bog down since September under similar barrages, with several institutions being assailed repeatedly.
Hacktivists who call themselves the al-Qassam Cyber Fighters have claimed responsibility for the incursions, which the group
Why can't the targeted institutions, some of which have extremely sophisticated technology, defend themselves against the onslaught?
The main answer, as we've noted in many previous articles, lies in the
"Twelve months ago, the maximum protection for a major financial institution was 10 gigabytes per second," says Dave Ostertag, a global investigation manager with Verizon. "Now we're averaging 40 to 50 gigabytes per second. The entire industry has changed."
Thanks to software that can detect cyber threats and turn away incoming traffic that bears the marks of someone who seems bent on doing harm, banks are generally able to prevent the volleys directed at them from engulfing their websites completely, according to Ostertag. When attackers do manage to overcome banks' cyber defenses, the interruptions that ensue endure for a brief time compared with the duration and intensity of the assault.
"From reports we get every day and how many attacks occur and how long they last, and compared with the time customers can't get through to their banks, the world is doing a great job," Ostertag adds.
Other times, however, the fury of the assault overpowers a bank's cyber defenses. "The attackers obviously have someone who's put a lot of money into infrastructure and these guys have the capability to launch attacks like the world has never seen before," says Ostertag.
Building fortifications that can rebuff attacks and eliminate outages completely will demand defenses that can account for the evolving nature of the threat. "If you morph and change the attack enough it will be difficult to keep up," Ostertag added.
Attackers who earlier sprayed banks' networks with massive amounts of data now target specific web pages, such as a help page or login page, which they might hit 20 million times a minute, according to Avivah Litan, an analyst with Gartner Research.
One challenge lies in developing software that can distinguish more precisely between friendly and hostile traffic. Security systems currently in use tend to assume that companies will identify the threat and then control for it. "It's not a behavior-based system, it's signature based," said Litan, who adds that systems themselves need to get smarter. "The [denial of service] systems are not as sophisticated as the models banks use for underwriting or fraud detection, but you can't build those models overnight."
Ostertag says that Verizon and other network operators have been able to attenuate attacks by redirecting traffic the operators identify as pernicious. "We have a lot of insight into what's going on, on your network," said Ostertag, who declined to discuss where the denial of service traffic that passes through Verizon's network originates because he said the information is classified.
Litan says the group behind the attacks is believed to consist of roughly 25 people, although she cautions that nobody knows with certainty the number of attackers or who sponsors them. According to Litan, some investigators have matched computer code used in the denial of service attacks to code used in a January 2012 cyberattack on Israel's Tel Aviv stock exchange and El Al, although she adds the attackers may be different people. In November, the al-Qassam Cyber Fighters
In the meantime, banks will continue to catch up. "It's not hopeless, but it doesn't look good for the next few months," Litan said. "There's a lot of programming that needs to be done."