This month, some of America's largest banks became the targets of hackers -- but should we be concerned?
Since Sept. 19, the websites for Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank have all been hit by denial of service (DoS) attacks. This common online attack directs vast amounts of traffic to a website, causing it to overload and either preventing normal users from accessing it entirely or slowing it down to the point of being unusable. To bring down large websites, attackers may use botnets to flood a site with requests at the same time.
The wave of attacks resulted in banking customers being denied access to online services, including Internet banking. While DoS attacks are little more than a nuisance -- only denying service rights rather than stealing any information -- this is likely to upset customers, who not only have to deal with the inconvenience but may not understand the differences between different forms of attack.
Dmitri Alperovitch, co-founder of security firm CrowdStrike, told CNN:
"The volume of traffic sent to these sites is frankly unprecedented. It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack."
This is the interesting part. It suggests that those behind the attacks must have thousands of sophisticated application servers to pull off the DoS stint that sent the banks down in such a public fashion. Careful planning and the creation of a botnet were necessary -- and home PCs would never be up to the challenge.
It was anger over the film trailer "The Innocence of Muslims" -- hosted on YouTube but restricted for users in Egypt and Libya, and depicting Prophet Mohammed as a philanderer who approves of child sexual abuse -- that apparently caused the wave of service denial.
A group calling themselves the Izz ad-Din al-Qassam Cyber Fighters -- a reference to a Muslim holy figure who fought against European forces in the 1920s and 1930s -- took responsibility for the attacks in what they call "Operation Ababil".
However, as CNN reports, it may be that the group is simply jumping on the attacks to promote its protest, as attacks seemed "less coordinated" in the past. Instead, Sen. Joe Lieberman placed the blame on Iran, citing "the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions" as the cause. This may make more sense, as the volume of traffic may have needed state backing to pull off.
Politics or protesters, banks are attractive to cyberattackers, and usually have systems in place to defend against intrusion. DoS may be annoying but is not dangerous, and does not affect anything more than a website -- ATMs remain operational and no data is stolen. However, it no doubt costs banks financially when customers cannot complete transactions.
It seems that targeting institutions online, from banks to governments and universities, may be part of a growing trend. Simple attacks -- which need planning but no sophisticated skill -- are likely to be a major part of this change. After 2010's Arab Spring movement, it's no surprise that protest has moved beyond simply taking to the streets: using social media to communicate has evolved into the use of simple attacks to raise global attention.
'Hacktivist' groups -- from Anonymous to the Izz ad-Din al-Qassam Cyber Fighters -- often try to rally others to assist in an attack by spreading links and tools. The former uses Twitter to promote its achievements, whereas the latter invites others to join the cause through an online blog and timetable.
If a tool is easy to use, more campaigners may be tempted to get involved. The less knowledge and skill a tool requires, the more accessible it is. If hacking tools become as easy as a simple download or clicking a link, what does this mean when the general public are affected by issues on the global stage?
Technology evolves. It becomes more sophisticated, easier to use, and gains more refined features in every industry. Apply this to cyberwarfare, and perhaps common, simple attacks like DoS will eventually evolve into something far more dangerous to the general public -- but just as quick to implement. Of course, more sophisticated attacks -- including state-sponsored Flame -- exist, but take skill and knowledge to control.
It is the moment when large, unskilled groups of attackers -- for a protest or simply the lulz -- gain powerful, simple-to-use tools that should be on the minds of those in the financial industry.
For now, your bank accounts are safe enough. However, if major institutions cannot block what is little more than the prank pizza delivery of the hacking world, it leaves space enough to wonder what part new, powerful and easily accessible infiltration tools will play in the future of cybersecurity.