What do cyberattacks mean for the banking industry?

What do cyberattacks mean for the banking industry?

Summary: Financial institutions are a constant target for cybercrime -- but how safe is your money?

TOPICS: Security

This month, some of America's largest banks became the targets of hackers -- but should we be concerned?

Since Sept 19, the websites for the Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank have all been hit by denial of service (DoS) attacks. This common online attack directs vast amounts of traffic to a website, causing it to overload and deny normal users from accessing a website entirely -- or slowing it down to the point of being unusable. To bring down large websites, attackers may use botnets to flood a site with requests at the same time.

The wave of attacks resulted in banking customers being denied access to online services, including Internet banking. While DoS attacks are little more than a nuisance -- only denying service rights rather than stealing any information -- this is likely to upset customers, who not only have to deal with the inconvenience but may not understand the differences between different forms of attack.

Dmitri Alperovitch, co-founder of security firm CrowdStrike, told CNN:

"The volume of traffic sent to these sites is frankly unprecedented. It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack."

This is the interesting part. It suggests that those behind the attacks must have thousands of sophisticated application servers to pull off the DoS stint that sent the banks down in such a public fashion. Careful planning and the creation of a botnet was necessary -- and home PCs would never be up to the challenge.

It was anger over film trailer "The Innocence of Muslims" -- hosted on YouTube but restricted for users in Egypt and Libya -- which depicts Prophet Mohammed as a philanderer who approves of child sexual abuse -- that apparent caused the wave of service denial.

A group calling themselves the Izz ad-Din al-Qassam Cyber Fighters -- a reference to a Muslim holy figure who fought against European forces in the 1920s and 1930s -- took responsibility for the attacks in what they call "Operation Ababil".


However, as CNN reports, it may be that the group is simply jumping on the attacks to promote their protest, as attacks seemed "less coordinated" in the past. Instead, Sen. Joe Lieberman placed the blame on Iran, citing "the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions" as the cause. This may make more sense, as the volume of traffic may have needed state-backing to pull off.

Politics or protesters, banks are attractive to cyberattackers, and usually have systems in place to defend against intrusion. DoS may be annoying but is not dangerous, and does not affect anything more than a website -- ATMs remain operational and no data is stolen. However, it no doubt costs banks financially when customers cannot complete transactions.

It seems that targeting institutions online, from banks to governments and universities, may be part of a growing trend. Simple attacks -- which need planning but no sophisticated skill -- are likely to be a major part of this change. Rather than simply taking to the streets to protest, after 2010's Arab Spring movement, it's no surprise that using social media to communicate has evolved into the use of simple attacks to raise global attention. 

Instead, 'hacktivist' groups often try to rally others to assist in an attack -- from Anonymous to the Izz ad-Din al-Qassam Cyber Fighters -- through spreading links and tools. The former uses Twitter to promote their achievements, whereas the latter invites others to join the cause through an online blog and timetable.

If a tool is easy to use, more campaigners may be tempted to get involved. The less knowledge and skill a system needs to be used, the more accessible it is. If hacking tools become as easy as a simple download or clicking a link, what does this mean when the general public are affected by issues on the global stage?

Technology evolves. It becomes more sophisticated, easier to use, and gains more refined features in every industry. Apply this to cyberwarfare, and perhaps common, simple attacks like DoS will eventually evolve into something far more dangerous to the general public -- but just as quick to implement. Of course, more sophisticated attacks -- including state-sponsored Flame -- exist, but take skill and knowledge to control.

It is the time that unskilled, large groups of attackers -- for a protest or simply the lulz -- gain powerful, simple-to-use tools which should be on the minds of those in the financial industry.

For now, your bank accounts are safe enough. However, if major institutions cannot block what is little more than the prank pizza delivery of the hacking world, it leaves space enough to wonder what part new, powerful and easily accessible infiltration tools will play in the future of cybersecurity.

Topic: Security

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • What I find most interesting about this frenzy

    "which depicts Prophet Mohammed as a philanderer who approves of child sexual abuse"

    None of these people have actually tried to provide any evidence that Mohammed WASN'T like this. There is plenty of historical evidence that he actually did act this way. In his defense, this was very much acceptable in his time so I don't think we can hold it TOO much against him but still, I find it interesting that the anger is "you can't say that" instead of "but that isn't true".
    • Wonder how bible-toting Christians would take

      to Jesus of Nazareth if a movie were made emphasizing him as the inspiration and driving force behind the Inquisition and Crusades? [*Oh wait*]

      Or maybe one about his allegedly clandestine affair with that wayward woman cum prostitute we all endearingly know as Mary Magdalene? Or was Pope Gregory whistling in the dark?

      Imagine all the saucy details and suggestive images that could be conjured up by depicting the seven devils within her. Can't wait for atheistic and porn-loving Hollywood to get theirs heads wrapped around that celestial (ok, gyrating) concept!
      • You SERIOUSLY want to compare?

        "Wonder how bible-toting Christians would take
        to Jesus of Nazareth if a movie were made emphasizing him as the inspiration and driving force behind the Inquisition and Crusades? [*Oh wait*]"

        We don't even have to guess:

        # of deaths: 0

        The magnitude and viciousness of the response from those bible-toting Christians simply cannot be compared to the reaction from koran-toting Muslims.

        Christians by and large put up with a lot of "attacks" on their religion and don't generally go on murderous rampages in response to each and every slight.

        And no, I'm not religious and certainly not Christian. And yes, Christians have done horrible things in the past, just like Jews and Muslims and Sikhs and Hindus and probably even Buddhists. When talking TODAY however, there can be no comparison.
      • Not that you dont make a few fair minded points BUT...

        We've become so apathetic and indifferent (read: comfortably numb, to quote from a popular rock outfit) about everything thrust in our faces in the west at this point that this even matters? Are you implying our indifference and shallow "sophistication" (oh that's a caveman's laugh) should be held out to be commendable, or somehow meritorious? Ask how much piss can you stand?

        If you won't fight for your heroes or saviors, let alone your own wretched soul, who will you fight for?

        I'm not sure who's become more nuts and haywire, the religious zealots in the Middle East, or the impotent and deflated populations of the west who are methodically beaten down and poison injected like whores in drug-induced states. Even those who pride themselves on being their "own persons" are basically led around by their collars with hardly a yelp of protest, let alone an original thought.

        If not, they'd save their forlorn and utterly neglected country and souls -- not from the devil, but from Pied Pipers who continually sell their futures down the river for mere chump change, with seeming impunity. Will the day ever come when commoners once again rise up and lash back, like our colonial forbears did, when the increasing stranglehold and sell-out is called for exactly what it's worth?

        GOD KNOWS
  • DoS Attacks Can Cost Consumers Money

    While I agree that DoS banking attacks do not, in and of themselves, compromise the security of individual bank accounts, they have tremendous potential to cost consumers money. Credit card companies, other creditors and retailers have become a lot more draconian regarding how and when payments are credited to an account. Payments are automatically regarded as late if they are not considered "received" by a certain date (and in many cases a certain time) and many issuers do not credit payments made on weekends or holidays until the next business day (which could cause a payment to be regarded as late and subject to a late charge).

    What if a consumer needed to transfer money to fund a payment to a creditor that is due on a certain day that a DoS was taking place? The consumer wants to transfer money from savings to checking to finance the payment, but can't, because of the DoS. (Of course, the consumer probably has no idea that a DoS is occurring, the person only knows that a fund transfer can't be made when it needs to be made.)

    If the consumer doesn't make the credit payment on the due date, he or she will likely get hit with a late payment charge. If the consumer makes the payment on the due date without sufficient funds in the account, the person could get socked with an overdraft or returned payment charge. The consumer is also likely to get a notation on his or her record with the credit issuer that a payment authorization could not be processed because it had to be returned.

    One could argue that if the DoS blocked the consumer, it would also block any attempt by a credit issuer to submit a payment request to the bank. But it is also possible that the DoS that affected the consumer may not affect the creditor's request for payment - maybe the DoS abated when the creditor's payment request was made, or maybe the creditor used a different network system that was not included in the DoS attack, so, as far as the creditor was concerned, an authorization to withdraw funds from the consumer account was bounced back and the consumer is not only late with the payment, but now owes late charges.

    Some or all of this problematic scenario might be avoided if the consumer has good standing with the creditor and can successfully make a personal appeal to the creditor to accept the payment, although late, and to forgive the late charge. But time is money, too. In any case, DoS attacks on banks are not only bad news for banks, they are bad news for everyone in the financial food chain - right down to the consumer who only wants to get his/her payment to a creditor on time.
    • great money indeed=if banks also uses DoS wisely

      just imagine 100million credit cards in which 10million got late fee penalized due to their payment did not get through that day of DoS or they were not able to do the payment on that DoS day because bank is down ! easy one hundred million dollars money. and even banks get the profit, and could alibi and even support DoS attacks .

      we know that some companies or groups =gains when some company looses due to what ever attacks. think of competitor , ill just pay hackers to pull competitors down and im the lone OR few standing to give the service.

      without support, these attackers wont really thrive.

      lets rethink.
      • Payments...

        should not be made on the day they are due. Every bank has a payment feature that allows the payment to be setup and then paid on a specific date. If folks are late because they can't access their bank on a given day, they aren't using their head or the banking system as they should. The Fed was not down and the banks were able to conduct their business through the Fed even though their sites were greatly affected.

        So payments flowed if they were wisely setup by consumers.
  • Hey, let's go after Iran! - the newest twist on "WMD"

    From the article: "Instead, Sen. Joe Lieberman placed the blame on Iran, citing "the increasingly strong economic sanctions that the United States and our European allies have put on Iranian financial institutions" as the cause."

    Wonder what provocative statements Lieberman has to offer regarding the Stuxnet computer worm which the US GOV, and its master Israel, co-created and then lost control of, when it was targeted and unleashed against Iran, first with Dubya and then O'bam-bam's covert authorization. Was that not done with nation-state support Mr. Lieberman? To wit, our own?

    Or are intelligence operations, when led by the Israeli IDF arm or spearheaded by Unit 8200 (all supported and indeed enabled by ceaseless federal funding at US taxpayer expense), perfectly kosher?