Interest in distributed denial of service (DDoS) has spiked in the week since hacktivist group Anonymous made public its intention to hit bank and government websites en masse with such attacks on May 7. And despite early indications the May 7 OpUSA event is meant more to inflict inconvenience, it’s a good reminder of the many risks that banks and credit unions face as they increasingly rely on technology to deliver top-notch financial services to their customers.
The unfortunate reality is that cybercriminals aren’t typically audacious enough to broadcast their intentions to the world well in advance of an attack. Instead banks are left to discover an event such as a DDoS attack while it’s in progress, as customers or employees begin to notice a lag in network services or complain about an online banking outage. At that point, as a number of European banks learned last year, it might be too late to prevent a digital bank robbery, reports Bloomberg Businessweek:
Damaging as the bandwidth-choking attacks were, they were merely smokescreens. Once employees dropped their guard to fight one attack, hackers struck again, exploiting the openings to steal account information and create counterfeit debit cards.
One attack was so fast that, within two hours, $9 million was withdrawn from automated teller machines in 46 cities, according to Francis deSouza, president of products and services for Symantec Corp (SYMC)., the Mountain View, California-based information security company that investigated the incidents.
Larger institutions have borne much of the brunt of these types of attacks in the past few years. And many customers of those big banks have had to deal with prolonged outages or inconsistent service as a result.
Anonymous has published the list of banks and government websites targeted in the May 7 attack. Fair warning. While those institutions brace themselves for a potential event, they should also understand the other potential risks they face, says Tom Hinkel, Safe Systems’ director of compliance. Namely, reputational risk.
“The biggest reputation risk is due to a basic misunderstanding by the public that there is something proactive FIs can do to prevent this,” Hinkel says. “The fact is that there is very little if anything FIs can do to prevent a DDoS attack. Therefore if they are affected, customers may perceive the institution’s controls as being weak because they couldn’t/didn’t prevent it. The only thing they can do — proactively and reactively — is to educate the customer and let them know that, even if they are attacked and the customers are affected, the worst case scenario is website slowness and there is no increased risk to customer information or funds (assuming a multi-vector scenario doesn’t apply).”
Hinkel has recently written in-depth about the cyberattack threats small- to mid-sized institutions face on his blog, The Compliance Guru.
While headlines and, seemingly, the biggest attacks focus on the bigger financial institutions, it doesn’t mean the small banks and credit unions are always going to fly under the radar. Case in point, writes Credit Union Times, a dozen CUs are targeted in the May 7 OpUSA attack. Those 12 institutions have been notified, and the National Credit Union Association is reportedly aware of the threat. Meanwhile, Bank Technology News highlights the ongoing debate about the significance — or lack lack thereof — that these events pose for smaller banks.
RELATED: Best Practices for Malware Removal and Prevention for Your Financial Institution