The headline on the memo from the Comptroller of the Currency succinctly delivers the chilling news: “Information Security: Distributed Denial of Service Attacks and Customer Account Fraud.”
Issued a few days before Christmas, the warning bluntly said: “Fraudsters...use DDoS attacks to distract bank personnel and technical resources while they gain unauthorized remote access to a customer’s account and commit fraud through Automated Clearing House (ACH) and wire transfers (account takeover). In this scenario, the DDoS can occur immediately before, during, or after the attack. DDoS attacks also have been used to deny bank customers the opportunity to report suspected fraud and to block the banks’ customer-alert communications.”
Meantime, the DDoS victims list grows. A December warning, posted on hacker hangout Pastebin, said more DDoS attacks would come and right after Christmas Citigroup suffered site interruptions attributable to DDoS.
“Many of our clients have been under continuing attack for the last three weeks,” said Scott Hammack, CEO of Prolexic, a provider of DDoS defenses to many top financial institutions. “This is war.”
“Whoever is doing this is not concerned about covering their tracks,” added Hammack. “This is a brute force attack.”
DDoS is an attack that revolves around literally flooding a target with more data than it can handle. Meaningless requests drown out legitimate traffic and cyber gridlock takes hold, Although many recent attacks have been claimed by Islamic activist groups, it is unclear who is in fact responsible.
Many large financial institutions – such as Wells Fargo, Bank of America, PNC and SunTrust – have been reported to be victims. Up until now, however, it had been widely believed that DDoS was essentially a nuisance, that it involved no theft of money.
The Comptroller of the Currency memo dealt a new, worrisome hand in the ongoing DDoS war games.
In a recent blog post, Rich Bolstridge, chief strategist for financial services at network traffic cop Akamai, wrote that banks at a recent Akamai-sponsored event in London were aflutter about what they indicated was use of DDoS to mask fraudulent money movement.
In an email to me, Bolstridge wrote: “Some of the banks have confirmed that they have experienced DDoS attacks used in conjunction with fraudulent money movement. “ He declined to name names, pointing out that conference participants were promised anonymity,
Experts are on record that credit unions – which so far may have dodged the DDoS bullet – may not be so lucky in 2013. There is growing conviction that every institution needs a strategy for dealing with a DDoS attack. This no longer can be presumed to be a problem only for the biggest financial institutions.
The 2013 strategy is: Be prepared for DDoS because it may be coming your way.