The headline on the memo from the Comptroller of the Currency succinctly deliversthe chilling news: “Information Security: Distributed Denial ofService Attacks and Customer Account Fraud.”
|Issued a few days before Christmas, the warning bluntly said:“Fraudsters…use DDoS attacks to distract bank personnel andtechnical resources while they gain unauthorized remote access to acustomer's account and commit fraud through Automated ClearingHouse (ACH) and wire transfers (account takeover). In thisscenario, the DDoS can occur immediately before, during, or afterthe attack. DDoS attacks also have been used to deny bank customersthe opportunity to report suspected fraud and to block the banks'customer-alert communications.”
|Meantime, the DDoS victims list grows. A December warning,posted on hacker hangout Pastebin, said more DDoS attackswould come and right after Christmas Citigroup suffered site interruptions attributable to DDoS.
|“Many of our clients have been under continuing attack for thelast three weeks,” said Scott Hammack, CEO of Prolexic, a providerof DDoS defenses to many top financial institutions. “This iswar.”
|“Whoever is doing this is not concerned about covering theirtracks,” added Hammack. “This is a brute force attack.”
|DDoS is an attack that revolves around literally flooding atarget with more data than it can handle. Meaningless requestsdrown out legitimate traffic and cyber gridlock takes hold,Although many recent attacks have been claimed by Islamic activistgroups, it is unclear who is in fact responsible.
|Many large financial institutions – such as Wells Fargo, Bank ofAmerica, PNC and SunTrust – have been reported to be victims. Up until now, however, it had been widely believedthat DDoS was essentially a nuisance, that it involved no theft ofmoney.
|The Comptroller of the Currency memo dealt a new, worrisome handin the ongoing DDoS war games.
|In a recent blog post, Rich Bolstridge, chief strategist for financial servicesat network traffic cop Akamai, wrote that banks at a recentAkamai-sponsored event in London were aflutter about what theyindicated was use of DDoS to mask fraudulent money movement.
|In an email to me, Bolstridge wrote: “Some of the banks haveconfirmed that they have experienced DDoS attacks used inconjunction with fraudulent money movement. “ He declined to namenames, pointing out that conference participants were promisedanonymity,
|Experts are on record that credit unions – which so far may have dodged theDDoS bullet – may not be so lucky in 2013. There is growingconviction that every institution needs a strategy for dealing with a DDoS attack. This no longer can bepresumed to be a problem only for the biggest financialinstitutions.
|The 2013 strategy is: Be prepared for DDoS because it may becoming your way.
Complete your profile to continue reading and get FREE access to CUTimes.com, part of your ALM digital membership.
Your access to unlimited CUTimes.com content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Critical CUTimes.com information including comprehensive product and service provider listings via the Marketplace Directory, CU Careers, resources from industry leaders, webcasts, and breaking news, analysis and more with our informative Newsletters.
- Exclusive discounts on ALM and CU Times events.
- Access to other award-winning ALM websites including Law.com and GlobeSt.com.
Already have an account? Sign In
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
