The bland name hides the damage a DDoS can do when it is aimed at a financial institution, and such attacks have become increasingly common: dozens of large banks have recently found their online operations crippled, sometimes for days, by highly skilled cyber-attackers.
DDoS, distributed denial of service, works by overwhelming a designated Web target with traffic sent from many sources at once, in many cases 100 times the normal volume and possibly 1,000 times more. The servers, or the network link in front of them, run out of capacity and stop answering, so legitimate users, members who want to log in to check balances or pay a bill, cannot get through. Usually what they see is a “This site is unavailable” notice, and the site may be down for a few hours, possibly a couple of days.
DDoS has been much in the news lately, as Bank of America, Capital One, PNC, Regions Bank, Key Bank, Zions Bank, and many more have been knocked offline by extremely powerful DDoS attacks claimed by a group known as Izz ad-Din al-Qassam Cyber Fighters. The group is said by some experts to be working under the direction of the Iranian government.
The Iranian involvement is unproven. What is known is that the current attacks are more sophisticated technically than DDoS has historically been, and many cyber experts believe the support of a nation state would be required to reach this level.
Especially worrisome to credit unions is that in the most recent rounds at least two credit unions have been victims. University Federal Credit Union, a $1.5 billion institution in Austin, Texas, acknowledged to Credit Union Times that it was knocked offline for two and a half hours on Jan. 24, and the $3.8 billion Patelco, in Pleasanton, Calif., was also attacked that same day. Its outage lasted around five hours, said Patelco CEO Ken Burns.
Up until the UFCU and Patelco takedowns, most experts had believed that the vast majority of credit unions would not be targeted by the Cyber Fighters, who had a history of targeting money center banks that, when brought down, would trigger headlines in national newspapers.
But the attacks on the two credit unions changed everything. “They are seeking softer targets,” said Rich Bolstridge, a DDoS expert in banking at Cambridge, Mass.-based Internet traffic company Akamai.
The theory is that the big banks had hardened their defenses, buying sophisticated services from companies like Akamai, and the Cyber Fighters’ attacks had been fizzling out. So they branched out into smaller financial institutions, and one consequence was the takedown of a couple of credit unions.
One large worry is that many credit unions have minimal or no defenses against DDoS.
That was underlined in a recently released study of DDoS and banks sponsored by DDoS mitigation firm Corero in Hudson, Mass., which found that only 17% of banks believe they are effective in responding to DDoS, said Corero CEO Marty Meyer. He acknowledged that the survey of some 650 IT managers did not include credit unions, but there is no reason to believe credit unions are more sophisticated at this than their banking counterparts.
DDoS mitigation is not cheap. A multilayer approach is the standard recommendation. The first layer is a mitigation appliance that inspects incoming traffic for the hallmarks of DDoS, such as a single source making far more requests than any human user could, and junks that traffic before it reaches the server and causes disruption. The second layer is an arrangement with Internet access providers, who can help the targeted institution expand its access pipe to accommodate sharply increased traffic; this layer matters because an appliance sitting behind the access link can only sort what that link delivers, and once the link itself is saturated the appliance never sees the traffic it is supposed to drop. With both in place, most financial institutions can weather most DDoS attacks, but that would involve a six-figure investment at a minimum.
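To make the first layer concrete, here is an added example of the kind of sorting an inline mitigation layer does. It is my illustration, not code from the original article and not any vendor's product (Akamai's and Corero's are not shown). It parses constructed web-server log lines in Apache combined format, keeps a per-source sliding window, flags any source that exceeds an assumed limit of 50 requests in 10 seconds, junks that source's later requests, and measures the busiest window against an assumed normal rate so the "100 times normal traffic" figure above can be seen on sample data. The addresses, thresholds, URL and traffic mix are all constructed for the example.

```python
"""Toy inline DDoS triage over web-server log lines (added example).

Two things a mitigation layer looks at:
  1. per-source rate: a source that exceeds MAX_PER_WINDOW requests inside
     any WINDOW_S-second sliding window is flagged, and everything it sends
     after that is junked before it reaches the application server;
  2. aggregate rate: the busiest window is compared with an assumed normal
     rate, which is the "N times normal traffic" figure.
All addresses, thresholds and the traffic mix below are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone
import re

WINDOW_S = 10          # assumed sliding window length, seconds
MAX_PER_WINDOW = 50    # assumed per-source limit; no member clicks this fast
BASELINE_RPS = 1.5     # assumed normal site-wide rate for the sample traffic

# Apache/nginx combined format up to the byte count; referer/agent ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-)'
)


def parse(line):
    """Return (epoch_seconds, ip, path) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z').timestamp()
    return ts, m['ip'], m['path']


def triage(lines, window_s=WINDOW_S, max_per_window=MAX_PER_WINDOW):
    """Sort lines into passed/dropped and report the peak aggregate rate.

    Returns the flagged sources, the lines that would have reached the
    server, the lines junked in front of it, and the highest request count
    seen in any window (all traffic, dropped included, because dropped
    requests still crossed the access link to get here).
    """
    per_src = defaultdict(deque)   # ip -> request times inside its window
    agg = deque()                  # times of every request inside the window
    flagged, passed, dropped = set(), [], []
    peak = 0
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                # unparseable line: not this layer's job
        ts, ip, _path = rec
        agg.append(ts)
        while agg[0] <= ts - window_s:
            agg.popleft()
        peak = max(peak, len(agg))
        if ip in flagged:
            dropped.append(line)    # already known bad: junk it outright
            continue
        q = per_src[ip]
        q.append(ts)
        while q[0] <= ts - window_s:
            q.popleft()
        if len(q) > max_per_window:
            flagged.add(ip)         # crossed the line: this and later dropped
            dropped.append(line)
        else:
            passed.append(line)
    return {'flagged': flagged, 'passed': passed, 'dropped': dropped,
            'peak_window_requests': peak,
            'peak_multiplier': peak / (BASELINE_RPS * window_s)}


def sample_lines():
    """Constructed traffic: three members browsing slowly for a minute, plus
    five bots each sending 20 requests/s for 10 s starting at second 20."""
    base = datetime(2013, 1, 24, 9, 0, 0, tzinfo=timezone.utc)
    events = []
    for i, ip in enumerate(('198.51.100.10', '198.51.100.11', '198.51.100.12')):
        for s in range(0, 60, 2):                      # one request every 2 s
            events.append((s + i * 0.1, ip, '/online-banking/login'))
    for b in range(1, 6):
        for k in range(200):                           # 20 requests/s for 10 s
            events.append((20 + k / 20, f'203.0.113.{b}', '/online-banking/login'))
    events.sort()                                      # log lines arrive in time order
    lines = []
    for off, ip, path in events:
        stamp = (base + timedelta(seconds=off)).strftime('%d/%b/%Y:%H:%M:%S %z')
        lines.append(f'{ip} - - [{stamp}] "GET {path} HTTP/1.1" 200 512')
    return lines


if __name__ == '__main__':
    r = triage(sample_lines())
    print(f"flagged {sorted(r['flagged'])}")
    print(f"passed {len(r['passed'])}, dropped {len(r['dropped'])}, "
          f"peak {r['peak_window_requests']} requests per {WINDOW_S}s "
          f"= {r['peak_multiplier']:.0f}x normal")
```

Run as written, it flags the five bot addresses and junks 750 of the 1,090 requests while letting all 90 member requests through, with the busiest 10-second window at roughly 68 times the assumed normal rate. Every one of those 1,090 requests still had to cross the access link to reach this code; that is why the second layer exists. If the flood is larger than the pipe, a device behind the pipe never gets the chance to sort it.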
“We have absolutely no DDoS protections,” the IT manager at a $750 million credit union on the Eastern seaboard admitted to Credit Union Times on condition of anonymity.
A person at a $350 million credit union in the Southwest said, “We have a firewall,” but, security experts stressed, firewalls were never designed to keep DDoS at bay and they will not succeed.
A spokesman for a multibillion dollar credit union in the Southwest said, “We have not seen a DDoS attack” and, although the institution has signed contracts with bandwidth providers to handle overloads of traffic, it is not clear the institution could cope with the kinds of intense attacks that are now occurring.
The NCUA indicated that it has no statistics on DDoS outages at credit unions. Unless member data were compromised, which rarely would be a feature of a DDoS attack, reporting is not required. Nor does the NCUA presently have DDoS mitigation guidelines in place, although the regulator indicated such guidelines were in the process of formulation.
Does this mean more credit unions can expect to be brought down by DDoS in the coming weeks? Not so fast. In a surprise late-January posting to a site they frequently use to communicate with the world, the Cyber Fighters announced an indefinite “suspension” of their DDoS attacks.
Experts debate the reason behind this move. One theory is that they are re-engineering their attacks and will bring them back against the big banks, said Ken Baylor, a vice president at security analysis firm NSS Labs. His belief is that the diminished results in attacks on major targets prompted a re-think and that the attackers will be back in a few months with newer and better weapons.
Will credit unions again find themselves in the cross hairs? Nobody knows, just as nobody knows if the well publicized Cyber Fighter attacks will spawn a wave of copycat attacks that could involve credit unions.
The advice from many experts is to start preparing to defend against DDoS now, because if it hasn’t hit your institution yet, it may. There is simply no guaranteed immunity anymore. The attacks on UFCU and Patelco, said the experts, underlined that.