The DDoS threat keeps growing. Third-party experts and credit union executives—primarily speaking anonymously on the subject—said most credit unions have done nothing to protect themselves against the takedown threat, which has been increasingly linked with theft of funds at financial institutions.

“They are remarkably naive,” said an expert, who asked to remain anonymous, of credit unions.

Added a senior engineer at a Northeast credit union with more than $500 million in assets, who also requested anonymity, “We haven't had any outages and we haven't installed any new defenses.”

Two things have happened in the past year that may change how credit union executives view DDoS.

The first is that the money center banks have improved their ability to fend off DDoS attacks, contracting with third-party mitigation vendors that make their sites difficult to take offline. That means DDoS attackers may shift their focus to easier targets, experts said.

The other fact: two researchers, Gartner analyst Avivah Litan and security blogger Brian Krebs, have reported on cases where DDoS has been used as a distraction to help criminals loot bank accounts while financial institution security staff are mired in fighting off DDoS.

Those thefts may be game changers.

Initially, many credit union executives shrugged off DDoS as an annoyance, not entirely different from boisterous midsummer thunderstorms that might knock out power for an hour or two.

“DDoS had simply been an inconvenience. The scary trend is that DDoS is used in association with other attacks, as IT scrambles to defend against DDoS,” said Tim Clouse, vice president of information technology at Advantis, a $1 billion credit union in Milwaukie, Ore.

Some of the largest credit unions have signed on with so-called DDoS mitigation providers used by large banks.

An information technology vice president at one of the nation's largest credit unions said, “We still haven't seen anything like a DDoS. We've got a contract with a large mitigation provider.”

The executive, who also requested anonymity, said he feels his institution is well protected, at least against the DDoS attacks that are known to have occurred.

However, that's the exception. Mitigation contracts can cost $100,000 or more annually, said sources, and for many credit unions that is a budget stretch.

So, credit unions are looking at alternatives. One option is asking vendors to build DDoS mitigation into the services they provide, particularly online banking and Internet access.

A chief information officer at a midsized Western credit union said his institution looks to vendors for DDoS defenses, but those vendors have themselves suffered outages.

“We haven't had any DDoS attacks. Our service providers for online banking (both consumer and business) have been attacked, but the interruptions were fairly short in both instances,” said the executive, who also requested anonymity.

A vice president at a large Northwestern credit union said his institution relies on its online banking provider to handle DDoS mitigation. The results, so far, have been acceptable.

The executive elaborated: “They have DDoS mitigation processes in place. They have done this for us for two years. It's been successful. We have occasionally seen performance loss—we have had a few attacks—but overall, our site has remained accessible.”

Hugh Smallwood, chief technology officer at the Hagerstown, Md., CUSO Ongoing Operations, predicted that within 12 to 18 months, the largest carriers and service providers—think companies like AT&T and TimeWarner—will routinely build DDoS mitigation into their services.

Relying on vendors to secure critical systems may not be a cure-all, however.

The director of IT at a large Northeast credit union, who requested anonymity because he isn't authorized to discuss his credit union's defenses, said he didn't like his Internet banking provider's answer when he asked about their DDoS defenses.

“Their response basically pooh-poohed my concerns, and their tone was fairly dismissive,” he said. “Then they were attacked.”

Just about every credit union that has online banking and a web presence now needs DDoS defenses, experts say.

“We will see more DDoS and we will see more from al Qassam,” Smallwood said. “It may be in two months, it may be in 12. But know it will come again and credit unions need to be prepared.”
