DDoS Update: Credit Unions in the Crosshairs
One year ago, credit unions personally felt the sting of a well-coordinated DDoS attack as both the $4 billion Patelco Credit Union in Pleasanton, Calif., and the $1.6 billion University Federal Credit Union in Austin, Texas, were knocked offline for hours in January and again in February.
And then there was quiet. Reports of DDoS attacks against credit unions grew scarce.
Among credit union executives, there is a growing sense that credit unions won't be targeted even if DDoS returns as a prominent attack format, said many experts.
“I hope that people aren't letting down their guard. The enemy is complacency,” said Rich Bolstridge, a financial services sector expert with DDoS mitigation firm Akamai. "DDoS remains a devastating attack and it continues to morph, to try to stay ahead of the defenses that especially large companies are putting in place."
In recent weeks, Bitcoin virtual currency exchanges have been slammed with multiple DDoS attacks. In late January, the European Cyber Army took credit for bringing down Bank of America and JPMorgan Chase in DDoS attacks.
Experts also said that, increasingly, DDoS appears to be linked with efforts to steal from financial institutions. In those instances, the DDoS appears to serve as a smokescreen to distract IT staff and enable bogus wire transfers to get processed.
Add it up and, insisted the experts, DDoS remains a potent threat. They also said – although they declined to name names – that in the past year there have been DDoS attacks, some of significant magnitude, against credit unions. However, the attacks were never publicly revealed.
How prepared are credit unions to fight off DDoS?
Kirk Drake, CEO of Ongoing Operations, a Hagerstown, Md., CUSO that sells DDoS mitigation to a number of credit unions, said that his best guess is that perhaps 5% to 10% percent of credit unions have in place adequate defenses were they subjected to a full-on a DDoS attack,
The rest would simply go down if DDoS were aimed at them. And, they would stay down until the attacker called a halt to the attack.
Even worse, said Drake, he is seeing attacks that persist for many days, sometimes weeks.
Akamai's Bolstridge agreed.
“We are continuing to see DDoS attack against our financial services customers. DDoS attacks are not what they were a year ago - they now are more isolated - but they are still happening," he said.
Bolstridge added that, in his view, DDoS attackers “are looking for softer targets. They know the big banks are well defended. Credit unions are largely undefended.”
As for why many credit unions are defenseless, experts said many believe they had safeguards, but often they are wrong. The credit unions believe they already are defended, between their firewalls and also via defenses provided by their Internet Service Providers; but, said experts, those defenses are not adequate to ward off concerted, sophisticated attacks.
Back up a step: Exactly what is DDoS? It means Distributed Denial of Service and, in its early days, it involved flooding a website – say online banking – with vastly more traffic than the site could handle. Responses got sluggish, then they often stopped altogether.
In a next phase of DDoS, the attackers used an organization's own computers against itself, by flooding the site with low bandwidth requests for high bandwidth responses; say, requesting password resets for non-existent accounts, or perhaps requests for large PDF files. Either way, the servers exhausted themselves dealing with nonsense.
Read more: DDoS attackers can include disgruntled employees and members ...
As for who the DDoS players are, experts said that generally they divide into three groups: Hacktivists (people pursuing causes, usually political); disgruntled ex-employees and perhaps also some current employees; and, unhappy members (perhaps turned down for a car loan, or hit with an NSF they dispute).
Credit unions, especially smaller ones, may also face special threats from criminals, said Oscar Wai, a senior product manager at networking and security company Barracuda Networks.
"Larger financial institutions may be targeted by hacktivists or global players, while smaller financial institutions and credit unions will be targeted more by criminal gangs, more often than not being victims of opportunity rather than specifically targeted. Criminals follow the money and focus on loosely defended targets, which make smaller financial institutions and credit unions likely targets for the foreseeable future," Wai said.
Added Paul Scanlon, a DDoS expert at Juniper Networks, “With larger banks putting adequate DDoS protection measures in place, smaller financial institutions may be viewed as the low-hanging fruit by cyber criminals, putting them at greater risk of being attacked. Smaller (financial institutions) when attacked are also hit much harder due to the smaller staff on hand, and with little or no protection any defense at the time of the attack comes ‘too little, too late.’”
The worse news: Increasingly, DDoS can be bought as a service, on a for-hire basis, with fees often as low as $50 per day. Because it is made available as a service, essentially no technical skills are required to deploy it. Pay in advance, point the DDoS attack at a chosen target, and the service does the rest.
That easy availability of DDoS is why many experts insist that credit unions need to find a way to have mitigation tools available.
At what cost? Drake said that through Ongoing Operations fees range from $500 per month to $4,000, depending upon the exact package selected by a credit union.
But credit unions are not necessarily signing up for protections.
Said Drake, “We saw a big rush (of new customers) last year, then it cooled off. A lot of credit unions are still researching solutions and don't really understand A) the problem, and B) solution options.”
Bolstridge sighed, “Yes, the attacks have subsided. But the risks are out there. We are constantly finding criminals probing websites for weaknesses. We are seeing searches that are massive in scope. This is not over. And the criminals know that.”