DDoS Takes Aim at Vulnerable Credit Unions
For some credit union executives, a Distributed Denial of Service (DDoS) attack is their worst nightmare. The right attack thrown at an institution can knock out everything that runs over the Internet: phones, websites, home banking and more.
The paradox is that few credit unions are well protected against DDoS, according to multiple sources. Kirk Drake, founder and CEO of Ongoing Operations, a disaster recovery services CUSO in Hagerstown, Md., told CU Times that in his estimation, perhaps 5% to 10% of credit unions have credible mitigation tools and plans in place.
Fewer than that have the capability to deflect full-scale, high powered attacks such as the politically motivated attacks in early 2013 that took down the $4.1 billion Patelco Credit Union in Pleasanton, Calif., and the $1.7 billion University Federal Credit Union in Austin, Texas.
“Credit unions are kidding themselves about how disruptive a DDoS attack can be,” Drake said. “The right attack can put a credit union down for a week and in that period, they could do little or no work because there’d be no Internet.”
At the Financial Services Information Sharing and Analysis Center, which launched in 1999 as the global financial industry's go-to resource for cyber and physical threat intelligence analysis, EVP Eric Guerrino said that from his perspective, “financial institutions are better defended now than they were a few years ago.”
However, he warned, “There's a disparity between the larger FIs and the smaller community institutions. There are gaps in how the smaller ones are defended to handle DDoS. Some take this seriously, especially ones that have been victims. Do all take it seriously? Probably not.”
He issued this reminder: “Any FI can be a target of DDoS. Everybody needs to take this seriously.”
Indeed, ask credit unions why they have little or no defense and the common answer is likely to be they don't consider themselves to be targets. One CEO at a small credit union who spoke to CU Times on the condition of anonymity said, “Shut us down and no one will notice. The bigger banks are more the target.”
Rodney Joffe, vice president and senior technologist with the Sterling, Va.-based IT firm Neustar, disputed that, noting that his company has seen a rise in what might be called retaliatory DDoS unleashed by disgruntled employees and ex-employees as well as members. Cancel a member's credit card, or repossess his car, and he may lash out with a DDoS, Joffe said. Ditto for a fired employee.
No technical skills are needed, just some Bitcoin or a PayPal account, he added. That's because there has been a profusion of DDoS-for-hire sites where fees are as low as $8 for an hour of DDoS that strikes with enough force to knock offline all except well-protected institutions.
How many reported instances of DDoS attacks on credit unions have there been?
“We are seeing attacks on financial institutions on a weekly basis,” Rich Bolstridge, chief strategist, financial services, at the Cambridge, Mass.-based network traffic firm Akamai, said. Joffe said Neustar is also seeing more DDoS attacks occurring on a regular basis.
At FS-ISAC, Guerrino said, “we still hear about DDoS attacks.” The center has held well-attended forums where organizations that have suffered attacks shared their experiences with peers.
The NCUA, for its part, declined to share the number of DDoS incidents that have been reported to it, and any such count would likely be incomplete. In a February 2013 Risk Alert, the regulator wrote, “Credit unions significantly affected by DDoS or other cyber-terror attacks should notify their NCUA Regional Office or State Supervisory Authority.”
No definition of “significant” was provided.
The NCUA said it also requires notification in attacks where member data is compromised, but in classic DDoS, which seeks to disrupt access rather than seize data, that would rarely occur.
However, theft associated with DDoS does occur from time to time. There have been cases, notably reported by Gartner analyst Avivah Litan, where DDoS was used to distract the security staff at multiple financial institutions and ease the way for fraudulent wire transfers.
Joffe said he knows of cases where DDoS was used precisely to disrupt an institution's ability to communicate so a member would not get a text alert about a large transfer, for instance, because the denial of service attack wiped out those capabilities. While DDoS is typically used to knock an institution offline, there have been cases where it is used in association with felony theft.
One troubling fact about DDoS is that the nature of the attack often shifts. The goal is always to exhaust some resource of the target (network bandwidth, connection capacity or server processing) so that the site, in effect, shuts down for legitimate users. How that collapse is brought about can vary.
Bolstridge recalled a three-day attack on a financial institution, which he declined to name, where the hackers continually shifted their tactics. As the defenders got control of one attack, a new technique was deployed, he said. In some instances, the method was to overwhelm the target with a flood of data. In other cases, the attackers cleverly went after an application function, the password reset for instance, and the servers exhausted themselves as they were hit with a very high volume of reset requests.
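The two modes Bolstridge describes call for different telemetry. A flood of data shows up in bandwidth and raw request counts; an attack on an expensive function such as password reset can stay small in request count and still exhaust the back end, because each request costs a token generation, a database write and an e-mail. The script below is an added example, not code from the article or from Akamai or any institution it mentions. It replays constructed access-log lines (not real traffic), weights each endpoint with an assumed relative cost, flags the endpoint that carries most of the cost on a minority of the requests, and then applies a per-source and an overall token-bucket limit to the reset endpoint. The endpoint names, cost weights, limits and IP addresses are all assumptions chosen for illustration.

```python
import re
from collections import Counter
from datetime import datetime

# Common Log Format: ip ident user [time] "method path proto" status bytes
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+$')

# Assumed relative server cost of one request per endpoint (illustrative, not
# measured): a static page is cheap, a login hashes a password, a password
# reset generates a token, writes the database and sends an e-mail.
ENDPOINT_COST = {"/index.html": 1, "/login": 5, "/password-reset": 50}

# Constructed sample traffic (not real log data): ordinary visitors plus a
# burst of reset requests that is small in count but heavy in server cost.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2014:10:00:01 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.6 - - [10/Mar/2014:10:00:01 +0000] "GET /login HTTP/1.1" 200 2201
198.51.100.7 - - [10/Mar/2014:10:00:02 +0000] "POST /password-reset HTTP/1.1" 200 311
203.0.113.7 - - [10/Mar/2014:10:00:02 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [10/Mar/2014:10:00:03 +0000] "POST /password-reset HTTP/1.1" 200 311
203.0.113.8 - - [10/Mar/2014:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.7 - - [10/Mar/2014:10:00:04 +0000] "POST /password-reset HTTP/1.1" 200 311
203.0.113.9 - - [10/Mar/2014:10:00:04 +0000] "GET /login HTTP/1.1" 200 2201
198.51.100.8 - - [10/Mar/2014:10:00:05 +0000] "POST /password-reset HTTP/1.1" 200 311
203.0.113.10 - - [10/Mar/2014:10:00:05 +0000] "GET /index.html HTTP/1.1" 200 1043
198.51.100.9 - - [10/Mar/2014:10:00:06 +0000] "POST /password-reset HTTP/1.1" 200 311
203.0.113.11 - - [10/Mar/2014:10:00:06 +0000] "GET /index.html HTTP/1.1" 200 1043
203.0.113.12 - - [10/Mar/2014:10:00:07 +0000] "GET /index.html HTTP/1.1" 200 1043
"""


def parse_log(text):
    """Parse CLF lines into (epoch_seconds, ip, method, path); skip malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z").timestamp()
        records.append((ts, m.group(1), m.group(3), m.group(4)))
    return records


def load_by_endpoint(records):
    """Request count and cost-weighted load per path."""
    counts = Counter(path for _, _, _, path in records)
    load = Counter({p: n * ENDPOINT_COST.get(p, 1) for p, n in counts.items()})
    return counts, load


def detect_expensive_endpoint_abuse(records, cost_share=0.6, per_ip_limit=2):
    """Flag endpoints carrying most of the server cost on a minority of the
    requests (the pattern a request-rate or bandwidth threshold misses), with
    the sources that sent more than per_ip_limit requests to them."""
    counts, load = load_by_endpoint(records)
    total_req, total_load = len(records), sum(load.values())
    findings = []
    for path in load:
        req_share, cost = counts[path] / total_req, load[path] / total_load
        if cost >= cost_share and req_share < cost:
            by_ip = Counter(ip for _, ip, _, p in records if p == path)
            findings.append({
                "path": path,
                "request_share": round(req_share, 3),
                "cost_share": round(cost, 3),
                "heavy_sources": sorted(ip for ip, n in by_ip.items() if n > per_ip_limit),
            })
    return findings


class TokenBucket:
    """Token bucket per key: `capacity` tokens of burst, refilled at `rate` per second."""
    def __init__(self, rate, capacity):
        self.rate, self.capacity, self.state = rate, capacity, {}

    def allow(self, key, now):
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.rate)
        ok = tokens >= 1
        self.state[key] = (tokens - 1 if ok else tokens, now)
        return ok


def admit_password_resets(records, per_ip=None, overall=None):
    """Replay POST /password-reset through a per-source bucket (slows one abusive
    client) and an overall bucket (caps the endpoint's total rate so a burst spread
    over many addresses cannot exhaust the back end). Returns [(ip, admitted)]."""
    per_ip = per_ip or TokenBucket(rate=1 / 60, capacity=2)  # 2 burst, then 1/min per IP
    overall = overall or TokenBucket(rate=0.1, capacity=3)   # 3 burst, then 6/min in total
    decisions = []
    for ts, ip, method, path in records:
        if method == "POST" and path == "/password-reset":
            # Short-circuit: a per-IP rejection does not consume an overall token.
            decisions.append((ip, per_ip.allow(ip, ts) and overall.allow("all", ts)))
    return decisions


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print(detect_expensive_endpoint_abuse(recs))
    print(admit_password_resets(recs))
```

On the sample, the reset endpoint is under 40% of requests but about 94% of the weighted load, and the replay admits the first two resets from 198.51.100.7, refuses its third, admits the single request from 198.51.100.8 and refuses 198.51.100.9 because the overall bucket is drained. In practice the cost weights should come from measured handler latency, not guesses, and the overall bucket is the control that matters against a distributed burst: per-source limits alone are defeated by spreading the same requests over many addresses, so the endpoint's total admission rate has to be bounded below what the mail and database back ends can absorb.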