For some credit union executives, Distributed Denial of Service is their worst nightmare. When the right attack is thrown at an institution, it can knock out everything that is on the Internet, on phones, websites, home banking and more.

The paradox is that few credit unions are well protected against DDoS, according to multiple sources. Kirk Drake, founder and CEO of Ongoing Operations, a disaster recovery services CUSO in Hagerstown, Md., told CU Times that in his estimation, perhaps five to 10% of credit unions have credible mitigation tools and plans in place.

Fewer than that have the capability to deflect full-scale, high-powered attacks such as the politically motivated attacks in early 2013 that took down the $4.1 billion Patelco Credit Union in Pleasanton, Calif., and the $1.7 billion University Federal Credit Union in Austin, Texas.

“Credit unions are kidding themselves about how disruptive a DDoS attack can be,” Drake said. “The right attack can put a credit union down for a week and in that period, they could do little or no work because there'd be no Internet.”

At the Financial Services Information Sharing and Analysis Center, which launched in 1999 as the global financial industry's go-to resource for cyber and physical threat intelligence analysis, EVP Eric Guerrino said that from his perspective, “financial institutions are better defended now than they were a few years ago.”

However, he warned, “There's a disparity between the larger FIs and the smaller community institutions. There are gaps in how the smaller ones are defended to handle DDoS. Some take this seriously, especially ones that have been victims. Do all take it seriously? Probably not.”

He issued this reminder: “Any FI can be a target of DDoS. Everybody needs to take this seriously.”

Indeed, ask credit unions why they have little or no defense and the common answer is likely to be they don't consider themselves to be targets. One CEO at a small credit union who spoke to CU Times on the condition of anonymity said, “Shut us down and no one will notice. The bigger banks are more the target.”

Rodney Joffe, vice president and senior technologist with the Sterling, Va.-based IT firm Neustar, disputed that, noting that his company has seen a rise in what might be called retaliatory DDoS unleashed by disgruntled employees and ex-employees as well as members. Cancel a member's credit card, or repossess his car, and he may lash out with a DDoS, Joffe said. Ditto for a fired employee.

No technical skills are needed, just some Bitcoin or a PayPal account, he added. That's because there's been a profusion of DDoS-for-hire sites where fees are as low as $8 for an hour of DDoS that strikes with enough force to knock offline all except well-protected institutions.

How many reported instances of DDoS attacks on credit unions have there been?

“We are seeing attacks on financial institutions on a weekly basis,” Rich Bolstridge, chief strategist, financial services, at the Cambridge, Mass.-based network traffic firm Akamai, said. Joffe said Neustar is also seeing more DDoS attacks occurring on a regular basis.

At FS-ISAC, Guerrino said, “we still hear about DDoS attacks.” The center has held well-attended forums where organizations that have suffered attacks shared their experiences with peers.

The NCUA, for its part, declined to share the number of DDoS incidents that have been reported to it, and the number would likely not be complete. In a February 2013 Risk Alert, the regulator wrote, “Credit unions significantly affected by DDoS or other cyber-terror attacks should notify their NCUA Regional Office or State Supervisory Authority.”

No definition of “significant” was provided.


The NCUA said it also requires notification in attacks where member data is compromised, but in classic DDoS, which seeks to disrupt access rather than seize data, that would rarely occur.

However, theft associated with DDoS does occur from time to time. There have been cases, notably reported by Gartner analyst Avivah Litan, where DDoS was used to distract the security staff at multiple financial institutions and ease the way for fraudulent wire transfers.

Joffe said he knows of cases where DDoS was used precisely to disrupt an institution's ability to communicate so a member would not get a text alert about a large transfer, for instance, because the denial of service attack wiped out those capabilities. While DDoS is typically used to knock an institution offline, there have been cases where it is used in association with felony theft.

One troubling fact about DDoS is that the nature of the attack often shifts. The goal is to exhaust a target's servers so that the site, in effect, shuts down. How that collapse occurs can vary.

Bolstridge recalled a three-day attack on a financial institution, which he declined to name, where the hackers continually shifted their tactics. As the defenders got control of one attack, a new technique was deployed, he said. In some instances, the method was to overwhelm a target with a flood of data. In other cases, the attackers cleverly initiated a request, through a password reset for instance, and the servers exhausted themselves as they were hit with a very high volume of reset requests.
