Denial-of-Service Attacks: Harassment or Fraud?
Distributed denial-of-service (DDoS) attacks against banks grab headlines, but so far, most of the estimated $110 billion annual cost from cyber crime seems to come from other schemes. Still, fraud management professionals in financial services are sensibly wary of attackers sophisticated enough and well financed enough to chain together thousands of virtual servers and jam bank Websites with 100,000 times an average person’s internet data use every second.
Most experts agree that in a DDoS attack, a network of computers saturates a Website with traffic until its servers are overloaded, leaving the site unavailable to legitimate users. But a recent American Banker article noted that “one unknown is whether they also entail fraud.” During five weeks in September and October, the attacks targeted HSBC Holdings plc; BB&T Corp.; Capital One Financial Corp.; Bank of America Corp.; JPMorgan Chase & Co.; Wells Fargo & Co.; PNC Financial Services Group, Inc.; U.S. Bancorp; SunTrust Banks, Inc.; and Regions Financial Corp.
The hacktivist group Izz ad-Din al-Qassam has taken responsibility on the public online forum Pastebin. The group has said it will continue to target U.S. financial institutions until a YouTube video they believe to be anti-Islamic is removed from the World Wide Web, although recently evidence emerged to suggest that the attacks might be revenge for cyber efforts to disrupt Iranian nuclear fuel processing. In any case, the group wrote online: “There is no stealing or handling of money in our agenda. So if others have done such actions, we don’t assume any responsibility for it.”
“Banks don’t know whether there’s a connection between DDoS and fraud,” a senior manager at a southeastern Top 15 bank told me. “Nothing we’re finding demonstrates that these attacks are converting to fraud.” The Financial Services Roundtable Fast Facts List states: “The attacks are not designed to be – and have not resulted in – a data breach, hacking or unauthorized access to consumer information.” On the other hand, the hacker collective Anonymous, which claimed responsibility for the attack on HSBC, tweeted on October 19 that it had “managed to log 20,000 debit card details.”
Mike Smith, a DDoS specialist at web security provider Akamai, describes how that can happen. The attackers link thousands of virtual servers (rather than a network of less powerful PCs), gaining the ability to strike a target more frequently; the more they hammer a target, the more they may learn about its network. Smith believes one major bank was struck a second time because attackers found something of interest such as a high percentage of employees with access to desirable customer files and accounts. He says other big banks are likely to be hit again, too.
One theory has been that DDoS attacks are designed to “distract” financial institutions (FIs) while fraud takes place. Smith says a DDoS attack took place last year during which fraudulent transactions were scheduled in the background. But Smith says DDoS attacks typically are not seeking to strike directly with malware such as Zeus. In what he calls “denial-of-staff” attacks, the attackers attempt to wear down FIs’ fraud and DDoS mitigation teams and then attempt fraudulent transactions in channels where FIs are too overwhelmed to detect or prevent fraud.
Gartner analyst Avivah Litan says she has heard that when corporations can’t reach the bank to move money, they flood the call center with inquiries. During the emergency, hard-pressed call center representatives may be more vulnerable to social engineering scams involving authentication of wire transfers. Litan, who has blogged about denial-of-service attacks, estimates that the network of servers may have flooded a bank’s sites with 100 gigabytes of data per second, compared to an average online user’s one megabyte per internet node per second. A gigabyte is more than a thousand megabytes.
Does the ability to mount a sophisticated mass assault on a bank’s Website mean the perpetrators could successfully assail FIs’ ACH or debit systems or gain access to accounts of corporate customers? “We all know that these people know how to take over accounts and get into banking systems,” Litan told an American Banker reporter. “I’m sure if they wanted to, they could take money, too.”
Part of the uncertainty around the motives for DDoS stems from articles that use “cyber crime” indiscriminately to refer both to denial-of-service attacks and to hacking and malware exploits that lead directly to theft of money or theft of data that later is traced to theft of money. Gregory Nowack of the Information Security Forum points to reporting that discusses “hackers” and “hacktivists” and “cyber attacks” and concludes there’s a threat to consumer personal and financial data that could be used to commit fraud.
John Carlson, executive vice president of the Financial Services Roundtable’s BITS affiliate, says “The evidence thus far is that we have not seen increased levels of fraud as a result of these attacks. That said, institutions are on much higher alert to discuss the possibility of fraud.” That tracks with the view of Jay Jacobs, principal at Verizon Business and an expert on Verizon’s data breach study released on October 24. Asked to look for connections between the study’s statistics on data breaches and fraud, Jacobs told me that he found “very few breaches that have those two events together – some kind of attack on availability through denial-of-service and some type of hacking or malware type activity or fraudulent activity.”
Jacobs says he found a few cases where both existed, but analysts were unable to make a concrete link between the two. “That just means they’re unable to make the link,” Jacobs says. “It doesn’t mean that link doesn’t exist.
“From an almost speculative perspective, we can say there does appear to be some type of correlation there. On the other hand, because we have so few cases, some type of denial-of-service should serve as a trigger mechanism to enhance an organization’s response alert. If they see a denial-of-service, I would go on high alert for other types of activity. But it doesn’t work the other way. If they see some type of a breach in progress, I would not go on high alert for denial-of-service.”
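As an added example, not code from the article or from any of the firms quoted in it, the following Python rule encodes Jacobs’ one-directional trigger together with Smith’s “denial-of-staff” scenario: a DDoS alert routes wire requests and call-center authentication calls to step-up verification for an assumed six-hour hold-down window, while a breach indicator alone opens no window. The event types, the window length and the sample timeline are constructed for illustration.

```python
"""Correlation rule: a DDoS alert raises the review posture for wire and
call-center channels for a hold-down window; a breach indicator alone does
not change the DDoS posture. All event kinds, thresholds and sample data here
are constructed for this example, not taken from any institution's system."""
from dataclasses import dataclass
from datetime import datetime, timedelta

HIGH_ALERT_WINDOW = timedelta(hours=6)  # assumed hold-down after a DDoS alert
STEP_UP_CHANNELS = {"wire_request", "callcenter_auth"}  # channels the article names


@dataclass(frozen=True)
class Event:
    ts: datetime
    kind: str  # "ddos_alert", "wire_request", "callcenter_auth", "breach_indicator"
    detail: str = ""


def high_alert_windows(events):
    """Each DDoS alert opens a (start, end) window; no other event kind does."""
    return [(e.ts, e.ts + HIGH_ALERT_WINDOW) for e in events if e.kind == "ddos_alert"]


def review_queue(events):
    """Return, in time order, the wire and call-center events that fall inside a
    DDoS window, each paired with the alert time that triggered the step-up."""
    windows = high_alert_windows(events)
    queue = []
    for ev in sorted(events, key=lambda e: e.ts):
        for start, end in windows:
            if ev.kind in STEP_UP_CHANNELS and start <= ev.ts <= end:
                queue.append((ev, start))
                break
    return queue


# Constructed sample timeline (not real data).
T0 = datetime(2012, 10, 1, 9, 0)
SAMPLE_EVENTS = [
    Event(T0 - timedelta(minutes=30), "wire_request", "before the attack: normal handling"),
    Event(T0, "ddos_alert", "mitigation team engaged"),
    Event(T0 + timedelta(hours=1, minutes=15), "wire_request", "new beneficiary added"),
    Event(T0 + timedelta(hours=2), "callcenter_auth", "caller asks to confirm a wire"),
    Event(T0 + timedelta(hours=4), "breach_indicator", "does not open a DDoS window"),
    Event(T0 + timedelta(hours=11), "wire_request", "after the window has closed"),
]

if __name__ == "__main__":
    for ev, trigger in review_queue(SAMPLE_EVENTS):
        print(f"{ev.ts:%H:%M} {ev.kind:16} step-up (DDoS alert {trigger:%H:%M}): {ev.detail}")
```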
Mr. Swift is director, content development, at BAI. He can be reached at [email protected].