It’s been a dramatic few weeks in bank security as a series of cyberattacks on the web presences of major U.S. banks has received prominent and lasting media attention. One industry analyst went so far as to describe the ongoing Distributed Denial of Service (DDoS) attacks as “the financial Armageddon we’re all waiting for.”
Bank Innovation spoke to Mike Smith, security evangelist at Cambridge, Mass.-based Akamai, to get his take: Armageddon or fuhgeddaboudit?
“It was a fairly significant campaign,” Smith said, but basically, the answer is no, this was not the Armageddon we are waiting for. DDoS attacks, it should be noted, are among the simplest of all cyberattacks. DDos is simply a way of blocking traffic to a site, rather than penetrating the site in any way or compromising security.
The operators of the recent spate of attacks that affected many of the nation’s largest banks — Bank of America, Citibank, JP Morgan Chase, PNC Bank, and U. S. Bank — have been referred to the by the media as “hacktivists,” political activists operating online.
But hacktivists, according to Smith, conform to certain patterns in their traffic and behavior. Computers operating in hacktivist campaigns tend to exhibit heterogeneous profiles, meaning a wide variety of devices, and security experts typically see recruiting efforts in chat rooms, message boards, and social media as the campaign builds up.
The recent attacks on U.S. banks did not show either of these characteristics. Instead, attackers showed a homogeneous profile, using just a handful of tools and platforms.
Akamai, based in Cambridge, Mass., is not in the business of attribution, or identifying the ultimate source of attacks, but the company is in a position to put forward some general observations about the attacks.
- The attacks showed good command and control
- The attackers have a strong deployed footprint in many devices
- The attackers understand the power of DDoS, which lies in the number of attacking nodes and the bandwidth of each node
In a nutshell, the attackers made efficient and well-coordinated use of their resources. This attack may not have been financial Armageddon, but it was a big attack. As to the attackers’ identity, guesses are rampant, with Iran a popular choice.
Akamai sees an average of two “significant attacks” a week that carry traffic amounting to 10 gigabits a second. This past week, the attacks on banks reached as much as 65 gigabits per second, which is the amount of bandwidth provided by a small Internet Service Provider.
In a DDoS attack, the volume of attacks exceeds the bandwidth available in the recipient of the attack. This means that “good traffic,” such as request from a bank customer, is blocked from accessing the site. Best practice is for websites to operate with a small data footprint and excess bandwidth to accommodate unexpected traffic. In a DDoS attack, websites require infrastructure that expands to accommodate the excess traffic in order to divert and contain that traffic and continue operating for legitimate visitors.
The two key metrics Akamai uses in measuring the severity of attacks are: 1) Do users notice performance degradation, and 2) Is the attack impacting server availability in the data center?
While both those boxes were ticked for these recent attacks, it’s more a customer service issue and brand damage than a genuine threat to banks’ operations. Smith said, “Generally speaking, banks can still operate without a functioning website.”
Customers using web browsers to access bank sites were blocked at times these last few weeks, while mobile users did not report similar service outages. Banking via mobile apps is often described as more secure than web browsers for connecting with one’s bank. We asked Smith, Is this true?
He answer again is no.
Smith said that mobile devices are only safer because they have not been targeted as much as browsers. “When more people are using mobile devices for banking, you’ll see more attacks on mobile devices. It’s a numbers game.” There are two basic types of banks apps out there, the “glorified browsers” take users to a mobile website, and the narrow streams of data that don’t waste bandwidth serving up whole pages but rather pull small bits of data on demand.
The narrow stream apps, Smith says, are not exactly safer than the browser-based solutions, but attacks against them “would require a different attack footprint.”
The latest attacks were sobering to many bankers and bank customers, but Smith offered a shrug. “Nothing is completely secure. It’s a question of cost/benefit analysis, risk analysis.” Read Mike Smith’s new blogpost about the recent attacks.