Since last fall, there has been a series of denial of service (DoS) and distributed denial of service (DDoS) attacks on U.S. financial institutions’ websites. Essentially, DoS and DDoS attacks are a way for hackers to overwhelm a server to the point that it cannot function. The main difference between the two is that in a DDoS attack the server is overloaded by many attackers, as opposed to just one attacker in a DoS attack.
“A comparable example to a denial of service attack would be getting 4 to 5 million emails per second in your email inbox,” according to James Barnett in an American Banker article. Barnett is the former chief of the Public Safety and Homeland Security Bureau for the Federal Communications Commission.
Different groups have different motives for conducting these attacks. Some groups want attention for a cause. These people are commonly known as “hacktivists.” Other groups are trying to divert attention in order to steal proprietary information. Still others are trying to undermine consumers’ trust in the U.S. financial system in an act of terrorism.
At this point, the attacks have been focused on large institutions; only a few banks with less than $5 billion in total assets have been the target of DDoS attacks. But the fear is that these groups will eventually target smaller institutions, which are less likely to be equipped to handle this type of attack or the potential damage to their reputations — after all, community bankers pride themselves on customer service.
In a bulletin the Illinois Department of Financial and Professional Regulation sent to the banks it regulates, the department stated, “The potential impact of DDoS attacks depends on the importance of online banking services for your bank’s customers. As the importance of online banking increases for your bank, the more attention it will need in the risk management process.”
The Office of the Comptroller of the Currency in December 2012 distributed an alert providing risk-mitigation information and sources of related risk-management guidance. It also reiterated the OCC’s expectations that banks have risk-management programs “to identify and appropriately consider new and evolving threats to online accounts and to adjust their customer authentication, layered security and other controls as appropriate in response to changing levels of risk.”
Kari English is senior editor of BankNews.
Copyright (c) June 2013 by BankNews Media