By Robert McGarvey
Just about every credit union now has an online banking presence, and that also means just about every credit union is vulnerable to a DDoS (Distributed Denial of Service) attack. And lots of credit unions are falling victim. Small ones too.
The objective: to knock your online banking offline. Definitely to make it unusable by members.
But here’s a secret: just maybe the smart move is to ignore DDoS? More on that later.
For now, what you need to know about DDoS is that the attack formats continually morph. As defenses are put in place, DDoS perpetrators take a different route. A static defense—and certainly any bought a year or three ago—is probably unreliable today.
Defenses aren’t impossible—by now the money center banks are well defended—but they don’t come inexpensively.
A credit union has to know it is in the attack crosshairs. VeriSign researchers, in the company’s most recent DDoS report, said: “The financial sector continues to be a constant target for DDoS attacks. In Q1 2017, Verisign’s financial sector customers experienced the second highest number of DDoS attacks (28 percent) of any industry sector within Verisign’s customer base.”
Only IT has more DDoS attacks than financial services, said VeriSign.
A sliver of good news is that VeriSign said DDoS attacks were down in Q1. But the attacks that came in were more ferocious: “the average peak attack size increased 26 percent compared to the previous quarter,” said VeriSign.
VeriSign also noted that victims often become repeat victims. “Verisign observed that almost 50 percent of customers who experienced DDoS attacks in Q1 2017 were targeted multiple times during the quarter.”
DDoS mitigation firm Neustar said likewise in its recent report: “the number of times that organizations were hit multiple times has continued to increase as forecasted. In 2017, 849 of 1,010 (84%) of those organizations researched had experienced at least one DDoS attack in the previous 12 months, up from 73% in 2016. Worse, 86% of those attacked had to contend with more than one DDoS attack over the previous 12-month period, an increase from 82% reported in the previous year.”
At least some experts believe that credit unions—small ones in particular—may begin experiencing more attacks, precisely because many are essentially unprotected.
The purpose of a DDoS attack varies. Some are just malicious—maybe launched by a disgruntled former employee, perhaps a person who was turned down for a job or a loan.
Terrorist groups—some with nation-state ties—have inflicted a lot of DDoS on financial institutions as a political statement. Credit unions have been among the victims. As cyber warfare becomes a chief form of warfare, experts believe we will see more DDoS aimed at disrupting financial systems, which help to define nations. Disrupt the money, and the country is disrupted.
Also worrisome are the attacks launched by criminals who themselves want money—that is, they use DDoS to extort payments for turning it off.
Even worse, services proliferate that allow a criminal with no technical expertise to purchase DDoS as a service. Typically these sites bill themselves as “stress testers” so a business can test its own website’s DDoS defenses. But no attempt is made to verify that the purchaser has any relationship with the target site, and the services are happy to take payment in Bitcoin, so there’s significant anonymity involved.
Where do attackers get the computing power they use to launch DDoS attacks? The traditional source has been botnets of zombie computers—usually their owners are ignorant that their malware-infected computer has become a slave to criminals.
Researchers now say that they are seeing new kinds of botnets pieced together from devices in the Internet of Things—everything from smart coffee makers to lighting. Often these devices have significant computing power with very little onboard security, and criminals have gotten clever about harnessing this resource.
The ease and ubiquity of such attacks is why many experts insist that all credit unions with an online banking presence need to have in place DDoS mitigation protections.
Trade group NAFCU, for instance, has said it expects that credit unions will be under more regulatory pressures to have cybersecurity protections in place, including for DDoS.
Kirk Drake, CEO of Ongoing Operations, a firm that specializes in helping credit unions with IT issues, added that every credit union needs a plan for how it will deal with DDoS and other security incidents.
Even so, some institutions tell us they plan to tough it out, that their current strategy regarding DDoS defense is to hope for the best.
It’s hard to endorse that indifference.
But when budgets are strapped, it might not be as dumb as it seems. Researchers at Corero have reported—based upon a survey of DDoS attacks in the United Kingdom—that of the DDoS attacks it has examined, “95% lasted less than 30 minutes, and 71% of them lasted less than 5 minutes.”
When a lot of DDoS revolves around for-hire DDoS-as-a-service providers who demand cash on the barrelhead, maybe the pockets of attackers aren’t that deep.
How angry will members be if they can’t access their accounts for a half-hour, and how many members will be impacted?
Those are the key questions.
There’s no easy answer.
It’s up to each credit union to assess the risks, tune into what regulators are insisting upon, and, ultimately, listen to their members.