Where's the Security? Why Banks Owe Us Better Protection
In addition to being among the nation's largest financial institutions, what do Bank of America, JPMorgan Chase, Citigroup, U.S. Bank, Wells Fargo, and PNC all have in common? Each of them was hampered by cyberattacks in the same week, attributed to the same "shadowy organization."
Unlike an attack reported earlier this year, in which tens of millions of dollars were stolen from banks around the world, this past week's breach aimed simply to cause headaches for customers by taking down, or even just slowing, banking websites.
So how did the Izz ad-Din al-Qassam Cyber Fighters take down these massive banks? Bill Pennington at WhiteHat Security believes the breach could be the result of “simple” denial-of-service attacks. Pennington told InformationWeek:
"They're pretty easy," he stated. "You can rent computing resources from various botnets for almost pennies on the dollar ... it's really hard to build an infrastructure that won't be overwhelmed by a massive attack."
While banks struggled to get websites back online, Wells Fargo rushed to social media channels to reassure their customers that their money was safe, and that customers could still conduct business via their phones or in person at physical locations.
Even though denial-of-service attacks are easy to execute and tough to defend against, there are security models in place, like BSIMM4, that emphasize the importance of building security into software—not simply applying security after a software build is complete.
Gary McGraw, the author of BSIMM4, recently told the Wall Street Journal that this past week's banking breaches only give this argument more weight. If a single organization was able to bring down this many banks, especially when in some cases the hackers stated online the precise times the attacks would occur, more must be done to protect businesses and customers alike.
With claims of responsibility by hacking groups often disputed and ultimately proven false, some believe that Izz ad-Din al-Qassam may not be responsible for this wave of attacks. Senator Joseph Lieberman recently told C-SPAN that he and other US officials believe that Iran was directly responsible for the denial-of-service attacks as a response to economic sanctions placed against their country by the US.
Agreeing with McGraw, Lieberman goes on to explain that, even though this recent wave caused no actual monetary loss, these attacks should be a "wake-up call" to organizations regarding the need for better security to eliminate current vulnerabilities.