The Bank Cyberattacks: Is Your Money Safe?
The 'Ex-Presidents,' bank robbers from the 1991 movie 'Point Break.'
CREDIT: Twentieth Century-Fox/Warner Bros.
For the past two weeks, an unknown attacker or group of attackers has disrupted access to the websites of five major American banks: Bank of America, JPMorgan Chase, Wells Fargo, U.S. Bank and PNC Bank.
Many customers have had trouble reaching the sites to check their account balances or move money around, thanks to what appears to be a series of coordinated attacks.
It's not clear exactly who's behind the disruptions, despite the claims of a previously unknown Islamist group, or even what sort of methods they're using, but here's what we do know.
What's really happening?
Someone's flooding the Web servers of the banks' websites with tons of useless requests for information that can't be fulfilled, overwhelming the servers. Experts call this a distributed denial-of-service (DDoS) attack.
As a tactic, it's crude but temporarily effective; it doesn't crash the servers, get into databases or cause lasting damage, but it does make the sites hard to reach by clogging the pipes.
Graham Cluley, senior technology consultant at the British anti-virus company Sophos, once likened a DDoS attack to "15 fat men trying to get through a revolving door at the same time."
Hacktivist groups such as Anonymous often use DDoS as a form of protest, effectively blockading the sites of organizations without damaging them. Yet well-defended sites, such as the banks presumably have, would normally be able to blunt a DDoS attack.
Are there any risks to customer accounts or personal information?
There shouldn't be any, if these are indeed just DDoS attacks.
"There's absolutely no risk to customer information," said Dmitri Alperovitch, chief technology officer of the security firm CrowdStrike. "They're just not able to get to the site for a few hours."
"I think the only impact of the DDoS attacks on customers is that they may not be able to access their bank's website," Cluley said. "It shouldn't pose any risk to their accounts other than problems accessing them online."
Steve Santorelli, a researcher at Lake Mary, Fla.-based nonprofit security firm Team Cymru, isn't so sanguine about the bank attacks.
"There are three concepts to security: availability, confidentiality and integrity," Santorelli said. "Any event that compromises even just one of them can have complex repercussions and also, of course, takes monitoring and response resources away from any synchronized unauthorized logins to accounts."
Sure it's not just a series of server failures?
One bank's site going down could be just a technical issue, but five major banks having similar problems is beyond coincidence.
Futhermore, online postings by the group claiming responsibility have told the world ahead of time which bank's going to be hit on which day, and they've mostly been accurate.
CrowdStrike's Alperovitch said there's no question that these are deliberate assaults.
"We're tracking this one," he said. "It's definitely a denial-of-service attack."
Could cybercriminals out for financial gain be behind the attacks?
It might just be possible that the service disruptions are a smokescreen to cover for raids on customer accounts, though experts disagree on how likely that is.
In the same way that the bank robbers in the 1969 crime caper "The Italian Job" created a traffic jam (by hacking into a computer that controlled traffic lights) to paralyze the police response, the DDoS attacks could be meant to divert digital-security personnel's attention away from protecting information.
The FBI released an advisory in November 2011 warning of such scenarios, and even cited a form of banking Trojan that was designed for such attacks.
"Nowadays it's commonplace to have criminals combine banking Trojan attacks with DDoS attacks," said Mikko Hypponen, chief security officer of Helsinki, Finland anti-virus firm F-Secure. "When they score a big transfer from a company's or an individual's accounts, they launch a DDoS against the online bank.
"This accomplishes two things: 1) the victim can't log in to the bank and see that he's been robbed 2) the bank staff is busy fighting the DDoS and might miss the illegal transfers (although in most cases it would be different people in the bank's organization in charge of those things)."
Robert Graham, chief executive officer of Errata Security in Atlanta, admitted that was a possibility, "but then pretty much any speculation is possible."
"There is a question of the sort of DDoS attacks [taking place]," Graham said. "Are they simply website requests, taking down the websites? Or are they specific queries, trying to flood backend transaction servers in an attempt to hide some other activity? We need more information to figure that out."
Chet Wisniewski of Sophos' Vancouver, B.C., office, had doubts that regular cybercriminals were involved, doubts that Alperovitch echoed.
"Honestly, I am not sure it would make sense for this sort of crime," Wisniewski said. "If you were to use a DDoS as a diversion, it would be used for you to get a foothold for a targeted attack, not traditional banking fraud/Trojans."
"Banking Trojans work so well that they don't need a cover," Alperovitch said.
Why aren't the banks saying more?
Despite all of the publicity, none of the banks have said much beyond apologize for the inconvenience to customers.
"What's the advantage of admitting you were hit by a DDoS attack?" Graham said. "Banks are shy of litigation — they don't admit anything."
"There is still a stigma, a perception, that customers do not like their accounts being handled by a bank that is not 'safe,'" Santorelli said. "Banks, like every other industry that has embraced the internet, do not like bad publicity. ... It's not a data breach, so it is not covered by the 'new data breach notification' legislation in the U.S."
Wisniewski pointed out that the banks might be legally barred from releasing details.
"There is likely an ongoing investigation by the FBI prohibiting them from discussing any details publicly," Wisniewski said. "I don't think there is any shame in [admitting being under attack], but who knows — maybe they have something to hide."
Who's behind this?
Even with criminals ruled out, it's still tough at this stage to know who's really behind the disruptions.
A previously unknown Islamist group calling itself the "Qassam Cyberbrigades" or "Cyber Fighters of Izz al-din al-Qassam" has posted messages in English and Arabic on online forums claiming responsibility for the attacks, and accurately predicted which banks were going to be hit.
The "Cyberbrigades," whose name refers to the military wing of the Palestinian Islamist party Hamas, claim the attacks are retaliation for the offensive YouTube clip "Innocence of Muslims." They vow to continue the attacks until the video is entirely removed from YouTube.
But anonymous national-security experts told NBC News last week that it's unlikely that amateur hackers could have mounted such massive DDoS attacks against well-protected websites of American banks. Instead, they said, there's a more likely culprit: the government of Iran.
Sen. Joe Lieberman, I-Conn., repeated that theory last week, telling a C-SPAN interviewer that Iran was probably behind the attacks.
Alperovitch said either theory was possible, though he doubted it was a response to "Innocence of Muslims."
"We believe it's either a hacktivist group, or what Senator Lieberman has declared," he said. "It would take months of planning to organize this."
Cluley, on the other hand, thought it best to gather evidence first.
"Any joker can post messages on the Internet claiming to be responsible — but that's very different from finding a smoking gun," Cluley said. "We should all be careful about jumping to conclusions or pointing fingers in particular directions until convincing evidence is presented."
Wisniewski didn't think the scale of attacks necessarily pointed at a nation-state.
"I have not seen nor heard of any serious evidence that Iran is behind these attacks," he said. "Any criminal with a wish to cause mischief certainly could. DDoS may not trivial at this scale, but it is relatively cheap to rent very large numbers of bots."
The Jester, a well-known "patriotic hacker," put up a blog posting earlier this week detailing an Internet Relay Chat conversation he had with a botnet renter. The Jester pretended to be an Islamist friend of the Qassam Cyberbrigades, and was given a price of $200 for a 1,000-hour DDoS attack.
Independent security expert Dancho Danchev does think the attack may have come from Iran — but not from the Iranian government.
On his blog Friday, Danchev showed what he said was evidence that a young Iranian woman began a grassroots hacktivist campaign by posting a link from her Facebook page to a download. The download links have since spread to websites and forums frequented by Islamists.
The download contains a simple "htm" file, which displays page housed on the user's own computer in a Web browser. The page contains a message in Arabic and English, a list of targets and a simple button. Pushing the button launches an attack from the user's computer against the bank websites.
How are they doing it?
Danchev said the tool being used was a version of a free server-load-testing application called the Low Orbit Ion Cannon, which the hacktivist group Anonymous has used in the past.
But knocking a major bank's website offline would take many times the firepower that any hacktivist group would normally possess.
"The level of sophistication is moderate to low," Alperovitch said. "What's interesting is the volume."
Threatpost, the consumer-oriented blog of Russian security firm Kaspersky Lab, said some of the traffic hitting the banks' servers reached 100 gigabits per second, as opposed to the regular DDoS attack volume of 5 to 10 gigabits per second. It did not cite its source.
"Someone clearly had motivation to put this together," Alperovitch told SecurityNewsDaily. "It's unlikely that a kid would make that much effort. The only thing we know at this point is that it's organized and whoever's behind it has spent a lot of effort."
Graham wasn't so certain.
"Any joker even without the right tools can disrupt a heavily protected site," he said.
How can you protect yourself?
Again, if this is really just a DDoS attack, the banks' customers are not in much danger of losing money or personal information.
But there are still basic precautions that any online banking user should take, regardless of the present danger.
"If you don't need Java and Adobe software, uninstall it, although many banks require Java," he added. "Of course, use an up-to-date browser."
All those tips will protect your personal information and screen out malware, but there's still the chance a smart banking Trojan could get in.
"If you are really worried," Santorelli said, "use a dedicated clean machine to access your accounts and never use it for anything else. ... if customers prevent anyone stealing their banking credentials in the first place, they have little to fear other than the inconvenience of not being able to get to their online accounts."