Before superstorm Sandy left many without access to physical branches and ATMs, a bombardment of cyberattacks left many without virtual access — and unlike the storm, these cyberattacks are not going away.
ThreatMetrix Inc., a San Jose, Calif.-based cybercrime prevention vendor, is advising financial institutions that a cyberwar featuring “denial of service” attacks, which shut down access to websites by overwhelming them with more traffic than they were designed to handle, is coming from Iran and other countries through virtual private networks and is increasing in intensity.
Indeed, a group calling itself the Izz ad-Din al Qassam Cyber Fighters Group has already claimed responsibility for a string of attacks against U.S. banks in protest against an anti-Muslim film and has vowed that more will come.
The fear, of course, is that an increase in cyberattacks at more sophisticated levels puts individual and corporate payment and personal data in jeopardy. In addition, fraud experts say that when online banking sites are shut down, customers turn to call-in centers — which quickly become overwhelmed, making call-center staff easier prey for criminals.
“The issue is that it’s become an isometric war in which Iran and others are threats by essentially using people’s identities against themselves,” Faulkner says. “Whether it is individuals at a bank or in a government department, the hackers are getting into their computers and the institutions can’t update or keep enough security measures in place.”
The hackers infect the computers through advanced technology that can bypass many layers of security and then use the computers for their own means, Faulkner says.
“For some time it was a case in which the criminal would use the computer for extortion, saying, ‘pay us and we won’t take your bank offline,’” Faulkner adds. “But more recently it has been for political reasons.”
The biggest challenge for banks and corporations is determining “attribution,” or discovering where the hackers’ computers are located, Faulkner says. Too many banks are using dated technology that screens the Internet protocol reputation or geo-location of a device but cannot specify the true source of the attacks, he adds.
“Under that setup, sometimes what appear to be legitimate computers end up draining accounts or wiping out websites,” Faulkner notes.
For banks without proper defense measures, it is akin to “shadow boxing in the dark” in trying to fight back, he says.
ThreatMetrix increased its security for payment data at banks and retailers in January after purchasing Australia-based TrustDefender Inc. and offering a package of advanced fraud protection for its clients. Faulkner says TrustDefender can help fight the virtual private network operations that make it look like computers are in one country when they are really operating out of another.
Essentially, the enemy is operating behind our lines, Faulkner says. “The scale and concentration of attacks has increased and it’s a whole lot different if you have an entire country behind it,” he adds.
E-commerce companies are more advanced than banks in fighting cybercrooks because they have been dealing with them since the inception of online marketplaces, Faulkner says. However, many banks are behind the times, he warns.
Julie Conroy McNelley, a senior analyst and fraud expert with Boston-based Aite Group, agrees banks face a daunting new menace.
Many in the banking industry are saying the most recent methods being deployed in cybercrooks’ attacks have “upped the ante considerably,” calling for more advanced defense mechanisms to stop them, McNelley says.
“The criminals are using heavy-duty servers and sending virtually hundreds of thousands of inquiry messages into websites to overload and take down those sites,” McNelley says.
After a bank website chokes up, the customer inquiries are likely to go to call centers, McNelley adds.
The banking industry could then expect to see a wave of fraud at call centers that get overwhelmed with inquiries, she adds. “When there are that many calls coming in, it is easier to slip in a fraudulent request.”