DDoS, Spear Phishing, And Malware, Oh My!

In the midst of an intensified string of cyber attacks against financial institutions, the best defense is to think like a hacker.

 
By Yun Ma

 

Since September, a widespread series of hacker attacks has been leveled against American financial institutions. Bank of America, JP Morgan Chase, and Wells Fargo were among the big banks whose websites were disrupted by DDoS (distributed denial of service) attacks, which render websites useless and leave frustrated customers unable to log in. Because activist groups looking to make political statements often initiate DDoS attacks, a common misconception is that credit unions — typically regarded as defenders of the cooperative ethos — are safe from ideology-driven strikes.

But that logic doesn’t explain why in January 2013, University Federal Credit Union ($1.6B, Austin, TX) also had its website taken down for two and a half hours. The outage reportedly resulted from a DDoS attack engineered by the same Iranian extremist group that previously had struck out at big bank sites. Shortly after, the website for Patelco Credit Union ($3.9B, Pleasanton, CA) succumbed to a similar attack, rendering it useless for five hours.

“Throughout the past 18 months, we’ve seen the size, sophistication, and frequency of DDoS attacks climb exponentially,” says Michael Donner, senior vice president of Prolexic, a security firm specializing in DDoS attacks. His company protects several credit unions and other financial institutions, including 15 of the world’s largest banks. Donner estimates that nearly 300 DDoS attacks occur every hour — the equivalent of about 7,200 per day.

The majority of these attacks go unreported and unnoticed. Aside from creating a nuisance, DDoS attacks also may be used as a cover to distract from other crimes.

“There’s a separate class of DDoS attacks that criminals use, usually right after they steal a large amount of money,” says Brett Stone-Gross, senior security researcher at Dell SecureWorks, an information security firm whose client list includes 600 credit unions. “This serves two purposes: It diverts attention of security and staff from the fraudulent transfer and, at the same time, prevents the victim from logging in to his account to see and report those stolen funds.”

But financial institutions aren’t the only organizations affected by DDoS attacks. In December, a “hacktivist” group calling itself Team Ghost Shell finagled its way into the servers of NASA, the Federal Reserve, Interpol, and 27 other organizations. The hackers then reposted stolen data on several websites.

The Credit Union National Association’s website was also a victim of the December attack, and although CUNA states that no sensitive information was accessed, the organization did advise all CUNA.org users to change their passwords as a precaution.

Whether an attack comes in the form of DDoS, spear phishing, or malware, one thing is clear: The threat financial institutions face from online criminal activity is real, and the cyber security landscape is changing as a result.

Think Like A Hacker

From cyber security consultants to IT technicians, the experts agree: Don’t wait for others to hit you first. When planning a defense strategy, credit unions should start by thinking like a hacker. Adopting the predatory perspective of a cyber criminal makes potential security vulnerabilities easier to spot. Once weaknesses are identified, the technology staff should test how a computer network might be infiltrated and then proactively fortify those areas before the institution is targeted for real.

At Lake Trust Credit Union ($1.6B, Lansing, MI), information security analyst Richard Reinders functions as a one-man security department. Like many credit unions, Lake Trust routinely faces general attacks, but hackers haven’t targeted it specifically — at least, not yet.

“We don’t have a lot of high-intensity attacks where people are expending considerable energy just on us. But we know it’s going to happen more and more,” Reinders says.

That’s why he began formulating a creative approach for pre-emptive testing at the credit union, a strategy that has since garnered media headlines. For example, to assess employee susceptibility to spear phishing — which is a targeted phishing email complete with personalized information relevant to the individual or the institution — Reinders set up a fake Lake Trust-affiliated website that peddled a new product. He sent emails to employees directing them to the fraudulent site, which asked them to type in their username and password.

The experiment yielded both positive and negative results.

“We found that the response time was actually a lot shorter than expected. One of the employees called us within 15 minutes,” he says. “But someone else put in their account info very quickly, within two minutes. There’s nothing that can respond or update itself quickly enough to deal with that.”

For employees, the test served as a lasting reminder of the identifying traits of an online attack. 

Reinders typically runs similar tests two or three times a year to expose a range of potential vulnerabilities. Surprisingly, setting up the tests requires less time and effort than a credit union might think.

“Once you get in the habit, it’s actually very little effort,” Reinders says. “You get a pretty big bang for your buck, even if it’s just a matter of decreasing computer infections. That alone saves you the cost of taking a computer out of rotation, cleaning it up, and setting it up again.”

Test Your Defenses From Outside

Another option growing in popularity is to hire outside parties to test the credit union’s security system. This tactic can be especially effective when the outside party is different from the security vendor the credit union normally uses.

Colleen Jakes is the Internet security director at Topline Federal Credit Union ($329M, Maple Grove, MN), which uses Dell SecureWorks to defend the institution against cyber attacks.

“Every year, we hire a different third-party security company unaffiliated with SecureWorks, just to test our security,” she says. “I recommend every financial institution do this annually.”

Educate Employees

Although testing is an important component of a defense plan, another step is to instigate a policy of clear, open communication with employees across the institution. For example, Reinders combines his tests with an annual employee meeting where he discusses the latest traps to watch out for and reminds employees to speak up if they see something strange.

“The bigger message I’ve been trying to get across is for employees to be forthcoming,” Reinders says. “Even if employees make a mistake, like accidentally clicking on something they shouldn’t have, they should know they’re not going to get in trouble for that.”

From big banks to small credit unions, financial institutions are often the first targets for the latest strains of malware, DDoS, and spear phishing attacks, so investments in online security need to match those threats.

“Things are different than they used to be, so you need security specialists 24/7,” Jakes says. “Back in 2001, there weren’t the types of cyber attackers there are today.”

Whether these attacks originate from Eastern Europe, the Middle East, or from the residential neighborhood next door, credit unions need to adapt quickly.

“The sophistication level of attackers is going to get higher and higher,” Reinders says. “Credit unions need to be able to rise with the tide and stay on top of those threats.”