Banking Blog

Banks stage hacking ‘war game’

By Claes Bell, CFA · Bankrate.com
Wednesday, August 7, 2013
Posted: 10 am ET

Maybe banks' latest round of war games didn't have Matthew Broderick, Ally Sheedy or a tic-tac-toe-playing computer, but it did represent a step toward protecting banks from hackers.

Last month, financial institutions and the IT firms that help run their websites conducted a wide-ranging series of "war games" designed to test their ability to resist attempts to steal customer information or disrupt their online banking tools.

Banks have made some progress on data breaches in recent years. According to a report from research firm KPMG released this year, incidents of data loss in 2012 were down 80 percent from five years earlier.

But they face continued attacks from Islamic "hacktivists" who plagued bank websites with delays and shutdowns last fall. After a brief lull, those distributed denial of service, or DDoS, attacks have begun again in earnest, costing banks lots of money and their checking account holders lots of time and frustration, says David Ostertag, global investigations manager for the risk team at Verizon Communications.

"That's the one thing that's on everybody's mind are those systemic DDoS attacks against financial institutions, with multiple institutions being attacked every day," Ostertag says.

In case you're wondering, a DDoS attack disrupts bank websites by using networks of computers, called botnets, that hackers have gained control of using malware. Hacktivists order those botnets to harass bank websites with garbage traffic until they are overwhelmed and shut down.

"By its nature, a DDoS attack isn't necessarily a data breach. It's simply a tool to deny access to the banks to legitimate customers," Ostertag says. "If you overwhelm the web servers, legitimate customers can't get access."

The war games, which were organized by the Securities Industry and Financial Markets Association, or SIFMA, were designed to promote information sharing and cooperation between banks and government authorities to resist such attacks, Ostertag says.

"If I can learn of a potential attack or potential problem 72 hours in advance, rather than 24 hours in advance or once I've been attacked, that has great value to the institution," he says. "We've always talked about how we need to share information. Well, finally we're doing something about it."

Close communication can come in handy during a DDoS attack because if banks can anticipate an attack and trace where the hackers' traffic is coming from and block it quickly enough, they can avoid being overwhelmed.

According to SIFMA, the exercise went well, with 500 professionals and 50 firms and organizations working from their offices to repel a number of simulated attacks.

But only time will tell whether banks can consistently withstand hacking attacks that are relentless and well-funded, perhaps by governments hostile to the U.S.

"There is a level of state-affiliated espionage involved here," Ostertag says. "I think that's pretty common knowledge from some of the statements made in Congress."

What do you think? Should banks be committing more resources to fighting hackers, or is the threat overblown? Do you worry about your bank getting hacked?

Follow me on Twitter: @ClaesBell.

Senior banking reporter Claes Bell is a co-author of "Future Millionaires' Guidebook," an e-book written by Bankrate editors and reporters. It's available at all the major e-book retailers.
