US Banks Hit By Denial-Of-Service Attacks

Robert Lemos covers cyber security for TechWeekEurope and eWeek

Wells Fargo, Citibank and Bank of America have been hit by attacks that make it difficult for customers to access their accounts online, according to a US federal security alert

A number of major US banks have endured massive distributed denial-of-service attacks for much of December, with customers from Wells Fargo, Citibank and Bank of America reportedly complaining that they were unable to access the banks’ websites toward the end of the month.

Despite defenders adapting to new attack techniques, the denial-of-service attacks that started earlier in December have had some success in keeping customers from accessing their accounts online.

Services slowed

On 21 December, the US Treasury Department warned that a number of groups were using denial-of-service attacks to slow financial institutions’ responses to account fraud.

“Recently, various sophisticated groups launched distributed denial-of-service [DDoS] attacks directed at national banks and federal savings associations,” the Office of the Comptroller of the Currency, part of the US Treasury Department, said in the alert. “Each of the groups had different objectives for conducting these attacks, ranging from garnering public attention to diverting bank resources while simultaneous online attacks were under way and intended to enable fraud or steal proprietary information.”

On 25 December, a pro-Muslim hacker group using the name Izz ad-Din al-Qassam Cyber Fighters stated in a post on Pastebin that they would continue their attacks against a variety of banks last week, calling for the US government to take down a video that insulted the prophet Muhammad.

“By understanding the caused problems for ordinary customers, we frequently do apologise for the disruptions in their financial transactions,” the group stated. “We suggest that US government and the banks should seek a logical and easy solution instead of spending big to deal with these attacks.”

Customer complaints, a website for registering outage complaints, lists Bank of America, Citibank and Wells Fargo as having 470, 467 and 50 complaints, respectively, registered in the past week.

The service does not investigate the complaints itself, which could lead to fraudulent reports. However, eWEEK confirmed that Citibank had repeated issues with accessibility since the beginning of this week.

While the bank’s site was accessible, repeated errors would appear following customer log-in.

Citibank did not immediately return requests for comment.

Wells Fargo’s customers could not access their online accounts for much of last week, according to a 24 December Reuters report.

A spokesperson for the bank did not confirm the issues, but provided a statement via email.

“We have significant efforts in place to ensure our online and mobile channels remain available and operational so we can service our customers’ financial needs,” the spokesperson stated. “We constantly monitor the environment, assess potential threats and take action as warranted.”

Federal alert

Bank of America, PNC Bank and SunTrust reportedly had accessibility issues earlier this month, following the Izz ad-Din al-Qassam Cyber Fighters’ original pledge to attack the banks.

The US Treasury and security experts have warned that many denial-of-service attacks are a way to hinder banks’ response to online account theft, and that banks should not assume that such attacks are politically motivated.

“Fraudsters also use DDoS attacks to distract bank personnel and technical resources while they gain unauthorised remote access to a customer’s account and commit fraud through Automated Clearing House (ACH) and wire transfers,” the agency stated.

Originally published on eWeek.