We are often asked by consumers after a major DDoS attack how it may impact them. As inconvenient as it may appear to them at the time, we explain that it is incredibly important to understand that Distributed Denial of Service attacks (DDoS) are not direct attacks on the accounts at financial institutions but an attack on the public image and consumer good will towards that institution and at times, a political statement.
Online banking is incredibly safe for individual consumers, and brings with it a level of convenience and direct visibility that has long been absent from traditional banking channels. At one time, you may not have known about improper access or transactions on a financial account until the bill or statement came at the end of the month. Now, consumers have access to their accounts 24/7 and on multiple devices. DDoS attacks are not meant to steal from consumers, but to interrupt that instant access between consumer and bank. It’s important to note that bank accounts remain available via other channels, even during a crushing DDoS attack. Consumers can visit a bank branch, place a phone call to their bank, or use their normal payment cards during such an attack. Their accounts are safe, intact, untouched. Only one method of accessing them is interrupted; it just happens to be the most used one, and DDoS attackers know that.
These DDoS attacks are meant to harass, intimidate and embarrass a targeted institution, but rarely result in any lasting tangible impact on account holders – besides the impact to brand and reputation.
Online banking is incredibly safe, and with the deployment of modern and emerging security features it is becoming even safer. Banks want nothing more than to provide the most innovative solutions while still providing the safest avenues. Consumer privacy and security are of their utmost concern. But it is true that as we make access to financial institutions even more convenient for consumers, we also make attacking them that much easier for a malicious individual or group. While the latter is unwanted, it’s a cost of creating an open and accessible financial system that allows for the growth and prosperity we’ve witnessed over the last 20 years.
Sadly, there are few effective systems to fully protect institutions from the effects of a DDoS attack, an unfortunate byproduct of how the Internet itself was designed decades ago. The reality of the situation is that the tools available to commit such an attack are available to a marginally sophisticated attacker, for a few hundred dollars, and a few hours of their time.
There are a few additional issues to be worried about beyond the initial impact to the image of an institution during a DDoS attack. In recent years, we’ve seen DDoS attacks against banks used as a smoke screen to draw away the attention of information security teams from the real intent of the attacks, such as large value money transfers or the bulk theft and removal of consumer account data.
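The smokescreen pattern described above has a direct detection counterpart: while the network team is absorbed by the volumetric attack, the security operations team should be correlating the attack window against sensitive back-end activity. The following Python sketch is an added example, not code from the original post or from any product it describes; the log format, the thresholds (`HIGH_VALUE_USD`, `BULK_EXPORT_ROWS`) and the padding around the attack window are assumptions chosen for illustration, and the log lines are constructed sample data.

```python
"""
Added illustration (not from the original post): correlate a DDoS alert
window with high-value transfers and bulk account-data exports, so that a
volumetric attack cannot hide the activity it was meant to distract from.
The log format, thresholds and sample lines below are all constructed
assumptions for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed thresholds (not from the original post); tune to the institution.
HIGH_VALUE_USD = 100_000            # single transfer that warrants a second look
BULK_EXPORT_ROWS = 10_000           # export size treated as "bulk"
WINDOW_PAD = timedelta(minutes=30)  # also inspect shortly before/after the attack


@dataclass
class Event:
    ts: datetime
    kind: str            # "ddos", "transfer" or "export"
    actor: str           # "start"/"end" for ddos, otherwise the acting account
    amount: float = 0.0  # USD, transfers only
    rows: int = 0        # row count, exports only


def parse_line(line: str) -> Event:
    """Parse one constructed log line: '<ISO timestamp> <kind> <actor> key=value ...'."""
    ts, kind, actor, *kv = line.split()
    fields = dict(item.split("=", 1) for item in kv)
    return Event(
        ts=datetime.fromisoformat(ts),
        kind=kind,
        actor=actor,
        amount=float(fields.get("amount", 0)),
        rows=int(fields.get("rows", 0)),
    )


def ddos_windows(events):
    """Return padded (start, end) ranges for every ddos start/end pair in the log."""
    windows, start = [], None
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind == "ddos" and e.actor == "start":
            start = e.ts
        elif e.kind == "ddos" and e.actor == "end" and start is not None:
            windows.append((start - WINDOW_PAD, e.ts + WINDOW_PAD))
            start = None
    if start is not None:  # attack still in progress at the end of the log
        windows.append((start - WINDOW_PAD, datetime.max))
    return windows


def suspicious_during_ddos(lines):
    """Flag high-value transfers and bulk exports that fall inside any DDoS window."""
    events = [parse_line(line) for line in lines]
    windows = ddos_windows(events)
    flagged = []
    for e in events:
        if not any(s <= e.ts <= t for s, t in windows):
            continue
        if e.kind == "transfer" and e.amount >= HIGH_VALUE_USD:
            flagged.append((e.ts.isoformat(), "high-value transfer", e.actor, e.amount))
        elif e.kind == "export" and e.rows >= BULK_EXPORT_ROWS:
            flagged.append((e.ts.isoformat(), "bulk account export", e.actor, e.rows))
    return flagged


# Constructed sample log: one attack window with a large wire and a bulk export
# inside it, plus routine activity outside it that should not be flagged.
SAMPLE_LOG = [
    "2024-03-01T09:00:00 transfer teller-12 amount=2500",
    "2024-03-01T10:05:00 ddos start",
    "2024-03-01T10:20:00 transfer wire-ops amount=250000",
    "2024-03-01T10:31:00 export report-svc rows=25000",
    "2024-03-01T10:40:00 export report-svc rows=50",
    "2024-03-01T11:15:00 ddos end",
    "2024-03-01T14:00:00 transfer wire-ops amount=300000",
]

if __name__ == "__main__":
    for hit in suspicious_during_ddos(SAMPLE_LOG):
        print(*hit)
```

Run against the sample log, the check flags the 250,000 USD wire and the 25,000-row export that occurred during the attack, and ignores the large transfer made hours after it ended, which would be reviewed by the normal controls rather than by this correlation. In a real deployment the DDoS window would come from the network or upstream mitigation provider's alerting rather than from the same log as the transactions.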
While we can’t completely stop DDoS attacks (yet), it is important that we shore up safety strategies and security solutions in the places where we can help. The best way to protect accounts and account holders is to move away from traditional methods of authentication, ones that rely on username/password combinations bolstered by knowledge-based questions, both of which are trivial to acquire. Why privilege that information when it no longer has value? There are better ways to secure and protect customer access and information: non-identifying behavioral biometrics. The technology is here, now, and the results are indisputable.