In the past holiday season, revenue of online retailers in the US soared to an unprecedented 55.2 billion dollars. This e-commence boom has tremendously benefited the online banking industry, as most transactions are completed via e-banks. However, criminals are increasingly intercepting transaction traffic in order to steal confidential information such as user account information or credit card numbers. In dire cases, customer bank accounts are directly compromised.
As a counter measure, most online retailers and banks adopt SSL solutions to encrypt traffic containing confidential information. The standard security technology for creating an encrypted connection between a web server and a browser, SSL ensures that all data connections remain private and secure. Implementation of SSL in a HTTPS website is usually indicated by the padlock icon or green address bar in web browsers.
SSL Susceptible to DDoS
SSL is extremely vulnerable to DDoS (distributed denial-of-service) attacks due to the inherent nature of its implementation: the way the system consumes resources is asymmetric. The encryption key exchange and handshake process of SSL consume more resources on the server-end, at least ten times the resources of a normal connection. An attacker could single handedly challenge high-performance servers through SSL handshake requests, commonly known as SSL renegotiation attacks.
Due to the widespread adoption of SSL, financial companies are the main victims of SSL attacks. Driven by greed, commercial competition or even hacktivism, attackers are causing astronomical financial and reputational losses to the banking industry.
- In 2012, a Hong Kong gold trading platform was taken down by malicious attackers, accursedly from China for blackmailing purpose, who exploited a flaw in the server’s SSL renegotiations.
- From 2012 to 2013, Izz ad-Din al-Qassam Cyber Fighters, a Muslim hacker group, launched several waves of DDoS attacks against US-based financial institutions in response to an anti-Islam video. Websites of several financial giants, including Bank of America, Wells Fargo and PNC, were knocked out.
- In 2013 banks and TV stations in South Korea were hit by debilitating DDoS attacks. Three financial institutions and two insurance firms were partially or completely crippled. North Korea was the culprit.
In recent years the adoption of Bitcoin as a virtual currency has led to huge increases to its market capitalization. The growth in its value has brought about waves of cyber crimes aimed at manipulating prices, camouflaging Bitcoin theft and blackmailing. Similar to the finance industry, virtual currency platforms also use SSL encryptions.
Though SSL has been an essential investment for countless businesses, recent attacks targeting SSL-protected sites have proved the security technique is not ironclad. The once impeccable SSL is a new favorite target for cybercriminals.
Mobile Banking Threatened By Fragile Web APIs
As we move towards a mobile-first world, banks are placing a great emphasis on mobile applications that enhance customer service and loyalty. These apps connect users with the bank’s online infrastructure and consume data via APIs. The next wave of DDoS attacks may very well target APIs in order to disable these mobile gateways.
Malicious attackers can makes excessive connections to APIs under the guise of legitimate users to block normal access. And unlike a web page that’s been taken offline, this kind of attack is rather hidden. Since the app can still be launched on mobile devices, users may simply blame their mobile network and assume they have lost coverage, instead of suspecting that the app has been compromised. Bank customers are increasingly using apps as their main channel for banking transactions, so API attacks may have drastic consequences in the future.
Security in the Year Ahead
Detecting and mitigating SSL and API-based DDoS attacks has long been a headache for security vendors, since there is no sudden traffic spike or obvious signatures. Attacker can easily forge small amounts of requests that trigger SSL handshakes or exploit web APIs to exhaust resources on the target server.
As cyber criminals continue to refine their attack methods and exploit security flaws, financial institutions must regularly audit their systems for weaknesses. It is also imperative they adopt solutions that are proactive in order to anticipate and successfully defend against next-generation attacks.
DDoS Problem Resolved Through Human Identification
- NexQloud’s answer to the DDoS problem lies within its proprietary human identification engine – Qlo. Qlo’s “identifying the human” philosophy is a simple 3-step process: deny non-humans, eject bad humans, and manage good humans.
- When SSL traffic is passing through, Qlo first identifies the source of SSL requests and allows only human requests to process. Qlo then further determines the intent of human requesters based on user reputation and behavior patterns; those flooding the server with excessive SSL requests will be flagged as troublemakers, and ejected from the system automatically.
- Qlo relieves servers of the heavy computational burden from negotiating handshakes of legitimate requests by offloading the decryption process to NexQloud, speeding up SSL handshakes by reusing existing SSL sessions.
- NexQloud’s virtual API throttling system intelligently implements policies to control access to APIs based on the traffic type and usage patterns; calls to APIs are also rate-limited to assure availability.
When a website protected by NexQloud is overloaded by too many visitors (i.e. holiday season or promotions), NexQloud starts a queuing mechanism automatically before a flash crowd forms and slows down the website.
NexQloud (http://www.nexqloud.com) is the world’s newest and most innovative cloud-based DDoS mitigation and uptime management platform. Powered by the world’s first Human Identification engine, NexQloud offers fully automated protection with no software or hardware changes required. Our unique human identification approach protects financial institutes against all types of DDoS attacks, including SSL and API-based attacks.