eLearningClasses.com
Editorial & Advertiser Disclosure Global Banking And Finance Review is an independent publisher which offers News, information, Analysis, Opinion, Press Releases, Reviews, Research reports covering various economies, industries, products, services and companies. The content available on globalbankingandfinance.com is sourced by a mixture of different methods which is not limited to content produced and supplied by various staff writers, journalists, freelancers, individuals, organizations, companies, PR agencies Sponsored Posts etc. The information available on this website is purely for educational and informational purposes only. We cannot guarantee the accuracy or applicability of any of the information provided at globalbankingandfinance.com with respect to your individual or personal circumstances. Please seek professional advice from a qualified professional before making any financial decisions. Globalbankingandfinance.com also links to various third party websites and we cannot guarantee the accuracy or applicability of the information provided by third party websites. Links from various articles on our site to third party websites are a mixture of non-sponsored links and sponsored links. Only a very small fraction of the links which point to external websites are affiliate links. Some of the links which you may click on our website may link to various products and services from our partners who may compensate us if you buy a service or product or fill a form or install an app. This will not incur additional cost to you. A very few articles on our website are sponsored posts or paid advertorials. These are marked as sponsored posts at the bottom of each post. For avoidance of any doubts and to make it easier for you to differentiate sponsored or non-sponsored articles or links, you may consider all articles on our site or all links to external websites as sponsored . Please note that some of the services or products which we talk about carry a high level of risk and may not be suitable for everyone. These may be complex services or products and we request the readers to consider this purely from an educational standpoint. The information provided on this website is general in nature. Global Banking & Finance Review expressly disclaims any liability without any limitation which may arise directly or indirectly from the use of such information.

CYBER THREATS TO EXPECT IN 2014: SSL AND MOBILE API-BASED DDOS ATTACKS

In the past holiday season, revenue of online retailers in the US soared to an unprecedented 55.2 billion dollars. This e-commence boom has tremendously benefited the online banking industry, as most transactions are completed via e-banks. However, criminals are increasingly intercepting transaction traffic in order to steal confidential information such as user account information or credit card numbers. In dire cases, customer bank accounts are directly compromised.

ssl and mobile api-based ddos attacks
ssl and mobile api-based ddos attacks

As a counter measure, most online retailers and banks adopt SSL solutions to encrypt traffic containing confidential information. The standard security technology for creating an encrypted connection between a web server and a browser, SSL ensures that all data connections remain private and secure. Implementation of SSL in a HTTPS website is usually indicated by the padlock icon or green address bar in web browsers.

SSL Susceptible to DDoS

SSL is extremely vulnerable to DDoS (distributed denial-of-service) attacks due to the inherent nature of its implementation: the way the system consumes resources is asymmetric.  The encryption key exchange and handshake process of SSL consume more resources on the server-end, at least ten times the resources of a normal connection. An attacker could single handedly challenge high-performance servers through SSL handshake requests, commonly known as SSL renegotiation attacks.

Due to the widespread adoption of SSL, financial companies are the main victims of SSL attacks. Driven by greed, commercial competition or even hacktivism, attackers are causing astronomical financial and reputational losses to the banking industry.

  • In 2012, a Hong Kong gold trading platform was taken down by malicious attackers, accursedly from China for blackmailing purpose, who exploited a flaw in the server’s SSL renegotiations.
  • From 2012 to 2013, Izz ad-Din al-Qassam Cyber Fighters, a Muslim hacker group, launched several waves of DDoS attacks against US-based financial institutions in response to an anti-Islam video. Websites of several financial giants, including Bank of America, Wells Fargo and PNC, were knocked out.
  • In 2013 banks and TV stations in South Korea were hit by debilitating DDoS attacks. Three financial institutions and two insurance firms were partially or completely crippled. North Korea was the culprit.

In recent years the adoption of Bitcoin as a virtual currency has led to huge increases to its market capitalization. The growth in its value has brought about waves of cyber crimes aimed at manipulating prices, camouflaging Bitcoin theft and blackmailing. Similar to the finance industry, virtual currency platforms also use SSL encryptions.

Though SSL has been an essential investment for countless businesses, recent attacks targeting SSL-protected sites have proved the security technique is not ironclad. The once impeccable SSL is a new favorite target for cybercriminals.

Mobile Banking Threatened By Fragile Web APIs

As we move towards a mobile-first world, banks are placing a great emphasis on mobile applications that enhance customer service and loyalty. These apps connect users with the bank’s online infrastructure and consume data via APIs. The next wave of DDoS attacks may very well target APIs in order to disable these mobile gateways.

Malicious attackers can makes excessive connections to APIs under the guise of legitimate users to block normal access. And unlike a web page that’s been taken offline, this kind of attack is rather hidden. Since the app can still be launched on mobile devices, users may simply blame their mobile network and assume they have lost coverage, instead of suspecting that the app has been compromised. Bank customers are increasingly using apps as their main channel for banking transactions, so API attacks may have drastic consequences in the future.

Security in the Year Ahead

Detecting and mitigating SSL and API-based DDoS attacks has long been a headache for security vendors, since there is no sudden traffic spike or obvious signatures. Attacker can easily forge small amounts of requests that trigger SSL handshakes or exploit web APIs to exhaust resources on the target server.

As cyber criminals continue to refine their attack methods and exploit security flaws, financial institutions must regularly audit their systems for weaknesses. It is also imperative they adopt solutions that are proactive in order to anticipate and successfully defend against next-generation attacks.

DDoS Problem Resolved Through Human Identification

  • NexQloud’s answer to the DDoS problem lies within its proprietary human identification engine – Qlo. Qlo’s “identifying the human” philosophy is a simple 3-step process: deny non-humans, eject bad humans, and manage good humans.
  • When SSL traffic is passing through, Qlo first identifies the source of SSL requests and allows only human requests to process. Qlo then further determines the intent of human requesters based on user reputation and behavior patterns; those flooding the server with excessive SSL requests will be flagged as troublemakers, and ejected from the system automatically.
  • Qlo relieves servers of the heavy computational burden from negotiating handshakes of legitimate requests by offloading the decryption process to NexQloud, speeding up SSL handshakes by reusing existing SSL sessions.
  • NexQloud’s virtual API throttling system intelligently implements policies to control access to APIs based on the traffic type and usage patterns; calls to APIs are also rate-limited to assure availability.

When a website protected by NexQloud is overloaded by too many visitors (i.e. holiday season or promotions), NexQloud starts a queuing mechanism automatically before a flash crowd forms and slows down the website.

About NexQloud

NexQloud (http://www.nexqloud.com) is the world’s newest and most innovative cloud-based DDoS mitigation and uptime management platform. Powered by the world’s first Human Identification engine, NexQloud offers fully automated protection with no software or hardware changes required. Our unique human identification approach protects financial institutes against all types of DDoS attacks, including SSL and API-based attacks.