Marc Wilczek, COO of Link11, examines recent cyberattacks against banks and shows how banks can mitigate the impact of these attacks on their services and customers.
Banks’ customers expect services to be always available, easy to use and secure. But catering to this demand is one of the biggest challenges that the banking sector faces, while they also navigate complex digital transformation projects.
There is little room for error – and recent mis-steps have shaken public faith in banks’ resiliency in the face of IT issues.
Banks’ resiliency in the face of IT issues has a profound influence on consumer confidence. When a Tier 1 UK bank recently mishandled the migration of 1.3bn customers’ online banking records to a new service, the effect was devastating. Millions of customers were locked out of accounts, and many became victims of fraud as a result. Not only did the company incur an estimated £150 million in fines from regulators and compensation payouts, but MPs said the incident had “damaged trust in banking sector”.
Subsequently, when customers of a UK online bank were locked out of their banking services for four hours, panic and complaints followed. In June, when a major credit card network crashed due to a hardware failure, chaos ensued.
The £11 DDoS service
Meanwhile, financial institutions, particularly national banks, insurance firms and asset management firms, face the growing threat of sophisticated, targeted cyber-attacks. Indeed, seven of the UK’s biggest banks were forced to reduce operations or shut down entire systems following a cyber-attack in November 2017, costing them hundreds of thousands of pounds according to the UK National Crime Agency.
The attacks were committed using Webstresser.org, the world’s largest provider of DDoS-on-demand services. The site, shut down by police in April this year, offered attack services for as little as £11. Mounting an attack costs a criminal almost nothing and requires little to no technical expertise, but it costs a bank dearly to fix the damage such attacks cause.
Meanwhile, in early 2018, online services from several Dutch banks and numerous other financial and government services in the Netherlands were brought to a standstill. Customers were left without access to their bank accounts for days, and the scale of the attack, which reached 100Gb/s, showed how quickly DDoS attacks are growing.
DDoS attacks are dangerous for banks and financial service providers because of consumers’ heavy dependence on the availability of IT. 99% availability is no longer enough. Customers want services running 24/7, around the clock and around the globe, and they expect seamless interaction in real time, leaving no room for performance issues.
While it’s always been painful to be the victim of a DDoS attack, there’s now a severe risk to reputation – when sites are down or slow to respond, the public reaction is rapid, and customer reactions on social media can go viral.
At any moment, any organisation could be targeted by a large-scale DDoS attack. Between January and March 2018, Link11’s Security Operation Centre discovered 14,736 attacks launched. This is an average of 160 attacks per day – an increase of 10% on the previous quarter. The scale of attacks was as surprising as their frequency. The LSOC discovered 12 attacks with an attack volume of more than 100 Gbps, and the peak attack bandwidth amounted to 212 Gbps.
Against this backdrop, it’s essential that banks implement ‘always on’ solutions that protect their customers’ access to services. So what should banks focus on, and how can they cater to their customers’ increasing demands while facing down the ever-present threat of outages?
While protection against DDoS attacks has been available for some time, many existing solutions can no longer stand up to the current generation of attacks. As we’ve seen, attacks in excess of 100 Gbps are commonplace, and traditional DDoS protections cannot keep up. This was discovered recently when a secure email service was hit with a 500 Gbps attack – one of the largest DDoS attacks on record.
Although the service was down for just 10 minutes, the attack had to impact the company’s services before it could be mitigated – the equivalent of letting an attacker in the street hit you first, before you start fighting back.
Because IT landscapes are getting more complicated, putting hardware in place to protect some of the IT infrastructure onsite is no longer sufficient. Today, organisations tend to operate a complex structure that stretches far beyond their premises – in fact, there’s usually no digital work without the cloud. This means that only a cloud-based service can protect the entire IT infrastructure that an organisation relies upon.
The most effective type of DDoS mitigation is known as a ‘clean pipe’ service. This reroutes traffic via an external, cloud-based protection service that uses AI to filter out malicious traffic, including the largest-scale DDoS attacks. This ensures that the website only receives clean, legitimate IP traffic.
Meanwhile, DDoS attacks are identified and filtered in the cloud without affecting end users’ websites or online services – in other words, nullifying the attack before it can impact on services. By using this kind of system, banks can take care of growing their digital business while the service provider takes care of safeguarding their IT infrastructure.
A 360° View
It is increasingly clear that banks need to take further precautions to safeguard their clients and their data. Since IT landscapes are much more complex than they once were, there are numerous components that must be monitored.
It’s very important to take a full view of each element that makes up the IT estate. This starts from infrastructure and extends through the bank’s network and physical security, all the way up to databases, middleware and applications. By taking a 360° view, banks can take effective steps to protect their IT estate in the light of errors, misconfigurations, DDoS attempts and other cyber-attacks.
In conclusion, DDoS continues to grow in popularity as an attack tool, simply because it’s relatively easy and cheap to do, and it’s very effective. But by understanding how DDoS attacks are perpetrated, and putting the right processes and protections in place, banks will be well placed to mitigate their impact – and to keep their customers happy.
About the author
Marc Wilczek is Chief Operating Officer at Link11. In this role, he is responsible for business development, sales, marketing, growth initiatives, and strategic alliances. He was previously Vice President Portfolio, Innovation & Architecture at Deutsche Telekom, where he headed all product-related activities, including pre-sales and consulting.