It was reported at the end of January that Dutch intelligence had been responsible for tipping off the FBI and NSA about Russian cyberattacks during the 2016 US presidential election and on the Democratic National Committee, prompting the now infamous Russian investigation. After this was reported, the Netherlands braced for impact, and oh, impact came.
The first DDoS attack smashed the major Dutch bank ABN Amro, keeping customers from being able to access their accounts or use the mobile app. Then banks Rabobank and ING were hit, followed by the Dutch tax authority and then the login system for governmental services. Waves of attacks continued for nearly a week, crippling major aspects of the Dutch financial sector. Speculation was easy, and fingers began to point east of the Netherlands to, of course, Russia. These were the kinds of powerful DDoS attacks Russia had certainly launched before, and the last few years have seen a huge number of state-sponsored attacks taking aim. However, when the dust settled and the investigation was over, a Dutch teenager was arrested.
This is the world banks and other financial institutions live in.
According to the Q3 2017 DDoS Global Threat Landscape Report from DDoS protection provider Incapsula, financial services was the fourth most targeted industry for distributed denial of service (DDoS) attacks in the third quarter of 2017. This is generally where financial services lands every quarter, typically ranking behind online gaming, online gambling, and internet services.
Banks make an attractive target for a huge cross-section of the kind of people and organizations who launch DDoS attacks. Nation states looking to cause chaos in another country’s economy, vengeful former employees who feel they’ve been wronged, competitors willing to stoop to illegal levels, criminals using DDoS attacks to distract from hacking or intrusion attempts and, yes, bored teenagers.
Bad for business
DDoS attacks are designed to keep a website or online service’s users from, well, using it. When many people think about cyberattacks on banks they think of theft or data breaches meant to syphon funds or steal payment card information, but DDoS attacks meant to disrupt can be just as costly.
Some of the consequences of the downtime caused by distributed denial of service attacks are immediate and obvious: if customers can’t access a financial institution’s website or app, they can’t access their accounts, which means they can’t pay bills, send or receive transfers, or complete other necessary transactions. This is understandably angering for customers, especially with many DDoS attacks timed to take advantage of high-traffic times like the end of the month when many people are trying to pay rent or check their balances following a pay period.
It’s now easier than ever to open an account at a financial institution, and this kind of frustration can be enough to push bank customers into moving their money elsewhere, especially when it’s coupled with the distrust that can be bred by a successful DDoS attack. When something as common as a DDoS attack is able to take down a bank’s sites and services, customers can’t be blamed for wondering just how secure those sites and services really are. With so many DDoS attacks used as smokescreens for data theft attempts, it’s an important line of questioning.
When the alleged perpetrator behind the rash of attacks on Dutch banks and other institutions was asked why he did it, the attacker known as Jelle S. indicated that he’d done it because he found it funny, especially when everyone started blaming the Russians. However, he also said he had done it to prove a point: that a teenager can cause banks to crash with a simple attack.
His point has hopefully been resoundingly taken by banks across the Netherlands and around the rest of the globe. Banks and financial institutions are simply too big of targets with too much at stake to have anything other than the best professional DDoS mitigation – a time to mitigation under 10 seconds, cloud-based for infinite scalability, and a scrubbing server with a 500+ Gbps capacity. Anything less and banks are basically inviting mayhem from attackers ranging from nation states to annoying teenagers.