A U.S. banking regulator told financial institutions to report cyber attacks to law enforcement and alert customers to their impact as new assaults targeted PNC Financial Services Group Inc. (PNC:US) and other banks.
So-called denial-of-service attacks on websites may be used to distract bank personnel while intruders gain access to customers’ accounts, the U.S. Office of the Comptroller of the Currency warned in an alert distributed to bankers today. The attackers may also block customers from reporting frauds or prevent banks from telling them about it, the agency said. It didn’t identify the banks targeted.
Attacks starting last week have hit PNC, Bank of America Corp. (BAC:US), JPMorgan Chase & Co. (JPM:US), U.S. Bancorp, Wells Fargo & Co. (WFC:US) and SunTrust Banks Inc. (STI:US), according to two executives at companies providing security to some of the targeted banks. They asked not to be named because they weren’t authorized to discuss clients and didn’t want their companies to become targets of computer assaults.
A group calling itself Izz ad-Din al-Qassam Cyber Fighters announced plans to attack banks in a Dec. 10 statement posted on the website pastebin.com. The same group claimed responsibility for a series of attacks against financial institutions in September and October, saying they were in response to a video uploaded to Google Inc. (GOOG:US)’s YouTube ridiculing the Prophet Muhammad and offending some Muslims.
Today’s alert from the comptroller’s office warned about a wave of so-called distributed denial-of-service attacks. Such actions harness networks of infected computers to pump large volumes of Internet traffic at websites, often causing slowdowns or disruptions.
“These types of alerts are not issued frivolously,” Wayne Rushton, a former deputy comptroller and national bank examiner at the OCC, said in an interview. “You can take it for granted that the cautions they mention in the alert will be part of the regular examination process going forward.”
“If this is something the OCC is concerned may increase in the coming months, and they want banks to be well prepared, they will probably not only issue an alert but follow it up with specific examination and enforcement activities,” said Rushton, now a managing director at Promontory Financial Group, a Washington-based consulting firm.
The OCC alert is a “wake-up call” for the industry, particularly for technology providers serving community banks, Bert Ely, an Alexandria, Virginia-based bank consultant, said in an interview.
“They as much as anyone else have to have the protections in place because the banks have outsourced key aspects of their online-banking services to these outfits,” Ely said. “They are very important behind-the-scenes players.”
While the website disruptions from denial-of-service attacks are an “irritant,” the real concern should be the potential for fraud and theft of funds, Ely said.
“I suspect you are seeing a lot of re-reviewing of fraud controls and controls over interbank transfers,” he said. “The fraud in many ways is what can really hit the banks’ bottom line.”
The current attacks use similar methods as in the earlier assault, including using commercial servers to generate traffic and targeting firewalls or intrusion-detection systems, said Carl Herberger, a vice president at Radware Ltd. (RDWR:US), a Tel Aviv- based network security provider working with some of the banks.
Because the attackers can shift tactics and targets, banks should share information with each other and give “timely and accurate” advisories to customers on website problems and precautions they can take, the comptroller’s office said.
PNC, based in Pittsburgh, said in a statement posted on its website that it’s aware of a “potential” cyber threat that could make it difficult for customers to log into their accounts.
“Please be assured that PNC’s website is protected by sophisticated encryption strategies that shield customer information and accounts,” the statement reads. “We have no information regarding timing, duration or intensity of this potential threat.”
Wells Fargo, based in San Francisco, said in a statement Dec. 19 that its website was experiencing an “unusually high volume of traffic” and said the vast majority of its customers weren’t affected. The bank encouraged customers that experience problems to access accounts through its stores and automated teller machines, or by phone.
“There’s a real risk when you get an attack like this that they’re just trying to distract you from something else,” Jeff Thomas, national head of information protection and business resilience at KPMG in Canada, said in an interview.
The OCC is drawing attention to “an example of a very focused attack that is being repeated across a range of organizations,” he said.
To contact the reporters on this story: Eric Engleman in Washington at email@example.com; Dakin Campbell in San Francisco at firstname.lastname@example.org
To contact the editor responsible for this story: Bernard Kohn at email@example.com