Some of the favorite targets of DDoS (Distributed Denial of Service) attackers are banks and financial institutions. Months-long attacks against banks like Bank of America, Wells Fargo, Fidelity Bank, U.S. Bancorp and JPMorgan Chase made headlines in 2014 and 2015, crashing their computer systems with sophisticated DDoS forays against web servers and DNS services that reportedly cost the victim institutions as much as $100,000 per hour.
An Islamic group claimed responsibility (although their claims were never substantiated) and at the time, the U.S. government said the continued strikes foreshadowed a “Cyber Pearl Harbor.” When public focus on those attacks died down, though, discussion of the vulnerability of major financial institution died down as well.
Sadly, the DDoS attacks did not. They were simply carried out at lower levels – until early 2016, when the world’s fifth largest bank, London-based HSBC Bank, was targeted.
The HSBC Attack
The attack came on January 29, which was a Friday – the busiest day of the week for banks, of course, but as the last Friday in January it was also the busiest day of the month, and also the day that freelancers in Britain file their annual tax returns. The DDoS was conducted against HSBC’s UK online banking system, putting both its websites and the HSBC app offline for millions of customers.
The bank says that it made relatively quick work of the brute force attack against its systems, that functions were restored later in the day, and that in-bank transactions weren’t affected. That couldn’t have made HSBC clients who needed computer or wireless access to their accounts feel a whole lot better, particularly since earlier in January the entire HSBC Internet banking system was down for two days due to technical issues not related to a DDoS attack. And just five months earlier, a different IT issue at HSBC caused nearly 300,000 business account payments to be lost.
No specifics on the HSBC DDoS issue have been released, so it’s not known how large the attack was or whether anyone claimed responsibility for the action. The bank, meanwhile, pointed out that the attack was blunted in hours, claiming that it was able to fight off the assault quickly.
A Growing Issue
The DDoSing of HSBC was one more reminder of how fragile any financial or banking institution’s online infrastructure can be in the face of a coordinated brute force attack. This attack was shorter and apparently much smaller than the widespread, continuing blasts against multiple big banks in 2014-15, so there’s no guarantee that HSBC’s DDoS mitigation and prevention systems could have withstood a larger assault. And larger attacks are the trend.
The U.S.-based systems security firm Arbor Networks recently reported that the average DDoS attack in 2015 was large enough to be able to take nearly any business offline, and that the largest 2015 attack was 500 Gbps, 60 times more powerful than the biggest DDoS reported eleven years ago. Currently, only Psychz Networks is able to protect against 500 Gbps DDoS attack. The typical DDoS problems that businesses face aren’t that focused and large, but are still able to disrupt operations and can cost small companies thousands of dollars per hour (substantially more for larger firms, of course) in lost business and IT costs.
Around half of all companies say they’ve been targeted by attacks, making DDoS prevention a continuing and growing concern for every business.