There has been much talk at the banks and in the press around DDoS attacks allegedly sponsored by Iran and praised by Hamas, and an upcoming “Project Blitzkrieg” threatening costly online theft at 30 U.S. banks.
While many in the industry ‘pooh-pooh’ these threats, I have heard now from a few senior credible sources that the DDoS attacks against major U.S. banks in recent months were definitely linked to online fraud.
Apparently, if you put all the information together, there are three classes of DDoS attackers and attacks:
a) Political hacktivists conducting DDoS attacks with no ability to commit fraud (e.g. wire money out of a customer’s account to a mule account and then to their own) and no fraud committed.
b) Political hacktivists conducting DDoS attacks with no ability to commit fraud, but fraud is committed by a different gang taking advantage of distracted bank security staff.
c) One financially motivated gang conducting the DDoS attacks and committing fraud at the same time.
It’s important to note that the megabanks being attacked have many online properties, so a DDoS attack against one specific domain can still leave other domains up and running with the security staff who manage all of the domains very much distracted. The result: online fraud can and has occurred during the DDoS attacks.
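One defensive check that follows from this is to correlate fraud-relevant events with the DDoS timeline: transfers placed through a property that stayed up while a sibling domain was under attack deserve a second look. The following is an added illustration, not code from this post or from any bank; the record layouts, the domains, the amounts and the thresholds are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class DdosWindow:
    domain: str          # online property that was under attack
    start: datetime
    end: datetime

@dataclass
class Transfer:
    ts: datetime
    domain: str          # property the customer session came through
    account: str
    amount: float
    new_payee: bool      # first transfer to this beneficiary

def flag_transfers_during_ddos(windows, transfers,
                               amount_threshold=10000.0,
                               slack=timedelta(minutes=30)):
    """Return (transfer, attacked_domain) pairs for transfers placed while any
    property was under DDoS (plus slack either side) that are high-value or
    go to a never-seen payee. Threshold and slack are assumed values."""
    flagged = []
    for t in transfers:
        for w in windows:
            in_window = w.start - slack <= t.ts <= w.end + slack
            if in_window and (t.amount >= amount_threshold or t.new_payee):
                flagged.append((t, w.domain))
                break
    return flagged

# Constructed sample data: one DDoS against the public web site, plus wire and
# mobile activity through sibling properties that stayed up (placeholder domains).
SAMPLE_WINDOWS = [DdosWindow("www.bank.example",
                             datetime(2012, 12, 18, 14, 0), datetime(2012, 12, 18, 16, 0))]
SAMPLE_TRANSFERS = [
    Transfer(datetime(2012, 12, 18, 14, 35), "wires.bank.example", "acct-1001", 48_000.0, True),
    Transfer(datetime(2012, 12, 18, 15, 10), "mobile.bank.example", "acct-1002", 250.0, False),
    Transfer(datetime(2012, 12, 18, 11, 0), "wires.bank.example", "acct-1003", 60_000.0, True),
    Transfer(datetime(2012, 12, 18, 16, 20), "mobile.bank.example", "acct-1004", 3_000.0, True),
]

def flagged_accounts(windows=SAMPLE_WINDOWS, transfers=SAMPLE_TRANSFERS):
    """Accounts whose transfers should go to manual review."""
    return [t.account for t, _ in flag_transfers_during_ddos(windows, transfers)]

if __name__ == "__main__":
    for t, dom in flag_transfers_during_ddos(SAMPLE_WINDOWS, SAMPLE_TRANSFERS):
        print(f"REVIEW {t.account} {t.amount:.2f} via {t.domain} at {t.ts:%H:%M} while {dom} under DDoS")
```

The small, routine mobile payment and the large wire placed hours before the attack are left alone; the two transfers inside the attack window that are high-value or to a new payee are queued for review.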
So while there are conflicting opinions and accounts over what’s happened, this is how I sum up what I have heard from well-placed professionals.
Solution: layers of fraud prevention, authentication and authorization controls. We’ve got a lot of research in this area, including a forthcoming research note, “Innovation Drives Seven Dimensions of Context Aware Security.”
The note also discusses the importance of organizational focus and alignment. For sure the technical solutions are out there – and using them effectively can likely stop 80-90% of the damage. The key barrier to success is lining up the right resources in the right way to stop these bad guys – whoever they are and however real their threats are — head on.
Comments or opinions expressed on this blog are those of the individual contributors only, and do not necessarily represent the views of Gartner, Inc. or its management. Readers may copy and redistribute blog postings on other blogs, or otherwise for private, non-commercial or journalistic purposes, with attribution to Gartner. This content may not be used for any other purposes in any other formats or media. The content on this blog is provided on an "as-is" basis. Gartner shall not be liable for any damages whatsoever arising out of the content or use of this blog.