Banks Fight Cyber Attacks By Hiring Outside Help

This Jan. 12, 2012 photo taken with a fisheye lens, shows a PNC Bank ATM machine in downtown Pittsburgh. PNC Financial Servic
This Jan. 12, 2012 photo taken with a fisheye lens, shows a PNC Bank ATM machine in downtown Pittsburgh. PNC Financial Services Group Inc. said Wednesday, Jan. 18, 2012, that its fourth-quarter net income dropped 43 percent on higher expenses and a comparison to a year-ago stock sale gain, while revenue fell. (AP Photo/Gene J. Puskar)

For weeks, hackers have attacked many of the country's largest banks, disrupting their websites and frustrating customers who have been unable to access their online accounts.

Banks have responded by asking for help. Many have quietly hired companies that specialize in defending against so-called "denial of service attacks," in which hackers overwhelm Web servers with massive amounts of traffic to knock websites offline.

These cyber-attack defense companies, which are largely unknown to the general public, are essentially taking punches for the banks by absorbing and filtering a tidal wave of Web traffic from hackers that would otherwise cripple bank websites. Though some websites continue to suffer disruptions, the outages would last longer and occur more frequently if the banks tried to fend off the attacks themselves, said Bill Nelson, president of the Financial Services Information Sharing and Analysis Center, a financial industry association.

"The attacks are like Niagara Falls trying to fit into a narrow pipe," Nelson said. "No website can handle it. But these guys have the tools to handle it, so it really makes a lot of sense to outsource to them. I think it's been very effective."

One company defending the banks from attacks is Neustar, which offers what security experts call a "traffic scrubber." When hackers launch an attack, Neustar's technology diverts the onslaught of traffic to Neustar's servers, which have more bandwidth capacity. Then, the company filters out junk traffic to allow legitimate bank customers to access the websites.

Rodney Joffe, a senior technologist at Neustar, compared it to guiding an oncoming train onto a different track.

"It's like flipping a switch," Joffe said. "The bank customers may not see any real effect."

Scott Hammack, chief executive of Prolexic, said his company provides security for 15 of the top 30 banks in the world. Several of them have been bombarded by attacks in recent weeks, but have managed to avoid major disruptions.

"If banks come under attack, they route their traffic over to us," Hammack said. "We provide a buffer for them to mitigate the attacks. Lately, it's been very very busy."

Another company, Akamai, has been blocking cyber attacks from reaching data centers where bank websites are hosted. Michael Smith, director of Akamai's customer security response team, said his company has thwarted several attacks against banks or limited the duration of outages to minutes instead of hours.

"There have been many attacks against the banks that nobody knows about because they were successfully defended against," Smith said.

The banks have also been working with Internet service providers to identify computers around the world that are being used by the hackers and scrubbing those machines of malicious software that automate their attacks, Nelson said. And banks have been sharing data about the attacks with each other so they can block malicious IP addresses, he said.

But their defense measures aren't foolproof. This week, for example, Fifth Third Bank told its customers that it suffered two cyber attacks in a period of less than a week. Since last fall, some of the nation's larget banks have suffered disruptions to their websites, including Bank of America, Citigroup, Wells Fargo and HSBC.

While the attacks have prevented customers from performing online transactions, no money has been taken from customer accounts, according to the banks.

The group claiming responsibility for the attacks -- Izz ad-Din al-Quassam Cyber Fighters -- claims it is targeting American banks in response to a YouTube video released last year that was offensive to Muslims, and vows to continue its attacks until the film is removed.

But American officials say the hackers are really operatives of the Iranian government who are lashing out against American banks for U.S. sanctions against the country and a 2010 cyber attack that damaged Iran’s nuclear program. They offer no evidence to support those claims, however.

The attacks have been particularly difficult to defend against because they have increased in force. In recent weeks, the hackers have engineered networks of computers in data centers to supercharge their attacks against the banks, The New York Times reported Wednesday.

The financial service industry already spends $25 billion worldwide on security. Joffe estimated that banks are spending "millions of dollars a month" to outsource their defense against the recent wave of attacks.

And yet, he said, it is still still not enough to keep their websites running smoothly.

“The banks can spend as much money as they want,” Joffe said, “but the dirty little secret is there is no perfect way to defend against a denial of service attack.”

In a posting Tuesday on the file-sharing site Pastebin, the hackers echoed that point, boasting in an online posting Tuesday that their success “showed that despite the high cost of U.S. banks to deal with these attacks, the attacks cannot go under control and are unstoppable.”

Joffe said banks have started taking other precautions in case their websites crash, such as increasing the number of tellers at branches and over the phone. One bank, PNC, recently posted a note to its customers on its website, reminding them they can use the bank’s mobile banking app or contact the bank on Twitter if a cyber attack causes another outage to occur.

While the banks scramble to fend off the attacks, the consequences for customers are still relatively minor.

"The number one thing people need to realize is that it's not the end of the world if your bank's website goes down for an hour," Smith said. "Over time, these things will become fairly commonplace and the public won't be as alarmed."