The announcement of the Project Blitzkrieg attacks has left me wondering how organizations should prepare for DDoS attacks that are linked to fraud operations. What specific precautions can organizations take in such a situation?
Ask the Expert
Have questions about enterprise information security threats for expert Nick Lewis? Send them via email today! (All questions are anonymous.)
Project Blitzkrieg is the name given to a reported series of financial fraud attacks against large U.S. banks. The attacks were allegedly being committed by a group of criminals in an attempt to steal millions of dollars.
Unlike more common distributed denial-of-service (DDoS) attacks aimed at websites to overwhelm them with Internet traffic from botnets, Project Blitzkrieg DDoS attacks are largely dependent on malicious users who send traffic to banks in order to commit financial fraud and overwhelm the system In this attack scenario, the customers of these banks are still able to use the banks' website. As Cormac Herley described in a research paper, the losses to individuals will most likely be covered by the banks for attacks like this and the bottleneck is the people stealing the money, not the technology or security controls. Thus the impacted consumers may not take sufficient steps to protect themselves from this type of fraud, but this could be an issue for the financial institutions.
Financial institutions can protect against these Project Blitzkrieg-style DDoS attacks by requiring out-of-band confirmation of financial transactions, delaying suspect transactions by several days or denying transactions involving certain other banks. Unfortunately, all of these security controls can be fairly easily bypassed, but these delay tactics could give banks more time to use their fraud-detection systems to spot the fraudulent transactions. More elaborate security mechanisms can be developed requiring transaction authentication, smartcards, biometrics or two-factor authentication. The attacks would likely continue, though, even with these methods implemented; ATM fraud and robberies still happen even when two-factor authentication is in place. These new controls could reduce the losses from crime, but the costs need to be evaluated to determine if they reduce the overall cost of financial fraud.
This was first published in May 2013