HSBC’s online banking website is down, leaving thousands of customers unable to access its services after a cyber attack. A spokesperson said HSBC had been hit by a distributed denial of service (DDoS) attack but did not say whether the source was known. “HSBC internet banking came under a denial of service attack this morning, which affected personal banking websites in the UK,” she added. “HSBC has successfully defended against the attack, and customer transactions were not affected. We are working hard to restore services, and normal service is now being resumed.” Security experts from MIRACL, ESET, Splunk, AlienVault, Comparitech, Lieberman Software and Tripwire commented as follows.
Monzy Merza, Chief Security Evangelist, Splunk:
“In today’s cybersecurity landscape, all companies should expect to be targeted by attackers. While it’s essential to consider prevention strategies, it’s equally important to consider recovery and to be positioned to bounce back quickly and maintain continuity.
Organizations need to have a deep understanding of their infrastructure and environment, meaning that full visibility is the key. A successful recovery plan includes visibility, analysis, and automated and human-mediated response capabilities. The HSBC breach shows us that attacks are bound to happen and that a well-instrumented organization can recover from even the most sophisticated attacks.”
Brian Spector, CEO of MIRACL:
“Not even the largest financial institutions on earth are immune from cyberattacks that disrupt business operations. HSBC is using antiquated authentication technology; what else is not up to speed, such that one of the world’s largest banks has been taken offline?
HSBC are claiming to have “successfully defended” the attack, but if your main business is taken offline and your website is unreachable, you have not successfully defended yourself.”
Mark James, Security Specialist at IT Security Firm ESET:
How safe is online banking?
“Banks have malware attacks every single day; almost all of them are thwarted immediately, some get stopped before they do any damage, and some may well get through without notice. But let’s put this into perspective: because of this knowledge, the systems put in place to protect our finances are far superior to what you will find on your desktop machine or even your average company server. Firewalls, host intrusion detection systems (IDS), and network and data flow monitoring will be in place to check for anything out of the ordinary.
A well-placed and maintained chain of command, with the right expertise in each field, will be on hand to back up the hardware and software systems in place, in an attempt to keep safe not just our finances but the finances of the very companies that form the backbone of our country. These procedures will be checked, monitored and adapted if needed to meet any new threats that emerge from the bad guys.
Of course no system is 100% safe, but some are safer than others. We have many advances in technology available to us to help combat the ever-evolving world of cyber warfare, but as they adapt so will we; it will always be a cat-and-mouse game, and we have to win more than we lose.”
“DDoS attacks, regardless of motive, are never good for any organisation. Whether they are driven purely as a means to cause downtime, to force the owner to pay extortion fees or as a cover for malware activity, quite often it affects us, the users, the most. HSBC have stated that “HSBC UK internet banking was attacked this morning. We successfully defended our systems.”
But what’s the real damage caused? Just stopping people accessing their systems seems pointless unless it’s driven by a competitor (extremely unlikely) or is making a vocal statement about what they do or don’t do from a moral standpoint (not this case), so maybe it’s a cover to test, damage or control their online systems. At this stage it’s only hearsay or rumour, and I am sure we will find out sooner or later; either way the bank will take a PR hit from this. In this day of technology and convenience, speed is of the essence: when we want to do something nowadays we expect it to happen now, not later or tomorrow. If users are inconvenienced by not being able to access their bank accounts (more than once for HSBC), then they may vote with their feet rather than be understanding and stay.
As in all situations like this, please be mindful of the after-effects. Nothing may happen, but just be a little bit more cautious when opening emails or taking calls from people claiming to be associated with your financial organisations. Remember, NO bank will take offence if you want to double-check things by calling back or verifying who they actually are; it’s a few minutes of your time that may save you hundreds or even thousands of pounds. And definitely make sure you have good, regularly updating internet security software installed on your computer or mobile device.”
Richard Kirk, SVP Telecom and Service Provider at AlienVault:
Insight into the attack?
“HSBC has suffered another high-profile website outage that has left its customers in a very awkward position, especially given that today is when most people in the UK get paid and have to settle bills. This raises many questions about liability and compensation, as people are not able to access their bank accounts online.
HSBC suggests that its customers call instead; however, it is quite likely that the call centres will not be able to cope with the spike in calls. HSBC claims that the attack was successfully defended, and this is most likely true, to the extent that if it is a distributed denial of service (DDoS) attack, then the online systems can be quickly taken offline to prevent any potential damage. However, this does not help its customers. Questions that need to be asked are: is a DDoS attack a network or a security concern? This is an important consideration, since it will dictate what response is triggered. But more importantly, surely it is time for cyber security risk to become a regular board-level discussion. I wonder if the HSBC board, or that of any bank for that matter, regularly discusses how it should approach preparing for and responding to cyber attacks and the growing risk to the business.”
Is online banking safe?
“Online banking is in use every second of the day by hundreds of millions of people across the world. Although no one has yet calculated the global losses attributed to banking cybercrime, people should feel assured that not only is online banking generally safe, there are also some actions that they can take personally to make themselves safer. This includes following best practices on passwords and not sharing online details with anyone else. Nevertheless, banks have a duty and responsibility towards their customers, and there is still work to be done.
Bank accounts have probably never been safer than they are today; however, this is no reason for complacency. Cybercriminals often rely on the usual human instincts to perpetrate their crimes, and some of these cannot be mitigated by the banks themselves. This includes never giving out personal banking details over the phone to strangers and avoiding using public computers to access online bank accounts. Banks try hard to educate their customers, and perhaps they could do more; however, people should not assume that all the responsibility lies with the banks.”
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“Often DDoS attacks like this are a distraction technique: bad guys hit you hard on the left so you’re too busy to see them sneak in on the right. DDoS attacks, where bad guys flood your website with so much work that it folds under the pressure, aren’t even strictly a security issue on their own. Unless the DDoS is part of a recipe to steal stuff, it’s a nuisance that is more about someone flexing their muscles than doing damage.”
Lee Munson, Security Researcher for Comparitech:
“The distributed denial of service attack experienced today by HSBC may be bad news for its monthly-paid customers and anyone scrambling to pay their self-assessment tax bills at the last minute, but we shouldn’t blow things out of proportion.
The bank’s systems have not been breached. No bank accounts have been raided and no personal information has been stolen.
The UK financial sector remains resilient to cyberattack thanks to operations such as Wire Shark and Resilient Shield, which have encouraged sharing of threat intelligence and greater communication between both British and US banks.
Whether that satisfies the minds of HSBC customers – who also experienced technical issues with their online banking accounts earlier this month – remains to be seen, though.”
Craig Young, Security Researcher at Tripwire:
“Distributed denial of service attacks are a huge problem for organizations in all industries and of all sizes. Traditional denial of service attacks, involving a flood of traffic from one particular source to overwhelm a targeted network, can be thwarted by identifying and blocking packets from the attacker upstream of the victim. A distributed denial of service attack, however, utilizes a flood of requests coming from many sources, such that it can be virtually impossible to identify and filter out the malicious requests. A real-world version of this attack might be a couple of hundred random people lining up for service at the bank, to the point that the tellers no longer know who is a customer needing service and who is just there to disrupt service.
This is a common type of attack used by so-called hacktivists looking to make a political statement, as well as by extortionists requesting a ransom in exchange for stopping the attack. Oftentimes the flood of requests is coming from computers and routers which have been hacked and unwillingly enlisted for the attack. These hacked computers are referred to as zombies, and in aggregate they form a botnet. Criminal organizations will actually rent out access to these systems with a DDoS-as-a-service business model.”
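Craig Young’s contrast between a single-source flood (block the one chatty address upstream) and a distributed flood (no single address stands out) can be made concrete with a small detection script. The following is an added example written for this page, not code from HSBC, Tripwire or any of the commentators. The request log, the address ranges and the thresholds are all constructed assumptions: 50 requests per source per 10-second window before an address is blocked, and an aggregate rate above five times an assumed 10 requests/second baseline as the volumetric alarm. It runs a sliding-window per-source check and an aggregate-rate check over both kinds of flood.

```python
"""Per-source versus aggregate request-rate detection over constructed traffic.

Added example for this article (not HSBC's or Tripwire's code). The traffic,
addresses and thresholds below are constructed for illustration only.
"""
from collections import defaultdict

WINDOW_SECONDS = 10.0       # detection window
PER_SOURCE_THRESHOLD = 50   # requests from one IP per window before it is blocked (assumed)
BASELINE_RPS = 10.0         # assumed normal aggregate request rate for the site
SURGE_FACTOR = 5.0          # aggregate rate above SURGE_FACTOR x baseline raises an alert


def constructed_requests(attacker_ips, requests_per_attacker,
                         legit_clients=20, legit_requests=5):
    """Build a constructed list of (timestamp, source_ip) tuples for one window.

    Legitimate clients live in 192.0.2.0/24 (RFC 5737 documentation space) and
    each send a handful of requests; every attacker address sends
    requests_per_attacker. All requests are spread evenly across the window.
    """
    requests = []
    for i in range(legit_clients):
        ip = f"192.0.2.{i + 1}"
        for k in range(legit_requests):
            requests.append((WINDOW_SECONDS * (k + 0.5) / legit_requests, ip))
    for ip in attacker_ips:
        for k in range(requests_per_attacker):
            requests.append((WINDOW_SECONDS * (k + 0.5) / requests_per_attacker, ip))
    requests.sort()
    return requests


def single_source_flood(total=2000):
    """Classic DoS: one address (constructed) sends the entire flood."""
    return constructed_requests(["198.51.100.7"], total)


def distributed_flood(total=2000, bots=500):
    """DDoS: the same volume spread over many zombies, each staying quiet."""
    bot_ips = [f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}" for i in range(bots)]
    return constructed_requests(bot_ips, total // bots)


def per_source_offenders(requests, window=WINDOW_SECONDS,
                         threshold=PER_SOURCE_THRESHOLD):
    """Return the IPs that exceed `threshold` requests within any sliding window.

    This is the single-source defence: find the chatty address and drop it
    upstream. A sliding window (two pointers over each IP's sorted timestamps)
    catches a burst that straddles fixed bucket boundaries.
    """
    by_ip = defaultdict(list)
    for ts, ip in requests:          # requests are sorted, so each list is too
        by_ip[ip].append(ts)
    offenders = set()
    for ip, times in by_ip.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > threshold:
                offenders.add(ip)
                break
    return offenders


def assess(requests, window=WINDOW_SECONDS, baseline_rps=BASELINE_RPS,
           surge_factor=SURGE_FACTOR):
    """Combine per-source blocking with an aggregate volumetric check."""
    offenders = per_source_offenders(requests, window)
    total = len(requests)
    rps = total / window
    filtered = sum(1 for _, ip in requests if ip in offenders)
    return {
        "blocked_ips": offenders,
        "aggregate_rps": rps,
        "volumetric_alert": rps > surge_factor * baseline_rps,
        # share of the traffic that per-source blocking would actually remove
        "filtered_fraction": filtered / total if total else 0.0,
    }


if __name__ == "__main__":
    for name, traffic in (("single-source", single_source_flood()),
                          ("distributed", distributed_flood())):
        result = assess(traffic)
        print(f"{name}: {result['aggregate_rps']:.0f} req/s, "
              f"blocked={len(result['blocked_ips'])} IPs, "
              f"filtered={result['filtered_fraction']:.0%}, "
              f"volumetric_alert={result['volumetric_alert']}")
```

Both floods carry the same 2000 extra requests on top of 100 legitimate ones, so both trip the aggregate alarm. The difference is in what a per-source rule can do about it: the single-source flood is removed entirely by blocking one address, while in the distributed case every bot stays under the per-source threshold and the filter removes nothing. That is the practical reason volumetric attacks are handled by upstream scrubbing and capacity rather than by address-level blocking alone.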
Tim Erlin, Director of Security and Risk at Tripwire:
“Financial institutions, including banks, are often at the forefront of data security practices and technologies. They have to be, because they are the most targeted organizations. Information security is an arms race, where both sides have to evolve to survive. It’s important to understand that these types of attacks are run by organized crime. There are sophisticated groups behind them, with skills, resources and the objective of profit.”