RBS and NatWest bank attacks should have been mitigated

The attack which disabled the RBS and NatWest Bank online services on Friday morning appears to be part of a renewed trend of DDoS attacks against the banking industry.

Customers were unable to access online services

According to law enforcement sources in America and Europe, distributed denial of service (DDoS) attacks against banks and other financial institutions are increasingly accompanied by ransom demands.

Given the critical importance of the banking sector to customers and the economy, some security experts have told SCMagazineUK.com that the banks should have been prepared to mitigate the attack.

According to a statement from NatWest bank, part of the Royal Bank of Scotland Group, “The issues that some customers experienced accessing online banking this morning were due to a surge in internet traffic deliberately directed at the website. At no time was there any risk to customers.”

However, customers took to Twitter to complain about the outage, with some expressing concerns that it might affect salary payments and other critical banking transactions as happened in another DDoS attack in 2013.

RBS has suffered from a series of IT issues and internet attacks which led CEO Ross McEwan to say to the FT.com in a 2013 interview that systems failure was unacceptable: “[Monday] was a busy shopping day and far too many of our customers were let down, unable to make purchases and withdraw cash.”

In 2014, RBS was hit by £56 million in fines for the failures in 2012 that disabled 6.5 million customer accounts. Critics said that the acquisition of so many disparate banks has led to a hodge-podge of IT systems, leaving the system vulnerable to outages and attacks.

In June 2015, RBS pledged to invest £150 million a year on cyber-security on top of hundreds of millions it had already spent for security and resiliency projects.

Security experts were not surprised by Friday's DDoS attack. It follows warnings from both the FBI in America and the Swiss Governmental Computer Emergency Response Team that DDoS extortion rackets against banks are on the rise.

The Swiss CERT said it had been made aware of a group called DD4BC which had started DDoS extortion schemes in 2014 which are increasingly focussing on European banks. “MELANI / GovCERT.ch is aware of several high profile targets in Switzerland that have recently received a blackmail from DD4BC and have consequently suffered from DDoS attacks, obviously conducted by DD4BC,” it said.

“The DDoS attacks usually start with NTP (port 123 UDP) and SSDP (port 1900 UDP) amplification attacks targeting the victim's public website, taking advantage of millions of insecure or misconfigured devices around the world. Later on, we have seen the attackers moving to TCP SYN flooding and layer 7 attacks to bypass mitigation measures taken by the ISP. Taking advantage of amplification attacks by abusing the NTP, SSDP or DNS protocol, the attackers are in theory able to launch DDoS attacks consuming a bandwidth of up to 500 Gbit/s,” he said.
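The two attack phases the CERT describes, reflected UDP amplification from NTP/SSDP/DNS followed by TCP SYN flooding, leave distinct traces in flow records that a bank's network team can alert on. The following detector is an added example written for this article, not code from the CERT, RBS or any vendor: it parses a constructed, simplified flow-record format, groups inbound UDP traffic arriving from the reflector source ports named in the quote, and flags a victim when many distinct reflectors send unusually large packets (legitimate NTP or DNS replies are small; amplified ones are not). It separately counts SYN-only flows per destination port to catch the later SYN-flood phase. The thresholds, IP addresses and record layout are all hypothetical and would be tuned against a real baseline.

```python
"""Added example: flag reflection/amplification and SYN-flood patterns in flow records.

Illustrative detector, not from the article or any vendor. The flow-record
format is a constructed, simplified one; thresholds are hypothetical.
"""
from collections import defaultdict
from dataclasses import dataclass

# UDP services named in the CERT quote as reflectors. Traffic arriving FROM
# these source ports at a host that never queried them is the tell.
REFLECTOR_PORTS = {123: "NTP", 1900: "SSDP", 53: "DNS"}


@dataclass
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str      # "udp" or "tcp"
    tcp_flags: str  # e.g. "S", "SA"; "" for UDP
    packets: int
    bytes: int


def parse_flow(line: str) -> Flow:
    """Parse one constructed record: 'src:sport dst:dport proto flags pkts bytes'."""
    src, dst, proto, flags, pkts, nbytes = line.split()
    src_ip, src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return Flow(src_ip, int(src_port), dst_ip, int(dst_port), proto,
                "" if flags == "-" else flags, int(pkts), int(nbytes))


def detect_ddos(lines, min_sources=3, min_avg_bytes=400):
    """Return suspected amplification and SYN-flood victims.

    amplification: many distinct reflectors sending large UDP packets from a
    reflector port to one victim. syn_flood: many distinct sources sending
    SYN-only (no ACK) flows to one victim port.
    """
    amp = defaultdict(lambda: {"sources": set(), "packets": 0, "bytes": 0})
    syn = defaultdict(set)
    for f in map(parse_flow, lines):
        if f.proto == "udp" and f.src_port in REFLECTOR_PORTS:
            bucket = amp[(f.dst_ip, REFLECTOR_PORTS[f.src_port])]
            bucket["sources"].add(f.src_ip)
            bucket["packets"] += f.packets
            bucket["bytes"] += f.bytes
        elif f.proto == "tcp" and f.tcp_flags == "S":
            syn[(f.dst_ip, f.dst_port)].add(f.src_ip)

    amp_alerts = []
    for (victim, svc), b in sorted(amp.items()):
        avg = b["bytes"] / b["packets"]  # bytes per packet: large means amplified
        if len(b["sources"]) >= min_sources and avg >= min_avg_bytes:
            amp_alerts.append((victim, svc, len(b["sources"]), round(avg, 1)))
    syn_alerts = [(victim, port, len(srcs))
                  for (victim, port), srcs in sorted(syn.items())
                  if len(srcs) >= min_sources]
    return {"amplification": amp_alerts, "syn_flood": syn_alerts}


# Constructed sample flows: three NTP reflectors and three SYN-only sources
# hitting 203.0.113.10; a lone SSDP reflector, an established TCP session and
# a normal small NTP reply to another host are noise that must not alert.
SAMPLE_FLOWS = [
    "198.51.100.7:123 203.0.113.10:44321 udp - 40 18400",
    "198.51.100.8:123 203.0.113.10:44321 udp - 35 16100",
    "198.51.100.9:123 203.0.113.10:44321 udp - 50 23000",
    "192.0.2.50:1900 203.0.113.10:44321 udp - 20 6400",
    "192.0.2.60:52000 203.0.113.10:443 tcp S 1 60",
    "192.0.2.61:52001 203.0.113.10:443 tcp S 1 60",
    "192.0.2.62:52002 203.0.113.10:443 tcp S 1 60",
    "192.0.2.70:52003 203.0.113.10:443 tcp SA 12 9800",
    "198.51.100.7:123 203.0.113.11:123 udp - 2 180",
]

if __name__ == "__main__":
    for kind, alerts in detect_ddos(SAMPLE_FLOWS).items():
        for alert in alerts:
            print(kind, *alert)
```

On the sample data the NTP group for 203.0.113.10 averages 460 bytes per packet across three reflectors and the three SYN-only flows to port 443 trip the SYN-flood rule, while the single SSDP reflector and the small NTP reply do not. In practice the reflector list produced by the amplification branch is what you hand to the upstream ISP or scrubbing provider for filtering, which is the mitigation step the CERT notes attackers then try to sidestep with SYN and layer 7 traffic.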
