How will banks ensure the safety of our money? Ddos attacks on NL banks

This week bank costumers of The Netherlands were shocked when they realised that online banking may not be as safe as they thought. Perhaps some were surprised to hear that what they think is money, is nothing but digits, something that does not exist. Their money only exist because we all act as if it exists and accept transactions between each other aided by software run by banks, if they haven’t outsourced that function. The good people found out the hard way that by, in this case involuntarily, changing a few digits, their money just disappeared (and some became millionaires without being able to access this money).

The next day new malfunction of banks’ websites were reported. For the first time it was openly admitted that all our banks’ and payment intermediary iDeal’s website were down, due to an attack in the form of a ddos attack, making the website of the respective banks unreachable for regular traffic. The assailants tried to log in also.

This resulted in headlines, Tweets, blogs and opening news items, the one at the 8 o’clock news on the public channel ending with: “in the USA this happens nearly every day”. In the following I’d like to take a look at a few related comments, a tweet by a politician, before coming to some questions. The main one reflects the title most: “Who’s responsible for cyber security?”

Public outcry
If anything the chaos or perceived chaos in banking transitions led to angry or confused people, famous short fuses and loads of attention from the media. The cyber security world is waiting for years for a major cyber incident.One causing great damages, in the hope governments and companies start moving in the right direction. Some experts are even totally resigned to this way of thinking. This is not that incident. Sure, it shocked end users, led to some reactions from politicians, but in the end nobody seems to have lost money and there are so many other issues calling out for attention.

The news
Tax evasion
In the past week high level tax evasion by multi nationals, top-executives, politicians, etc., let’s say the top of societies, was prominent in the news. A conclusion in a column in NRC Handelsblad stated, to this problem decisions at world level are needed. (If I’m cynical, look at the list at the start of this section and ask yourself the following question: Who decides on worldwide solutions?) What struck me, also, is that this is the exact same conclusion that is derived at when talking about Internet governance, international cooperation against cyber crime, spam and malware enforcement, etc., etc. In short, what I recently heard someone call “the glass ceiling of Internet governance”. Most discussions stop here. Another variant to this discussion is: “we need to break own silos!”. Okay, but who is “we”? Is someone made responsible for this breaking down, silos or ceilings? What are the right questions to ask here? Questions that lead to answers that could take the discussion forward and actually change the outcome? A topic for the upcoming IGF in Bali I’d say.

The near future
The comment in the 8 o’clock news cited above, caught my attention most. “This happens nearly every day in the US”. I read somewhere that 267 out 365 days there were problems accessing major banks’ websites. In other words this is something we are to expect also? Are there contingency plans? Do governments allow that payments can’t be made (parts of) 267 days in the year? The economic impact is gigantic. Does it matter then whether the attacks stem from criminals, free speech advocates, “fun hackers” or state-to-state activities? I’d say not.

How can banks ever guaranty the safety of our money?…
…is the question Dutch parliamentarian Kees Verhoeven (D66) asked on Twitter. (This is the Tweet: “Heftig. De storing blijkt nu een #DDoS aanval! De vraag is hoe banken de veiligheid van ons geld kunnen blijven garanderen. #cybersecurity”). I responded to him that this was totally the wrong question to ask. There is nothing banks can do against ddos attacks, beyond preventive measures. The attackers, the tools they use, the infected pcs and other devices used, the command and control servers hosted anywhere in the world, are all far beyond the control of banks. As long as banks run state of the art security measures (even if they don’t), they are victims and not attackers. Perhaps the banks need support from other entities on and around the Internet to solve this problem.

The tools used are infected pcs of end users, companies, governments, industry, etc. and other devices like smart phones, smart tvs, up to a hacked chip in your cat’s collar (and this is no joke). There are a million reasons why these devices are infected. From irresponsible use by end users, flawed software, a lack of security by design in anything with “i” in front if it, negative incentives to deal with botnet mitigation or notice and take down requests, a lack of understanding in general, right up to a lack of government regulation, enforcement or incentives. All measures or better a lack of measures, banks have no influence over at all. They have an influence over the quality products they buy themselves in the future, over internal policy and security measures and perhaps they can reach out more to discuss Internet governance actively, which I advice them to do, but it stops there.

So, taking this all in, can banks guarantee the safety of our money? Answer this question yourself and continue to ask yourself the question who is responsible for cyber security? A virtual plethora of parties involved and where to start? What I have to conclude is that almost every single decision is to be made in the private sphere. In a competitive world. Where does that leave governments? Where does this leave decisions consciously made with the common good in mind?

So, who’s responsible?
I’m not going to answer this question here. Those who follow me here, on CircleID or in Virus Bulletin know my points of view. What I’d like to ask you is to think about this question for one minute and share your thoughts with me here on within an(y) other context. It may just get a discussion going.

Wout de Natris, De Natris Consult

Haarlem, 7 april 2013

About Wout de Natris

As a consultant I specialise in establishing new and different relationships between industry, governments and law enforcement where internet safety and the fight against cyber crime are concerned. This makes me a bridge builder. Hence the blogs name. In this blog I intend to stress the need for interaction, cooperation and exchange of information in order to change the mentioned relationships. On offer: a comprehensive training on all non-technical aspects of spam enforcement and a cyber awareness presentation for companies and institutions
This entry was posted in Botnets, Cyber awareness, Cyber crime, Cyber education, Cyber espionage, Cyber security, Cyber warfare, Hacking, International cooperation: cross border aspects, International cooperation: IP resources, Internet governance, Self regulation, spam and tagged , , , , , , , , , , , , . Bookmark the permalink.

2 Responses to How will banks ensure the safety of our money? Ddos attacks on NL banks

  1. Michiel Steltman says:

    The biggest risk with calls for action based on a major incident is (indeed) that Governments will really start to act. Typically by designing something that misses the point, does not help, cannot be executed – etc. but looks nice to the general audience.
    The only possible road (to my opinion) is to call upon all involved Internet parties to design and apply preventive measures, and to put more effort in & strengthen high tech police teams.
    – Wout pointed me at a project on his on linkedin : ISP’ ,
    – preventive measures by DNS hosters and ISP’s, see (in dutch)
    – Proper funding of police cyber teams (such as NL KLPD THTC)
    – Better international cooperation by such specialized teams
    – Ideas ?

    The bottom line: a cat and mouse play, but with measures above we can keep it under control.

    • Michiel,

      Thanks for your comments. What are your thoughts in trying to organise a meeting on the ACDC initiative for relevant and interested stakeholders in The Netherlands. The results could be a step up in the cat and mouse game.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s