Advertising Disclosure

About Ken Tumin

Ken Tumin founded the Bank Deals Blog in 2005 and has been passionately covering the best deposit deals ever since. He is frequently referenced by The New York Times, The Wall Street Journal, and other publications as a top expert, but he is first and foremost a fellow deal seeker and member of the wonderful community of savers that frequents DepositAccounts.

Popular Posts

Middle East Hackers Attack Websites of Wells Fargo, Chase and Other Large Banks


If you had problems accessing your bank's website this week, you're not alone. Several major banks were hit this week with denial-of-service attacks which can make websites inaccessible. The latest bank to be hit was PNC Bank. Yesterday evening PNC had a "repair in progress" message on its home page. When I tried to access this morning, I wasn't able to access anything.

I've been reporting on these issues in this forum thread when rumors first began about a cyberattack. As you might expect, banks kept quiet in reporting the cyberattack. But as the website outages grew, it became apparent that this was a sophisticated cyberattack, and yesterday evening, it was the top story of ABC World News. The news report called it "the most extensive attack on American banks ever - launched from the Middle East - happening right now." In addition to PNC, the banks that have been hit this week include Bank of America, Wells Fargo, Chase and US Bank.

It's important to understand that this cyberattack has no direct effect on your money. There have been no reports that hackers have gained access to customer accounts. The type of attack that we are seeing is what's called a denial-of-service attack. The hackers send a huge amount of traffic to a website which overloads the website and makes it inaccessible for others. One defense that websites use against this attack is to block IP addresses. Hackers can make this defense more difficult by sending traffic from many different IP addresses. This is often done by hijacking thousands of servers with viruses that can be instructed to send traffic to certain websites. This more sophisticated approach is called a distributed denial-of-service (DDoS) attack. New defenses have been developed to guard against DDoS attacks, but hackers keep working on ways to break those defenses. It appears that in this bank DDoS wave of attacks, the hackers took it to the next level. According to this article:

Banks get hit by cyberattackers all the time and typically have some of the best defenses against them. This time, they were outgunned.

"The volume of traffic sent to these sites is frankly unprecedented," said Dmitri Alperovitch, co-founder of CrowdStrike, a security firm that has been investigating the attacks. "It's 10 to 20 times the volume that we normally see, and twice the previous record for a denial of service attack."

Even though these cyberattacks don't affect our bank savings, it can make it more difficult for us to conduct our banking business. If you can't quickly access your bank accounts, you might lose money. For example, if it delays an online bill payment, you might be hit with a late fee. Also, if you are trying to close a CD that has matured, a delay could allow the CD to be automatically renewed at a very low rate. This is another reason to avoid waiting to the last day to take care of these transactions.

One thing that can help you deal with these issues is to bookmark your bank's login page. Often the account servers are different than the servers that run the main pages. These DDoS attacks may only affect the bank's main page without affecting the account servers. When an attack is in progress, a bank may put up a temporary front page with links to its login pages. This is what PNC did yesterday.

Related Posts

  |     |   Comment #1
It would appear they need to use better security defenses and be more proactive going forward.
  |     |   Comment #2
There is only so much they can do against a massive DDOS attack like this. The hackers are, frankly, one step ahead of everyone else, and that will probably always be the case.
  |     |   Comment #4
I’m IT professional and can tell you that it is much more dangerous then you suggested in your posting.
Denial of service when combined with direction of service can make your live miserable, since the attackers can get your real logging IDs and password without you ever knowing.

How they do it, simple, the denial of service is not obvious until after you type your user ID and you press enter or click on log in, what happens next is that that info can be harvested and you may be directed to a phony server that looks just like the original bank.

Without any suspicions you continue to type your password or other security questions.
And voila, your banking IDs have been stollen. You may never find out by yourself that you have been hacked until your bank account is emptied to an account in Moldova or Russia or China.

The thieves use POS or ACH or WIRE to empty what ever your balance is.  All they need to find out is your account number and the well known ABA number from the web pages of your bank.
  |     |   Comment #7
#4  I too am an IT professional for over 20 years.  There are many other proactive measures that can and should be implemented by all on-line banking institutions.  I've always found it strange that I have never seen anything done except the standard logon and password with a possible hint.  I only have one online banking account and keep it at a low balance.  My other banks keep bugging me to set-up my other accounts for on-line access, but I refuse.  I constantly tell them I know what can go wrong.  They just won't believe me.
  |     |   Comment #6
I use both BOA and Chase and have taken the precaution of changing my logon ID and passwords and making sure all appropriate alerts are active at both sites.  At BOA all this is done through the Customer Service tab, at Chase through the Customer Center tab.   

Chase is especially important to me because I use it as one of my hub accounts, so any compromise of the login id and psw might expose details of other institutions where I bank.  The "manage external accts" window displays the name of the linked institution, the routing number and the last 4 of the account.   

BOA additionally offers another level of security called Safepass (see "Security Features" at the Customer Service tab), which allows you to optionally use the added measure of security for selected transactions by requiring a 6-digit, one-time-use code to authorize your most sensitive transactions.  The SafePass code is a one-time use code sent from Online Banking to your mobile device as a text message (or alternatively you can purchase a device for $19.99 which is always with you and generates a code on the fly).  I have not used this feature before but there's no time like the present to start.

Hope the detail on changing logon ids and psws helps other readers make these changes quickly, if they are so inclined. 
  |     |   Comment #8
Ken, you wrote:
“When an attack is in progress, a bank may put up a temporary front page with links to its login pages. This is what PNC did yesterday.”

I would never go to any temporary page as you suggested, why, how would you know that the page is authentic and posted from the bank and not the hackers. And how would you know the look of the page should be, and how sure can you be that the page is not re-directing you to the hacker’s logging page.

If something like this happens, I always stay away from that bank until all clear is sounded and I recognize the previous look and feel of the logging pages.

Good post #4.
  |     |   Comment #9
If the banks defense is to block IP addresses, then for better customer service they should always except customers IP addresses.    If you can block 100, you should be able to except 1.
  |     |   Comment #10
I am not an IT professional, but common sense tells me that because the banking system is so computerized, even banking customers that refuse access to online banking can still possibly become a victim of a hacker. 
  |     |   Comment #11
#10  Obviously your not an IT person.  Have you ever heard of "internet vs intranet"?  Big difference,

  |     |   Comment #12
This is the non IT person again asking the IT person a question:

After reading a little about it, I now understand your point that the intranet system is more privatized than the internet system, but what assures me that it is 100% secure from intruders?
  |     |   Comment #13
I couldn't get into Wells Fargo all day today.  The "cover" web page was there, but I couldn't access my account.
  |     |   Comment #14
Accesed Chase website this evening and it has a whole new look.   Bad timing on their part.   I am wondering if I should check with them in the morning to make sure it is authentic -- with all the hacking etc going on.
  |     |   Comment #15
our issue is a little different. My husbands employer uses PNC Bank...employees direct deposits did not get deposited on Friday. The employer said they should go through on Monday...but that due to the hacking the bank wasn't able to disburse direct deposits. That being said...we have several bills that come out automatically on pay day, and our account is in the negative. Does anyone know who to contact to see about getting the NSF fees credited back to our account?
  |     |   Comment #16
#15  If you do business with a local PNC and have a director you know, I would call them and tell them about the predicament and the fees.  They can usually look into it for you and take care of things.  I would not do this over the 1-800 customer service line but get someone like a director at one of your local banks to help you.  This is why I make myself known to certain directors at all the banks we do business with so I can get quicker help with problems when they occur.
  |     |   Comment #17
Wells Fargo came back up on Oct. 1st and 2nd, but now the whole site is down.  Hope the ATM still works.

The financial institution, product, and APY (Annual Percentage Yield) data displayed on this website is gathered from various sources and may not reflect all of the offers available in your region. Although we strive to provide the most accurate data possible, we cannot guarantee its accuracy. The content displayed is for general information purposes only; always verify account details and availability with the financial institution before opening an account. Contact [email protected] to report inaccurate info or to request offers be included in this website. We are not affiliated with the financial institutions included in this website.