Westpac hit by DoS attacks

Westpac is considering additional security measures for its online banking system after a spate of security and availability dramas, including denial of service (DoS) attacks.

Just days after human error caused the bank's ATM, EFTPOS and online banking networks to fail, the bank has confirmed that its online banking system was crippled by a DoS attack.

The attack, on Thursday 7 June, caused the bank's online service to be shut down for three hours between 8pm and 11pm.

According to Westpac insiders, the problem was initially passed off as a hardware failure.

Three hours later it was discovered to be a denial of service attack -- caused by the flooding of one of the open ports on an incoming router that carries Internet traffic.

Westpac spokesman David Lording has confirmed that the attack took place, but said that "Westpac firewalls were not breached and no fraud was committed".

"Rather it caused short term inconvenience to customers who could not access Internet banking," he said.

The National Australia Bank (NAB) experienced a similar attack in October 2006.

A ZDNet Australia source who works within Westpac's IT team, and who asked not to be named, said he suspects the attack was a probe to see how vulnerable the bank's security (firewall etc.) is.

"We are waiting for a possible larger attack," he said. "I can't see why [the culprit] would want to attack us with something we can easily shut down. All they need to do is change the attack to a port that we must have open, such as HTTP or HTTPS."

The source said typically 1000 users are online between the hours of 8pm and 11pm -- the time of the DoS attack.

"Our Information Security Group (ISG) were completely unprepared for this and didn't know the procedures that should be followed," he added.

The bank is now evaluating several new security options to bolster its defences against online attacks.

While "no decisions have yet been finalised", Lording says the bank is considering the use of SMS authentication as an additional security measure to the current password-based system.

"We are looking at [SMS authentication] in conjunction with tokens," he said. "We already have 100,000 tokens in use by business banking and high-transaction customers."

Westpac security woes
Westpac has had its share of security and availability issues in recent months. Earlier in June, its 16,500 Automatic Teller Machines, EFTPOS network, online banking and several bank branches were crippled by a power outage.

The power outage was caused by human error -- staff from IBM Global Services mistakenly cut power within the bank's Ryde datacentre while performing maintenance work on a UPS (Uninterruptible Power System) device.

And last month, Westpac had to block 900 customer cards after a skimming device was located in the ATM of a Melbourne branch. The scam took a total of AU$100,000 from 75 Westpac customer accounts.

Last October, Westpac suffered several high-profile outages. At the time, the bank claimed the outages were due to "hardware failures". Westpac denied DoS attacks were the cause of the outages.

The official line from Westpac is that the level of Internet fraud in the banking sector remains "relatively low".

The bank's introduction of a floating keypad on its online banking login screen to protect users from keystroke-logging Trojans has been "very effective in reducing fraud", Lording said.

But ZDNet Australia's source suggests the bank might be putting a brave face on a growing problem.

"The fraud losses have been growing over the past six months," he said.

ZDNet Australia's Brendon Chase contributed to this story.
