Walt Bettinger also declares mea culpa surrounding long wait times for telephone service late on Tuesday

April 25, 2013 — 3:08 AM UTC by Brooke Southall

2 Comments

Brooke’s Note: The bombs at the finish line of the Boston Marathon were a terrorist attack. We should and do grieve. The attack on Schwab’s website is certainly a form of terrorism — even if it doesn’t make mainstream headlines. Virtually everyone we interviewed over the past few days explicitly or implicitly expressed sympathy for Schwab’s plight. This attack is certainly not Schwab’s fault per se; the company was victimized. But it is the nature of this kind of attack that the ones who get hurt are the ones that are expected to help fix the damage. The first step is an apology. This article presents the company’s first one of those. Then will come efforts to be sure that the contingency plan of having plenty of phone support is shored up in case the next attack occurs. And there will have to be help for customers who were genuinely hurt by the downtime. There are also other lingering questions — perhaps not fair to ask yet — about whether Schwab had done all it could to prepare for this attack. And if it did, what does that say about the possibility of further attacks? An expert source in our original article expertly addressed this issue, for which there are no black-and-white answers. See: Schwab’s website went down twice after two 'denial of service’ attacks — so what was up? Some of those thoughts are appended to the bottom of this article. What Schwab does next, not what has happened, will determine whether it gets black marks for this incident. It could well, too, come away as a white knight — as most RIAs attest that it has thus far — by performing well under the worst circumstances.

Here is the apology issued by Walter Bettinger, CEO of The Schwab Corp.

Dear Valued Clients,

Yesterday, Schwab was one of the most recent targets of a “denial of service” attack perpetrated by a third party. A denial of service attack is an attempt to disrupt normal access to a website. As a result, access to our client websites was blocked, for nearly two hours. A similar attack today has intermittently slowed access to our websites.

These attacks did not involve unauthorized access to client accounts or client data. We sincerely apologize to each and every one of our valued clients and recognize how frustrating this situation is. We know that uninterrupted access to our web sites is a fundamental expectation.

Denial-of-service attacks are, unfortunately, an increasing fact of life in an interconnected world. Despite managing multiple redundancies, data centers, links and Internet carriers, on relatively rare occasions these attacks have recently succeeded at blocking access to web-based services throughout our industry.

Although phone services were available during these incidents, there was a period late yesterday in which wait times were excessive as clients unable to access the web, called our phone service teams. If you believe your trades were affected, please call us at 800-435-4000 to discuss your personal situation with one of our professionals.

Based on the history of denial of service attacks on other companies, we anticipate these attacks may continue against our industry — and us — for some time. We will continue to work with the industry and law enforcement to ensure our web sites are available without interruption. If at any time you cannot access our websites, please contact us at 800-435-4000 or visit us at one of our branches for assistance accessing your account.

Sincerely,

Walt Bettinger
President & CEO

John Stuart, chief information officer for Beverley Hills Wealth Management in Los Angeles, says Bettinger’s apology is on target.

“Schwab’s response to their recent DoS is accurate. These attacks will continue to happen, especially in the financial services industry. Thousands of attacks daily go unnoticed because of the great security professionals working behind the scenes to keep our businesses and clients safe. IT groups have always been an organization targeted for downsizing during recessionary times. Hopefully the custodians of our money prioritize their budgets with network and application security in mind.”

Jason Lahita, a principal of PR firm FiComm Partners had this to say about the comment:

“From a messaging standpoint, I do find it sincere as far as the tone of apology goes, yet there is also a tone of acceptance that clients and the company may be in store for more of this. They tell us that this is a 'fact of life.’ That is not very reassuring, and while the message of 'we were attacked’ — they use the word 'attack’ in some form at least 8 times — comes through loud and clear, in my opinion there needs to be a bit more outrage conveyed in the messaging, and perhaps a somewhat stronger note of 'defense.’”

An IT expert who asked to remain unnamed agreed that denial of service attacks are pervasive and said: “There’s a hacktivist group called Izz ad-Din al-Qassam Cyber Fighters that’s been making a lot of noise recently and has launched major DDoS attacks against a lot of financial services companies, including Citigroup, BofA, Wells Fargo, and others. Their beef is an offensive [to Islam] video that’s on YouTube. They want it taken down. Could be related to that, as they’ve basically said that 'no financial company is safe.’”

Raising defenses against this kind of attack is difficult, he adds.

“DDoS attacks are very difficult to protect against. Basically what’s going on is that a whole army of zombie computers (which could number in the tens of thousands) are programmed to basically 'attack’ Schwab by requesting a lot of data from their web servers at the same time. Called 'botnets,’ these computers overwhelm the web host by sending multiple requests for information.

Silversky reports that institutions with less than $1 billion in assets under management experienced an average of eight security incidents in 2012, and that 72% of the threats seen in the second half of 2012 came from groups located in the US, Russia, Ukraine and China.

“There are some strategies to deal with DDoS, a host of them require you to reroute malicious requests into what’s called a 'black hole IP’ and get them away from your primary infrastructure. The problem is that, at first, it’s really difficult to identify what’s real versus what’s malicious. Usually your colo (co-location) facility handles this. There are also commercial firms such as Cloudflare that claim to be able to help you respond and defend against DDoS attacks quickly. Not sure if Schwab uses something like this or not. At the end of the day, though, these are really hard to defend against and require rapid triage and action. I can guarantee you that Schwab is working with their colo to update their policies and procedures to be able to respond and mitigate these attacks much more quickly in the future.”

He added: “Schwab will continue to take steps to mitigate this, and as the attacks continue it will be less and less 'at the mercy’ of whoever is behind the DDoS. I noticed earlier that even while the schwab.com site was down and/or slow, Schwab Advisor Center was purring along just fine. So Schwab has clearly been working with its colo to route the malicious traffic away from its infrastructure and is having some success. As I said, though, these events are incredibly difficult to defend against and respond to quickly. Sadly, a DDoS takes a bit of time to respond to. With each attack, though, Schwab becomes less and less vulnerable as more data are collected, allowing it to accurately reroute the malicious traffic away from schwab.com to the 'black hole.’”
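To make the triage the expert describes concrete, here is an added example (not code from the article, from Schwab, or from its colocation provider): a small Python script that replays constructed access-log lines, flags any source whose request count crosses a threshold inside a sliding time window, and emits a host-level drop rule for it. The log lines, the addresses (RFC 5737 documentation ranges), the window size, the threshold and the allowlist are all assumptions made for illustration.

```python
"""Toy rate-based DDoS triage over web-server access logs.

Added example, not code from the article or from Schwab. The log lines,
addresses, window and threshold below are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Common Log Format: client - - [timestamp] "request" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) (\S+)')

# Constructed sample (RFC 5737 documentation addresses, not real traffic).
# 198.51.100.7 hammers /login; 203.0.113.200 is a busy but legitimate
# corporate NAT gateway; the others are ordinary clients.
SAMPLE_LOG = """\
203.0.113.5 - - [23/Apr/2013:14:02:00 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.7 - - [23/Apr/2013:14:02:01 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [23/Apr/2013:14:02:01 +0000] "GET /login HTTP/1.1" 200 512
192.0.2.9 - - [23/Apr/2013:14:02:02 +0000] "GET /research HTTP/1.1" 200 8192
198.51.100.7 - - [23/Apr/2013:14:02:02 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [23/Apr/2013:14:02:02 +0000] "GET /login HTTP/1.1" 200 512
198.51.100.7 - - [23/Apr/2013:14:02:03 +0000] "GET /login HTTP/1.1" 200 512
this line is not in CLF and must be skipped
203.0.113.5 - - [23/Apr/2013:14:02:15 +0000] "GET /account HTTP/1.1" 200 4096
198.51.100.7 - - [23/Apr/2013:14:02:20 +0000] "GET /login HTTP/1.1" 200 512
203.0.113.5 - - [23/Apr/2013:14:02:31 +0000] "POST /trade HTTP/1.1" 200 1024
203.0.113.200 - - [23/Apr/2013:14:02:40 +0000] "GET / HTTP/1.1" 200 5120
203.0.113.200 - - [23/Apr/2013:14:02:42 +0000] "GET /account HTTP/1.1" 200 4096
203.0.113.200 - - [23/Apr/2013:14:02:44 +0000] "GET /research HTTP/1.1" 200 8192
203.0.113.200 - - [23/Apr/2013:14:02:46 +0000] "GET /quotes HTTP/1.1" 200 2048
203.0.113.200 - - [23/Apr/2013:14:02:48 +0000] "GET /account HTTP/1.1" 200 4096
"""


def parse_clf(line):
    """Return (source_ip, timestamp) for one CLF line, or None if malformed."""
    m = CLF_RE.match(line)
    if not m:
        return None
    return m.group(1), datetime.strptime(m.group(2), "%d/%b/%Y:%H:%M:%S %z")


def blackhole_candidates(log_text, window_seconds=10, threshold=5,
                         allowlist=frozenset()):
    """Flag each source whose requests within any window_seconds span reach
    threshold. Returns {ip: timestamp of the request that crossed the line}.
    Lines are expected in time order, as a server writes them. Sources on
    the allowlist (known proxies, partner gateways) are never flagged: a
    pure rate rule cannot tell a botnet node from a busy NAT gateway."""
    recent = defaultdict(deque)   # ip -> timestamps inside the current window
    flagged = {}
    for line in log_text.splitlines():
        parsed = parse_clf(line)
        if parsed is None:
            continue              # malformed line: not evidence either way
        ip, ts = parsed
        if ip in allowlist or ip in flagged:
            continue
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > window_seconds:
            window.popleft()      # slide the window forward
        if len(window) >= threshold:
            flagged[ip] = ts
    return flagged


def drop_rule(ip):
    """Host-level stand-in for sending a source to the black hole: an
    iptables rule that discards everything that address sends us."""
    return f"iptables -I INPUT -s {ip} -j DROP"


if __name__ == "__main__":
    for ip, when in blackhole_candidates(SAMPLE_LOG).items():
        print(f"{when:%H:%M:%S} {ip} crossed threshold -> {drop_rule(ip)}")
```

Run it once with the default arguments and both 198.51.100.7 and the NAT gateway 203.0.113.200 are flagged; run it again with the gateway on the allowlist and only the bot remains. That is the expert's point about the first hours of an attack: to a pure rate rule a busy corporate proxy and a zombie look the same, so real deployments combine rate with request-pattern and source-reputation data gathered over time, which is the "more data" that makes later rerouting more accurate. The per-host iptables rule stands in for what a carrier or colo does at scale, a BGP-signalled null route (remotely triggered black hole, RFC 5635); note that the plain destination-based form drops all traffic to the attacked address and so sacrifices it to protect the rest of the network, while filtering by source instead needs uRPF support from the provider.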

When “black holes” become part of the conversation, it opens other lines of thinking for RIAs.

“RIAs often market their open architecture and fiduciary services to clients but limit their partners to one custodian,” Stuart says. “Product, Price, and Service are often fiduciary requirements for acting in the best interest of the client but what about technology and security in the client’s best interest? Client data and digital security need to be as important to advisors as business development and marketing. Advisors need to extend their fiduciary promise beyond the profit centers of the business to include cost centers like business continuity and security as well. RIA technology and client protection are often trumped by popular trends like succession planning and acquisitions. One or two major security incidents and there may not be a business to acquire.”


Peter Giza said:

April 30, 2013 — 9:18 PM UTC

Brooke,

I think Walt’s use of the term “attack” was quite appropriate because that is exactly what it is. In this case, a DDOS (distributed denial of service) attack has been going on for some time and is an effective method to get some point across, be it political or otherwise.

The “black hole” in this case is a friendly term. It is a drain hole to redirect the DDOS traffic into. As I brought out at the FPA Business Tools meeting in Chicago this year, hacks and exploits are run by major crime organizations and political factions, not some 15-year-old kid down the block. These groups hire very talented engineers and spend millions of dollars on technology. Political groups use hordes of compromised “zombie” computers known as botnets (mentioned above) to do their dirty deeds.

With regard to this being “a fact of life,” there is no getting away from that. DDOS is nothing new and as long as the Internet is an open platform it will continue to be an issue. While DDOS attacks represent a serious inconvenience, they do not represent a security risk in and of themselves.

A greater risk to RIAs exists in their browsers, browsing habits and access to client data outside of the confines of their offices or trusted environs. We live in a highly connected world that enables exploitation from faraway places and by groups we may never have heard of or paid attention to. Education and keeping your head is the best protection.

Pete

PS. For more information on the FPA series I referenced please see: http://bit.ly/ZUwGLX and http://bit.ly/14QCHh2

Brooke Southall said:

April 30, 2013 — 9:30 PM UTC

Good perspective, as usual, Pete.

thank you,

Brooke
