Kiwibank won’t say whether or not a cyber attack is to blame for outages on Sunday.
Kiwibank customers reported being unable to access internet and mobile banking for much of Sunday as problems affecting New Zealand banks dragged on for a fifth day.
Spokesman Mike Jaspers declined to comment on whether the issues were related to a denial-of-service (DDoS) attack that was understood to be behind major outages at ANZ from Wednesday, and which are also believed to have previously impacted Kiwibank, NZ Post and others.
The bank warned in a tweet at 3.30pm that its internet banking service and mobile app might “continue to be intermittent today”.
It is relatively unusual for major organisations such as banks to fail to quickly get on top of DDoS attacks, which has sparked speculation that issues with the use of one or more vendor products may have contributed to the problems.
Jaspers declined to comment on whether that was the case.
* ANZ online banking services down for a third day
* NZ Post plans outage and ANZ faces ongoing disruption amid cyber attacks
* Government still gauging impact of Wednesday’s denial-of-service attacks
NZ Post took down its website for unspecified work on Thursday night.
On September 3, the country’s third-largest internet provider Vocus NZ experienced outages, which chief executive Mark Callander attributed to a DDoS attack on one of its customers and issues with its use of a product supplied by United States firm Arbor Networks, which is designed to defend attacks.
Kiwibank advised that it would update customers on social media.
The number of reports of customers having issues with Kiwibank made to outage-reporting site Down Detector peaked at 185 in a 15-minute spell around 10.30am, before dropping off sharply by 11am, only for complaints to pick up again from noon.
Down Detector also registered a large number of reports of ASB’s online banking and mobile app being offline early on Sunday morning, though complaints had dropped off by 9am.
But it is understood that was not related to a DDoS attack.
Complaints about ASB’ services peaked at about 140 in a 15-minute period around 8am.
What are DDoS attacks?
Often simply described as denial-of-service attacks, DDoS attacks are carried out by cyber-criminals who hire or hijack large numbers of malware-infected computers (the extra ‘D’ in the acronym stands for ‘distributed’).
They use these to bombard an organisation’s online services with huge amounts of traffic, such as requests to connect, overloading them so they can’t deal with genuine requests and they appear to be offline.
As victims are not hacked, there should be no danger of them losing personal information or, if banks are attacked, people losing money.
Large organisations generally defend against DDoS attacks by using technology tools to identify and shut off the sources of the spurious traffic bombarding their services, which can originate from networks of malware-infected computers that could be anywhere in the world.
Attackers often route their rogue traffic through poorly configured web servers owned by legitimate organisations, to disguise the true source of their attacks.
Sometimes attacks stop, only to be rerouted or restarted from a different source, which can make the task of shutting down denial-of-service attacks a game of ‘’cat and mouse’’.
Commonly, attackers demand ransoms to stop their attacks, though it is believed these are rarely paid.
Past DDoS attacks
DDoS attacks have been around for decades.
Both attackers and defenders have become better at their games.
But the growing availability of fibre-to-the-home means the compromised computers that are usually used to conduct attacks can pack more of a punch because they can send out more rogue traffic.
September 2021: A customer of New Zealand’s third largest internet provider, Vocus, experienced a denial-of-service attack. Vocus’ attempts to help it defend the attack went wrong, resulting in outages for its internet brands, Slingshot, Orcon and Stuff Fibre and wholesale customer Sky Broadband.
September 2020: The NZX experienced a series of large-scale DDoS attacks that took its website offline. Because the NZX’s website is used to distribute price-sensitive market announcements, the NZX took the decision to also suspend share trading during the initial attacks, before a policy change.
2012: Activists associated with hacking group Anonymous vented their outrage at Kim Dotcom’s arrest in New Zealand by temporarily blocking access to the websites of the United States FBI and Justice Department, and recording label Universal Music Group.
Many DDoS attacks in the past used to be associated with such civil disobedience, though now the motive is usually blackmail and profit.
2007: The entire country of Estonia was largely knocked offline during a period of high tension with neighbouring Russia.