One year ago, credit unions personally felt the sting of a well-coordinated DDoS attack as both the $4 billion Patelco Credit Union in Pleasanton, Calif., and the $1.6 billion University Federal Credit Union in Austin, Texas, were knocked offline for hours in January and again in February.

And then there was quiet. Reports of DDoS attacks against credit unions grew scarce.

Among credit union executives, there is a growing sense that credit unions won't be targeted even if DDoS returns as a prominent attack format, said many experts.

“I hope that people aren't letting down their guard. The enemy is complacency,” said Rich Bolstridge, a financial services sector expert with DDoS mitigation firm Akamai. “DDoS remains a devastating attack and it continues to morph, to try to stay ahead of the defenses that especially large companies are putting in place.”

In recent weeks, Bitcoin virtual currency exchanges have been slammed with multiple DDoS attacks. In late January, the European Cyber Army took credit for bringing down Bank of America and JPMorgan Chase in DDoS attacks.

Experts also said that, increasingly, DDoS appears to be linked with efforts to steal from financial institutions. In those instances, the DDoS appears to serve as a smokescreen to distract IT staff and enable bogus wire transfers to get processed.

Add it up and, insisted the experts, DDoS remains a potent threat. They also said – although they declined to name names – that in the past year there have been DDoS attacks, some of significant magnitude, against credit unions. However, the attacks were never publicly revealed.

How prepared are credit unions to fight off DDoS?

Kirk Drake, CEO of Ongoing Operations, a Hagerstown, Md., CUSO that sells DDoS mitigation to a number of credit unions, said that his best guess is that perhaps 5% to 10% of credit unions have adequate defenses in place were they subjected to a full-on DDoS attack.

The rest would simply go down if DDoS were aimed at them. And they would stay down until the attacker called a halt to the attack.

Even worse, said Drake, he is seeing attacks that persist for many days, sometimes weeks.

Akamai's Bolstridge agreed.

“We are continuing to see DDoS attacks against our financial services customers. DDoS attacks are not what they were a year ago – they now are more isolated – but they are still happening,” he said.

Bolstridge added that, in his view, DDoS attackers “are looking for softer targets. They know the big banks are well defended. Credit unions are largely undefended.”

As for why many credit unions are defenseless, experts said many believe they have safeguards, but often they are wrong. The credit unions believe they already are defended, between their firewalls and the defenses provided by their Internet Service Providers; but, said experts, those defenses are not adequate to ward off concerted, sophisticated attacks.

Back up a step: Exactly what is DDoS? It means Distributed Denial of Service and, in its early days, it involved flooding a website – say online banking – with vastly more traffic than the site could handle. Responses got sluggish, then they often stopped altogether.

In a next phase of DDoS, the attackers used an organization's own computers against itself, by flooding the site with low-bandwidth requests for high-bandwidth responses; say, requesting password resets for non-existent accounts, or perhaps requests for large PDF files. Either way, the servers exhausted themselves dealing with nonsense.

As for who the DDoS players are, experts said that generally they divide into three groups: hacktivists (people pursuing causes, usually political); disgruntled ex-employees and perhaps also some current employees; and unhappy members (perhaps turned down for a car loan, or hit with an NSF they dispute).

Credit unions, especially smaller ones, may also face special threats from criminals, said Oscar Wai, a senior product manager at networking and security company Barracuda Networks.

“Larger financial institutions may be targeted by hacktivists or global players, while smaller financial institutions and credit unions will be targeted more by criminal gangs, more often than not being victims of opportunity rather than specifically targeted. Criminals follow the money and focus on loosely defended targets, which make smaller financial institutions and credit unions likely targets for the foreseeable future,” Wai said.

Added Paul Scanlon, a DDoS expert at Juniper Networks, “With larger banks putting adequate DDoS protection measures in place, smaller financial institutions may be viewed as the low-hanging fruit by cyber criminals, putting them at greater risk of being attacked. Smaller (financial institutions) when attacked are also hit much harder due to the smaller staff on hand, and with little or no protection any defense at the time of the attack comes 'too little, too late.'”

The worse news: Increasingly, DDoS can be bought as a service, on a for-hire basis, with fees often as low as $50 per day. Because it is made available as a service, essentially no technical skills are required to deploy it. Pay in advance, point the DDoS attack at a chosen target, and the service does the rest.

That easy availability of DDoS is why many experts insist that credit unions need to find a way to have mitigation tools available.

At what cost? Drake said that through Ongoing Operations fees range from $500 per month to $4,000, depending upon the exact package selected by a credit union.

But credit unions are not necessarily signing up for protections.

Said Drake, “We saw a big rush (of new customers) last year, then it cooled off. A lot of credit unions are still researching solutions and don't really understand A) the problem, and B) solution options.”

Bolstridge sighed, “Yes, the attacks have subsided. But the risks are out there. We are constantly finding criminals probing websites for weaknesses. We are seeing searches that are massive in scope. This is not over. And the criminals know that.”


© 2024 ALM Global, LLC, All Rights Reserved.