'How are we meant to pay bills?': Kiwibank disruption continues

Tuesday, 14 September 2021

Kiwibank has faced problems with its internet banking services over several days following a DDoS attack.

MetService and Kiwibank were both battling more problems with their websites on Tuesday, as concern continues about cyberattacks.

The two organisations suffered problems last week when a distributed denial of service (DDoS) attack hit several New Zealand organisations.

Others affected included ANZ, New Zealand Post and the Ministry for Primary Industries.

Kiwibank has been dealing with “intermittent” issues with internet banking ever since.

* NZ Post plans outage and ANZ faces ongoing disruption amid cyber attacks

* Explainer: The DDoS cyber attack affecting your banking app is nothing serious, so far

MetService users have reported problems accessing the meteorological service’s website.

“We are experiencing intermittent issues with customer access to internet banking, our app, and phone banking, which we are working urgently to fix,” a Kiwibank spokeswoman said.

“There are no current issues with payments, ATMs or cards. We sincerely apologise for any inconvenience this is causing our customers and will continue to post updates via our social channels.”

MetService said the issue was first identified about 9.30am on Tuesday.

“All safety-critical information remains available on our backup website www2.metservice.com, which users are being directed to as needed until further notice. If it doesn’t redirect, users can access the site directly by typing ‘www2.metservice.com’ into the address bar of their browser.

“Our team is working to resolve this issue.”

Customers on Kiwibank’s social media channels expressed frustration at the problems. “Haven't been able to access my account for three days now,” one posted.

“And even before then [I] wouldn't be able to access straight away. It's pouring down where I live and my petrol light’s on and I can't get through to Kiwibank to transfer funds so I can pick my daughter up from school.”

Another posted: “We can't check our accounts, we can't do any payment, we can't do any transfer, so how exactly are we supposed to be patient without being able to access any bank account for one week?”

Others said they could not pay bills or pay their staff wages.

DDoS attacks involve cyber-criminals overloading and crashing an organisation’s online services by bombarding their internet-facing systems with vast amounts of traffic.

Because they do not involve hacking into an organisation’s computer systems, there is no risk of bank customers losing money or having information stolen through this sort of attack.

Technology commentator Paul Spain said these sorts of attacks were “a bit of an arms’ race”.

How quickly they could be brought under control would depend on how well companies were prepared, he said. Banks would spend hundreds of thousands of dollars a year on protection, he said.

“The attackers don’t have to follow any legal mechanisms; they have at their service usually many thousands of computers under their control that can be involved in an attack. There are different types of DDoS attack, and they can be quite difficult for the tools to differentiate between what’s legitimate and illegitimate to shut the illegitimate access down. It can look exactly the same.

“It can be a complicated one to address, and some of these criminals will keep at it to see whether they can get a payment out of an organisation.”

He said many organisations would look at how well they were protected. “There's always a level of risk from a cyber-security perspective, and organisations have to pick and choose to some degree in terms of how much they are going to invest in what particular areas.”

Spain said New Zealand organisations might see an improvement once they are able to host their services in New Zealand via big data centres locally.

“Microsoft is going to be the first cab off the rank. Realistically these things should be able to be handled just fine in most cases with the current providers and so on that are out there, but it will probably change the picture a little bit once those data centres are housed within New Zealand.”