Bank hacktavists are at it again, and this time Regions Financial (RF 2.02%) was the target. The large regional bank's website was down part of the day last Friday, and the bank confirmed that it had been the victim of a distributed denial of service (DDoS) attack. Online customers were unable to access their accounts, or if they could, found that their login information or debit card transactions were being denied.

Although Region's site seemed to be up and running by late Friday, these kinds of attacks are becoming the norm, and are striking regional banks more often. Are banks truly taking these attacks seriously, and what are they doing to protect themselves?

How dangerous?
Cyber attacks on websites, particularly the DDoS-type of disruption, first began in 2001. Back then, sites like eBay(EBAY -0.35%) and Yahoo! were targeted, possibly in an attempt to disrupt e-commerce. Since then, groups like Izz ad-Din-as-Qassam or groups tied to the Iranian government have staged assaults on the websites of big banks like Bank of America (BAC 0.14%), Wells Fargo (WFC -0.31%), and Citgroup (C -0.17%), as well as large regionals such as BB&T(TFC -0.06%) and PNC Financial.

While these service interruptions are considered inconvenient for customers and costly to banks, it is unclear just how important it is to banks to fight these onslaughts. When American Banker surveyed banks at the end of the first quarter, only slightly over 50% responded that such attacks were a critical threat to the financial system's security.

Recently, al-Qassam reemerged after a break, threatening more mayhem. American Banker quoted an analyst from Intuit(INTU 0.76%), a business and financial software provider, as noting that DDoS attacks "have less of an impact" on banks' business than those designed to hide more nefarious cyber activities. Another analyst from NSS Labs, an information and security research and advisory firm, stated that DDoS assaults in and of themselves don't really cost banks much, though they are inconvenient for customers.

Of course, banks can't know when an attack is merely disruptive, and when it may be covering for criminal activity. Security company Symantec (GEN 0.56%)has commented that these assaults have become a way for hackers to distract banks while funds are illegally withdrawn. Though most of the thefts have occurred in Europe, where attacks have progressed from website outages to actual bank heists, at least one U.S. bank, Citigroup, disclosed some losses due to cyber thievery earlier this year.

Banks, regulators at odds
But even DDoS website disruptions can frustrate customers, chipping away at the trust between banks and consumers -- which is the very intention of al-Qassam. 

Though banks have thrown millions of dollars at the problem, it continues unabated. Recently, federal regulators have been nudging banks to do a better job at preventing these assaults, causing bankers to bristle. After all, they say, when countries like Iran are behind these attacks, shouldn't the government pitch in to help?

The recent Quantum Dawn 2 test, administered by the Securities Industry and Financial Markets Association and involving 50 financial entities, attempted to test banks' responses to these assaults. Though it was declared a success, it tested only human reactions to a simulated threat, not the security of the financial system's cyber infrastructure.

Some of the larger banks are becoming more concerned about the dangers of cyber assaults, and Wells Fargo has acknowledged that DDoS attacks are likely a method for hackers to test banks' security before more sophisticated onslaughts take place. With that kind of threat looming, banks need to bump up staffing, as well as network security, according to regulators. JPMorgan Chase (JPM 0.35%), for instance, has over 600 workers that are trained specifically in security issues -- and plans to add more.

All of this costs money, but there seems to be no alternative, and time is of the essence: al-Qassam has vowed to launch a new offensive very soon. Banks need to take these DDoS incidents more seriously before these attacks evolve into outright robbery.