Goldman Sachs Group Inc. and Citigroup Inc. stepped up warnings to shareholders about cyber attacks as the U.S. prodded banks and government agencies to bolster their defenses.

Online and mobile banking give new points of entry that can be used to disrupt or penetrate operations, the two New York-based firms said last week in annual regulatory filings. The companies said they’re vulnerable to tactics that overload websites to shut off public access, such as assaults that disrupted the nation’s largest lenders late last year.

U.S. bank are speculating that foreign nations, organized crime or terrorists are behind efforts to cripple their websites and warning that costs to keep intruders at bay will rise.

President Barack Obama directed the government on Feb. 12 to develop voluntary security standards for companies running vital infrastructure and is pushing Congress to set formal rules.

“We are going to see more disclosures, and that’s a warning sign that things are really getting bad,” said Lawrence Ponemon, chairman of Ponemon Institute LLC, a Traverse City, Mich.-based security research firm, which predicts a 30 percent increase in expenses tied to cyber intrusions this year.

Attacks in December hit Bank of America Corp., JPMorgan Chase & Co., U.S. Bancorp, Wells Fargo & Co. and SunTrust Banks Inc., two executives at security companies said at the time. PNC Financial Services Group Inc., the second-biggest regional bank, said in its annual filing that cyber attacks may hurt customer confidence and increase costs at the Pittsburgh-based company.

Security Breaches

The intrusions aren’t limited to financial firms, with Microsoft Corp., the largest software maker, saying Feb. 22 a small number of its computers were infected by malicious software in a cyber attack similar to those experienced by Facebook Inc. and Apple Inc.

Cyber security gained renewed national attention in the past few years with revelations about a security breach of a U.S. Federal Reserve website, intrusions at the New York Times and other news organizations attributed to Chinese hackers, and a wave of so-called denial-of-service attacks that disrupted the websites of the biggest U.S. banks and payment networks.

The tactic can disable a website by flooding it with traffic. While that doesn’t give intruders access to cash or personal data, regulators warned banks in December the attacks might be used to distract staff while accounts are penetrated, or to block banks and customers from informing each other.

New Threat

“We know hackers steal people’s identities and infiltrate private e-mail; we know foreign countries and companies swipe our corporate secrets,” Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air- traffic-control systems.”

MasterCard Inc., the second-biggest U.S. payments processor, said in its Feb. 14 annual filing the firm routinely receives threats, “and our technologies, systems and networks have been subject to cyber attacks.” So far, the impact hasn’t been material, according to the Purchase, New York-based firm.

U.S. Bancorp, ranked fifth by deposits among commercial banks, told regulators Feb. 22 it had been targeted, and that it might not be able to stop all attackers “because the techniques used change frequently or are not recognized until launched, and because security attacks can originate from a wide variety of sources.” The Minneapolis-based lender cited organized crime, terrorists and hostile foreign governments, and said risks increase as it adds more Internet and mobile-banking options.

Testing Defenses