Warning that banks face serious threats from computer hackers and employee theft, regulators and anti-fraud experts are urging the industry to bolster its guard against criminals.
"No system is immune," said H.S. "Tuck" Ackerman, senior program administrator for examiner education at the Federal Financial Institutions Examination Council, which sponsored a risk-management conference here last week.
Herman W. Kelley, a Boston security consultant, said hackers are increasingly focusing on financial institutions' Web sites. He said that only government and military computers are more popular targets.
"It is a big threat," Mr. Kelley said.
Every bank Web site is vulnerable, he said. Flaws in Microsoft Corp.'s NT and Windows operating systems give hackers the ability to crash any site, but actually retrieving customer data is much tougher, he said. Programs designed to steal passwords, however, are readily available on hacker Web pages, according to Mr. Kelley. Also, a new e-mail-borne virus can give a hacker control of a personal computer, including access to its network, he said.
"There is nothing you can do about it but educate your people," Mr. Kelley told more than 300 bankers at the risk-management conference.
The danger from hackers has increased in the past two months, he said. One hacker group broke into The New York Times' Web page and poked fun at other hackers. The latter groups then retaliated by hacking into thousands of Web pages, setting off a spiral of retaliation, he said.
While computer hacking may cause headaches for bankers, employee theft is costing the industry billions of dollars, said Patrick M. Ardis, a partner at Wolff Ardis, a law firm in Memphis.
"Where is your real threat? I can promise you it is inside," said Mr. Ardis, who estimated that up to one-quarter of a bank's employees would steal if given the opportunity. "Anyone on the job for six months at the financial institution who cannot steal is an idiot," he said.
To deter fraud, Mr. Ardis said, banks must pursue it zealously. Punishment should not depend upon how much is stolen, and every instance must be prosecuted, he said.
Also, he said, bankers should stop being so "cheap" and pay for background checks of employees. "You will save yourself a lot of problems if you do a little screening up-front," he said.
Red flags should be raised if employees leave their sick beds to come in to work or run a loan portfolio for several years without any losses. "Perfection is a sign of fraud," he said.
Unfortunately, he said, few of these crimes are successfully prosecuted. He estimated that only one-one hundredth of 1% of all fraud is detected, reported, and prosecuted.
Mr. Ardis also criticized poor fraud-detection systems, saying that auditors and internal controls catch few crimes.
Rather, the vast majority of employee crimes are detected by accident, he said.
"The frauds are simple," he said. "They take advantage of a flaw in the system and keep shooting through it."
