Cyber-Threat: Real or Hype?

Joseph A. Cooper, the president of a computer security firm that tests its customers’ networks by trying to hack into them, said it is “very credible” that someone could someday break into a bank by computer and steal a large portion of customers’ funds.

“We have been able to bring up bank teller screens around the country from our office in San Antonio,” said Mr. Cooper, of Digital Defense Inc. “You don’t have to be that sophisticated to do it.”

With the number of hacking incidents against U.S. corporations doubling annually and technology-savvy companies such as Citigroup Inc. getting stung, security experts are stepping up their warnings that U.S. banks are ill-prepared to combat cyber-terrorism. How-to blueprints on hacking are being shared all over the Internet, they say, so the threat could come from a kid down the street or an organized gang in Russia.

“A 12-year-old could follow the instructions and break into a transactional home-banking system,” Mr. Cooper said.

Though bankers are fearful of those doomsday scenarios, some say that the warnings are overblown and that viruses — not hackers — are the biggest security threat. They say that because their industry has been so heavily regulated it has been ahead of the curve on security, and that banks were among the first to adopt security measures — some of which are now standard, and others still cutting-edge — such as one-time user passwords, encryption, biometrics, and digital certificates.

“We are very used to people trying to get money,” said Rhonda MacLean, the senior vice president and director of information protection at Bank of America Corp. “Banks are the early adopters of good security tools and practices because of the nature of our business — of selling trust. We’ve always been in the business of selling trust, even in the days of Jesse James.”

Ms. MacLean guides Bank of America’s network security strategy and chooses the technologies the bank uses to protect customer information. “You have to use judgment based on the value of what you are trying to protect,” she said.

In her view, computer viruses pose “one of the greatest risks, because they’re easily brought in.” Five hundred new viruses make their way into cyberspace each week, she said, and they are getting nastier and more destructive. Viruses can cause the bank to lose data and bring down services, she said.

“One of the challenges we have as banks providing services” is to educate customers that they have a shared responsibility to protect their transactions with the bank, Ms. MacLean said. Those using Internet banking need to use firewall protections and other security tools and to keep their anti-virus software current, she said.

“You have security for the same reason you have brakes on a car. You don’t have brakes so you can drive slow on a highway” but so that you can drive fast, she said.

Other security experts say that banks should never take a complacent view of their security systems, or they will get caught by surprise. Julie Fergerson, a co-founder of ClearCommerce Corp. in Austin, Texas, which sells Internet fraud protections and other products, said that in the past six months “the folks who are committing fraud are exploiting security holes” and that they have become “much more tech-savvy.”

Ms. Fergerson, who is also the vice president of emerging technologies at the firm, said that organized crime is becoming more aggressive in targeting e-commerce.

“Russia and Eastern Europe have a lot of very smart technology people, and it’s virtually impossible to enforce any type of law when fraud happens,” she said. “They have rooms full of users who are stealing credit card numbers and placing orders.”

The world’s first reported online robbery occurred in 1994, when Citibank admitted that a group of Russian hackers, led by a 24-year-old named Vladimir Levin and using a cheap computer in St. Petersburg, had broken into its network and transferred a total of $10 million to accounts around the world. (Citibank said that the amount was so high only because the bank had allowed some of the hacks to occur while cooperating with law enforcement authorities. In the end, the bank said, it lost $400,000.)

Banks generally try to avoid the spotlight when it comes to the threat from hackers, partly because that is itself a smart security measure — details could be useful to hackers. But reticence also makes it harder to gauge how often hacks occur and can lull banks into a false sense of security.

“A problem that we are seeing is that banks don’t want to talk about it,” said Mr. Cooper. “Getting real information about what is going on out there is difficult to come by.”

Even with incomplete data, some trends can be detected. The federally funded Computer Emergency Response Team at Carnegie Mellon University in Pittsburgh reported that there were more than twice as many computer break-in “incidents” at U.S. corporations (not just banks) in 2000 as in 1999, and that the number in 1999 was more than twice the number in 1998. An incident, CERT said, is a set of related activities, so a single incident can involve anything from a single hack to several of the same type of hacks.

“The threat to financial institutions comes from a variety of sources,” said Chris J. Alberts, a senior member of the technical staff at CERT. “Some people do it just to disrupt organizations, to embarrass … an organization. They are no more than vandals — like graffiti artists — just doing it for kicks.”

But Mr. Alberts said other hackers are intent on financial gain.

Banks should view security like other “risk management decisions,” he said. They should maintain a balanced approach, not focusing too much on one area and leaving another poorly defended. For example, he said, one organization he examined was so preoccupied with the threat of hackers that it had meager internal security and had left its physical infrastructure vulnerable to natural disasters.

“When you look across the spectrum, there are a lot of different people with a lot of different motivations, which is what makes it such a complex problem,” Mr. Alberts said.

“Banks have to look at the complete picture,” he said. They are at risk “from a number of threats” and should balance their resources to cover as many fronts as possible, he added.

According to a report issued in March by the National Infrastructure Protection Center, a government body created in 1998 to protect against threats to the nation’s critical infrastructures, organized hacker groups from Eastern Europe, specifically Russia and Ukraine, have already penetrated e-commerce and banking computer systems in the United States. The agency has been investigating organized hacker activities targeting U.S. e-commerce computer systems.

“More than 40 victims located in 20 states have been identified,” the report said, and “to date more than one million credit card numbers have been stolen.”

Mr. Cooper of Digital Defense said it has been in business since January 2000 and has worked with about 70 clients, some of them banks. The company is one of a growing cadre of “white hat” hacking firms, and he said that an astonishing 70% of the time it can transfer funds via the Internet out of a bank without access to inside information such as passwords. Mr. Cooper said that if his company had passwords it would be able to breach these security systems 100% of the time.

For instance, when Digital Defense was hired by a midsize bank in California in late July it found “that a hacker had already been in the system and put programs in [it] that allowed him to gather all the financial data on that network and download it to his site,” he said.

Debra Hynds, a partner with KPMG LLP’s information risk management practice in New York, said only when banks view security as part of their overall business strategy can they achieve it. “Security — when it’s a compliance mechanism — doesn’t become part of the core of the organization,” and it is then hard for banks to stay ahead of the curve on new technologies and procedures, she said.

“Where banks are taking a plug-the-hole approach to security, they are not looking at security as part of their business strategy,” Ms. Hynds said. “They are going to end up spending more dollars.”

In allocating those dollars, she said, banks should mirror their business. For instance, those focused on online lending should spend money there, and those investing heavily in credit cards should spend money securing that line of business.

The security firms also offered some ideas about how banks can beef up security.

Mr. Cooper said that when banks use technology outsourced from a vendor they often leave security issues in the vendor’s hands. That company, he said, is clearly responsible for the security of its own product but not for how it fits into the bank’s overall security system.

“Things are happening so fast on the technology side that banks are not thinking about the real risks,” he said. “They are creating huge holes in their networks, and most of the time people have no idea the system they just put up is vulnerable at all. Their vendor told them, ‘You’re in great shape.’ ”

Ms. Fergerson of ClearCommerce said that banks should make sure they update security patches for software where holes have been identified. Banks should also monitor data from their firewall to look for unusual traffic: “If you usually get 1,000 visitors in an hour, and then you get 5,000, that should send up a flag.”

She said banks are often “reactive” rather than “proactive” about security. “Banks have better security policies than anybody else does, but I would still call them lax when it comes to being proactive.”
