Banks lose $US23 million on average from cybercrime by Paresh Dave

01/09/2014 07:12

As the FBI and US Secret Service investigated the scope of recent cyber attacks on US financial institutions, America's largest banks said Thursday that they hadn't seen any unusual fraud activity from their customers' accounts.

Officials at JPMorgan Chase & Co, Bank of America. and Citibank said they didn't immediately see any customers being victimised.

"Companies of our size unfortunately experience cyber attacks nearly every day," JPMorgan spokeswoman Patricia Wexler said. "We have multiple layers of defence to counteract any threats and constantly monitor fraud levels."

Computer hackers constantly sniff around to find an opening into the networks of companies, and financial firms and their wealth of sensitive information have suffered the heaviest damage. Losses from cybercrime exceeded $US23 million ($24.6 million), on average, at US financial services companies in fiscal 2013 - the highest average for any sector, according to a Ponemon Institute survey.

The attacks on banks have come from many fronts, but who might be behind the latest wave and how they found security holes remained under investigation.

Tom Kellermann, chief cybersecurity officer at Trend Micro, was among those who believe the attacks were linked to sanctions the US levied on Russia over its actions in the Ukraine.

Trend Micro, which counts large financial institutions as clients, recently reported that banks have been enduring an upswing in attacks since those sanctions came down. The most significant was a breach of the European Central Bank's network in July.

"Geopolitics will serve as a harbinger of cyber attacks in today's age," Kellermann said. "For all of these people in Washington - the FBI and Secret Service - to work this hard together ahead of a long weekend suggests something unprecedented is awry."

Since 2012, hacking groups have repeatedly brought down the websites of major banks by spamming them with visitor traffic. The service disruptions prevent real customers from accessing the websites for brief periods, but lead to little financial damage. Other hackers have found weaknesses in payment applications used to wire money or have physically altered ATMs to illegally siphon funds.

But many recent significant attacks, including the data breach at Target that affected millions of Americans, have been the result of a company's vendor having its system compromised.

JPMorgan Chief Executive Jamie Dimon warned of that attack style in his annual letter to shareholders earlier this year.

"Cybersecurity attacks are becoming increasingly complex and more dangerous," Dimon said. "The threats are coming in not just from computer hackers trying to take over our systems and steal our data but also from highly coordinated external attacks both directly and via third-party systems (suppliers, vendors, partners, exchanges)."

Dimon also noted the bank's spending on cybersecurity would reach $US250 million this year, up from $US200 million two years ago.

But despite the rising spending on cybersecurity, companies continue to be victimised because of bureaucracy and a focus on preventing fraud rather than intrusions, said Avivah Litan, a Gartner Research analyst.

"Organisational issues - as opposed to the technology issues - are generally the main impediments to successful defence of the bank's assets," Litan said in a statement Thursday.

Many companies have adopted warning systems that can detect the early signs of a sophisticated attack, but the attacks can proceed unchecked if the information doesn't quickly surge to the right people.

"You can't prevent attacks, but if you're vigilant and smart you can stop them in real time," said Jim Noble, chief executive of the Advisory Council International and the former chief information officer for Merrill Lynch & Co.

When they can't be stopped, banks have "strong safeguards" to prevent money from being fraudulently used, Litan said.

"I see a lot more money spent on preventing the use of stolen data than I do on preventing the theft of the data itself - for simple economic reasons," she said. "The use of stolen data directly affects the company's bottom line. The theft of data generally doesn't have that impact unless it's disclosed to the public since the stolen data is generally used at another enterprise."

Still, cybersecurity experts are urging financial institutions to spend more on defense systems. Jonathan Klein, president of MicroStrategy., said its product to replace users names and passwords was being tested by least one large financial firm in New York.

Called Usher, the tool turns smartphones into a virtual key that can unlock applications. Klein said freshmen at Georgetown University would be using Usher this year to log on to computer networks and complete transactions at campus stores.

"At the end of the day, the way someone is going to root around a network is by exploiting the user name and password scheme that the institution has established," he said. "It's a central premise in any breach, so why not try to make it a hundred times more secure?"

Los Angeles Times