The number of organised hacking syndicates targeting financial institutions around the world is growing at a disturbingly fast rate. And so is the number of banks willing to pay these high-tech extortionists hush money to protect their reputations, according to a security expert at The World Bank.
Cases in which banks, brokerage firms and other financial institutions have quietly paid hacking syndicates extortion money are "extremely widespread," said Tom Kellermann, senior data risk management specialist at The World Bank in Washington. Kellermann, who co-authored a study on the electronic security risks facing the global financial community, presented the findings during an October 29 online seminar sponsored by Cable and Wireless Internet Services in Virginia.
The 127-page study details the growing security challenges facing the financial sector as a result of the industry's unprecedented dependence on the public telecommunications system, rapid adoption of wireless systems and outsourcing of operations to third parties.
And the growing dependency on Internet technologies that are linked to sensitive back-end systems, such as customer databases and real-time stock data, has made online extortion a major "safety and soundness issue" for the financial markets, Kellermann said.
80 Per Cent Go Unreported
Kellermann cited reports from IDC and Gartner in the US that indicate that roughly 80 per cent of cybercrime incidents in the financial sector go unreported to law enforcement agencies.
Moreover, he contends that IT employees keep many of these incidents from senior banking executives "due to the reality that they may be fired." Banks don't report these incidents mainly because they want to maintain customer and investor trust, according to Kellermann.
At the same time, massive underreporting has created a vicious catch-22 for an industry that continues to struggle with dwindling budgets. "It has a magnifying effect because there's no actuarial data to justify the extra expense on security," said Kellermann. "We are losing this war."
Budget issues have also led banks and other financial companies to outsource operations. But that can have disastrous consequences for hundreds of banks at once if the hosting company doesn't implement proper security protections, Kellermann said. He cited an incident last year in which hackers penetrated the systems run by S1 Corp., an Atlanta-based provider of electronic finance services to the financial industry. The incident led to the compromise of more than 300 banks, credit unions, insurance providers and investment firms simultaneously.
Coverups Not Common
Security experts and banking officials contacted for this story agreed that the vast majority of incidents go unreported. However, they said they aren't convinced that internal coverups by bank IT personnel are widespread.
"I don't think that security incident coverups are common," said Joe Busa, an IT manager at Citizens Bank NA in Providence, R.I. "It is very hard to cover a mistake completely from your peers."
According to Gartner analyst John Pescatore, all publicly traded companies are required by the U.S. Securities and Exchange Commission to report all events that could have a material effect on the business. However, "there have been very few computer security incidents serious enough to be classified as a material event," said Pescatore.
SIDEBAR: Lack of Incident Reporting Hinders FBI
Following last year's terrorist attacks, U.S. Federal Bureau of Investigation (FBI) Director Robert Mueller made the battle against cybercrime and cyberterrorism the bureau's No. 3 priority, behind counterterrorism and counterintelligence. But private-sector cooperation in that fight remains woefully inadequate, Mueller told a meeting of industry and government officials this week.
"We probably get one-third of the [cybercrime] reports that we would like to get," said Mueller, speaking at the invitation-only National Forum on Combating e-Crime and Cyberterrorism, sponsored by the Information Technology Association of America (ITAA) and Computer Sciences Corp.
"You're not enabling us to do the job," said Mueller, referring to the lack of incident reporting coming out of the private sector. Unless more companies step forward and cooperate with law enforcement on prosecuting cybercrimes, the FBI's analysis and prediction capability won't improve, nor will the overall state of security on the Internet, he said.
"We understand that there may be privacy [and public relations] concerns," said Mueller. "We, as an organisation, have learned that you don't want us [responding] in raid jackets; you want us there quietly."
ITAA President Harris Miller said it is "absolutely critical" that the private sector and the government work together, although he acknowledged that "the reality is that our interests are not always in alignment." However, the chances of battling e-crime and cyberterrorism without the government's help "are literally zero," he said.