Banks, law enforcement lack ammo to combat thieves' cyber attacks
The American Bankers Association plans to ask its members for the first time this year to estimate their losses from cyber attacks.
That's because the problem has become too big to ignore.
“It's easier than walking in with a gun,” Glenn Wilson, a vice chairman with the Pennsylvania Bankers Association, said of cyber thefts. “If you do this stuff, it's a different form of bank robbery. … My sense is that it goes on every day to some degree.”
The largest American banks lost an average of $23.6 million to cyber attacks last year, according to the Ponemon Institute, a private research group in Traverse City, Mich.
The problem seems to be growing, too, with losses up 40 percent from the institute's projections a year earlier. No one knows for certain because many thefts — accessing customer bank accounts, using stolen bank card information — go unreported.
It seems as if the criminals are winning the fight, experts told the Tribune-Review.
The FBI and other law enforcement agencies have a hard time tracking criminals online, where they can use masking technologies to hide their identity and location. If the thieves operate from another country — as many of them do — it can be nearly impossible to charge them, recover the money or bring them to the United States for trial.
“They have geography on their side, international borders on their side,” said Patrick Fallon Jr., the FBI's assistant special agent in charge of the Pittsburgh field office. “We don't have treaties with all countries, especially like the Eastern Bloc, so there it's very difficult to trace that back.”
When investigators make arrests in the United States, they tend to nab low-level guys: the people using stolen bank cards to take money out of ATMs or buy merchandise that can be sold for higher profit overseas. Law enforcers rarely get close to the upper-echelon criminal organizations that run the huge schemes, said Doug Johnson, vice president of risk management policy for the American Bankers Association.
“You can find ways as a criminal to insulate yourself from the actual crime,” he said. “It's just a continual arms race of trying to break down those deceptions and break down that anonymity. But it doesn't mean you don't try.”
Banks typically have written off the losses as a cost of doing business.
Since the Roman empire, banks have set aside reserves against theft, said David Thaw, a recently hired professor at the University of Pittsburgh law school. Now they can buy insurance against cyber losses.
“People are always going to try to steal things,” Thaw said. “What has changed is that this presents a new attack vector.”
As the criminal threat has increased, concerned federal regulators have demanded more accountability from banks, adding an information technology assessment to annual safety and soundness exams.
Banks, meanwhile, worry about losing credibility and upsetting their customers, said Wilson, president and CEO of AmeriServ Financial in Johnstown.
He became concerned about cyber threats when he heard bankers talking about losses, including one incident in which criminals wired more than $1 million from a Pennsylvania bank to Russia. He declined to identify the bank.
Even if a bank has great defenses, criminals can target customers to steal passwords and access financial accounts, he said. Oftentimes, the banks end up covering the losses, taking the money out of profits and charging customers higher fees.
“The bad actors are very nimble, sophisticated and very persistent,” said Vivian Maese, a cybersecurity and finance lawyer at Dechert LLP in New York. “They have the technological capability to leapfrog the bank's and our current individual approaches.”
In Pennsylvania, the first challenge has been getting banks to share information when there is a theft, said Benjamin Wallace, executive vice president of operations and technology at Orrstown Bank in Shippensburg. He is chairman of the Pennsylvania Bankers Association's new cyber fraud committee, which will allow members to alert one another about attacks and offer tips on protection.
Once criminals find a successful tactic, they use it to target multiple victims.
“(Banks) are realizing, ‘I can offer all of these services, but how do I protect myself?' ” Wallace said.
Banks are being more proactive about protecting themselves and educating their customers, said Albert Whale, president of IT Security, a Ross-based computer protection company. But criminals are becoming more sophisticated, too, working in large foreign syndicates and constantly looking for ways to maximize their take, the FBI warns.
In a recent twist, gangs have been using stolen money to buy high-end watches, phones, tablets and other merchandise that can be sold for more money on foreign black markets.
“They get the money from high-value people, it goes around the world seven times, and who knows where it stops?” Whale said. “I don't know if it's the perfect crime, but it certainly sounds like the Jesse James and Bonnie and Clyde of our times.”
Andrew Conte is a staff writer for Trib Total Media. He can be reached at email@example.com.
Add Andrew Conte to your Google+ circles.
Show commenting policy
TribLive commenting policy
You are solely responsible for your comments and by using TribLive.com you agree to our Terms of Service.
We moderate comments. Our goal is to provide substantive commentary for a general readership. By screening submissions, we provide a space where readers can share intelligent and informed commentary that enhances the quality of our news and information.
While most comments will be posted if they are on-topic and not abusive, moderating decisions are subjective. We will make them as carefully and consistently as we can. Because of the volume of reader comments, we cannot review individual moderation decisions with readers.
We value thoughtful comments representing a range of views that make their point quickly and politely. We make an effort to protect discussions from repeated comments either by the same reader or different readers.
We follow the same standards for taste as the daily newspaper. A few things we won't tolerate: personal attacks, obscenity, vulgarity, profanity (including expletives and letters followed by dashes), commercial promotion, impersonations, incoherence, proselytizing and SHOUTING. Don't include URLs to Web sites.
We do not edit comments. They are either approved or deleted. We reserve the right to edit a comment that is quoted or excerpted in an article. In this case, we may fix spelling and punctuation.
We welcome strong opinions and criticism of our work, but we don't want comments to become bogged down with discussions of our policies and we will moderate accordingly.
We appreciate it when readers and people quoted in articles or blog posts point out errors of fact or emphasis and will investigate all assertions. But these suggestions should be sent via e-mail. To avoid distracting other readers, we won't publish comments that suggest a correction. Instead, corrections will be made in a blog post or in an article.
- 1 killed, 4 hurt as police chase ends in Oakland crash
- Pittsburgh police solve fewer homicides
- Pittsburgh settles former police trainee’s disability discrimination lawsuit
- Plum officials reassess equipment policy after sexual assault case
- Allegheny County to increase restaurant penalties
- Plum teacher’s lawyer says latest allegations don’t measure up
- Duquesne man arrested again for Megan’s Law violations
- Detour signs highlight woes expected in Bigelow and Baum projects in Pittsburgh
- Security cameras, more police planned at Monroeville Mall
- Newsmaker: Sara Mantick
- Pittsburgh police find missing 75-year-old man