Banks, law enforcement lack ammo to combat thieves' cyber attacks
The American Bankers Association plans to ask its members for the first time this year to estimate their losses from cyber attacks.
That's because the problem has become too big to ignore.
“It's easier than walking in with a gun,” Glenn Wilson, a vice chairman with the Pennsylvania Bankers Association, said of cyber thefts. “If you do this stuff, it's a different form of bank robbery. … My sense is that it goes on every day to some degree.”
The largest American banks lost an average of $23.6 million to cyber attacks last year, according to the Ponemon Institute, a private research group in Traverse City, Mich.
The problem seems to be growing, too, with losses up 40 percent from the institute's projections a year earlier. No one knows for certain because many thefts — accessing customer bank accounts, using stolen bank card information — go unreported.
It seems as if the criminals are winning the fight, experts told the Tribune-Review.
The FBI and other law enforcement agencies have a hard time tracking criminals online, where they can use masking technologies to hide their identity and location. If the thieves operate from another country — as many of them do — it can be nearly impossible to charge them, recover the money or bring them to the United States for trial.
“They have geography on their side, international borders on their side,” said Patrick Fallon Jr., the FBI's assistant special agent in charge of the Pittsburgh field office. “We don't have treaties with all countries, especially like the Eastern Bloc, so there it's very difficult to trace that back.”
When investigators make arrests in the United States, they tend to nab low-level guys: the people using stolen bank cards to take money out of ATMs or buy merchandise that can be sold for higher profit overseas. Law enforcers rarely get close to the upper-echelon criminal organizations that run the huge schemes, said Doug Johnson, vice president of risk management policy for the American Bankers Association.
“You can find ways as a criminal to insulate yourself from the actual crime,” he said. “It's just a continual arms race of trying to break down those deceptions and break down that anonymity. But it doesn't mean you don't try.”
Banks typically have written off the losses as a cost of doing business.
Since the Roman empire, banks have set aside reserves against theft, said David Thaw, a recently hired professor at the University of Pittsburgh law school. Now they can buy insurance against cyber losses.
“People are always going to try to steal things,” Thaw said. “What has changed is that this presents a new attack vector.”
As the criminal threat has increased, concerned federal regulators have demanded more accountability from banks, adding an information technology assessment to annual safety and soundness exams.
Banks, meanwhile, worry about losing credibility and upsetting their customers, said Wilson, president and CEO of AmeriServ Financial in Johnstown.
He became concerned about cyber threats when he heard bankers talking about losses, including one incident in which criminals wired more than $1 million from a Pennsylvania bank to Russia. He declined to identify the bank.
Even if a bank has great defenses, criminals can target customers to steal passwords and access financial accounts, he said. Oftentimes, the banks end up covering the losses, taking the money out of profits and charging customers higher fees.
“The bad actors are very nimble, sophisticated and very persistent,” said Vivian Maese, a cybersecurity and finance lawyer at Dechert LLP in New York. “They have the technological capability to leapfrog the bank's and our current individual approaches.”
In Pennsylvania, the first challenge has been getting banks to share information when there is a theft, said Benjamin Wallace, executive vice president of operations and technology at Orrstown Bank in Shippensburg. He is chairman of the Pennsylvania Bankers Association's new cyber fraud committee, which will allow members to alert one another about attacks and offer tips on protection.
Once criminals find a successful tactic, they use it to target multiple victims.
“(Banks) are realizing, ‘I can offer all of these services, but how do I protect myself?’ ” Wallace said.
Banks are being more proactive about protecting themselves and educating their customers, said Albert Whale, president of IT Security, a Ross-based computer protection company. But criminals are becoming more sophisticated, too, working in large foreign syndicates and constantly looking for ways to maximize their take, the FBI warns.
In a recent twist, gangs have been using stolen money to buy high-end watches, phones, tablets and other merchandise that can be sold for more money on foreign black markets.
“They get the money from high-value people, it goes around the world seven times, and who knows where it stops?” Whale said. “I don't know if it's the perfect crime, but it certainly sounds like the Jesse James and Bonnie and Clyde of our times.”
Andrew Conte is a staff writer for Trib Total Media. He can be reached at firstname.lastname@example.org.