Banking on ‘ethical hackers’

Amid a wave of cyber attacks on Citi, the IMF and other financial institutions, banks are seeking an unusual method of building up defences.

By Ross Kerber and Maria Aspan

BOSTON/NEW YORK: Professional hacker Nicholas Percoco received an unusual request from a major financial institution this week: How can you help us avoid becoming the next Citigroup Inc?

Amid a wave of cyber attacks on Citi, the International Monetary Fund (IMF) and other institutions, Percoco and his team at security firm Trustwave Holdings Inc are fielding more and more calls from banks wanting to stress-test their online defences.

Trustwave is increasingly being hired for so-called ethical hacking of banking systems to hunt for weaknesses, he said. It is also selling more data loss prevention software, which can freeze a computer network before an intruder can extract sensitive information.

“It’s not a new technology, but in the wake of these data losses there’s more interest,” Percoco, senior vice-president at the Chicago-based firm, told Reuters. Trustwave has filed for an initial public offering of stock.

Some cyber experts fear many financial institutions have inadequate defences, due to distractions during the financial crisis and after that led them to ignore IT systems as they dealt with more pressing issues.

Percoco says his group almost always manages to penetrate bank firewalls or find other ways to cause mischief, from viewing confidential checking account images online to physically strolling into unsecured data centres.

“We’ll call the CIO (chief information officer) and tell them, ‘We’re standing in the middle of your data centre. Do you want to come get us?’” he said.

Arms race

Still, there are signs of progress. Financial institutions are now keeping a closer eye on their databases and making more use of one-time transaction passwords to customers’ mobile phones.

Bank of America Corp , for example, has a SafePass service started in 2008.

Two-thirds of US banks plan to raise spending on fraud-detection and authentication systems in 2011, including all 14 of those with more than US$75 billion in deposits, according to a Gartner Research poll of 76 banks.

“This is an arms race,” said Bill Conner, chief executive of Dallas-based security company Entrust, which sold US$35 million worth of security software to financial institutions last year, up 50% from 2009.

“The risks are out there, the regulators are breathing heavy on this. Now the financial institutions are going to have to spend,” Conner said.

The question is how quickly can this spending make a difference. Banks have always been targeted by cyber criminals but have so far avoided the worst breaches as hackers focused on softer targets, such as stealing credit and debit card data from retailers.

But banks got wake-up calls this month, when the attacks on the IMF and Citi, the third-largest U.S. bank, came to light.
Security specialists say Citi suffered the largest direct hit on a financial institution to date.

Mobile banking weaknesses

As stewards of the payment system, banks face an extra burden to keep the confidence of their customers.

Many financial institutions are starting to bulk up security around their treasury services divisions, which can process trillions of dollars daily for large corporate clients, according to the American Bankers Association.

But now a new push toward mobile payments by big banks, from BofA to Wells Fargo, has some cyber experts worried.

On average, only 8 US cents of every dollar that banks spend on IT infrastructure goes toward sustaining and securing that infrastructure, according to Tom Kellermann, chief technology officer at AirPatrol Corp in Maryland and a member of the Obama Administration’s Commission on Cyber Security.

Bank security chiefs “are always playing second fiddle to the folks that are saying, ‘Let’s create the wonderful wireless Web portals with access to financial services through our mobile phones,” he told Reuters Insider. “Most security wonks would say ‘That’s a really, really bad idea.’”

“I think there’s been an over-emphasis in security on perimeter defences, on the walls and moats of castles, and not enough attention is being paid on remote access and website security,” he added.

Clearinghouses vulnerable

The threats go beyond retail banking. Among the financial system’s most vulnerable points are the clearinghouses that act as central counterparties to all traders, security experts speaking at a Reuters-hosted cyberterrorism panel said last Thursday.

Mark Clancy, chief information security officer at the Depository Trust & Clearing Corporation, agreed last Friday that clearinghouses are especially attractive targets to hackers – not because their defences are weaker than other financial institutions but because they house so much concentrated data.

“If you wanted to destroy financial operations, those are the kinds of places you look because they are aggregation points… they’re just more interesting to that kind of bad guy,” he told Reuters.

He said the DTCC’s spending on cyber security has “really in the last 12 months ratcheted” up.

Market operators are also vulnerable. Hackers breached Nasdaq OMX Group’s systems this year, leaving “suspicious files” on the exchange’s servers and sparking an investigation involving the FBI.

None of the largest US banks would discuss the latest attacks or make security executives available for interviews.

JPMorgan Chase in the past had touted its use of security tokens, but a spokeswoman said it would not discuss the program currently “for security reasons”.

Some specialists question whether the banks themselves have done enough to fight hackers in the past. Woodbury Advisor payments consultant Steven Kietz, a former credit card executive for Citigroup and JPMorgan Chase, said he helped to implement federal guidelines for Internet security standards in 2006 while at Citigroup.

But he said those standards are now far out of date, and “five years later we’ve seen really no new efforts by any of the major banks to protect customers”.

- Reuters