Bank Robbing by Computer: Low Number of Attacks, High Potential for Losses

There were 62 data breaches involving financial institutions in 2009 — three of them occurring in the last month of the year. These breaches represent only a portion of the total of 498 incidents compiled in the 2009 Data Breach Report compiled by the Identity Theft Resource Center (ITRC), based in San Diego. But the largest of them, the Heartland Payment Systems breach, involved an estimated 130 million credit and debit card numbers taken, accounting for more than half of the 222 million records potentially taken in 2009. Insiders caused the largest number of data breaches within the financial services industry, says the executive director of the ITRC, and this threat will continue to be a problem for financial institutions in 2010, “The numbers come out almost every year, and they have said for the past eight or nine years that 70 percent of all hacking happens internal to the company,” the director said. May was the month with the most breaches (10), followed by August with nine and March with eight. June was the month with the fewest recorded breaches — just one.

Breaches hit both big and small banks. For example, hackers have stolen the login credentials for more than 8,300 customers of a small New York bank after breaching its security and accessing a server that hosted its online banking system. The intrusion at Suffolk County National Bank (SCNB) happened over a six-day period that started on November 18, according to a release issued January 11. It was discovered on December 24 during an internal security review. In all, credentials of 8,378 online accounts were pilfered, a number that represents less than 10 percent of SCNB’s total.

Fraud through illegal use of credit cards also continues as a security worry.

Card fraud costs the U.S. card payments industry an estimated $8.6 billion per year, according to a report released on January 13 by Aite Group. Though this sum is small compared with the $2.1 trillion in total yearly U.S. card volume, this area remains troubling for the industry. Fighting card fraud effectively involves triage and telepathy — picking appropriate battles to fight while anticipating fraudsters’ next steps based on the rapidly evolving technological landscape, Aite’s analysts say. Card technologies in the United States are unlikely to be universally upgraded anytime soon due to prohibitively high implementation costs and the loss of signature interchange. Given the relative speed and cost efficiency for deployment, the most practical method of mitigating card fraud currently would be based around end-to-end encryption, they say.

Information on ID management and bank security is on the Security Magazine Web site at www.securitymagazine.com – use the keyword search function.