U.S. banks lose billions in cyber attacks Friday, 27 April 2001 20:14 (ET)

U.S. banks lose billions in cyber attacks By RICHARD SALE, Terrorism Correspondent

NEW YORK, April 27 (UPI) -- U.S. banks, including some of the country's top banking corporations, have suffered billions of dollars worth of losses because of highly sophisticated attacks by domestic and overseas hackers, according to administration officials, sources at the U.S. Navy War College, and several information technology experts.

The targeted banks include two giant New York City-based institutions, and two major California-based banks. Major names in the insurance and financial services industry have also been hit, the sources, who requested anonymity, claimed. The names of the institutions were given to United Press International.

Labeled "a major problem" by the sources, the hacking incidents go unreported because "banking is based on customer confidence, and if you lose confidence, you lose customers," said James Adams, CEO of iDefense, a Virginia-based intelligence and information technology firm. A senior administration official agreed: "Banks are not publicizing these hits. But the banking infrastructure is enormously vulnerable. It's not a pretty picture."

The banks' secrecy extends to not even informing the Federal Bureau of Investigation of the hit, said sources.

"The problem with the FBI is that it acts like an law enforcement agency: it comes in and seizes computers, servers, work areas, records, CD-ROMs, interferes with business," said Brian Jenkins of the Rand Corp., a Santa Monica, California-based Air Force think-tank. "If you're the bank, you lose control of the situation."

"So banks lie to the FBI, and let their insurance cover the losses," said one expert IT source. Several IT experts who spoke on condition of anonymity belong to companies holding highly classified contracts with the U.S. government

Says James Adams: "In the Internet world where velocity is everything, you can't be slowed down by a two-year investigation of some kind. The investigation costs you far too much money. The hacker armed robbery is a small loss by comparison."

Part of the banking community's reluctance to talk is fear of damaging their image. "The bankers say to themselves, look at the losses I'm taking on bad checks, credit card fraud or embezzlement. What the hackers are talking doesn't begin to compare with those -- only millions as compared to billions," said a Naval War College source.

"For a bank the most important product it has to sell is trust," said John Byrne, senior counsel and compliance manager for the American Bankers Association. "Losses to hacking are just part of the cost of doing business. If you look, you'll find that banks lost annually more than $800 million in credit card fraud, more than $679 million to check fraud."

But he conceded: "There are losses taking place. It's a problem, a top concern."

Lawsuits by shareholders arising from hacking losses are also a major worry of the banks. "What will happen when the first major disappearance of some asset base vanishes and becomes public? It will dwarf all class-action suits to date," the senior administration official said.

He then named two top banks, one in New York and the other based in California, adding: "They've lost billions."

An information technology source whose company holds several top secret IT contracts with the Department of Defense, said: "What happens when several billion disappear? Well, people say it didn't disappear, that it's just been misplaced."

An expert source at the U.S. Naval War College in Rhode Island told UPI: "The banks are handling this in a miserly business fashion. They picture the hackers as a burglar going down a row of locked doors, looking for the one that's been left open. They put up enough protection to prod the hacker to move on to an easier victim and leave them alone."

Jenkins who had worked as a special advisor to the International Chamber of Commerce, said of bank hacks, "They're happening." He added that in many cases "the top management of the banks is not aware of what is going on."

Many of the hacking assaults come from Russian-based hackers with connections to organized crime, says Adams.

He spoke of the Moscow-based Moonmaze operation, "an op by Russian organized crime that attacked highly classified sites at the Pentagon's Defense Advanced Research Projects Agency (DARPA), NASA and other sites " with a high degree of success." Other losses could be due to viruses seeded by Russian operatives during the Cold War.

But when it comes to banking, "Customer accounts are the ones on the brink," said a former IT security chief for Citicorp.

The administration official said that hacker attacks can be swift, final, devastating: "Three key strokes and it's disappeared. The money will be broken down into hundreds of fractions and passed into small accounts that no one can dislodge."

He then named two extremely well-known U.S. banks, adding, "They've lost billions."

Officially, the banks denied any such cash hemorrhage exists. Bank of America spokesman Scott Scredon denied the reports of hacker attacks on BofA, saying, "We don't have any reports or knowledge of any problems with hackers," adding: "We think we would know if something like that were going on."

The Bank of America represents a big, juicy target for a cyber-armed robber. It has $680 billion in total assets, 150,000 associates in 38 countries around the world, and clients include McDonalds, MCI, Apple Computer, and Visa International, among others.

A Chase Manhattan Bank spokesman said, "We have no knowledge of any losses due to hacker attacks."

Bank of New York spokesman Frank Scarangello replied to a query about attacks on his bank in almost the same words: "I have no knowledge of any such attempts." UPI also received denials of any losses to hacking from spokesmen for Aetna, Well Fargo Bank, and Citicorp.

Yet Adams insisted he knew of one New York bank that was losing "$500 million a year" to hackers a few years ago, but declined to give the name. "Banks are likely to sue if named," he said.

Another expert IT government contractor said, "The losses are in the hundreds of millions, but it's a vague statistic because nobody wants to talk." Another expert agreed: "Who's going to admit it? Even the FBI isn't being told."

Part of the banking communities reluctance to talk is economic. "The bankers say to themselves, look at the losses I'm taking on bad checks, credit card fraud or embezzlement. What the hackers are talking doesn't begin to compare with those -- only millions as compared to billions," said a Naval War College source.

But Adams notes that U.S. banks "are not blasé. Most have become aware in recent times of the risks associated with interconnectivity."

Byrne said that although "Banks were slow" to put up new technology for protection, that today "they have the best technology available." Particularly with the Internet, Web-based systems "with appropriate firewalls" are in place, he said.

But in spite of the facts banks "are among the most protected enterprises in the country," they are still taking hits," Adams said. Only recently the FBI sent out an alert to bankers saying that "intercepts showed that criminals were boasting of a high success rate in hacking banks," said the former Citicorp security chief.

Another bank safety expert who has several high-level Web security contracts with U.S. government agencies said, "We know a lot of people that have taken the situation very seriously. They have been sharing threat information for quite some time." But in spite of that, "Protection against Internet hackers is only marginally successful here in the States," he said.

-- Copyright 2001 by United Press International. All rights reserved. --

-- Tom Flook (tflook@earthlink.net), April 28, 2001