Hackers Take $1 Billion a Year as Banks Blame Their Clients
Valiena Allison got a call from her bank on a busy morning two years ago about a wire transfer from her company’s account. She told the managers she hadn’t approved the transfer. The problem was, her computer had.
As Allison, chief executive officer of Sterling Heights, Michigan-based Experi-Metal Inc., was to learn, her company computer was approving other transfers as she spoke. During hours of frantic phone calls with her bank, Allison, 45, was unable to stop this cybercrime in progress as transfer followed transfer. By day’s end, $5.2 million was gone.
She turned to her bank, a branch of Comerica Inc., to help recover the money for her metal-products firm. It got all but $561,000 of the funds. Then came the surprise: the bank said the loss was Experi-Metal’s problem because it had allowed Allison’s computer to be infected by the hackers.
“At the end of the day, the fraud department at Comerica said: ‘What’s wrong with you? How could you let this happen?'” Allison said.
In increments of a few thousand dollars to a few million per theft, cybercrooks are stealing as much as $1 billion a year from small and mid-sized bank accounts in the U.S. and Europe like Experi-Metal, according to Don Jackson, a security expert at Dell SecureWorks. And account holders are the big losers.
‘Losing More Now’
“I think they’re losing more now than to the James Gang and Bonnie and Clyde and the rest of the famous gangs combined,” said U.S. Senator Sheldon Whitehouse, a Rhode Island Democrat who chaired a Select Committee on Intelligence task force on U.S. cybersecurity in 2010.
Organized criminal gangs, operating mostly out of Eastern Europe, target small companies, school districts and local governments that maintain fat commercial bank accounts protected by rudimentary security measures at community or regional banks. The accounts typically aren’t covered by insurance as individual accounts are.
“If everyone knew their money was at risk in small and medium-sized banks, they would move their accounts to JPMorgan Chase,” said James Woodhill, a venture capitalist who is leading an effort to get smaller banks to upgrade anti-fraud security for their online banking programs.
JPMorgan Chase & Co., the second-largest U.S. bank, is the only major U.S. bank that insures commercial deposits against the type of hacking that plagues smaller banks, Woodhill said.
“Chase has invested substantially in fraud prevention and detection capabilities for our clients,” Patrick Linehan, a JPMorgan spokesman, said in an e-mail. “If there is fraud on an account, we work with our clients on a case-by-case basis.”
Smaller banks as well as many of the victims tend not to make the thefts public, according to interviews with the customers and experts such as Woodhill. As the threat becomes better known, small-business customers and other target entities may shift their business to large, national banks, which can better absorb the losses to maintain customer relations and which have better security policies to protect clients from such crimes.
“It’s frightening for small businesses because they have no clue about this,” said Avivah Litan, an analyst at Stamford, Connecticut-based Gartner Inc., which does computer analysis. “They just don’t have any clue, and everyone expects their bank to protect them. Businesses are not equipped to deal with this problem, and banks are barely equipped.”
Customers used to being made whole when they are victims of credit-card fraud or ATM thefts have had to sue small and medium-size banks to recover losses after being blamed by their branches for permitting the crime, as Allison was.
The traditional help of law enforcement hasn’t been there either for such customers. In the heyday of bank robberies in the 1930s, the FBI became famous for Tommy-gun shootouts with the bad guys, who were put on the Most Wanted list. In most cases, the identities of the John Dillingers and Pretty Boy Floyds of the 21st Century aren’t known because of online anonymity, and the bureau doesn’t disclose statistics on how much these cybercrooks are stealing.
Victims in the last two years have ranged from Green Ford Sales, a car dealership in Abilene, Kansas, to Golden State Bridge Inc., a construction company in California wine country. No need to use a mask or gun. These criminals can steal millions from the comfort of their homes dressed in their pajamas.
The crime profits can be staggering and the risks minimal. Jackson, the security expert, said three sophisticated gangs each haul in at least $100 million a year. That dwarfs the $43 million taken in all conventional bank heists in the U.S. last year, from stick-ups to burglaries, according to the FBI.
A $100 Million Hit
“A $100 million hit on a bank or a series of banks,” Whitehouse said. “That’s a pretty big bank robbery. And it doesn’t even make the press. It just trickles through in FBI tip sheets.”
To law enforcement officials, cybercrime is a new priority. Both the Federal Bureau of Investigation and the U.S. Secret Service, which has jurisdiction over financial crimes, have boosted manpower to combat computer-enabled robberies and have formed partnerships with foreign law-enforcement agencies.
Those efforts have been swamped by the explosion in e-commerce, said Chris Swecker, a former FBI assistant director who advises companies on cybersecurity. As millions of customers have shifted online, criminals have followed, their hacking tools and nimble criminal organizations racing ahead of old-school law enforcement models.
“Through cybercrime, transnational criminal organizations pose a significant threat to financial and trust systems,” including banking, stock markets and credit-card services, according to a National Security Council report issued in July.
National Security Threat
Cybercrime has risen to the level of a national security threat, according to the report, citing a “critical shortage of investigators with the knowledge and expertise to analyze the ever increasing amounts of potential digital evidence.”
The banking industry’s reluctance to confront this problem head-on has allowed criminals to reinvest some of their booty to create better, more effective malicious software, known as malware, according to Woodhill.
Malware is what hurt Earl Goossen, business manager for Green Ford Sales, when he logged on to the company’s payroll account at First Bank Kansas at 7:45 a.m. central standard time on Nov. 3, 2010. Just two days earlier he’d used his computer to arrange for the bank to send out the $63,000 payroll to employee accounts. Everything went smoothly at first. Goossen responded to a follow-up e-mail request from First Bank Kansas to okay the payroll, just as he did on the 1st and 15th of every month.