How big of a problem is cybertheft from banks?

By Felix Salmon
December 23, 2009
front-page story yesterday was clear and unhedged:

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

" data-share-img="" data-share="twitter,facebook,linkedin,reddit,google" data-share-count="true">

The WSJ’s front-page story yesterday was clear and unhedged:

The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.

The fallout, however, is incredibly muddy and opaque. Citigroup is strenuously denying that there was any breach at all, let alone any losses; it also said in the original story that the WSJ’s smoking gun — the disappearance of $1 million from a Citibank bank account in Mt Vernon, NY — was “an isolated incident of fraud”.

PCWorld says that the story is wrong:

A source within federal law enforcement who declined to be identified said the Wall Street Journal story was inaccurate and appears to have confused a known 2007 hack of Citigroup-branded automated teller machines with a long-running criminal effort to hack online banking customers and move money out of their accounts.

“They’ve screwed up so many different things,” he said.

ABC has weighed in too, deciding that Citigroup and the WSJ are both wrong, and that “the truth here is somewhere in the middle”, whatever that’s supposed to mean.

Paul Murphy has an interesting theory:

Citigroup, like every major bank in the Western world, is covering up the fact that online fraud — both sophisticated and unsophisticated — is running at epidemic levels. But it can’t be seen to be singled out as an institution with weak controls, where the public at large might be fearful of depositing their money. So it goes on the denial warpath.

But hang on, you say! How about the Citi guy saying: “We had no breach of the system and there were no losses, no customer losses, no bank losses.”

Well, maybe the Russian crooks were siphoning cash out of a Citi customer’s account, using his or her computer. The customer would suffer no loss because the bank routinely makes good on the missing money; the bank, meanwhile, makes no loss because when it discovers a fraud such as this it simply contacts the correspondent bank in Latvian/China/Ukraine/Russian to which the money was transferred and demands it back.

Murphy is convinced that banks are losing billions of dollars to cyber thieves, just because they can’t afford the IT investments needed to stop such theft, and in any case have no assurance that such investment would actually be successful in preventing further theft. All they can do is quietly reimburse any customers who are hit, while keeping the scale of the problem as secret as possible.

It does seem to me that the biggest problem with the WSJ story is not its accuracy, but rather its scope. The paper here concentrates on a single alleged theft, the outcome of which is unclear, even to the reporters involved: one of them, Siobhan Gorman, told Ryan Chittum that she was “in the process of clarifying with sources” what exactly had happened.

But by concentrating on a single instance at a single bank, the WSJ and papers like it force banks into a defensive crouch where they deny that any theft has taken place at all. After all, if Citibank were to say that the story was true, that would make it seem that Citibank was less secure than its rivals. As the original story reported:

U.S. banks have generally been loath to disclose computer attacks for fear of scaring off customers. In part this is an outgrowth of an experience Citibank had in 1994, when it revealed that a Russian hacker had stolen more than $10 million from customer accounts. Competitors swooped in to try to steal the bank’s largest depositors.

I think then it’s important for stories like this to try to make clear whether they’re talking about individual thefts which could and should have been prevented, and which would not have happened at a safer bank, or whether on the other hand they’re talking about symptoms of a much broader system-wide problem. If banks always refund thefts and the thefts are rare and isolated, there isn’t a problem here on a systemic scale, and there isn’t a risk to depositors either. On the other hand, if Murphy is right and cybertheft is endemic, then that poses a systemic risk to the banking system which ought to be addressed in a high-profile manner, in conjunction with regulators who are charged with overseeing the safety of the system as a whole.


We welcome comments that advance the story through relevant opinion, anecdotes, links and data. If you see a comment that you believe is irrelevant or inappropriate, you can flag it to our editors by using the report abuse links. Views expressed in the comments do not represent those of Reuters. For more information on our comment policy, see

I had problems with cyber-theft at Bank of America, not once but twice. In each instance, their fraud division squatted on the problem for over 120 days before defending their inactivity with a token refund for recurrences of the original siphonage, but only within the 60 days preceding “resolution”. Half or more of what started out as my missing money was gone forever, and that as far as they were concerned was “just too bad”.

Even the bank’s own customers have a devil of a time getting a direct telephone number to BofA’s fraud division, and nobody I know with similar issues has managed ever to hold them completely accountable as advertised.

Thus, and from other pertinent observations, I must conclude as follows:

They pay PR agencies a fortune in fancy lip-service to giving a hoot about the “serious” problem of cyber-theft, or any other theft but, when push comes to shove, major U.S. banks are not their customers’ friends at all.

Posted by HBC | Report as abusive

If you follow the column “Security Fix” by Brian Krebs, you’ll see that bank hacking is clearly a big problem.

Given the high percentage of PCs already infected with some kind of adware/trojan, one can only assume that bank hacking trojans will improve both their capabilities and ability to remain undetected by commercial anti-virus packages.

There are two things that the banks need to do here:

- Do not display full bank account numbers (last 4 digits only) in online banking screens.

- Limit online bill-pay capabilities to only known and registered vendors. For all other vendors, the bank should mail a check.

Allowing unrestricted ACH transfers from personal bank accounts is like leaving your wallet in plain view on your dashboard with the doors unlocked. Sooner or later someone is going to wander by and steal it.

Posted by Anonymous | Report as abusive

The banks don’t really care about cybertheft, beyond the security measures already in practice.

Because as the old saying goes:

“One man’s cybertheft, becomes that same man’s tax deduction.”

Posted by Anon86 | Report as abusive