How big of a problem is cybertheft from banks?
The WSJ’s front-page story yesterday was clear and unhedged:
The Federal Bureau of Investigation is probing a computer-security breach targeting Citigroup Inc. that resulted in a theft of tens of millions of dollars by computer hackers who appear linked to a Russian cyber gang, according to government officials.
The fallout, however, is incredibly muddy and opaque. Citigroup is strenuously denying that there was any breach at all, let alone any losses; it also said in the original story that the WSJ’s smoking gun — the disappearance of $1 million from a Citibank bank account in Mt Vernon, NY — was “an isolated incident of fraud”.
PCWorld says that the story is wrong:
A source within federal law enforcement who declined to be identified said the Wall Street Journal story was inaccurate and appears to have confused a known 2007 hack of Citigroup-branded automated teller machines with a long-running criminal effort to hack online banking customers and move money out of their accounts.
“They’ve screwed up so many different things,” he said.
ABC has weighed in too, deciding that Citigroup and the WSJ are both wrong, and that “the truth here is somewhere in the middle”, whatever that’s supposed to mean.
Paul Murphy has an interesting theory:
Citigroup, like every major bank in the Western world, is covering up the fact that online fraud — both sophisticated and unsophisticated — is running at epidemic levels. But it can’t be seen to be singled out as an institution with weak controls, where the public at large might be fearful of depositing their money. So it goes on the denial warpath.
But hang on, you say! How about the Citi guy saying: “We had no breach of the system and there were no losses, no customer losses, no bank losses.”
Well, maybe the Russian crooks were siphoning cash out of a Citi customer’s account, using his or her computer. The customer would suffer no loss because the bank routinely makes good on the missing money; the bank, meanwhile, makes no loss because when it discovers a fraud such as this it simply contacts the correspondent bank in Latvian/China/Ukraine/Russian to which the money was transferred and demands it back.
Murphy is convinced that banks are losing billions of dollars to cyber thieves, just because they can’t afford the IT investments needed to stop such theft, and in any case have no assurance that such investment would actually be successful in preventing further theft. All they can do is quietly reimburse any customers who are hit, while keeping the scale of the problem as secret as possible.
It does seem to me that the biggest problem with the WSJ story is not its accuracy, but rather its scope. The paper here concentrates on a single alleged theft, the outcome of which is unclear, even to the reporters involved: one of them, Siobhan Gorman, told Ryan Chittum that she was “in the process of clarifying with sources” what exactly had happened.
But by concentrating on a single instance at a single bank, the WSJ and papers like it force banks into a defensive crouch where they deny that any theft has taken place at all. After all, if Citibank were to say that the story was true, that would make it seem that Citibank was less secure than its rivals. As the original story reported:
U.S. banks have generally been loath to disclose computer attacks for fear of scaring off customers. In part this is an outgrowth of an experience Citibank had in 1994, when it revealed that a Russian hacker had stolen more than $10 million from customer accounts. Competitors swooped in to try to steal the bank’s largest depositors.
I think then it’s important for stories like this to try to make clear whether they’re talking about individual thefts which could and should have been prevented, and which would not have happened at a safer bank, or whether on the other hand they’re talking about symptoms of a much broader system-wide problem. If banks always refund thefts and the thefts are rare and isolated, there isn’t a problem here on a systemic scale, and there isn’t a risk to depositors either. On the other hand, if Murphy is right and cybertheft is endemic, then that poses a systemic risk to the banking system which ought to be addressed in a high-profile manner, in conjunction with regulators who are charged with overseeing the safety of the system as a whole.