It is claimed that when famed bank robber Willie Sutton was asked why he robbed banks, he replied, “because that’s where the money is.” Although later in his life he denied saying it, that statement is the basis for “Sutton’s Law”. It makes sense, though, and it seems to apply to cyber attacks, at least to some extent.
According to the Wall Street Journal, the number of bank robberies is decreasing while cybercrime is increasing. The article discusses some of the reasons including the relative ease of catching bank robbers compared to that of catching cybercriminals. Since cybercriminals may be in jurisdictions outside those where the target can get extradition, the criminals may never be caught or prosecuted.
One other issue is that even for banks there are multiple possible vectors for attack. I’ve written before about ATM skimmers. Stolen ATM cards and guessed PINs have been a problem for years. Nick Berry of Data Genetics did a wonderful analysis of PINs. It turns out that the top 20 are used about 20% of the time. With those and a person’s birthday, address, etc. (from a purse or wallet), guessing a PIN might not be too hard.
It seems the newest trend is CATs, or Corporate Account Takeovers. The idea is that the thieves trickle money out of the accounts of businesses large and small. The thieves hope the amounts are so small that the companies don’t notice or don’t investigate, at least initially. Once they do, the money is long gone. Since business accounts are not insured, at least in the US, the money is indeed gone forever.
It is surely difficult to avoid banks altogether in the modern world. So, what can we do? For now, not a whole lot other than watching our statements diligently. That applies to both people and businesses. Don’t put off the reconciliation and look for unexpected transfers. If it is happening to you, it is likely happening to others at the same bank, so report suspicious activities promptly.
Banks work hard to deter, detect and prevent theft. But the software systems are so complex that this is difficult, and many banks employ security testers. I’m planning on interviewing one of those testers for an upcoming post.
We’d all love to believe that everything we do with our bank is safe. Clearly, it’s not always. It wasn’t 100 years ago and it’s not now. The issue now is scale, but at least it’s safer for the humans in the banks.