Online and mobile banking give new points of entry that can be used to disrupt or penetrate operations, the two New York- based firms said last week in annual regulatory filings. The companies said they’re vulnerable to tactics that overload websites to shut off public access, such as assaults that disrupted the nation’s largest lenders late last year.
U.S. banks are speculating that foreign nations, organized crime or terrorists are behind efforts to cripple their websites and warning that costs to keep intruders at bay will rise. President Barack Obama directed the government on Feb. 12 to develop voluntary security standards for companies running vital infrastructure and is pushing Congress to set formal rules.
“We are going to see more disclosures, and that’s a warning sign that things are really getting bad,” said Lawrence Ponemon, chairman of Ponemon Institute LLC, a Traverse City, Michigan-based security research firm, which predicts a 30 percent increase in expenses tied to cyber intrusions this year.
Attacks in December hit Bank of America Corp. (BAC), JPMorgan Chase & Co. (JPM), U.S. Bancorp, Wells Fargo & Co. (WFC) and SunTrust Banks Inc. (STI), two executives at security companies said at the time. PNC Financial Services Group Inc., the second-biggest regional bank, said in its annual filing that cyber attacks may hurt customer confidence and increase costs at the Pittsburgh-based company.
The intrusions aren’t limited to financial firms, with Microsoft Corp., the largest software maker, saying Feb. 22 a small number of its computers were infected by malicious software in a cyber attack similar to those experienced by Facebook Inc. and Apple Inc.
Cyber security gained renewed national attention in the past few years with revelations about a security breach of a U.S. Federal Reserve website, intrusions at the New York Times (NYT) and other news organizations attributed to Chinese hackers, and a wave of so-called denial-of-service attacks that disrupted the websites of the biggest U.S. banks and payment networks.
The tactic can disable a website by flooding it with traffic. While that doesn’t give intruders access to cash or personal data, regulators warned banks in December the attacks might be used to distract staff while accounts are penetrated, or to block banks and customers from informing each other.
“We know hackers steal people’s identities and infiltrate private e-mail; we know foreign countries and companies swipe our corporate secrets,” Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air- traffic-control systems.”
MasterCard Inc. (MA), the second-biggest U.S. payments processor, said in its Feb. 14 annual filing the firm routinely receives threats, “and our technologies, systems and networks have been subject to cyber attacks.” So far, the impact hasn’t been material, according to the Purchase, New York-based firm.
U.S. Bancorp, ranked fifth by deposits among commercial banks, told regulators Feb. 22 it had been targeted, and that it might not be able to stop all attackers “because the techniques used change frequently or are not recognized until launched, and because security attacks can originate from a wide variety of sources.” The Minneapolis-based lender cited organized crime, terrorists and hostile foreign governments, and said risks increase as it adds more Internet and mobile-banking options.
Wells Fargo, the biggest U.S. home lender, reiterated in its Feb. 27 filing that attacks against banks may be meant to “test their cyber security in advance of future and more advanced cyber attacks,” and said preventing or cleaning up after intrusions may get expensive for the San Francisco-based firm. It didn’t specify the cost.
Bank of America, whose customers complained that websites run by the Charlotte, North Carolina-based company were repeatedly slowed or knocked offline, previously acknowledged it had faced a series of denial-of-service attacks and may be required to spend significant amounts to address future attacks.
The bank, ranked second by assets, didn’t add any detail in its latest filing, and spokesmen for all the lenders declined to elaborate on their cyber-security measures.
Non-U.S. companies also felt the impact. HSBC Finance Corp., the Illinois-based unit of Europe’s largest bank by market value, HSBC Holdings Plc (HSBA), said in today’s regulatory filing it faced several denial-of-service attacks last year across Latin America, Asia and North America. Royal Bank of Canada (RY)’s CEO Gordon Nixon told shareholders last week the number of attacks faced daily by his Toronto-based company is “frightening.”
“The good news is they don’t get through the firewalls and our various protective measures have served us extremely well,” Nixon said at the bank’s Feb. 28 annual meeting.
With incidents becoming widespread, banks are putting aside rivalries and collaborating more closely on how to block intruders, said Ed Powers, a principal at Deloitte & Touche LLP in New York who specializes in information security and risk management.
“These attacks have started to go beyond nuisance,” Powers said in an interview. While none has resulted in a “catastrophe,” it’s reasonable to foresee something much more disruptive ahead, he said.
Mobile and online banking are adding vulnerability, as are customers and vendors who link directly to data systems, Fed Governor Sarah Bloom Raskin told bankers and regulators last week during an Atlanta speech. That has led to “concerted cooperative work between government and financial institutions,” and the Department of Homeland Security has provided firms with technical assistance, she said.
The biggest U.S. banks work closely with the Central Intelligence Agency, National Security Agency, Defense Department and governments around world to address “hundreds of thousands” of cyber attacks, according to Jamie Dimon, chief executive officer of New York-based JPMorgan.
“It’s a big deal; it’s going to get worse,” Dimon, 56, said during an Oct. 10 panel discussion at the Council on Foreign Relations. “Computers in 10 years are going to be a hundred thousand times faster. And so they’ll be able to do calculations quicker and get through quicker.”
Cyber threats could cost firms the opportunity to improve their systems and save money. Travelers Cos., which represents the insurance industry in the Dow Jones Industrial Average, said Feb. 19 it may forgo new and more efficient technologies if they further expose the New York-based company to attacks.
A group calling itself Izz ad-Din al-Qassam Cyber Fighters has claimed responsibility for the most recent intrusions on U.S. banks, saying they’re in response to a video uploaded to Google Inc.’s YouTube ridiculing the Prophet Muhammad and offending some Muslims. NBC News and former Senator Joseph Lieberman, a Connecticut independent, have said Iran may have been behind these attacks.
The group hit U.S. bank websites with a new round of denial-of-service attacks on Feb. 25, according to Rodney Joffe, senior vice president at Neustar Inc. of Sterling, Virginia, and Carl Herberger, a vice president of security solutions at Tel Aviv-based Radware Ltd., who both provide security to some of the targeted banks.
In a statement posted on the website pastebin.com on Feb. 26, the group said it targeted more than 11 banks for new assaults including Bank of America and PNC.
The U.S. Securities and Exchange Commission told companies in October 2011 they should disclose real or potential cyber attacks capable of disrupting business operations or financial stability and should address the threat if a network breach is “reasonably likely” to have a material effect.
Obama’s executive order includes parts of Senate legislation that failed to pass last year. Republicans and the U.S. Chamber of Commerce, the nation’s largest business lobby, said the bill’s standards would amount to burdensome regulation.
The Obama administration soon will submit priorities for cyber security legislation to Congress to build on his executive order, said Caitlin Hayden, a White House spokeswoman.
“Although this executive order will help raise the nation’s cyber defenses, it does not obviate the urgent need for legislation,” Hayden said last week via e-mail. She didn’t specify the priorities or the timeframe for sending them to Congress.
To contact the reporter on this story: Elizabeth Dexheimer in New York at email@example.com