3/18/2005

Airing your dirty laundry

Filed under: — Dan @ 9:06 am

The Japanese retail bank Sumitomo Mitsui has disclosed that it has successfully thwarted an attempt to steal US$424m through an unidentified “hacking” method that somehow involved the use of keystroke loggers on computers at its European sites. (No specific information has been disclosed due to the ongoing investigation.)

There are some fascinating implications to this news story. The concept of the “for profit” hacker (which has long been a reality, albeit much less glamorously than Hollywood and speculative fiction would have you believe) getting mainstream press is actually quite novel. If keystroke loggers were indeed used, then it’s somewhat inconceivable that they could have been of the software variety. This presents us with the upside-down reality that it was easier to install rogue hardware on the bank’s premises than to penetrate their network remotely. Even 5 years ago, to think that a bank’s physical security was a “softer” target than its information security would have been absurd - but in an age of contractors, outsourcing, and wide-reaching partnerships, faces come and go. In such an environment, it’s completely plausible that “social engineering” - the hacker’s euphemism for con-artistry augmented by technology - almost walked away with hundreds of millions of dollars.

What’s really interesting to me, though, is Sumitomo’s choice to disclose the attempted crime. Sure, there were no financial losses whatsoever - the attempted theft was a complete failure - but why talk about a vulnerability even if it wasn’t exploited?

Some “experts” have suggested that the bank’s choice to go public is an attempt to draw out other conspirators, but that seems nonsensical to me. I am not a criminal, but I do know something of investigative technique and I would think that every news channel in the free world broadcasting news of my partner-in-crime’s arrest (yet no details about me personally) would probably drive me further underground, not out into the light of day.

I would also disagree that the move is intended to intimidate the thieves at large from trying to collect their shares. Risk management in the financial sector - especially for retail banks, where individual consumers are likely to be more emotional than logical about the safety and privacy of their life savings - is generally not discussed in public, for fear of spooking the consumers. The dirty little secret here is that huge - staggeringly huge - sums of money are planned to be lost each year. From offering customers credit card fraud indemnity to the good old-fashioned knockoff of armored cars in eastern Europe by criminal organizations, money loss is an expectation, not a fear. Some money is protected (when the cost to secure that money compares favorably to the chance the money will be lost or when such protection is required to obtain reasonable insurance) and some is written off as a cost of doing business. That doesn’t mean anyone wants to lose money, of course - the more of the “planned loss” that’s safely in the coffers at the end of the fiscal period, the better the bottom line looks.

In other words, losing this kind of money for a bank of Sumitomo’s size would be vigorously pursued, but ultimately it’d be a matter of course - and who wants to have consumers associate their banking brand with “the guys who almost got hacked”? US$424m in extortion money seems like a small price to pay to avoid that stigma.

Sumitomo’s duty is to provide value to its stakeholders, so I also doubt their disclosure was out of some sense of social responsibility. In fact, better security/risk management can be a competitive advantage in the industry if you’re significantly better at keeping your money safe than your peers. Of course the security community is ecstatic that the disclosure was made, for reasons ranging from altruistic (i.e. people/institutions need to know that these kinds of threats exist and are almost omnipresent) to devious (i.e. childish glee from the paranoia and infamy). Either way, anyone peddling information security products or services stands to benefit.

So, after a great deal of pondering, I can’t figure out why this made it to the news… there must be more to the story than is being discussed publicly. An interesting item to watch, then…

3/4/2005

Snakes… why did it have to be snakes?

Filed under: — Dan @ 10:32 am

Come on, cryptoarchaeology is fun! The tomb of St. Paul has been unearthed (possibly), and it’s right where everyone thought it would be. Australian researchers, however, found a hidden tomb by accident, discovering the best 26th Dynasty find to date off of the main chamber of another well-known tomb that they were investigating. (Which reminds me of a slew of Starbucks jokes, like The Onion article “New Starbucks opens in restroom of existing Starbucks” and the bit in Shrek 2 where a mob flees from one coffee store to another coffee store of the same name across the street, but I digress…)

Not all secret tombs are found by accident, however, so it’s good to know that someone had the good sense to try to use inexplicable cosmic rays to find hidden Mayan burial chambers.

Friday grab-bag

Filed under: — Dan @ 7:57 am

Alright party people… here are some demos to check out this weekend:

The Empire Earth 2 single-player demo should be fun if you like RTS games - the original EE was a great game and the computer opponent difficulty went up to 11 (if you know what I mean).

Speaking of single-player demos, I’m not sure how I missed it - it’s almost 2 weeks old - but the SWAT 4 demo is up for grabs. If you like tactical FPS games (and you know you do), then go ahead and give it a look-see.

Finally, a story that got some press on both Blue’s News and Evil Avatar (both are daily reads for me and generally good sites if you stay away from the comments): The Great Scam. It’s an entertaining (if not always well-written) story about one person’s descent from MMORPG player to elaborate, con-artist level griefer. It’s one of those stories that may be partially or completely untrue, but it’s almost beside the point since it’s utterly believable. Not recommended for Desiree or anyone else who is likely to get highly upset at people completely screwing other people over.

That last story is one of what the Guardian’s game blog calls “10 unmissable examples of new games journalism”. They seem to define “new” games journalism as people writing more about their experience playing games and less about formulaic reviews (e.g. “ok, we covered gameplay, graphics, and sound, so now we have to comment on…”) and x/10 ratings. It’s a little more personal, but if you can sort through the author’s idiosyncrasies, then it can provide a lot more insight into whether or not you want to invest your time and money into a game, which is always a good thing.

Powered by WordPress :: All content copyright 2002-2005 extrasonic.com. All rights reserved.