Airing your dirty laundry
The Japanese retail bank Sumitomo Mitsui has disclosed that it has successfully thwarted an attempt to steal US$424m through an unidentified “hacking” method that somehow involved the use of keystroke loggers on computers at its European sites. (No specific information has been disclosed due to the ongoing investigation.)
There are some fascinating implications to this news story. The concept of the “for profit” hacker (which has long been a reality, albeit much less glamorously than Hollywood and speculative fiction would have you believe) getting mainstream press is actually quite novel. If keystroke loggers were indeed used, then it’s somewhat inconceivable that they could have been of the software variety. This presents us with the upside-down reality that it was easier to install rogue hardware on the bank’s premises than to penetrate their network remotely. Even 5 years ago, to think that a bank’s physical security was a “softer” target than its information security would have been absurd - but in an age of contractors, outsourcing, and wide-reaching partnerships, faces come and go. In such an environment, it’s completely plausible that “social engineering” - the hacker’s euphemism for con-artistry augmented by technology - almost walked away with hundreds of millions of dollars.
What’s really interesting to me, though, is Sumitomo’s choice to disclose the attempted crime. Sure, there were no financial losses whatsoever - the attempted theft was a complete failure - but why talk about a vulnerability even if it wasn’t exploited?
Some “experts” have suggested that the bank’s choice to go public is an attempt to draw out other conspirators, but that seems nonsensical to me. I am not a criminal, but I do know something of investigative technique and I would think that every news channel in the free world broadcasting news of my partner-in-crime’s arrest (yet no details about me personally) would probably drive me further underground, not out into the light of day.
I would also disagree that the move is intended to intimidate the thieves at large from trying to collect their shares. Risk management in the financial sector - especially for retail banks, where individual consumers are likely to be more emotional than logical about the safety and privacy of their life savings - is generally not discussed in public, for fear of spooking the consumers. The dirty little secret here is that huge - staggeringly huge - sums of money are planned to be lost each year. From offering customers credit card fraud indemnity to the good old-fashioned knockoff of armored cars in eastern Europe by criminal organizations, money loss is an expectation, not a fear. Some money is protected (when the cost to secure that money compares favorably to the chance the money will be lost or when such protection is required to obtain reasonable insurance) and some is written off as a cost of doing business. That doesn’t mean anyone wants to lose money, of course - the more of the “planned loss” that’s safely in the coffers at the end of the fiscal period, the better the bottom line looks.
In other words, losing this kind of money for a bank of Sumitomo’s size would be vigorously pursued, but ultimately it’d be a matter of course - and who wants to have consumers associate their banking brand with “the guys who almost got hacked”? US$424m in extortion money seems like a small price to pay to avoid that stigma.
Sumitomo’s duty is to provide value to its stakeholders, so I also doubt their disclosure was out of some sense of social responsibility. In fact, better security/risk management can be a competitive advantage in the industry if you’re significantly better at keeping your money safe than your peers. Of course the security community is ecstatic that the disclosure was made, for reasons ranging from altruistic (i.e. people/institutions need to know that these kinds of threats exist and are almost omnipresent) to devious (i.e. childish glee from the paranoia and infamy). Either way, anyone peddling information security products or services stands to benefit.
So, after a great deal of pondering, I can’t figure out why this made it to the news… there must be more to the story than is being discussed publicly. An interesting item to watch, then…
March 18th, 2005 at 9:30 am
I heard about the attempted heist a couple days ago on BBC World News. BBC News also questioned why the bank would want word to get out that they had a vulnerability and were almost hijacked. Most of the comments centered on how this kind of publicity could go either way since most banks who get exploited usually keep it very hush hush. The general consensus in this case was that the heist was prevented and therefore the bank could prove that they were better than the hackers and more able to handle future hacking attempts. Still, that kind of publicity is a gamble.
March 18th, 2005 at 9:37 am
A gamble, to say the least… you don’t publicize your wins or your losses in the security field. Making a big, public deal about a security success is the equivalent of a taunting “bring it!” to the unsavory elements of the community, and publicizing failures is tantamount to inviting pile-on. That’s why you don’t see job postings like “Sumitomo Mitsui is desperately seeking firewall experts!” Even hiring in the information security business is typically shrouded in obscurity lest some hint of your security skill weaknesses or even product preferences get out into the wild.
Curiouser and curiouser…