3/18/2005

Airing your dirty laundry

Filed under: — Dan @ 9:06 am

The Japanese retail bank Sumitomo Mitsui has disclosed that it has successfully thwarted an attempt to steal US$424m through an unidentified “hacking” method that somehow involved the use of keystroke loggers on computers at its European sites. (No specific information has been disclosed due to the ongoing investigation.)

There are some fascinating implications to this news story. The concept of the “for profit” hacker (which has long been a reality, albeit much less glamorously than Hollywood and speculative fiction would have you believe) getting mainstream press is actually quite novel. If keystroke loggers were indeed used, then it’s somewhat inconceivable that they could have been of the software variety. This presents us with the upside-down reality that it was easier to install rogue hardware on the bank’s premises than to penetrate their network remotely. Even 5 years ago, to think that a bank’s physical security was a “softer” target than its information security would have been absurd - but in an age of contractors, outsourcing, and wide-reaching partnerships, faces come and go. In such an environment, it’s completely plausible that “social engineering” - the hacker’s euphemism for con-artistry augmented by technology - almost walked away with hundreds of millions of dollars.

What’s really interesting to me, though, is Sumitomo’s choice to disclose the attempted crime. Sure, there were no financial losses whatsoever - the attempted theft was a complete failure - but why talk about a vulnerability even if it wasn’t exploited?

Some “experts” have suggested that the bank’s choice to go public is an attempt to draw out other conspirators, but that seems nonsensical to me. I am not a criminal, but I do know something of investigative technique and I would think that every news channel in the free world broadcasting news of my partner-in-crime’s arrest (yet no details about me personally) would probably drive me further underground, not out into the light of day.

I would also disagree that the move is intended to intimidate the thieves at large from trying to collect their shares. Risk management in the financial sector - especially for retail banks, where individual consumers are likely to be more emotional than logical about the safety and privacy of their life savings - is generally not discussed in public, for fear of spooking the consumers. The dirty little secret here is that huge - staggeringly huge - sums of money are planned to be lost each year. From offering customers credit card fraud indemnity to the good old-fashioned knockoff of armored cars in eastern Europe by criminal organizations, money loss is an expectation, not a fear. Some money is protected (when the cost to secure that money compares favorably to the chance the money will be lost or when such protection is required to obtain reasonable insurance) and some is written off as a cost of doing business. That doesn’t mean anyone wants to lose money, of course - the more of the “planned loss” that’s safely in the coffers at the end of the fiscal period, the better the bottom line looks.

In other words, losing this kind of money for a bank of Sumitomo’s size would be vigorously pursued, but ultimately it’d be a matter of course - and who wants to have consumers associate their banking brand with “the guys who almost got hacked”? US$424m in extortion money seems like a small price to pay to avoid that stigma.

Sumitomo’s duty is to provide value to its stakeholders, so I also doubt their disclosure was out of some sense of social responsibility. In fact, better security/risk management can be a competitive advantage in the industry if you’re significantly better at keeping your money safe than your peers. Of course the security community is ecstatic that the disclosure was made, for reasons ranging from altruistic (i.e. people/institutions need to know that these kinds of threats exist and are almost omnipresent) to devious (i.e. childish glee from the paranoia and infamy). Either way, anyone peddling information security products or services stands to benefit.

So, after a great deal of pondering, I can’t figure out why this made it to the news… there must be more to the story than is being discussed publicly. An interesting item to watch, then…

28 Responses to “Airing your dirty laundry”

  1. desiree Says:

    I heard about the attempted heist a couple days ago on BBC World News. BBC News also questioned why the bank would want word to get out that they had a vulnerability and were almost hijacked. Most of the comments centered on how this kind of publicity could go either way since most banks who get exploited usually keep it very hush hush. The general consensus in this case was that the heist was prevented and therefore the bank could prove that they were better than the hackers and more able to handle future hacking attempts. Still, that kind of publicity is a gamble.

  2. Dan Says:

    A gamble, to say the least… you don’t publicize your wins or your losses in the security field. Making a big, public deal about a security success is the equivalent of a taunting “bring it!” to the unsavory elements of the community, and publicizing failures is tantamount to inviting pile-on. That’s why you don’t see job postings like “Sumitomo Mitsui is desperately seeking firewall experts!” Even hiring in the information security business is typically shrouded in obscurity lest some hint of your security skill weaknesses or even product preferences get out into the wild.

    Curiouser and curiouser…


Powered by WordPress :: All content copyright 2002-2005 extrasonic.com. All rights reserved.