3/18/2005

Airing your dirty laundry

Filed under: — Dan @ 9:06 am

The Japanese retail bank Sumitomo Mitsui has disclosed that it has successfully thwarted an attempt to steal US$424m through an unidentified “hacking” method that somehow involved the use of keystroke loggers on computers at its European sites. (No specific information has been disclosed due to the ongoing investigation.)

There are some fascinating implications to this news story. The concept of the “for profit” hacker (which has long been a reality, albeit much less glamorously than Hollywood and speculative fiction would have you believe) getting mainstream press is actually quite novel. If keystroke loggers were indeed used, then it’s somewhat inconceivable that they could have been of the software variety. This presents us with the upside-down reality that it was easier to install rogue hardware on the bank’s premises than to penetrate its network remotely. Even 5 years ago, to think that a bank’s physical security was a “softer” target than its information security would have been absurd - but in an age of contractors, outsourcing, and wide-reaching partnerships, faces come and go. In such an environment, it’s completely plausible that “social engineering” - the hacker’s euphemism for con-artistry augmented by technology - almost walked away with hundreds of millions of dollars.

What’s really interesting to me, though, is Sumitomo’s choice to disclose the attempted crime. Sure, there were no financial losses whatsoever - the attempted theft was a complete failure - but why talk about a vulnerability even if it wasn’t exploited?

Some “experts” have suggested that the bank’s choice to go public is an attempt to draw out other conspirators, but that seems nonsensical to me. I am not a criminal, but I do know something of investigative technique, and I would think that every news channel in the free world broadcasting news of my partner-in-crime’s arrest (yet no details about me personally) would probably drive me further underground, not out into the light of day.

I would also disagree that the move is intended to intimidate the thieves at large from trying to collect their shares. Risk management in the financial sector - especially for retail banks, where individual consumers are likely to be more emotional than logical about the safety and privacy of their life savings - is generally not discussed in public, for fear of spooking the consumers. The dirty little secret here is that huge - staggeringly huge - sums of money are planned to be lost each year. From offering customers credit card fraud indemnity to the good old-fashioned knocking off of armored cars in eastern Europe by criminal organizations, money loss is an expectation, not a fear. Some money is protected (when the cost to secure that money compares favorably to the chance the money will be lost, or when such protection is required to obtain reasonable insurance) and some is written off as a cost of doing business. That doesn’t mean anyone wants to lose money, of course - the more of the “planned loss” that’s safely in the coffers at the end of the fiscal period, the better the bottom line looks.

In other words, losing this kind of money for a bank of Sumitomo’s size would be vigorously pursued, but ultimately it’d be a matter of course - and who wants to have consumers associate their banking brand with “the guys who almost got hacked”? US$424m in extortion money seems like a small price to pay to avoid that stigma.

Sumitomo’s duty is to provide value to its stakeholders, so I also doubt their disclosure was out of some sense of social responsibility. In fact, better security/risk management can be a competitive advantage in the industry if you’re significantly better at keeping your money safe than your peers. Of course the security community is ecstatic that the disclosure was made, for reasons ranging from altruistic (i.e. people/institutions need to know that these kinds of threats exist and are almost omnipresent) to devious (i.e. childish glee from the paranoia and infamy). Either way, anyone peddling information security products or services stands to benefit.

So, after a great deal of pondering, I can’t figure out why this made it to the news… there must be more to the story than is being discussed publicly. An interesting item to watch, then…

Powered by WordPress :: All content copyright 2002-2005 extrasonic.com. All rights reserved.