On the same day that news broke that 40 million customer account records were stolen from retail giant Target, the regulator of the nation’s largest financial institutions warned that customers’ financial information is increasingly under assault in their banks as well.
The Office of the Comptroller of the Currency on Thursday, in its Semiannual Risk Perspective, warned that “Cyber-threats continue to increase in sophistication and frequency.” The agency noted, “Known impacts include … identity theft, fraud, and theft of intellectual property.”
The report found that one new tactic employed by hackers is to target a bank’s home page with a so-called “denial of service” attack, in which thousands of hacked computers try to log on to the web site simultaneously, thereby disabling it for regular customers’ use. While security experts are distracted by the DOS attack, the report found, the hackers go after their real target by, for instance, draining customer accounts through fraudulent wire transfers.
“It’s an increasing problem,” agreed Richard F. Cross, a former vice president and director of bank security at Bank of New York, now a private consultant. “You have to assume that the crooks are always one step ahead of what the financial community is doing to protect itself.”
The OCC cautioned that small banks appear to be more frequent targets of hackers, because criminals perceive them as being less likely to have strong security measures in place.
Cross said that in his experience, that tends to be true. “The problem usually is with small community banks,” he said. “I hate to say it, but sometimes they don’t want to spend the money.”
Protection doesn’t come cheap, the OCC found. While the tools necessary to reduce the risk of a cyber attack are “readily available,” according to the report, “the costs and resources needed to manage the risks continue to increase.”
Banks that are at increased risk, the agency said, are early adopters of new technologies, and banks that hire third parties to provide certain information technology-related services, both of which create additional risks that are difficult to measure and to manage.
The good news for consumers is that they can do a lot to protect themselves. Most cases of identity theft and bank fraud begin with the customer making the mistake of providing personal information, willingly or unwillingly, to crooks – although they often won’t know it until later.
One of the most common methods is through “phishing” – a technique in which an official-looking email is sent to a bank customer either directly soliciting account information or carrying a hidden computer virus that will give hackers access to the customer’s computer.
Cross cautioned that consumers can’t rely solely on banks to protect them – and have to be aware of everything they do while online.
“If an email comes in and it looks even a wee bit suspicious, you have to ignore it,” he said. “But people are busy. They see an email and they click on it, then it’s too late.”Follow Rob Garver on Twitter @rrgarver
Top Reads from The Fiscal Times: