During Congressional testimony, Homeland Security, FBI and Secret Service officials warned of continued attacks and evolving cyber-threats against the financial sector.
Cyber-criminals continue to target United States businesses,
the country's financial institutions and government agencies in an ongoing
effort to steal both money and information. Still, despite the best efforts of
local, state and federal law enforcement, these cyber-criminals show no signs of slowing down, according to
new Congressional testimony by some of the country's leading cyber-security
Financial services is "where the money is" so
cyber-criminals increasingly target this sector, Greg Schaffer, acting deputy
undersecretary at the Department of Homeland Security, told the members of the
House of Representatives Financial Services Committee's Subcommittee on
Financial Institutions and Consumer Credit on Sept. 14. Officials from the
Secret Service and the Federal Bureau of Investigation joined Schaffer to
discuss trends in cyber-crime.
The FBI is currently investigating more than 400 cases of
fraudulent wire transfers from business bank accounts that total about $255 million in stolen funds, testified Gordon
Snow, the agency's assistant director. There are other types of attacks against
financial systems, such as payment processor breaches, stock trading fraud, ATM
skimming and mobile banking attacks.
Cyber-criminals' capabilities are at "an all-time
high," Snow said.
Noting the number of security breaches and security attacks
in this year alone, U.S. Rep. Shelley Moore Capito (R.-W.Va) said the threats
were "especially acute" in the financial services industry.
The annual cost of cyber-crime is about $388 billion,
including money and time lost, or about $100 billion more than the global black
market trade in heroin, cocaine and marijuana, said Brian Tillet, chief
security strategist at Symantec.
The good news is that financial institutions are doing
"Statistics indicate financial institutions are doing a
better job of stopping fraudulent transactions from being created and from funds
leaving the financial institution," said William Nelson, president of the
Financial Services Information Sharing and Analysis Center. According to a
recent FSISAC study, only 36 percent of reported commercial account takeovers
resulted in funds leaving the financial institution in 2010, compared to 63
percent in 2009.
The financial services industry has generally "been
ahead of the curve" when it comes to recognizing cyber-security attacks,
but they need to be able to respond to evolving threats, Tillet said.
Mobile banking and Twitter offer new opportunities for
cyber-crime, the FBI warned. Criminals are sending malicious text messages and
posting specially crafted links on Twitter to gain access to users' online
banking accounts. To counter this trend, financial institutions often send text
to users to verify that online transactions were actually initiated by
the authorized user. However, criminals have found a way around this practice
"Infected mobile phones
forward messages to the
criminal, thwarting the bank's two-factor authentication," said Gordon
Snow, assistant director of the FBI's cyber-division.
It was critical for financial institutions to share information
with other institutions, as well as federal law enforcement agencies, in order
to "effectively combat" cyber-criminals, Capito said.
"We are in a better place today, in terms of
information sharing, than we've been in the 15 to 17 years I've been in this
space," responded Greg Schaffer, acting deputy under secretary at the
Department of Homeland Security. However, companies are sometimes unwilling
because of concerns about privacy and liability
, Schaffer said.
"Some institutions have concerns about the privacy
implications of sharing information with the government or about brand damage
that may result from reporting an incident," Schaffer of DHS said.
Snow said he's met with his counterparts in DHS and Secret
Service more than 150 times, adding that "we have meetings even when we
don't want to have meetings." He said information sharing needed to be
faster and not wait for face-to-face meetings since threats are coming "in
"The bottom line is: No one entity has all the
information; it takes team work to bring all the pieces together to complete the
picture," said Greg Garcia of Bank of America. Actionable threat
information that is not shared is "useless information," he added.
Criminals are also better at information sharing than law
enforcement agencies, said A.T. Smith, assistant director of the Secret
Service. They harvest personal information belonging to the victims and
distribute it to other attackers and exchange attack tools and strategies
online, Smith added.
Cyber-threats are still not being taken seriously enough
across the industry, Snow said. Industry standards aren't very high and most
firms are sending out the "freshman team" to handle security, as
opposed to the more experienced and skilled staff, Snow said.
The hearing is one of the many being held in Congress as
lawmakers look over the White House's comprehensive cyber-security proposal
released in May. The Senate
has already held several cyber-security hearings
Both Democrats and Republicans have identified cyber-security as critical to
both national security and the economy, and it is likely that a package will
reach the floor for full debate in both the Senate and the House of
Representatives this fall.