Why don't banks get hacked?

Question

From reading a lot of info on this website I came to the conclusion that if someone with enough skill really badly wants to gain access somewhere, then there is absolutely nothing stopping them from doing so. Additionally I learned that getting access to a company computer is much easier than a singular computer at home.

However I am completely confused. What exactly prevents someone from for example, stalking one(or more) of the bank employees, getting information on them and then gaining access into their system? As far as I have seen financial fields have one of the most soul sucking programming tasks which usually end up in small amount of security holes. So what would prevent someone from waltzing into the bank's system, causing gigantic chaos (not for sake of stealing money, but for sake of screwing them up), and then walk out.

For example I know from internal sources that this has one of the worst security methods implemented. This makes me assume that this is not the first software that a bank would release that would allow data to be stolen and/or modified.

Does this actually happen but the banks do not care because they suffer very small damages? Or is a bank completely impossible to get into and destroy data?

Answer 1

I think it's fair to say that the idea that any large organisation is entirely impervious to attack has been proven false over the last five years or so. Everyone from nation states through large corporations, security consultancies and other security minded companies have had breaches.

One reason that a bank hasn't been thrown into "complete chaos" as you put it is likely down to a combination of the security measures they have in place to react to attacks, the size and complexity of their systems and the motivations of people who have the resources to effectively attack them.

If you think about people who are most motivated to attack banking systems, it's criminals who want to steal money from them. From their perspective there's no reason to cause chaos, they want to get in, steal things and get away without being noticed, if possible.

Answer 2

To turn a quick profit, It is easier to go after end users. This is why there are so many phishing attacks and password stealing Trojans.

Banks internet-facing operations tend to be well secured. The internal office environments less so, although they tend to have good AV. This stops casual metasploit users, although an advanced attacker with zero day exploits could readily compromise an internal workstation through the browser, and proceed to a major attack.

I expect at the moment both the NSA and Chinese have large scale hacks at many banks around the world. But they wouldn't be so crass as to just wipe the bank. It's far more valuable to quietly sit and harvest data. If they did decide to wipe the bank, there would be backups, but it would be incredibly hard to resume day-to-day operations - your looking at weeks even with crack teams of contractors on it. The bank would be commercially destroyed.

I read that during the 2nd gulf war the US could have done this to Iraqi banks, but they made a strategic decision not to.

It's a scary world out there :)

Answer 3

When one secure a box, he puts several defenses layer so, would some "hacker" defeat a protection, the immediate consequences will be limited, and by the time a defeats the next following protection layers his action will hopefully be detected and neutralized.

This is for a simple box. Now with a bank which is one of the largest international institution, main body of the financial system, you just multiply these layers at the whole company level, and restrict at the minimum the interaction within them, and for each interaction you define very strict procedures imposing that, the most potential impact has this interaction, the most people must be involved (in such domains the four-eyes principle is widely applied).

By distributing widely the responsibilities and the data, you distribute the power, so when a part of the bank gets hacked (or if an employee turns against the system) it provides very little power so the few backup restoration and access cancellation would most likely annihilate the damages.

However, no system can never be taken as 100% safe, and that's why what you describe just happens from time to time. For instance, here in France, just a few years ago a trader defeated these protections and caused a loss of 4.9 billions of dollars to his bank (see Jérôme Kerviel ; interesting to note that the most critical danger are not external hackers as one may think, but internal employees...), and yes, as you said, it was a "gigantic chaos".

So, to answer your question, banks actually get hacked, as any other information systems, but hopefully due to their size this does not happens very often.

Answer 4

Let's debunk a misconception: banks do get hacked, they are just (way) more controlled then the average company. From my experience as a penetration tester, it is not unusual for banks and financial firms to have vulnerable systems, but there are elements that make them harder to succesfully attack.

First of all, banks usually respect the minimum privilege principle, reducing the people allowed to do certain tasks (critical or not) to a limited group. This practice effectively reduces phishing capabilities and also provides a specific perimeter whenever a problem arises (e.g. attack, fraud).

Furthermore, specific country laws often require banks to thorougly monitor and log activities on their systems, making it harder to perform an attack without being detected in a short amount of time. Also consider that money trails can be followed and stopped (within certain limits) if considered fraudolent.

Finally, banks usually perform several security assessments of their critical applications, especially the ones exposed on the Internet and used by their clients. This effectively lowers the risk of getting hacked, but doesn't eliminate the risk entirely.

In the end, no system is completely secure and the human factor can indeed be the weak link. However, in a heavily controlled environment, such as the one found in banking companies, the efficacy of attacks (external and internal) is mitigated by the severe security implemented.

Answer 5

While it sounds odd to someone who is focused only on the technical aspects of hacking into a bank, one reason banks are more secure than many organizations is that they have a comprehensive set of information security policies. These policies guide the organization through many areas that help protect their customers.

A good example is a policy that defines exactly who should have access to what information. By ensuring that only the people in department X can edit the accounts, they limit the ability of an attacker who might be trying to social engineer his way into the accounts. Another policy might be that all passwords are 16+ characters long, and another might state that people with access to cash may not have access to systems, etc. They could have policies on firewalls, IDP devices, USB devices, smart phones, Wi-Fi authentication, etc. A bank might have dozens or even hundreds of these policies.

It's all part of an overall strategy called "defense in depth". Just as you wouldn't call a bank secure simply because their fence gate is locked, you don't rely only on firewalls to stop attackers.

Answer 6

The critical resource assuring the security of banks is, surprisingly, not technical at all. :)

Most importantly, banks maintain large internal security departments staffed with considerable number of security specialists. Banks are more or less the only organizations who are capable of footing the bill for this sort of operation.

The rest is rather simple: internal security guys are constantly performing audits and security stings. In fact, bank fraud instigated by employees is very common (dozens of cases per year per bank), but we seldom hear of these things, because normally fraud is rather quickly identified by the security guys, damage reverted and the offenders get kicked out (in a fairly hush hush manner, as to not spoil the bank reputation).

To summarize, the technology is not quite ready yet to solve social problems, thus big battalions and good shots are still necessary to maintain proper security.

Answer 7

It is pretty darn hard to rob a bank,while hacking a bank may just be relatively easier,as well as giving you the obvious advantage of getting away with how much ever you want to. Just to clarify,banks have security analysts and committees that decide the framework of the security of the servers or the website.As a result,unless you are Jonathan James or Mr McAfee himself,you will require a team or group of dedicated hackers,insider info,and a large chunk of incompetence on the bank's behalf to even think about hacking a bank. If you do ***get away with it,***you can safely retire and spend the rest of your life in a penthouse in Brazil or Isle of Man.

Bangladesh Bank Robbery

650 Million Pounds

13 Million Dollars

So in conlusion,banks are hackable with adequate resources,but extorting money from stupid users would be a easier method of earning money in the summers.

Answer 8

Banks usually buy huge systems to prevent these kinds of attacks and discover vulnerabilities with a click of a button (Qualys for example). Money isn't a problem when it comes to banks. Mostly they do not need high skilled personnel to defend their systems.