Information Security News mailing list archives

Cybercrime Follows Money Trail


From: InfoSec News <isn () c4i org>
Date: Thu, 6 Mar 2003 05:07:20 -0600 (CST)

http://www.wired.com/news/business/0,1367,57911,00.html

By Joanna Glasner 
Mar. 05, 2003 

When asked why he always went after banks, the famed Depression-era
robber Willie Sutton once explained that he picked them because
"that's where the money is."

Nowadays, with more banking transactions performed over electronic
networks than teller windows, a federal agency believes the same logic
might appeal to cyberterrorists.

In a report released this week on "Efforts of the Financial Services
Sector to Assess Cyber Threats," the U.S. General Accounting Office
concluded that entities handling monetary transactions face a
particularly high risk of attack by criminals or terrorist
organizations.

The GAO, the investigative arm of Congress, included financial
services in a list of industries that provide so-called "critical
infrastructure," such as telecommunications or electrical power.

In the case of financial services, the GAO found that "the potential
for monetary gains and economic disruptions may increase its
attractiveness as a target."

In the online context, however, Sutton's logic plays out on a bigger
scale. As of mid-2002, the report estimates, financial services
providers in the United States, including commercial banks, insurance
companies, mutual funds, pension funds and securities brokers, among
others, held more than $23.5 trillion in assets.

Increasingly, assets are changing hands over computer networks, for
purposes ranging from Internet banking to electronic stock trading to
the backend operations required for settling transactions. But the
growth of these services, the GAO found, "has also increased the
degree of access to the systems used to support these services." As
access grows, so does the risk of criminal intrusions.

The GAO's concerns dovetail with findings in a biannual report on Internet
security threats published by Symantec in February. The security firm
found that the overall volume of cyberattacks in the second half of
2002 declined by about 6 percent from the first half of the year.  
Symantec said it was the first time it had recorded such a decline.

But while overall cyberattacks were down, the financial services
industry was not spared. According to Symantec, the financial services
industry "experienced a sharp rise in attack volume and relative
attack severity."

Vincent Weafer, director of Symantec Security Response, said some of
the rise in reported attacks can be attributed to the usual suspects:  
cybercriminals on the prowl for credit card numbers and bank account
records. Weafer said that banks are better at detecting intrusion
attempts, so more attacks are being counted.

Like the GAO, however, Weafer sees online banking and other
applications in which customers access financial institutions from
their personal computers as particularly risky.

"Where we really need to focus attention is on the home users," he
said. "They're being used by criminals as launch pads to attack
critical infrastructure."

But while cyberattack risks remain high for financial services firms,
the GAO acknowledged that a number of industry groups and regulatory
agencies are actively working to boost security.

Private-sector efforts include a plan by the Securities Industry
Association for a virtual command center that will be activated when a
significant disaster occurs. Another group, the Financial Services
Technology Consortium, developed a database through which financial
institutions could find space to get their operations back up and
running in the event of a disaster.

Meanwhile, federal regulators, such as the Federal Reserve and the
Securities and Exchange Commission, are increasing scrutiny of
information security risks among the financial institutions they
oversee.



-
ISN is currently hosted by Attrition.org
