Electronic attacks on the nation's largest banks seem to be increasing lately. In the past few months, we've seen a rash of massive cyberattacks take down several megabank websites.
And late last month, a gang of criminals in California allegedly exploited a weakness in Citibank's electronic transaction security protocols to steal more than $1 million by withdrawing much more than the balance of 14 checking accounts set up for the purpose. The total time that elapsed between the beginning of the attack and the end? 60 seconds.
From the U.S. Attorney's Office:
According to court documents, the alleged scheme worked as follows: Defendant Ara Keshishyan recruited conspirators who were willing to open multiple Citibank checking accounts. He then supplied his co-defendants with "seed" money, which was deposited into the recently opened accounts. After the money was deposited into the checking accounts, Keshishyan and his conspirators would travel to nearly a dozen casinos … When inside the casino, the conspirators, including Keshishyan, used cash advance kiosks at casinos in California and Nevada to withdraw (all within 60 seconds) several times the amount of money deposited into the accounts, by exploiting the Citibank security gap they discovered.
The indictment alleges that, after the cash was collected from the casino "cages," Keshishyan would typically give conspirators their "cut" and keep the remainder of the stolen funds, which were often used to gamble. The casinos frequently "comped" the conspirators with free rooms due to their extensive gambling activity. As part of the alleged scheme, the defendants also were careful to keep both their deposits and withdrawals under $10,000 to avoid federal transaction reporting requirements and conceal their fraud.
Like the hacking attacks on the websites of big banks we've been seeing lately, this incident emphasizes one of the big disadvantages of being a megabank. They're a huge target for criminals around the world.
As a result, they have to spend millions of dollars hardening your networks against attacks mounted by some of the most talented and well-funded hackers in the world -- a threat their smaller competitors may not have to worry about quite as much.
If you're wondering what that has to do with you, Citigroup alone spent $5.133 billion on technology and communication expenses in 2011, according to financial statements, a good chunk of which I'd bet gets spent on information security. Those costs are then passed on, to the extent possible, to customers in the form of higher fees.
What do you think? Do big banks have a bigger target on their backs than their smaller counterparts?