by aidos 4140 days ago
It's just staggering.

I know it's silly to think that banks would be better than anyone else, but good lord, malware running on machines capable of transferring millions of dollars that's able to send out video feeds from the network without anyone noticing?! Your various IT/Security teams should be absolutely ashamed. And then the banks don't even have to stand up and admit their incompetence publicly; that's a total disgrace.

That's the state of corporate security I guess. I've dealt with corporate IT departments over the years where they put these "processes" in place to mitigate these security issues but it's all a load of rubbish. Filling in forms to tick boxes so that everyone can go home happy pretending there's security going on, when really their network is a leaky sieve.

At one point I saw a release by a 3rd party supplier to a large corporate system that included privilege escalation, blatantly, at the start of a T-SQL script. It was done because the IT department refused to carry out the action on request via the official channel but it was work that needed to be done to complete a project. The 3rd party knew the admins would just be running scripts as SA so they escalated their own account to do what they needed to do later.

I know it's silly to be so frustrated about it, but we've all dealt with crappy banking systems for years, with totally insane security measures; meanwhile hackers can just walk away with millions using a bit of malware.


A key differentiator for banks vs. many other service providers is that financial transfers can be reversed. Releases of information however cannot be.

So where a bank has a risk of an unauthorized financial transaction, there are multiple options to claw that back (or to shift the risk to other parties, notably merchants).

A disclosure, though, of account information is a different case, and here the results can be damaging to the banks and their customers. One instance I'm generally aware of is an increasing number of disclosures pertaining to offshore banking, many uncovered by the ICIJ (International Consortium of Investigative Journalists: http://www.icij.org/) and the Guardian. Again, the case involves banks, but it's rather more difficult to reverse transactions when it's your client list and balances, or communications, which have spilled.

Many revealed by insiders, as it turns out.

That's an interesting point, though it's a pretty thin silver lining on a very dark cloud. Being able to undo the operation doesn't really soften the blow of having hackers inside your bank sending outgoing video feeds of employees' screens.

Do you think they'll be getting back the money in this case? Presumably the people involved know enough about the operations to have moved the cash to somewhere out of reach before being exposed.

> financial transfers can be reversed.

Not this time: hackers withdrew some of the money from ATMs.

Fair point. As the responses note, the damage here is usually limited -- ATMs carry only so much cash each, and (usually) only dispense up to a few hundred dollars (or equivalents) at a time. There've been some exceptions where an exploit is found and utilized in mass effect at many locations in a short period. That takes a high level of organization though.

The total amount of cash and the per-withdrawal limits in an ATM limit the loss there. You can't steal millions of dollars from an ATM.

On Feb. 19, cashing crews were in place at A.T.M.'s across Manhattan and in two dozen other countries ... Starting at 3 p.m., the crews made 36,000 transactions and withdrew about $40 million from machines in the various countries in about 10 hours

I stand corrected. That's quite impressive and amazing that they had that many people involved and nobody tipped it off.

So are you saying that bank IT is no better than corporate IT? They don't have any special software or policies? (like the star network thing I mentioned)

I would honestly expect it to be a bit better than average. I suppose there are many different types of banks and they all vary. Let's just consider your chain banks like Wells Fargo or BoA, since I'm sure somebody around here has worked at one of those places.

I used to work in financial IT.

Across the industry it's generally better than corporate IT. A lot better. However, it varies widely by sector.

Companies with trading floors or that interact regularly with traders have the best IT practices in the industry. Banking conglomerates are kind of messy - they combine IT operations for each business and never change anything and the systems don't cooperate.

I remember one such company's backup procedures. At that point they were made up of 13 separate large (regional/national) banks. They were trying to standardize the backup procedures between all the banks and run them from a centralized system. At the time that I got there, the nightly backup process failed every single day for over a year and a half. I didn't even get a computer or working logins to be able to do any work for nearly a month. Anyway, getting it to work involved getting the people responsible for the backups at each individual bank's IT group to get their system to cooperate. All of them knew that this would be putting them out of a job at the completion of the project, so there was tons of resistance and it usually took a week of calling people's bosses to get the work done. This was also in the middle of forced relocations for most of them. Most of the folks responsible for the work quit. It was really ugly.

To be honest, I have no experience, so I can't say. If the description in the article is at all accurate though, they're in a pretty bad way:

"The cybercriminals sent their victims infected emails — a news clip or message that appeared to come from a colleague — as bait. When the bank employees clicked on the email, they inadvertently downloaded malicious code. That allowed the hackers to crawl across a bank’s network"

There must be plenty of people on HN with experience in this field, so it'll be interesting to hear their take on it.

My (very ranting/rambling) point was that I've seen other large organisations pretending to do security (and probably believing it themselves), where it's really just security theatre.

> Filling in forms to tick boxes so that everyone can go home happy pretending there's security going on, when really their network is a leaky sieve.

I saw a DefCon video where the guys were talking about something similar. Lots of small banks in the US use 3rd party services for their banking software. One of them had horrendous security and so some hackers made off with several million dollars before anyone found out.