As the FBI and U.S. Secret Service investigated the scope of recent cyberattacks on U.S. financial institutions, the nation’s largest banks said Thursday that they hadn’t seen any unusual fraud activity from their customers’ accounts.
Officials at JPMorgan Chase & Co., Bank of America Corp. and Citibank said they didn’t immediately see any customers being victimized.
“Companies of our size unfortunately experience cyberattacks nearly every day,” JPMorgan spokeswoman Patricia Wexler said. “We have multiple layers of defense to counteract any threats and constantly monitor fraud levels.”
Computer hackers constantly sniff around to find an opening into the networks of companies, and financial firms and their wealth of sensitive information have suffered the heaviest damage. Losses from cybercrime exceeded $23 million, on average, at U.S. financial services companies in fiscal 2013 — the highest average for any sector, according to a Ponemon Institute survey.
The attacks on banks have come from many fronts, but who might be behind the latest wave and how they found security holes remained under investigation.
Tom Kellermann, chief cybersecurity officer at Trend Micro Inc., was among those who believe the attacks are linked to sanctions the U.S. levied on Russia over its actions in the Ukraine.
Trend Micro, which counts large financial institutions as clients, recently reported that banks have been enduring an upswing in attacks since those sanctions came down. The most significant was a breach of the European Central Bank’s network in July.
“Geopolitics will serve as a harbinger of cyberattacks in today’s age,” Kellermann said. “For all of these people in Washington — the FBI and Secret Service — to work this hard together ahead of a long weekend suggests something unprecedented is awry.”
Since 2012, hacking groups have repeatedly brought down the websites of major banks by spamming them with visitor traffic. The service disruptions prevent real customers from accessing the websites for brief periods, but lead to little financial damage. Other hackers have found weaknesses in payment applications used to wire money or have physically altered ATMs to illegally siphon funds.
But many recent significant attacks, including the data breach at Target Corp. that affected millions of Americans, have been the result of a company’s vendor having its system compromised.
JPMorgan Chief Executive Jamie Dimon warned of that attack style in his annual letter to shareholders earlier this year.
“Cybersecurity attacks are becoming increasingly complex and more dangerous,” Dimon said. “The threats are coming in not just from computer hackers trying to take over our systems and steal our data but also from highly coordinated external attacks both directly and via third-party systems (suppliers, vendors, partners, exchanges).”
Dimon also noted the bank’s spending on cybersecurity would reach $250 million this year, up from $200 million two years ago.
But despite the rising spending on cybersecurity, companies continue to be victimized because of bureaucracy and a focus on preventing fraud rather than intrusions, said Avivah Litan, a Gartner Research analyst.
“Organizational issues — as opposed to the technology issues — are generally the main impediments to successful defense of the bank’s assets,” Litan said in a statement Thursday.
Many companies have adopted warning systems that can detect the early signs of a sophisticated attack, but the attacks can proceed unchecked if the information doesn’t quickly surge to the right people.
“You can’t prevent attacks, but if you’re vigilant and smart you can stop them in real time,” said Jim Noble, chief executive of the Advisory Council International and the former chief information officer for Merrill Lynch & Co.
When they can’t be stopped, banks have “strong safeguards” to prevent money from being fraudulently used, Litan said.
“I see a lot more money spent on preventing the use of stolen data than I do on preventing the theft of the data itself — for simple economic reasons,” she said. “The use of stolen data directly affects the company’s bottom line. The theft of data generally doesn’t have that impact unless it’s disclosed to the public since the stolen data is generally used at another enterprise.”
Still, cybersecurity experts are urging financial institutions to spend more on defense systems. Jonathan Klein, president of MicroStrategy Inc., said its product to replace users names and passwords was being tested by least one large financial firm in New York.
Called Usher, the tool turns smartphones into a virtual key that can unlock applications. Klein said freshmen at Georgetown University would be using Usher this year to log on to computer networks and complete transactions at campus stores.
“At the end of the day, the way someone is going to root around a network is by exploiting the user name and password scheme that the institution has established,” he said. “It’s a central premise in any breach, so why not try to make it a hundred times more secure?”