
Hacking and Systemic Financial Armageddon

posted by Adam Levitin

The revelation that 76 million JPMorgan Chase consumer accounts were compromised by hacking should be scaring the heck out of us. The Chase hacking is a red flag that hacking poses a real systemic risk to our banking system, and a national security risk as well. Frankly, I find this stuff a lot scarier than either ISIS or our still largely unregulated shadow banking space.  

Consider this nightmare scenario:  what if the hackers had just zeroed out all of those 76 million Chase accounts and wiped out months of transaction history, making it impossible to determine exactly how much money was in the accounts at the time they were zeroed out? The money wouldn't even have to be stolen.  Just the account records changed.  What would happen then?

 "Not to worry," you say, "Chase's equity will make things good.  Jamie's got a fortress balance sheet."  Perhaps.  But 76 million accounts could be an awful lot of money, rendering Chase undercapitalized.  And what if Chase's equity isn't enough?

"Relax," you say, "the accounts are FDIC insured." But the FDIC can only pay insurance on account balances it can verify. If the FDIC can't determine account balances it's going to be hard to pay consumers without serious disruption.

"No problem," you say, "I've got my bank records to prove the balance." But do you? Where are they?

"On line," you say.  But that's just the bank's records, which were zeroed out.  

"Yeah, but the bank's got backup copies," you say. Well sure, I assume that account data is backed up a ridiculous number of times and that copies of the data are delinked from the Internet and stored in high-security kevlar-encrusted Führer bunkers located under a mountain top next to NORAD. But what if the backup data has been corrupted too?  All the data protection in the world isn't going to do a lot if the data that's being protected is already corrupted.

"Chill out," you say, "I've got my paper statements."  But those are a month old.  How probative are they of current balances?  How quickly could this get sorted out? What would happen in the interim? 

"Oh," you say.  And now consider the consequences of millions of accounts getting zeroed out.

First, those poor consumers whose accounts were affected would be in a terrible situation--they would not be able to transact or pay their bills, and a whole series of bad consequences would cascade as payroll, rent, utility, and tuition checks bounced, debit cards were denied at gas stations and restaurants, etc. Not only would this create even more trouble for the consumers, but it would also create real trouble for businesses. 

Second, there would be a run on the afflicted bank and likely on other banks because if one bank's security is suspect, all banks' security becomes suspect to consumers who cannot differentiate between bank security systems.  And no amount of federal bailout money would easily convince depositors to put their money back in the bank.  The damage to the US economy would be enormous. This is a systemic Armageddon scenario. 

I want to be clear that I am not saying it is a likely scenario. But I worry that it is possible. 

Here's the problem.  Banking is built on trust.  Depositors trust that banks will maintain accurate records of their accounts.  Historically we trusted but verified:  in paper-only days, both consumers and banks maintained copies of account records, and banks' internal records were maintained on paper.  Things like passbooks provided evidence of account transactions and balances. The system was inefficient and had its own risks:  fire and flood, for example. But those could be mitigated by storing multiple copies of records in multiple locations.  It was unlikely that millions of consumer accounts would be compromised by malicious activity.

The past several years have seen a major shift in this paradigm. Many consumers have opted for electronic statements only, something banks pitch as good for the environment, but which is really about saving banks the costs of printing and mailing the statements. Electronic records, however, are inherently vulnerable to hacking, and consumers' paper records are never up-to-date (unless you've still got a passbook).  Hacking, whether by criminal enterprises, terrorists, or state actors, poses a huge threat to the integrity and stability of our financial system.

I don't see any great way around this problem. It seems like it inevitably devolves into an IT arms race, which banks will sometimes lose, and which is particularly bad news for small institutions that just can't amortize the costs effectively over their account base.

Now, there's a lot I don't know here about the IT security of banks. I know banks spend a LOT on security and that there are all sorts of security measures I can't even fathom. In some measure the issue for banks is all about outrunning the other guy, not outrunning the bear because the devil will take the hindmost--the weakest links will get hacked. But there's also a big target on national champions, just as there was on American and United Airlines in Al Qaeda's eyes. Plus, there's the Willie Sutton problem: hackers rob banks because that's where the money is. 

National security folks have fretted for years about the vulnerability of "the grid" to attack by terrorists or foreign powers:  we are deeply dependent upon having reliable electric power. But the financial services sector is an equally worrisome vulnerability. Think of the chaos that would ensue if Visa or DTC went down.  Indeed, one only has to look at 9/11 to recognize the risk:  with air space shut down after 9/11, our paper check clearing system broke down, and the Fed had to guarantee payment on all checks in the system. If the 9/11 attacks had hit elsewhere in lower Manhattan, the economic chaos could have been much worse. The irony is that 9/11 exposed the vulnerability of a paper-based system, and our response was the Check21 Act, allowing for image exchange of checks--a move toward a more fully electronic system. The attack on Chase should remind us that electronic systems have their own vulnerabilities.

We live in a world of electronic money.  Hacking is the new counterfeiting.  It is a threat to the integrity of the money supply and to the economy as a whole.  Regulators need to be taking this really seriously as both a safety-and-soundness threat and a national security threat. I know that their actions in this area will not be transparent to the public, but I hope they're on top of it. There's a much greater potential threat to the US from hackers targeting financial institutions than from ISIS, barbaric though they may be. I hope our government is taking it seriously. 

Comments

It's not really true that "banks spend a lot on security" at least in a relevant way. Banks spend a lot on *their* security, on the security of their internal discussions, trading strategies, and so forth. Keeping consumer data secure is not complex and doesn't require a large expenditure.

But they don't even spend that. The biggest source of data theft for fraud is the credit card scanning machines used by vendors, which can be accessed from outside. These are *supposed to*, by contract, have levels of password protection and delete data and so forth. Checking to verify that these rules are enforced would be impossibly cheap - a few phone calls a month into each machine. Do the banks spend that money? No.

How else does consumer data get compromised? Take the bank's consumer interfaces for example. That isn't where consumer banking data is stored or transactions get processed, but it has access to those deeper data stores. And the interface security is, universally, garbage. Obvious garbage. Garbage that anyone in digital security has known is garbage for decades. You'll let me use a non-random password? Shocker when it's the same one I use at momnpops no-security bakery. You store passwords in plaintext for convenience (LinkedIn...)? Shocker when that fails. Don't pretend these are hard problems, they were solved decades ago, and Google makes the technology available for free.

They want to "verify my identity" with my address and the last four digits of my soc? So every bank phone rep, every day, learns enough data to get into the accounts of hundreds of people at a multitude of institutions that all use the same system.

Again, these are all "solved problems" in computer security that would be easy to fix, but the banks simply do not care.

They do, however, spend tens of millions on statistical methods to detect fraudulent credit card use --- because in that case it's the bank rather than the consumer who is being defrauded.

Make companies liable for these data leaks and they'll be gone in 6 months.

There is certainly a risk of banks or other institutions losing account records. And things like backup copies all too often turn out to be unusable (because the bank rarely reads the backup).

On the other hand, 100 years ago fire in the bank building would have the same effect, and I'd guess that the bank would not have had numerous backup copies (being much more expensive to produce) which are standard today.

@ThomasW: agreed. But 100 years ago, we didn't have mega-banks. If there was a fire in the bank building, it destroyed one branch's records, not the entire bank's (unless it was a one-branch bank). The potential scale of the harm is much larger now, plus it can all be done remotely.

The BOE just did a set of fire-drills and continues ongoing resiliency tests for banks in regard to Cyber Hacking. They already consider this a systemic source of risk (having dealt already with the risks of GRexit, CyprExit, ScotExit, and the ongoing Russian issue!).
See this: http://www.bbc.co.uk/news/technology-27781381

The issues could be much more serious than just compromising consumer accounts. JPM is an intermediary bank so is processing far more money in transactions than it has in its accounts. This and more could be easily compromised--payment systems, Swift, securities settlement, interbank transfers, FedFunds, etc. We saw how easy it was for one fire to take down Chicago O'Hare and vicinity. I don't want to be alarmist but it is truly worthwhile investing in both the security and robustness of these crucial systems.

Under some states of the world, bills and coins are preferable!

Why do you guys accept these claims uncritically? This is consumer banking -- small savings and checking accounts, credit cards, consumer auto and home loans. The institutions' track-record of honesty with the public is appalling at best.

Here is their incentive to mislead: Current law would hold them liable to the customer for failing to provide access to funds; forbid them from billing for fraudulent credit card charges; and so forth.

The consumer banks would very-much like to be relieved of those obligations. In fact they've been lobbying for it extensively for more than a decade, and they've done well in shifting the costs onto consumers.

Whatever *systemic* risk there seems to be here is avoidable at minimal cost by the institutions involved. Even if all of an institution's data stores were corrupted simultaneously without detection (yes, they do have effective backups), the accounts could be completely reconstructed through transaction records maintained by other institutions. They already do that for individual accounts.

Seriously -- why do you take these claims by the banks at face value?

The comments to this entry are closed.
