
Hacking and Systemic Financial Risk (Encore)

posted by Adam Levitin

The data breach stories just don't seem to stop. (And why would they?) The latest (I think) is about a massive and sophisticated multi-million-dollar hacking of several banks. If you read down through the story, one of the things the hackers did was manipulate the balances of real accounts. They'd change a real $1,000 balance to $10,000 and then have $9,000 wired to an account at another institution.

But why take out only $9,000?  The hackers were being nice, I suppose, in that they didn't steal any actual depositor's funds (as far as we know). And that was also probably smart, because if they zeroed out an account, there might be a bounced transaction that would alert the consumer and then the bank to the theft.  But I don't know that we can count on future hackers being so polite, considerate, or careful. Indeed, they might actually want to create havoc by messing with account balances.  

I raised this scenario several months ago, and before that a couple of years ago. I think today's news confirms that the financial Armageddon via hacking scenarios I have nightmares about aren't totally farfetched. Between state-sponsored hacking (I'm looking at you, DPRK), terrorist hacking (ISIS and Newsweek), and rogue individuals, I think we're looking at a matter of when, not if, we see consequences from financial hacking that go beyond a few hundred million in losses and result instead in institutions failing.


Only taking $9000 makes a lot of sense today. My experience with young people who've always had online access to accounts is that they ignore paper (or electronic) statements, etc. and just check their balance periodically. Even more than people who didn't balance a checkbook back in the days of mail and paper, they won't notice a couple extra transactions, especially if there's no (significant) impact on the account balance.

So by altering the balance and then withdrawing the difference, chances are the account holder won't notice for a long time (if at all) and the bank is stuck tracking down the "deposit" (balance adjustment) if / when it's found in a transaction audit. Assuming some care with the account the money is wired to, the risk of capture is almost zero and the rewards (at a few thousand dollars a transaction) are fairly large.

This is a risk of our continued move away from cash. With almost all large (and increasingly small) transactions becoming electronic, anonymous, jurisdiction-less theft becomes easier and easier. Insisting on cyber security can help, but any system can eventually be hacked -- the reason (at least in the past) the only truly secure computers were those behind locked doors with no electronic connection to the outside world.
