Hacking and Systemic Financial Risk (Encore)

The data breach stories just don't seem to stop. (And why would they?). The latest (I think) is about a massive and sophisticated multi-million dollar hacking of several banks. If you read down through the story, one of the things the hackers did was manipulate the balances of real accounts. They'd change a real $1,000 balance to $10,000 and then have $9,000 wired to an account at another institution.

But why take out only $9,000? The hackers were being nice, I suppose, in that they didn't steal any actual depositor's funds (as far as we know). And that was also probably smart, because if they zeroed out an account, there might be a bounced transaction that would alert the consumer and then the bank to the theft. But I don't know that we can count on future hackers being so polite, considerate, or careful. Indeed, they might actually want to create havoc by messing with account balances.

I raised this scenario several months ago, and before that a couple of years ago. I think today's news confirms that the financial Armageddon via hacking scenarios I have nightmares about aren't totally farfetched. Between state-sponsored hacking (I'm looking at you DPRK), terrorist hacking (ISIS and Newsweek), and rogue individuals, I think we're looking at a matter of when, not if, we see consequences from financial hacking that go beyond a few hundred million in losses and result instead in institutions failing.

Contributors

Pamela Foohey
   bio | posts

Anna Gelpern
   bio | posts

Mitu Gulati
   bio | posts

Melissa Jacoby
   bio | posts

Dalié Jiménez
   bio | posts

Jason Kilborn
   bio | posts

Bob Lawless (blog admin)
   bio | posts

Adam Levitin
   bio | posts

Stephen Lubben
   bio | posts

Nathalie Martin
   bio | posts

John Pottow
   bio | posts

Mark Weidemaier
   bio | posts

Jay Westbrook
   bio | posts

Alan White
   bio | posts

Like Us on Facebook

Like Us on Facebook

By "Liking" us on Facebook, you will receive excerpts of our posts in your Facebook news feed. (If you change your mind, you can undo it later.) Note that this is different than "Liking" our Facebook page, although a "Like" in either place will get you Credit Slips post on your Facebook news feed.

Bankr-L

As a public service, the University of Illinois College of Law operates Bankr-L, an e-mail list on which bankruptcy professionals can exchange information. Bankr-L is administered by one of the Credit Slips bloggers, Professor Robert M. Lawless of the University of Illinois. Although Bankr-L is a free service, membership is limited only to persons with a professional connection to the bankruptcy field (e.g., lawyer, accountant, academic, judge). To request a subscription on Bankr-L, click here to visit the page for the list and then click on the link for "Subscribe." After completing the information there, please also send an e-mail to Professor Lawless ([email protected]) with a short description of your professional connection to bankruptcy. A link to a URL with a professional bio or other identifying information would be great.

Comments

Only taking $9000 makes a lot of sense today. My experience with young people who've always had online access to accounts is that they ignore paper (or electronic) statements, etc. and just check their balance periodically. Even more than people who didn't balance a checkbook back in the days of mail and paper, they won't notice a couple extra transactions, especially if there's no (significant) impact on the account balance.

So by altering the balance and then withdrawing the difference, chances are the account holder won't notice for a long time (if at all) and the bank is stuck tracking down the "deposit" (balance adjustment) if / when it's found in a transaction audit. Assuming some care with the account the money is wired to, the risk of capture is almost zero and the rewards (at a few thousand dollars a transaction) are fairly large.

This is a risk of our continued move away from cash. With almost all large (and increasingly small) transactions becoming electronic, anonymous, jurisdiction-less theft becomes easier and easier. Insisting on cyber security can help, but any system can eventually be hacked -- the reason (at least in the past) the only truly secure computers were those behind locked doors with no electronic connection to the outside world.

Posted by: ThomasW | February 14, 2015 at 10:56 PM