Banks: A veil of safety

But consumer organizations say more public disclosure is needed. They note that banks are notorious for pushing to shield many aspects of their operations from scrutiny, employing armies of lobbyists to pursue their agendas on Capitol Hill.

"If there is increasing concern about break-ins and security with online banking, I believe the government should be clearer about the insecure nature of these online banking services," said Edmund Mierzwinski, a consumer banking advocate with the U.S. Public Interest Research Group, the national lobbying office for state non-partisan public-interest groups.

Insurance against sabotage
With such high stakes, all parties involved inevitably blame each other when a breach occurs, because there are so many points of potential vulnerability in the vast and complex systems of financial operations: hosting companies, Internet service providers, databases, transaction software and all manner of hardware. And all hope to deflect the legal liability inevitably associated with such incidents.

Accordingly, banks are turning to insurance companies because their coverage has failed to keep up with risks related to the Internet. Traditional insurance for banks covers robberies, but the new policies specifically deal with losses stemming from entire systems crashing because of sabotage or hacker or virus attacks that destroy data and programs.

Progressive and Chubb are among those now offering policies tailored to shield banks from losses resulting from computer intrusions. Progressive said that hundreds of small community banks have signed up for its Internet Banking Protection Package since it introduced the policy last summer.

"We are getting more and more interest from banks as they realize the risks," said Judi Kovach, a Progressive manager. "We had to enhance our insurance to include Internet banking exposure because the traditional coverage was written 100 years ago."

Some of these new policies also cover liability issues in case a customer sues because his privacy was breached. The federal government insures each bank account up to $100,000, but that applies only when an entire institution collapses.

Security breaches have not been confined to younger, Internet-only banks like NetBank in the United States and Egg in Britain; established global leaders such as Citibank, Credit Suisse Group's Direct Net and Barclays Bank have proven vulnerable as well. Security lapses have also been reported by regional institutions such as Wells Fargo in California, Republic Bank in Florida and First Virginia.

Moreover, security concerns involving online banking are rising with the advance of Web services, a new way of writing software that makes it easier to link systems and get information online. If this budding industry takes hold, people may find their private information on vulnerable servers or databases connected somewhere to the Net regardless of whether they have ever banked online.

"Many old-guard banks depend on legacy systems like mainframes. There's also corporate desktop systems and branch computers and ATMs; all live on the network, and all have some degree of access," said Adrian Lamo, a self-described "ethical hacker" whose conquests include the New York Times' internal network, where he viewed the Social Security numbers and other private information of former President Jimmy Carter and hip-hop artist Queen Latifah, among others. "Even branch terminals are frequently older and obscure, potentially vulnerable to anyone knowledgeable in their foibles."

The weakest links
One notoriously weak link, for example, is a Microsoft server in wide use. Early last year the FBI's National Infrastructure Protection Center warned that several organized hacker groups from Russia and the Ukraine were targeting online banks and other e-commerce sites by exploiting vulnerabilities in un-patched versions of Microsoft's Internet Information Server software. The FBI advisory blamed the international groups for online break-ins at 40 companies in 20 states.

In its regular security alert, Microsoft detailed how a computer connecting to the server could exploit a feature meant to allow controlled Internet access to a database, secretly redirecting information back to the intruder. Using this method, according to the FBI, hackers gained unauthorized access and downloaded proprietary bank information, customer databases and credit card numbers.

They then coolly turned around and notified companies of the intrusion, offering services to patch their systems against further attacks. If a company declined to pay for their services, the hackers became more belligerent and threatened to sell pilfered customer information. In October, the FBI reissued the advisory to emphasize that this particular line of attack was still a dangerous threat.

Microsoft had released patches to plug that particular security hole in 1998 and reissued security bulletins to customers through 2000, but many companies failed to make the repairs. The scenario exemplifies how such "fixes" are routinely ignored by many systems administrators--if they are aware of the problem at all--and underscores the ease of denying culpability when a system is breached. The banks can blame Microsoft, while the software giant can point to negligent technology departments at the financial institutions.

Complicating matters further, the type of software used by financial institutions can vary widely from company to company. The larger institutions develop software tailored to their systems, while smaller banks try to customize off-the-shelf technologies. In either case, vulnerabilities are likely.

"It turns out that the specialized, in-house stuff has more security holes than the off-the-shelf ones," said a former investigator for the Treasury Department who is now a head of security for a multinational bank. "If you use an off-the-shelf system, you may have a secure infrastructure, but if you configure it poorly or customize it, you could introduce holes to it."

The latter occurred with a small, regional financial institution that enlisted an outside security team to evaluate an off-the-shelf system it had already begun to use. The consultants found one field of data that was exchanged between the server and browser that required a four-digit number between 1 and 10,000--from 0001 to 9999--that was generated automatically by the application.

"If we could successfully guess this number, we could become some user. The fact is that 1 in 10,000 doesn't take long to guess if I can guess 100 permutations per minute with an automated number generator," said Predictive's Skoudis, who did not disclose the identity of the bank involved. "We weren't told if we were called in because of an incident, but the vulnerability was there and a present threat."

Hackers often target hosting companies and ISPs, usually the weakest links in the chain, to bypass firewalls. In December, Lamo broke in to MCI WorldCom's ISP network and was able to view the secure networks of Citibank and Bank of America, which ran over leased lines.

Lamo exploited something called an "open proxy," a server normally used by a company to filter data on an Internet connection. The open proxy had been mistakenly installed on a Web server when it was first configured, leaving it exposed.

"Any intruder could have taken control of the routers with the information I had," Lamo said.

Sometimes, all it takes is one errant ISP connection to bring down an entire system.

Even a bank with a fully protected internal network could find itself exposed if a teller were to sign on to a personal America Online account from inside the network, for example. This could happen because AOL forms a virtual network adapter and assigns a separate IP address, according to Lamo.

"That automatically creates something of a tunnel through many firewalls when the user signs on," Lamo said, explaining that while that bank network remains secure, a workstation within the bank becomes vulnerable by way of the AOL address.

This scenario was exploited less than two years ago when intruders cracked one of AOL's customer information databases by establishing a connection to the computers of some of the company's customer service representatives. "It illustrates how any organization can't really prepare against all possibilities when they're using a public network," Lamo said.

Human error
Despite all the possible technical weaknesses in the online banking infrastructure, humans often present far more risk than any technology. Investigators and security experts note that a bank insider more often than not plays a role in security breaches.

An insider can be someone working at any point along the financial network infrastructure, from a current or former employee in the bank's technology department to someone affiliated with an off-the-shelf software company.

"Insiders know your systems. They can inflict the most damage," Skoudis said. "They might be gone for months but may have installed remote-control software to get in from anywhere."

Investigators and security experts said the pressure and worry that built steadily to make sure that computer systems were ready for the infamous Y2K bug presented a great opportunity for insiders to "go bad."

"Financial institutions were running around like mad, hiring people right out of the phone book to make sure they could put up all the signs and banners saying, 'We are Y2K ready--don't pull all your money out,'" said Hale Guyer, a special investigator and member of the Illinois attorney general's Task Force on the Investigation of Internet Crime and Child Exploitation. "They all did very poor background checks because of the rush. What would have kept one of those people from putting in a back door to your systems?"

Even without inside help, hackers can prey on what investigators say is the most susceptible link of all: the bank customer tapping in from home, often on a computer with little or no security software. This person presents the most tempting target, the one least aware of how much damage can be done simply by opening an e-mail attachment or clicking a link.

Home PCs still routinely fall victim to "Trojan horses," types of software that pretend to do something useful but in fact punch security holes in individual systems and allow hackers to log keystrokes or record conversations if a microphone is attached to the computer. Lamo said most of the fraud discussed on less-sophisticated hacker chats relates to stealing information using Trojan horses.

This stolen information is still only one phase of a process that takes weeks of work, requiring a hacker to painstakingly gather all the information necessary to impersonate someone online. But that may change with newer, more sophisticated hacking technologies.

"It is likely that we will see automated attacks appearing eventually, using viruses to attack many users of online banking indiscriminately," said Mike Bond, a computer security researcher at Cambridge University. He added, though, that this is unlikely to occur in the near future.

Bond and his colleague Richard Clayton made headlines last year when they developed a program that allowed them to bypass one of IBM's most secure cryptographic co-processors, a system used to store PIN codes for ATMs. The researchers demonstrated the breach on a laboratory computer, and IBM subsequently fixed the flaw.

"No matter how great a job you do, a determined attacker will eventually find some sort of problem," Bond said. "You have to find just one fault to exploit, while banks need to cover all possible faults."

Anatomy of a hacking