Banks, named new main target for financial crackers, ponder radical tactics for defense

Sharing data to mine for potential threats or informal tip sessions run counter to banking culture

Major banks are reportedly preparing to use a few of their actual core skills – not the ones they had to learn to stay in business – to identify security threats as they're developing, rather than when a huge catastrophe makes them too obvious to miss.

In order to make the new effort work they'll have to overcome their major cultural weakness, however: secrecy, according to the Wall Street Journal, which broke the story today.

This month, according to the journal, security execs from Morgan Stanley and Goldman Sachs Group Inc. plan to meet with researchers at the Polytechnic Institute of New York University to talk about how to create a center available to all major banks that would mine mountains of banking data to find patterns that could indicate an attempt to probe existing security or create new ways to spoof identities, steal passwords or create money-transfer authorizations where none should be.

Bank of America is trying to put together a separate industry-security cooperative by hosting experts from other banks at informal conferences that allow them to share information about recent attacks and the responses that did or did not counter them.

Sharing information of any kind is a tetchy subject with banks. Information about customers and about the banks' own transactions are highly regulated and any irregularity tends to hint at theft or embezzlement, rather than sloppy record keeping, which is the default solution in most other industries.

Talking to other banks about anything but the weather also tends to make regulators think "collusion" and "conspiracy," rather than "professional networking."

So banks are even more reluctant to talk about security threats than other types of companies, none of which wants to be either embarrassed by a foiled scam or identified as an easy mark by a successful one.

"The mentality of the banks has been, 'Let's do everything internally because we don't want to give anything away,' " bank analyst Peyman Mestchian, with Chartis Research in London told the Journal.

Banks are becoming the target of choice for serious hackers, according to recent studies from PricewaterhouseCoopers LLP.

Organized-crime gangs are turning away from consumers and toward banks to increase their productivity and efficiency. And because, as leading 20th century bank robber Willie "The Actor" Sutton is reputed only in urban legend to have said, "that's where the money is."

(Sutton stole more than $2 million during a 40-year career. Though says he never told anyone he robs banks because that's where the money is, Sutton is so famous for the phrase that medical schools teach "Sutton's Law" "Consider the obvious first" as a way to remind budding doctors to consider the obvious causes of an ailment first before investigating exotic causes. An older version of the same dictum goes "when you hear hoofbeats outside the window, don't assume it's a zebra." Though he was known for clever plans and disguises, Sutton is not known ever to have used a zebra in one of his robberies.)

"We realized that just as the fraudsters collaborate with each other, we as an industry must collaborate," according to a WSJ quote from Keith Gordon, a Bank of America senior vice president of security.

Neither project is likely to deliver much benefit in the short term. Even banks discussing the NYU-Polytecnic project are resisting the idea of pooling data in favor of allowing each bank to sift its own and share homogenized results.

The continuing problem, according to other sources in the Journal, is confidence. Banks will avoid, deny and even lie about attempts at fraud, even when they're spending money to stop it and haven't been successfully hit, just to keep anyone from thinking they're vulnerable.

It is only threats such as spear phishing and the Zeus trojan, which is designed specifically to attack banks, that is driving the financial industry toward circling all the wagons rather than just their own.

The question is whether even a large-scale effort will do any good by creating an honest pool of data, or if the whole thing will be hamstrung by banks keeping their most embarrassing (and most useful) data locked up where no one can see it.

Read more of Kevin Fogarty's CoreIT blog and follow the latest IT news at ITworld. Follow Kevin on Twitter at @KevinFogarty. For the latest IT news, analysis and how-tos, follow ITworld on Twitter and Facebook.

ITWorld DealPost: The best in tech deals and discounts.
Shop Tech Products at Amazon