NEW YORK — Goldman Sachs and Citigroup have stepped up warnings to shareholders about Internet attacks as the U.S. government prodded banks and government agencies to bolster their defenses.
Online and mobile banking give new points of entry that can be used to disrupt or penetrate operations, the two New York-based firms said last week in annual regulatory filings. The companies said they’re vulnerable to tactics that overload websites to shut off public access, such as assaults that disrupted the nation’s largest lenders late last year.
U.S. banks are speculating that foreign nations, organized crime or terrorists are behind efforts to cripple their websites and warning that costs to keep intruders at bay will rise.
President Barack Obama directed the government on Feb. 12 to develop voluntary security standards for companies running vital infrastructure and is pushing Congress to set formal rules.
“We are going to see more disclosures, and that’s a warning sign that things are really getting bad,” said Lawrence Ponemon, chairman of Ponemon Institute, a Traverse City, Mich.-based security research firm, which predicts a 30 percent increase in expenses tied to computer network intrusions this year.
Attacks in December hit Bank of America, JPMorgan Chase, U.S. Bancorp, Wells Fargo and SunTrust Banks, two executives at security companies said at the time. PNC Financial Services Group, the second-biggest regional bank, said in its annual filing that attacks may hurt customer confidence and increase costs at the Pittsburgh-based company.
The intrusions aren’t limited to financial firms, with Microsoft, the largest software maker, saying Feb. 22 a small number of its computers were infected by malicious software in an attack similar to those experienced by Facebook and Apple.
Internet security gained renewed national attention in the past few years with revelations about a security breach of a Federal Reserve website, intrusions at The New York Times and other news organizations attributed to Chinese hackers, and a wave of so called denial-of-service attacks that disrupted the websites of the biggest U.S. banks and payment networks.
The tactic can disable a website by flooding it with traffic. While that doesn’t give intruders access to cash or personal data, regulators warned banks in December the attacks might be used to distract staff while accounts are penetrated, or to block banks and customers from informing each other.
“We know hackers steal people’s identities and infiltrate private e-mail; we know foreign countries and companies swipe our corporate secrets,” Obama said in his State of the Union speech. “Now our enemies are also seeking the ability to sabotage our power grid, our financial institutions and our air-traffic-control systems.”
MasterCard Inc., the second-biggest U.S. payments processor, said in its Feb. 14 annual filing the firm routinely receives threats, “and our technologies, systems and networks have been subject to cyber attacks.”
U.S. Bancorp, ranked fifth by deposits among commercial banks, told regulators Feb. 22 it had been targeted, and that it might not be able to stop all attackers “because the techniques used change frequently or are not recognized until launched, and because security attacks can originate from a wide variety of sources.” The Minneapolis-based lender cited organized crime, terrorists and hostile foreign governments, and said risks increase as it adds more Internet and mobile-banking options.
Wells Fargo, the biggest U.S. home lender, reiterated in its Feb. 27 filing that attacks against banks may be meant to “test their cyber security in advance of future and more advanced cyber attacks,” and said preventing or cleaning up after intrusions may get expensive for the San Francisco-based firm. It didn’t specify the cost.
Bank of America, whose customers complained that websites run by the Charlotte, N.C.-based company were repeatedly slowed or knocked offline, previously acknowledged it had faced a series of denial of-service attacks and may be required to spend significant amounts to address future attacks.
Mobile and online banking are adding vulnerability, as are customers and vendors who link directly to data systems, Fed Governor Sarah Bloom Raskin told bankers and regulators last week during an Atlanta speech. That has led to “concerted cooperative work between government and financial institutions,” and the Department of Homeland Security has provided firms with technical assistance, she said.
The biggest U.S. banks work closely with the Central Intelligence Agency, National Security Agency, Defense Department and governments around the world to address “hundreds of thousands” of cyber attacks, according to Jamie Dimon, chief executive officer of New York-based JPMorgan.
“It’s a big deal; it’s going to get worse,” Dimon, 56, said during an Oct. 10 panel discussion at the Council on Foreign Relations. “Computers in 10 years are going to be a hundred thousand times faster. And so they’ll be able to do calculations quicker and get through quicker.”
Business, Pages 23 on 03/05/2013