
Google, Microsoft, Facebook, Apple.

Maybe 3-4 other "smaller" big startups that have anomalously great programs, which I'm not going to name.




You're giving Apple way too much credit.


Or you're giving Google and Microsoft too much.


At some point Apple didn't even store Netscaler configurations under source control. Glad to hear that they got better.


Microsoft certainly, not so sure about Google. Anyone can get access to the Redmond intranet by spending a day searching for credentials on GitHub; harder to do with Google.


There's not one "security"; of these 4, each has some specific strengths, and some weaknesses.


Of the 3, which have you hacked in some form?


Seems like the banking industry has at least a degree of competency here as well. Who would bother with identity theft if you could just hack the banks and steal the money directly?


Strong disagree. The reason you don't see tons of bank compromises --- apart from the fact that banks don't routinely disclose breaches --- is that it's harder to monetize a breach than people tend to assume it is.

Think it through. So: you "hacked" a "bank". You're on their internal network. Talk me through "stealing the money directly".


>So: you "hacked" a "bank". You're on their internal network. Talk me through "stealing the money directly".

The attack on SWIFT in Bangladesh [1] earlier this year gives one example.

1. http://baesystemsai.blogspot.com/2016/04/two-bytes-to-951m.h...


Big respect for you usually, but I think you're completely wrong here. See my comment a bit upstream - having that sort of access to mortgage/credit card systems would be a great way to steal money, or at the very least fudge things up left and right.

Internal access would also include access to low latency markets and internal risk management systems. Being able to see what kinds of trades - particularly in FX - are made across many, many international counterparties would go very, VERY far to make large amounts of cash.

At that same bank, many green engineers had the ability to do trades on behalf of many large counterparties. Lots of room for monetization there - or more.


I helped start a specialty practice at Matasano focused on trading firms and exchanges. That doesn't make me right or anything, but I'm pretty familiar with the attack surface we're discussing. I think the kind of attack you're contemplating is a lot harder to pull off than you think it is. (Not from a technical perspective.)

I have no trouble believing that you can make money from PII stolen from a bank breach. The issue is that the same PII exists in all sorts of other firms that are lower-hanging fruit, both from a technical perspective and from a "degree to which law enforcement will be invested in tracking you down" perspective.

In any case: banks staff decent-sized security groups, but they're generally nothing like the force Google can bring to bear on the same problems. There's a reason Chris Evans works at Google and not at some random bank.


Yep - I was actually hoping to see your talk on Starfighter last week, but work kept me in a different state. :)

My experience has been in finance for the past ten years at an ops/sysad level and can frankly say that security at these places may be a lot worse than you think. Much of it just seems to be out of laziness/not understanding best practice. Attacks would by no means be trivial, but they're certainly possible with (edit: relatively) low risk.

Keep in mind that the finance field is largely based on very, very old legacy systems that only upgrade as a last resort, including patching. Managing legacy systems on top of improper management of organizational complexity leads to some very, very poorly implemented security. It's pretty frightening.

Things I've seen in finance -

(edit: deleted long list that probably shouldn't stay within easy internet accessible reach)


Technical security at financials, especially in application code and especially in application code that is closer to infrastructure than to line-of-business or retail, is very bad.

But the business processes that are driven by that infrastructure tend to be surprisingly manual and/or reversible, and, for reasons having little to do with technical security, are heavily audited.

I think unless you're the online equivalent of the robbery crew from Heat, if you SQLI your way into a bank (or trading firm or exchange) and try to move large volumes of cash directly, what's really going to happen is you're going to end up in prison before you get a spendable dollar.

This is a better conversation over beer than on HN. There's definitely stuff you can do! But I don't think financial firms are low-hanging fruit.


Fair enough - I can definitely see how auditing on a non-technical level would "do the trick".

I'll definitely take you up on that beer ;). hubblefisher at gee mayl.


Isn’t Evans working for Tesla these days?


Yup. Forgot. Thanks!


Isn't that the point? If you can't monetize a breach of their network then it seems like they're doing their job.


Imagine that you have hacked a bank. You could try to transfer money directly from the hacked customers' accounts into yours (or one you have set up for that purpose), in which case the account that the funds have been diverted to will instantly be passed on to law enforcement, and any attempts to move money out of that account will result in a SWAT team showing up in your location and arresting you. Remember that banking is double-entry: any debit from an account is a credit into another account, with an audit trail of exactly how the money has flowed.

Or, you could take the names, addresses, social security numbers, occupations, and income levels of all the bank's accounts and sell them on the black market. Your customer could then open credit cards in the name of the breached accounts, adjusting the billing address to an insecure mailbox nearby or hiring local kids to rifle through your mail when not home. (Or just steal credit card numbers.) They can then intercept the resulting card, charge a bunch of purchases to it, and ignore the bills. They won't be found out until the target checks their credit report and notices a bunch of cards they never signed up for, possibly a year or more in the future. The target is responsible for clearing up their identity. The credit card company is responsible for the financial losses. The only way to track the criminal is through their string of purchases, and remember that's not the guy who hacked into the bank in the first place (who is probably sitting on a beach in the Cayman Islands), it's the guy who bought the data.

Not a hypothetical scenario. Data breaches of this type have been reported against Mastercard [1], Bank of America [2], JP Morgan Chase [3], and others, and the mailboxes of both of my previous apartment complexes have been physically broken into.

[1] http://www.advfn.com/nyse/StockNews.asp?stocknews=BAC&articl...

[2] http://www.bankinfosecurity.com/bofa-breach-a-big-scary-stor...

[3] http://www.lowcards.com/major-data-breach-jp-morgan-chase-hi...


An attacker could still at least get the bank's customers' personal information in that case.


That is presuming that the end target of the attackers has to do with money. Very often it is not. Consider all the health care breaches of the last few years.


There are many ways to monetize a breach.


Yeah. I'm not suggesting that it's an A+ job well done. But at the same time, relative to the target they are, seems like they're doing something right.


No, that is not the point.


I'm genuinely interested in why not. Maybe the way I wrote it was a bit flippant, but surely bank computers that control the flow of trillions of dollars are a huge target. The fact there has never (?) been a massive breach that resulted in billions being stolen must be a sign that someone is doing something right. No?


I'd be interested in how many SOCs or FI security people you've talked to. It isn't perfect, and things will happen. But when I hear how medicine/education/retail secures their stuff (generically), I think the FIs are doing a bang-up job.


I think finance spends more on security than health or retail, but I don't think their outcome scales linearly with that investment.


  rm -rf /


This works on mainframes?


Hell no they don't.

I worked at a larger bank that used rot13 to encrypt the RW passwords for the internal databases it connected to. Since risk management in this case included mortgage and credit card systems, it would have been disastrous if there was any sort of compromise. The dev's excuse was, "We didn't have enough time to do proper password storage."


I complained to Wells Fargo last year that they shouldn't be storing user passwords. Their response was to not worry about it because they are the ones responsible for fraud.



