Hacker News new | past | comments | ask | show | jobs | submit login

Isn't that the point? If you can't monetize a breach of their network then it seems like they're doing their job.



Imagine that you have hacked a bank. You could try to transfer money directly from the hacked customers' accounts into yours (or one you have set up for that purpose), in which case the account that the funds have been diverted to will instantly be passed on to law enforcement, and any attempts to move money out of that account will result in a SWAT team showing up in your location and arresting you. Remember that banking is double-entry: any debit from an account is a credit into another account, with an audit trail of exactly how the money has flowed.

Or, you could take the names, addresses, social security numbers, occupations, and income levels of all the bank's accounts and sell them on the black market. Your customer could then open credit cards in the name of the breached accounts, adjusting the billing address to an insecure mailbox nearby or hiring local kids to rifle through your mail when not home. (Or just steal credit card numbers.) They can then intercept the resulting card, charge a bunch of purchases to it, and ignore the bills. They won't be found out until the target checks their credit report and notices a bunch of cards they never signed up for, possibly a year or more in the future. The target is responsible for clearing up their identity. The credit card company is responsible for the financial losses. The only way to track the criminal is through their string of purchases, and remember that's not the guy who hacked into the bank in the first place (who is probably sitting on a beach in the Cayman Islands), it's the guy who bought the data.

Not a hypothetical scenario. Data breaches of this type have been reported against Mastercard [1], Bank of America [2], JP Morgan Chase [3], and others, and the mailboxes of both of my previous apartment complexes have been physically broken into.

[1] http://www.advfn.com/nyse/StockNews.asp?stocknews=BAC&articl...

[2] http://www.bankinfosecurity.com/bofa-breach-a-big-scary-stor...

[3] http://www.lowcards.com/major-data-breach-jp-morgan-chase-hi...


An attacker could still at least get the bank's customers' personal information in that case.


That is presuming that the end target of the attackers has to do with money. Very often it is not. Consider all the health care breaches of the last few years.


There are many ways to monetize a breach.


Yeah. I'm not suggesting that it's an A+ job well done. But at the same time, relative to the target they are, seems like they're doing something right.


No, that is not the point.


I'm genuinely interested in why not? Maybe the way I wrote it was a bit flippant, but surely bank computers that control the flow of trillions of dollars are a huge target. The fact there has never (?) been a massive breach that resulted in billions beings stolen must be a sign that someone is doing something right. No?




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: