Now that we were alone I asked Jonny why he kept asking the managers about policy and the probability of failure. It was a question that I’d been waiting to ask for some time. After all, we were not business consultants; what did the FBI care if Bendix managers were out of touch with the reality of the technical situation? Why harp on it?
“Because,” Jonny explained, “any time upper management denies there is lax security, and refuses to look into breaches when they occur, the door is left wide open for an inside attack. Do not think for a moment that the employees are unaware of management’s attitude.”
I whistled softly between my teeth. It made sense. If employees know that managers turn a blind eye to security incidents, then there is no deterrent. By covering up problems, the banks make themselves all the more vulnerable.
Banking relies upon trust; it is the very essence of the business. A bank fails when consumers lose faith in the bank’s ability to safeguard money. When there is a security breach at a bank, it would seem quite rational for the bank to gloss over the problem. Even if a bank must sustain the financial losses associated with a successful hack, that may well be preferable to letting the inability of the bank to protect itself and its customers become public knowledge. This is the point that Jonny had made upon our first meeting, in Agnes’ office.
“I was trying to establish that the Bendix employees had the opportunity to commit inside attacks on the EFT system,” Jonny finished.
I would say he succeeded! The environment at Bendix was ripe for fraud.
“We see this all the time with ATM fraud,” Jonny said conversationally. “It isn’t at all uncommon for security personnel at banks to be quietly fired for disciplinary reasons. On the other hand, it is uncommon to hear a public admission by a bank that recent ATM fraud was traced back to the bank’s own security department. The numbers don’t add up; people are being fired for theft but nobody is reporting the thefts.
“Not only do the security personnel know better than anybody where the flaws are, but they know better than anybody just how strong the impulse is to deny that a problem exists. I learned during my case-work on ATM fraud that bank managers like to fool themselves into thinking that each and every case of ATM fraud is an isolated incident, a fluke, that can’t possibly be repeated and therefore requires no corrective action. You saw that for yourself this morning.”
Tony still had not returned. I took advantage of Jonny’s talkative mood and asked why the current case was different. Why was this case getting so much attention, both from the FBI and from the banks? Neither Bendix nor First Chicago appeared to be sweeping it under the rug. At Bendix the signs of upheaval were obvious.
He reminded me that the Bendix reaction was very ambiguous. On the one hand the offices were a site of mass hysteria and over-reaction. On the other hand, the bank managers attributed the problem to a fluke occurrence that was unlikely to be repeated. They claimed that Bendix security was exemplary.
Jonny answered my question by noting that there were several reasons why this case was different. He tapped his pencil on his fingers as he ticked them off.
- The bogus EFT’s were perfect forgeries, meaning that whoever was responsible was capable of doing substantial damage. The gravity of the situation had the banks in a panic.
- The FBI was making a concerted effort of late to turn up pressure on the banks.
He started to give another reason but then stopped abruptly. Whatever that last reason was, he thought better of telling me. Instead he changed the subject slightly and said, “If you want an example of the sort of tolerance I’m talking about, just consider the delay scam you discovered. Do you think for a moment that anybody would have paid much attention to that if it weren’t for the high level of overall panic right now?
“Hell,” he said as he tossed his pencil on the desk and leaned back in the chair. “Even I would have shrugged it off as another example of tricks of the trade and let the banks deal with it themselves.
“Or take the Argentina heist as another example — twelve million dollars stolen by a couple of hackers, and scarcely a murmur in the press. If it had been an armed robbery it would have been all over the news.”