It’s a scenario that’s played out on movie and TV screens countless times—a guy that walks into a bank, wearing a ski mask, demanding money. What seems almost humdrum entertainment is actually a rare, but still terrifying, event at NH’s banks. That exact scenario occurred at St. Mary’s Bank at 14 Spruce St. in Nashua in the late afternoon on Dec. 17, 2014. The bank robber, wearing a neoprene ski mask and hood, demanded money from a teller and warned not to give him any dye packs that would mark the money as stolen. However, he fled the bank before taking anything.
Shirley Bhutto, director of enterprise risk management and compliance at St. Mary’s Bank, says the credit union has faced six bank robberies since 2003. Except for this most recent case, “every single one of them got caught,” she says.
In March alone, news headlines like these appeared across the state: “Overdose Leads to Bank Robbery Arrest in Manchester;” “Man Arrested After Allegedly Robbing Manchester Bank;” “Second Citizens Bank Robbery Suspect Arrested;” and “Bank Robbery Suspect Captured at Store.” Those robberies involved Members First Credit Union in Manchester, two Citizens Bank branches in Milford and Stratham, and a TD Bank branch in Manchester. The past year saw a Somersworth man pleading guilty to being the getaway driver in three armed bank robberies in Maine and NH; a man in a zebra print dress robbing a Bank of NH branch in Rochester; as well as other robberies of TD Bank in Manchester and at Members First Credit Union.
Those are just a few examples of bank robberies that have occurred recently in the state. While such splashy headlines may give the appearance that bank robberies are more commonplace, statistics paint a different picture. FBI bank crime reports show there were 7,556 robberies of financial institutions in the United States in 2004. A decade later, that number plummeted to 3,879 robberies. Even during the depths of the Great Recession, bank robberies saw a steady decline nationally. In NH, they remain unusual, with just 23 bank robberies in the Granite State in 2014. However, while robberies nationally have declined, NH’s figures have held fairly steady, with 26 bank robberies in 2004, 19 in 2008 (in the depths of the recession), and rising back up to 23 in 2011 (well into the economic recovery).
While bank robberies are dramatic and capture public attention, the truth is banks have security procedures and systems in place that either thwart such robbery attempts or make it easier to catch perpetrators. In fact, the FBI’s 2014 Bank Crime Statistics Report shows that, to date, 55 percent of the 4,778 people involved in bank robberies last year were identified.
The real threat to banks is cybercriminals. In 2009, losses from cybercrime in the U.S. reached about $100 million. Just five years later, reported losses ran about $1 billion, according to Bill Nelson, CEO of FS-ISAC, a nonprofit membership organization that helps financial institutions worldwide stay current on the latest threats and countermeasures. By contrast, FBI statistics show that in 2011, physical robberies resulted in $38 million stolen from financial institutions nationally. (2014 totals were not available.)
The first recognized online bank robbery took place 20 years ago when hackers broke into a bank’s computer system and started moving money out of several corporate accounts into their own accounts elsewhere, according to the FBI. Since then, confronting cyberthreats has become a leading expense, a top priority for banks and a growing cost of doing business.
Heists are so 20th Century
Bank lobbies are emptier these days as more people choose the convenience of banking online. Banking by phone, computer and other remote devices, though, creates a need for increased security. At many banks, customers who sign into their accounts remotely from a new device, or keep switching devices, will be asked a security question before being granted access. At Bank of NH, any customer who tries online banking from a new phone or tablet will receive a special log-in code from the bank that allows the system to recognize that device going forward. These kinds of double authentication systems, known as out-of-band authentication, create overlapping layers of security. That takes knowledge and money, and that is only a small part of cybersecurity.
“The last several years have become much more intense,” says Mark Primeau, president and CEO of Bank of NH. He estimates his bank’s investment in cyber security to run in the seven figures. “It’s a major cost of doing business.”
Bill McIver, COO at Lake Sunapee Bank, agrees. “The entire compliance, crime-fighting piece becomes bigger and bigger every year,” he says. According to a 2014 study by the Ponemon Institute, which provides independent research on privacy, data protection and information security, the average cost of dealing with a data breach went up by 8 percent last year from $188 to $201 per incident.
Among the most common controls banks use to prevent fraud are highly advanced firewalls and systems for detecting anomalies in transactions, such as someone using a debit card in Nashua and then, a half-hour later, apparently using an ATM in California. A bank can freeze the account to protect against further losses, and generally the cardholder is protected if any charges or withdrawals are fraudulent.
Banks absorb the losses in all but catastrophic cases that exceed the deductibles on their insurance. Inga Beale, the CEO of Lloyd’s, which manages a clearinghouse for insurance policies, told Fortune magazine in January that, last year, the insurance industry took in $2.5 billion in premiums on policies to protect companies from losses resulting from hacks. That was up from around $2 billion a year before, and less than $1 billion two years before that, Beale stated. “These types of fraud activity do have a cost, and ultimately they have an impact on what the cost of certain products and services will be,” says Christiana Thornton, president and CEO of the NH Bankers Association.
Debit card fraud is among the most common, but systems are in place so that the loss in each instance is generally relatively small. But fraudulent wire transfers can cost banks much larger sums, and banks set higher hurdles to guard against their misuse, for example by providing businesses with small electronic devices—fobs—that issue constantly changing codes so that a precise code has to be entered in a specific time frame to conduct a transaction.
But while cybercrime is on the rise, traditional bank robberies are on the decline, and old-fashioned robbers are increasingly likely to get caught. “Nationally, 70 percent of robberies end in arrest thanks to well-trained tellers, wanted posters and Internet sites, alarm systems, cameras and other tracking devices,” Thornton says. Even the recent recession did nothing to change the general downward trend in traditional bank robberies, she says.
High Tech Stakes
Cybercrime draws from a more sophisticated and global demographic. In fact, the FBI’s most wanted list for cybercrimes includes a melting pot of Russian, Vietnamese, Chinese and Swedish names.
“You have to be pretty fast to stay ahead of the fraudsters,” McIver says. Part of how banks do this is by sharing information. FS-ISAC sends out regular alerts to members when a new threat surfaces. Most NH banks are members. In addition, most banks convene regular meetings of high-level staff across departments to discuss data security.
Monitoring and updating computer banking systems means banks must hire highly trained staff to manage their online security. Where banks use vendors, they need to ensure vendors have sufficient safeguards to protect customer data as well.
“You can’t rely on one control. You can’t rely on two controls; you need four or five controls. It’s very important to have these layered controls,” Bhutto says.
Bank security is something that is updated continually. Updates or “patches” to security software can total 100 or more in just a month, according to Primeau. And cybersecurity must be tested regularly. Banks hire companies to try to break through their security, a practice known as penetration testing.
Matt Putvinski, director of IT Assurance Services for Wolf and Company in Boston, is one of the specialists who advises banks and conducts penetration tests for several NH financial institutions. “It’s definitely getting harder because the threats are changing, getting more creative,” he says.
Despite that, it is now rare for a bank’s computer systems to be successfully hacked into, with money transferred, as it was in the 1994 breach mentioned by the FBI.
Avoid Phishing
The greater vulnerability lies in human error. Phishing is a technique that involves getting people to reveal information that hackers can use to access accounts. According to the American Banking Association, phishing is behind more than two-thirds of cybercrime.
Phishing is typically done by sending emails to solicit information, such as claiming a customer’s information needs to be updated. But some of the activity is person-to-person, known as “social engineering,” and can involve calls that manipulate the customer into giving out personal information. At the bank level, fraudsters can claim to be a customer, trying to leverage a bank employee’s goodwill to get information by claiming to be in a bind and needing help.
In fact, it is dealing with the human element that may be the biggest challenge. Banks and the NH Bankers Association say they are trying to educate customers and to engage them in monitoring their accounts and guarding against scams. “It’s a shared responsibility,” McIver says.
Even though banks accept losses to protect their customers, the expense does get passed on in other ways. “You’re seeing banks and credit unions upping some fees or not providing free checking,” Bhutto says. St. Mary’s is automating more of its administrative work to find efficiencies, including shifting to online statements and asking members in the coming months to pay if they want to continue to receive paper statements by mail. Citizens Bank has already instituted this practice.
Multiple federal agencies, as well as the NH Banking Department, are involved in making sure customer information at banks and credit unions is protected via periodic audits or reviews. Regulators include the Office of the Comptroller of the Currency, the Federal Reserve and the Federal Deposit Insurance Corporation (FDIC), which insures against bank failure but not losses from cybercrime.
With cybercrime losses continuing to grow (global estimates run as high as $334 billion to $400 billion a year), bankers say other entities need to do more. Most of the major data breaches in recent years have involved the retail sector. Bankers say they’d like to see retailers required to provide a similar level of protection for customer information as is required of banks. In addition, they are advocating for a nationwide standard to be adopted around handling data breaches rather than leaving regulations to each state to determine.
“There needs to be a more level playing field where merchants are subject to the same requirements,” says Thornton. She organized a group of about 20 NH bankers, including Primeau, who traveled to Washington, D.C. in late March to meet with NH’s Congressional delegation about this and other issues.
While many retailers and banks will start issuing and accepting new credit cards this fall with an embedded electronic chip instead of the more easily copied magnetic strip, Thornton and others say that’s not enough. Among other things, it won’t protect in cases of fraudulent online purchases. But the technology to combat cybertheft continues to evolve.
Up and coming technologies include biometrics, which use a fingerprint or retina scan to identify customers, and wider use of tokenization, which works a bit like encryption. It substitutes a random token, like a random set of numbers and letters, for a specific transaction. Used by Apple Pay and Google Wallet, this process is described in more detail in this month’s Tech Report on page 20.
Primeau and others are excited about the potential for new systems to protect customers, but Putvinski says hackers will also evolve because their lifestyles depend on it. They will continue to seek out and exploit new vulnerabilities, he says.
“This business has always been about being one step ahead,” Bhutto says.
