US banks not reporting intrusions
Ross Anderson
Ross.Anderson at cl.cam.ac.uk
Sat, 17 Feb 2001 10:44:41 +0000
> "Bank Regulators Puzzled by Lack of Reporting on Hacker Attacks
> Bank regulators are expressing puzzlement at the small number of banks
> reporting hacker intrusions.
Been there, done that!
When I was working in bank infosec in the late 80's there were many
salesmen from security vendors who talked up the risks, and claimed
that banks were losing tens of millions a year and keeping quiet
about it.
Now I was the chap in the computer department who got the loss reports
across his desk every Friday morning to check whether any of them were
relevant to what we were doing. I also went for a boozy lunch with the
internal auditors once a month, and the bank's physical security guy
(who had a cubicle ten yards from mine) used to join us for drinks
every Friday after work. I do believe I knew what was going on.
There were none of the huge, covered-up computer frauds that the
salesmen used as their stock scare tactic.
When I occasionally said this, they got extremely angry and accused me
of lying. So after a while, I just shut up and let them get on with
their job of ripping off the less clueful.
I don't see that much has changed in the last fifteen years.
Ross