Banks Reluctant To Use 'White Hat' Hackers To Spot Security Flaws | KERA News

Nov 5, 2014
Originally published on November 23, 2014 7:17 pm

Somewhere around the world, someone is trying to breach the security system of a large company. These attempted intrusions happen all the time.

Some experts say that to defeat the bad hackers, you've got to partner with the good ones. Recruit them to find holes and bugs in software and, when they do, pay them for it.

So-called bug bounty programs are becoming the new normal in Silicon Valley's high-tech sector. But another heavily hacked sector — the financial industry — isn't biting on the idea.

Risky Business?

At Yahoo's headquarters in Sunnyvale, Calif., dozens of people are listening to security experts from Google, Twitter, Yahoo and PayPal explain why they're inviting hackers to attack their corporate networks.

"If you care about the product [and] you care about your customers, you care about your customers' security — this is what you have to do," says Dean Turner, director of security intelligence at PayPal.

The online world is full of risk — and that risk is not going away. PayPal has responded by calling out to hackers with an open invite. This past year alone, the company says it has paid about 1,000 of them for confidentially reporting big security holes. These do-gooder hackers, called "white hats," come from over 66 countries and all walks of life — teenagers, tech workers, unemployed geeks.

Turner admits it's a tricky relationship. "You have to be reasonable," he says. "You have to be fair and you've got to be very clear about what your expectations are in terms of the exchange of information."

Like other tech companies, PayPal expects these self-appointed researchers to only hack their own personal customer accounts — not others — in the research process.

The hackers in turn expect the price to be right — say a few hundred dollars for a small bug, and tens of thousands for a big one. This isn't charity work, and they can always sell their findings to the black market.

"If you try to shortchange the researchers," Turner warns, "you're going to find out pretty quickly that you're going to be in trouble."

Sitting in the audience, Robert Auger, from the online file storage company Box, wonders about extortion. "Have you bumped into situations where people have tried to get more money out of you than you agreed to?" he asks.

Turner responds matter-of-factly. "Does it happen? Sure. Do you modify the rules? No."

New Conventional Wisdom

Paying outsiders to attack you was a radical idea just years ago. But the online world has grown so quickly and the cyberattacks against consumers have been so aggressive, Silicon Valley has changed its mind.

"There's thousands or tens of thousands of people out there with the skill sets that could help us find these bugs and get them fixed faster," Yahoo Chief Security Officer Alex Stamos says. "And there's nothing lost by bringing them kind of into the fold and giving them an opportunity to participate."

The biggest banks in the United States do not agree.

NPR contacted a dozen financial institutions. Like high-tech firms, they're under constant attack. But only one of them, GE, says it has a method for outsiders (customers or researchers) to report a security issue to the company. Citibank and Wells Fargo declined to even state whether they have such a method because, they explain, they don't discuss cybersecurity matters with the public.

Stamos has heard this before. "For most companies, they don't want to ever talk about security unless it's an absolute emergency and they've had a breach," he says. "And I think that's a mistake."

In a statement to NPR, the Financial Services Roundtable says the banks and insurers that are its members have not "traditionally" paid bug bounties. Such security programs are "usually" for technology companies that make software, like Microsoft, the group says.

Stamos doesn't buy that statement.

"Several of the large banks have more tech employees than we have employees overall," he says. "So hopefully they're able to adapt what we've done for themselves."

New Programs Court Banks

A few Silicon Valley startups are trying to help banks and companies outside the high-tech sector adapt systems to disclose vulnerabilities and pay bug bounties.

Katie Moussouris, policy director for HackerOne, set up a program for pre-screened hackers to attack (and improve) specific products — say a new online payments system. But just a handful of financial institutions signed up.

"A lot of these organizations confuse having a clear way to report vulnerabilities to them with an open invitation to hack their systems," she says. "And those are two very different things."

Moussouris says banks are missing an opportunity to protect their customers.

Copyright 2017 NPR. To see more, visit http://www.npr.org/.

ROBERT SIEGEL, HOST:

Somewhere around the world, someone is trying to breach the security system of a large company. These attempted intrusions happen all the time. Some experts say that to defeat the bad hackers, you've got to partner with good hackers. Recruit and reward the good ones for finding holes and bugs in software. So-called bug bounty programs are becoming the new normal in Silicon Valley's high-tech sector. But as NPR's Aarti Shahani reports, the financial industry is leery.

AARTI SHAHANI, BYLINE: At Yahoo's headquarters in Sunnyvale, California, dozens of people are listening to a panel of experts - security experts from Google, Twitter, Yahoo and PayPal explain why they're inviting hackers to attack their corporate networks.

DEAN TURNER: If you care about the product and you care about your customers - if you care about your customer's security, this is what you have to do.

SHAHANI: Dean Turner is director of security intelligence at PayPal. This last year alone, they invited thousands of hackers to attack them and paid about a thousand of them for confidentially reporting big security holes. These do-gooder hackers called white hats come from over 66 countries and all walks of life - teenagers, tech workers, unemployed geeks. Turner admits it's a tricky relationship.

TURNER: You have to be reasonable. You have to be fair. And you've got to be very clear about what your expectations are in terms of the exchange of information.

SHAHANI: PayPal expects these self-appointed researchers to only hack their own customer accounts - not others in the research process. The hackers, in turn, expect the price to be right - say a few hundred dollars for a small bug and tens of thousands for a big one.

TURNER: If you try to shortchange the researchers, you're going to find out pretty quickly that you're going to be in trouble.

SHAHANI: Sitting in the audience, Robert Auger asks about extortion. He's from the online file storage company, Box.

ROBERT AUGER: Have you bumped into situations where people have tried to get more money out of you than you agreed to?

SHAHANI: Turner responds matter-of-factly.

TURNER: Does it happen? Sure. Do you modify the rules? No.

SHAHANI: Paying outsiders to attack you was a radical idea just years ago. But the online world has grown so quickly and cyber attacks against consumers have been so aggressive, Silicon Valley has changed its mind. Yahoo Chief Security Officer Alex Stamos states the new conventional wisdom.

ALEX STAMOS: There's thousands or tens of thousands of people out there with the skill sets that could help us find these bugs and get them fixed faster. There's nothing lost by bringing them kind of into the fold and giving them an opportunity to participate.

SHAHANI: The biggest banks in the United States do not agree. NPR contacted a dozen financial institutions. Like high-tech firms, they're under constant attack. But only one of them, GE, says it has a method for outsiders - customers or researchers - to even report a security issue to them. Citibank and Wells Fargo say they do not discuss cyber security matters with the public. Stamos has heard this before.

STAMOS: For most companies, they don't want to ever talk about security unless it's an absolute emergency and they've had a breach. And I think that's a mistake.

SHAHANI: In a statement to NPR, the Financial Services Roundtable says the banks and insurers that are its members have not traditionally paid bug bounties. Such security programs are usually for technology companies that make software, like Microsoft. Stamos doesn't buy that statement.

STAMOS: Several of the large banks have more tech employees than we have employees overall. So hopefully they're able to adapt what we've done for themselves.

SHAHANI: A few Silicon Valley startups are trying to help banks and others adapt and pay bug bounties. Katie Moussouris, policy director for HackerOne, set up a program for prescreened hackers to attack and improve specific products - say, a new online payment system. But just a handful of financial institutions signed up.

KATIE MOUSSOURIS: A lot of these organizations confuse having a clear way to report vulnerabilities to them with an open invitation to hack their systems. And those are two very different things.

SHAHANI: Moussouris says banks are missing an opportunity to protect their customers. Aarti Shahani, NPR News, San Francisco. Transcript provided by NPR, Copyright NPR.