Skip to content


Massive US bank breaches, and Europe

Security: Adam Shostack has been tracking the immense volume of recent bank disclosures of compromised customer data. Bruce Schneier has also commented, and an interesting question arose in his posting’s comments — why are there seemingly no similar problems with European banks?

One responder points to a WSJ article which broadly misses the point. It discusses the additional layers of security imposed by European banks above the usual username/password combo. This is true — Eurobanks generally have higher security at the ‘front gate’; for example, I recall Bank of Ireland even issued SecurID-type tokens in its earliest online banking system. However, that misses the ‘insider’ attack, as in the most recent case of these 676,000 accounts, so I think it misses the point.

Bruce Schneier’s take:

Personal data is 1) not collected as widely, and 2) much less valuable as a tool to commit fraud. The second reason is far more important.

I think he’s partially right. Access to new and existing accounts in the US often requires little more than an SSN or similar trivial, easily-discoverable, data which is used in common across multiple institutions, and can be performed online; whereas in Europe, one requires documentary proof of address, ID, and the act must be performed in person at a bank branch. (This is often exceedingly annoying, of course. ;) In general, identity theft seems to be at a greater level in the US, and this is one reason why, I’d guess.

Adam Shostack has another take: these disclosures have all arrived on the heels of California’s SB 1386. It’s very unlikely that these kind of breaches never occurred before this, and suddenly began recently — it’s more likely that they’ve always gone on, but are unreported in Europe (and of course were unreported in the US, pre-SB 1386).

I’d add another point — the US has a large population of targets, with banks sharing financial systems across the entire country. Europe, by contrast, has many individual countries which each have their own set of banks and banking systems, and less interoperability and cross-state data flow. The potential return from ID theft fraud is increased by the larger pool of candidate victims in the US, compared to what an attacker could achieve in each individual European country. This means both that (a) an attack will affect a smaller number of victims in Europe than the US, and (b) widening the scale of an attack becomes significantly harder when the attacker must deal with new systems. It’s the ‘security monoculture’ issue again, applied to banking instead of operating systems.