Banks Reluctant To Use 'White Hat' Hackers To Spot Security Flaws : All Tech Considered High-tech firms have been offering bounties to security researchers to find holes and bugs in their software, but these reward programs haven't drawn much interest from major banks.
NPR logo

Banks Reluctant To Use 'White Hat' Hackers To Spot Security Flaws

  • Download
  • <iframe src="https://www.npr.org/player/embed/361812463/361820868" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Banks Reluctant To Use 'White Hat' Hackers To Spot Security Flaws

Banks Reluctant To Use 'White Hat' Hackers To Spot Security Flaws

  • Download
  • <iframe src="https://www.npr.org/player/embed/361812463/361820868" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

ROBERT SIEGEL, HOST:

Somewhere around the world, someone is trying to breach the security system of a large company. These attempted intrusions happen all the time. Some experts say that to defeat the bad hackers, you've got to partner with good hackers. Recruit and reward the good ones for finding holes and bugs in software. So-called bug bounty programs are becoming the new normal in Silicon Valley's high-tech sector. But as NPR's Aarti Shahani reports, the financial industry is leery.

AARTI SHAHANI, BYLINE: At Yahoo's headquarters in Sunnyvale, California, dozens of people are listening to a panel of experts - security experts from Google, Twitter, Yahoo and PayPal explain why they're inviting hackers to attack their corporate networks.

DEAN TURNER: If you care about the product and you care about your customers - if you care about your customer's security, this is what you have to do.

SHAHANI: Dean Turner is director of security intelligence at PayPal. This last year alone, they invited thousands of hackers to attack them and payed about a thousand of them for confidentially reporting big security holes. These do-gooder hackers called white hats come from over 66 countries and all walks of life - teenagers, tech workers, unemployed geeks. Turner admits it's a tricky relationship.

TURNER: You have to be reasonable. You have to be fair. And you've got to be very clear about what your expectations are in terms of the exchange of information.

SHAHANI: PayPal expects these self-appointed researchers to only hack their own customer accounts - not others in the research process. The hackers, in turn, expect the price to be right - say a few hundred dollars for a small bug and tens of thousands for a big one.

TURNER: If you try to shortchange the researchers, you're going to find out pretty quickly that you're going to be in trouble.

SHAHANI: Sitting in the audience, Robert Auger asks about extortion. He's from the online file storage company, Box.

ROBERT AUGER: Have you bumped into situations where people have tried to get more money out of you than you agreed to?

SHAHANI: Turner responds matter-of-factly.

TURNER: Does it happen? Sure. Do you modify the rules? No.

SHAHANI: Paying outsiders to attack you was a radical idea just years ago. But the online world has grown so quickly and cyber attacks against consumers have been so aggressive, Silicon Valley has changed its mind. Yahoo Chief Security Officer Alex Stamos states the new conventional wisdom.

ALEX STAMOS: There's thousands or tens of thousands of people out there with the skill sets that could help us find these bugs and get them fixed faster. There's nothing lost by bringing them kind of into the fold and giving them an opportunity to participate.

SHAHANI: The biggest banks in the United States do not agree. NPR contacted a dozen financial institutions. Like high-tech firms, they're under constant attack. But only one of them, GE, says it has a method for outsiders - customers or researchers - to even report a security issue to them. Citibank and Wells Fargo say they do not discuss cyber security matters with the public. Stamos has heard this before.

STAMOS: For most companies, they don't want to ever talk about security unless it's an absolute emergency and they've had a breach. And I think that's a mistake .

SHAHANI: In a statement to NPR, the Financial Services Roundtable says the banks and insurers that are its members have not traditionally paid bug bounties. Such security programs are usually for technology companies that make software, like Microsoft. Stamos doesn't buy that statement.

STAMOS: Several of the large banks have more tech employees than we have employees overall. So hopefully they're able to adapt what we've done for themselves.

SHAHANI: A few Silicon Valley startups are trying to help banks and others adapt and pay bug bounties. Katie Moussouris, policy director for HackerOne, set up a program for prescreened hackers to attack and improve a specific products - say, a new online payment system. But just a handful of financial institutions signed up.

KATIE MOUSSOURIS: A lot of these organizations confuse having a clear way to report vulnerabilities to them with an open invitation to hack their systems. And those are two very different things.

SHAHANI: Moussouris says banks are missing an opportunity to protect their customers. Aarti Shahani, NPR News, San Francisco.

Copyright © 2014 NPR. All rights reserved. Visit our website terms of use and permissions pages at www.npr.org for further information.

NPR transcripts are created on a rush deadline by Verb8tm, Inc., an NPR contractor, and produced using a proprietary transcription process developed with NPR. This text may not be in its final form and may be updated or revised in the future. Accuracy and availability may vary. The authoritative record of NPR’s programming is the audio record.