Banks Reluctant To Use 'White Hat' Hackers To Spot Security Flaws

Enlarge this image toggle caption Salvatore Di Nolfi/EPA/Landov Salvatore Di Nolfi/EPA/Landov

Somewhere around the world, someone is trying to breach the security system of a large company. These attempted intrusions happen all the time.

Some experts say that to defeat the bad hackers, you've got to partner with the good ones. Recruit them to find holes and bugs in software and, when they do, pay them for it.

So-called bug bounty programs are becoming the new normal in Silicon Valley's high-tech sector. But another heavily hacked sector — the financial industry — isn't biting on the idea.

Risky Business?

At Yahoo's headquarters in Sunnyvale, Calif., dozens of people are listening to security experts from Google, Twitter, Yahoo and PayPal explain why they're inviting hackers to attack their corporate networks.

"If you care about the product [and] you care about your customers, you care about your customers' security — this is what you have to do," says Dean Turner, director of security intelligence at PayPal.

The online world is full of risk — and that risk is not going away. PayPal has responded by calling out to hackers with an open invite. This past year alone, the company says it has paid about 1,000 of them for confidentially reporting big security holes. These do-gooder hackers, called "white hats," come from over 66 countries and all walks of life — teenagers, tech workers, unemployed geeks.

Turner admits it's a tricky relationship. "You have to be reasonable," he says. "You have to be fair and you've got to be very clear about what your expectations are in terms of the exchange of information."

Like other tech companies, PayPal expects these self-appointed researchers to only hack their own personal customer accounts — not others — in the research process.

The hackers in turn expect the price to be right — say a few hundred dollars for a small bug, and tens of thousands for a big one. This isn't charity work, and they can always sell their findings to the black market.

"If you try to shortchange the researchers," Turner warns, "you're going to find out pretty quickly that you're going to be in trouble."

Sitting in the audience, Robert Auger, from the online file storage company Box, wonders about extortion. "Have you bumped into situations where people have tried to get more money out of you than you agreed to?" he asks.

Turner responds matter-of-factly. "Does it happen? Sure. Do you modify the rules? No."

New Conventional Wisdom

Paying outsiders to attack you was a radical idea just years ago. But the online world has grown so quickly and the cyberattacks against consumers have been so aggressive, Silicon Valley has changed its mind.

"There's thousands or tens of thousands of people out there with the skill sets that could help us find these bugs and get them fixed faster," Yahoo Chief Security Officer Alex Stamos says. "And there's nothing lost by bringing them kind of into the fold and giving them an opportunity to participate."

The biggest banks in the United States do not agree.

NPR contacted a dozen financial institutions. Like high-tech firms, they're under constant attack. But only one of them, GE, says it has a method for outsiders (customers or researchers) to report a security issue to the company. Citibank and Wells Fargo declined to even state whether they have such a method because, they explain, they don't discuss cybersecurity matters with the public.

Stamos has heard this before. "For most companies, they don't want to ever talk about security unless it's an absolute emergency and they've had a breach," he says. "And I think that's a mistake."

In a statement to NPR, the Financial Services Roundtable says the banks and insurers that are its member have not "traditionally" paid bug bounties. Such security programs are "usually" for technology companies that make software, like Microsoft, the group says.

Stamos doesn't buy that statement.

"Several of the large banks have more tech employees than we have employees overall," he says. "So hopefully they're able to adapt what we've done for themselves."

New Programs Court Banks

A few Silicon Valley startups are trying to help banks and companies outside the high-tech sector adapt systems to disclose vulnerabilities and pay bug bounties.

Katie Moussouris, policy director for HackerOne, set up a program for pre-screened hackers to attack (and improve) specific products — say a new online payments system. But just a handful of financial institutions signed up.

"A lot of these organizations confuse having a clear way to report vulnerabilities to them with an open invitation to hack their systems," she says. "And those are two very different things."

Moussouris says banks are missing an opportunity to protect their customers.