Why don't banks get hacked?

I think it's fair to say that the idea that any large organisation is entirely impervious to attack has been proven false over the last five years or so. Everyone from nation states through large corporations, security consultancies and other security-minded companies has had breaches.

One reason that a bank hasn't been thrown into "complete chaos" as you put it is likely down to a combination of the security measures they have in place to react to attacks, the size and complexity of their systems and the motivations of people who have the resources to effectively attack them.

If you think about people who are most motivated to attack banking systems, it's criminals who want to steal money from them. From their perspective there's no reason to cause chaos; they want to get in, steal things and get away without being noticed, if possible.


To turn a quick profit, it is easier to go after end users. This is why there are so many phishing attacks and password-stealing Trojans.

Banks' internet-facing operations tend to be well secured. The internal office environments less so, although they tend to have good AV. This stops casual Metasploit users, although an advanced attacker with zero-day exploits could readily compromise an internal workstation through the browser, and proceed to a major attack.

I expect at the moment both the NSA and Chinese have large-scale hacks at many banks around the world. But they wouldn't be so crass as to just wipe the bank. It's far more valuable to quietly sit and harvest data. If they did decide to wipe the bank, there would be backups, but it would be incredibly hard to resume day-to-day operations - you're looking at weeks even with crack teams of contractors on it. The bank would be commercially destroyed.

I read that during the 2nd Gulf War the US could have done this to Iraqi banks, but they made a strategic decision not to.

It's a scary world out there :)


When one secures a box, he puts in place several layers of defense so that, should some "hacker" defeat one protection, the immediate consequences will be limited, and by the time he defeats the following protection layers his action will hopefully be detected and neutralized.

This is for a simple box. Now with a bank, which is one of the largest international institutions and a main body of the financial system, you just multiply these layers at the whole-company level, restrict to the minimum the interaction within them, and for each interaction define very strict procedures requiring that the more potential impact the interaction has, the more people must be involved (in such domains the four-eyes principle is widely applied).

By widely distributing the responsibilities and the data, you distribute the power, so when a part of the bank gets hacked (or if an employee turns against the system) it provides very little power, so a few backup restorations and access cancellations would most likely annihilate the damage.

However, no system can ever be taken as 100% safe, and that's why what you describe just happens from time to time. For instance, here in France, just a few years ago a trader defeated these protections and caused a loss of 4.9 billion dollars to his bank (see Jérôme Kerviel; it is interesting to note that the most critical danger is not external hackers, as one may think, but internal employees...), and yes, as you said, it was a "gigantic chaos".

So, to answer your question, banks actually do get hacked, like any other information system, but hopefully due to their size this does not happen very often.
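
The four-eyes rule from the last answer (the more impact an action has, the more people must be involved) can be written as an authorization check. This is an added example, not part of the original answers; the tier thresholds, the `Transfer` type and the employee names in the usage are assumptions made up for illustration.

```python
from dataclasses import dataclass, field

# Constructed policy: (minimum amount, distinct approvers required), highest
# tier first. The thresholds are assumptions, not any bank's real limits.
APPROVAL_TIERS = [(1_000_000, 3), (10_000, 2), (0, 1)]


@dataclass
class Transfer:
    initiator: str
    amount: int
    approvals: set = field(default_factory=set)


def required_approvers(amount):
    """More potential impact means more people must sign off."""
    for threshold, count in APPROVAL_TIERS:
        if amount >= threshold:
            return count
    raise ValueError("amount must be non-negative")


def approve(transfer, employee, revoked=frozenset()):
    """Record an approval, enforcing separation of duties."""
    if employee == transfer.initiator:
        raise PermissionError("initiator cannot approve their own transfer")
    if employee in revoked:
        raise PermissionError("access for this account has been cancelled")
    transfer.approvals.add(employee)  # a set, so repeat approvals count once


def can_execute(transfer, revoked=frozenset()):
    """True only when enough distinct, still-valid approvers have signed off."""
    valid = transfer.approvals - {transfer.initiator} - set(revoked)
    return len(valid) >= required_approvers(transfer.amount)
```

Because `can_execute` re-checks the revocation list at execution time, cancelling one compromised account's access also invalidates approvals it already gave, so a single hacked or rogue account never carries enough power to move money alone.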