Hacker News

Anybody wondering how long it will take for Bitcoin to gain enough respectability for the FBI or Secret Service to get involved after hacks like this? If the same amount of money was stolen from a normal bank, it'd likely be covered by every news outlet.


Banks losing $1 million to hackers are not exactly science fiction. Typical outcomes include authorities not catching the thief, insurance paying out or the bank self-insuring, reiterating NDAs to employees who became aware of the theft, and absolutely no media coverage.

[Edit to add: For avoidance of ambiguity, I'm really, really, REALLY not suggesting that "Since banks are equally insecure, bitcoins are a great idea." Of greatest interest to HN readers, if your bank has a security fumble and your account is debited $25,000 as a result of this, you will almost certainly be reimbursed for every penny of that post-haste.]


> I'm really, really, REALLY not suggesting that "Since banks are equally insecure

That's just as well, because otherwise I'd have to mock you. Banks are not equally insecure. I work for one, and we typically spend 10-20% of the cost of development for apps on security reviews and testing, and not from numptys from accounting firms, but actual, well-known, well-respected white hats who review our designs and run hacks against us.

We aren't perfect, of course. But these monkeys are barely on the same planet, never mind in the ballpark.


Serious question, not trying to be rude.

If banks are full of competent programmers, why are their customer-facing online banking websites so utterly, utterly terrible?


I suspect this is because, every time there is competition between innovative features that are nice for users, and ensuring security/limiting exposure and attack surface, the latter concern wins with little discussion.

What I mean is, if they implement a new whiz-bang feature, the best case is that people complain a bit less. But if their new feature opens up an attack vector or social engineering opportunity, they may suffer serious financial loss and very bad press.


I'm not asking for whizz-bang features, just a lack of the busy, overengineered sort we tend to see.

Heck, First Direct is one of the better banks in this country, but their website popups deliberately hide browser chrome including the address bar, which is just obviously terrible for security. But that's something that must have been deliberately added.


I have had poo-flinging contests (in banking) with external "security experts" (i.e. grads with a 3 ring binder from accountancy firms) who think ripping out the chrome is a todo on the required security checklist.


Programmers don't decide the UX. And any decent-sized bank will be pulled in different directions by:

1. The standard "enterprise problems": strategic partnerships dictating toolsets and so on.

2. The standard "big company problems": many business units acting as fiefdoms who will be arguing over how much real estate they need on customer-facing channels.

3. Tensions between customers who are scared of "money" and "online" and want everything locked down vs customers who want the latest whizz-bang everything.

4. Regulations.

5. Customers spanning a range from high-value rural farmers with vast sums of agribusiness who are stranded on dialup (yes, they exist), customers who do their banking on whatever their work PC is (XP and IE6 is still a thing - our biggest surge of the day is the 9 am rush when people log in from work to do their banking), through to customers who want the latest and greatest HTML5 webbery.

Saying, "fuck it we only support WebKit and high speed internet" is not really an option.



Usually because they have to support IE6


The BBC, Ars Technica, and others covered a theft one year ago of about one-quarter this much value (when converted to USD at the time). And the FBI was involved (not that they recovered the funds or anything): http://www.bbc.co.uk/news/technology-19633980


Not sure about that. Also, I read somewhere that the going rate of solving bank robberies is around 75-80% and many robbers are only caught because a) they do something stupid like not wear a mask or do anything to conceal their identity, or b) they continue robbing banks until they're caught.

Considering hacks like this take time and a fairly high level of sophistication, not sure the FBI would want to employ the amount of long term resources needed to hunt these guys down.


The inputs.io hack required zero sophistication. Did you read TradeFortress' explanation? The hacker merely used the password reset feature on an email account, and then reset the Linode Manager password from the email.
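The chain described in this comment (an email reset on its own being enough to reset a hosting console password) is a failure of the reset flow, not of the attacker's skill. As an added example, and not code from inputs.io, Linode, or anyone in this thread, the following Python sketch shows the controls a password reset endpoint needs so that possession of the recovery mailbox alone does not hand over the account: tokens are random, stored only as hashes, short-lived, single-use, bound to the account they were issued for, and redeemable only after a second factor has been presented. All names (`ResetService`, `issue`, `redeem`, the sample accounts) are assumptions made for the example.

```python
"""Hardened password-reset flow (illustrative example, not any real service's code)."""
import hashlib
import hmac
import secrets
import time

# Reset links should die quickly; 15 minutes is an assumed policy value.
TOKEN_TTL_SECONDS = 15 * 60


class ResetRequest:
    """One outstanding reset token. Only the hash of the token is stored."""

    def __init__(self, token_hash, account, expires_at):
        self.token_hash = token_hash
        self.account = account
        self.expires_at = expires_at
        self.used = False


class ResetService:
    """Issues and redeems reset tokens; `now` is injectable so expiry can be tested."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # token hash -> ResetRequest
        self.audit_log = []  # (event, account, reason) tuples for the defender

    @staticmethod
    def _hash(token):
        # Store a digest, so a leaked database does not yield usable reset links.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, account):
        """Mint a fresh, unguessable token bound to `account` and return it (it is emailed)."""
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        req = ResetRequest(self._hash(token), account, self._now() + TOKEN_TTL_SECONDS)
        self._pending[req.token_hash] = req
        self.audit_log.append(("issued", account, ""))
        return token

    def redeem(self, token, account, second_factor_ok):
        """Return (accepted, reason). Every rejection is logged for detection."""
        req = self._pending.get(self._hash(token))
        reason = None
        if req is None:
            reason = "unknown token"
        elif req.used:
            reason = "token already used"
        elif self._now() > req.expires_at:
            reason = "token expired"
        elif not hmac.compare_digest(req.account, account):
            reason = "token not issued for this account"
        elif not second_factor_ok:
            # The key control: an email link alone must never be sufficient.
            reason = "second factor required"

        if reason is not None:
            self.audit_log.append(("rejected", account, reason))
            return False, reason

        req.used = True  # single use: a replayed link fails from here on
        self.audit_log.append(("reset", account, ""))
        return True, "ok"


if __name__ == "__main__":
    svc = ResetService()
    link = svc.issue("alice@example.test")  # constructed sample account
    print(svc.redeem(link, "alice@example.test", second_factor_ok=False))
    print(svc.redeem(link, "alice@example.test", second_factor_ok=True))
    print(svc.redeem(link, "alice@example.test", second_factor_ok=True))
```

The order of checks matters only for the audit trail: a burst of "unknown token" or "second factor required" rejections against one account is exactly the signal an operator would want alerted on, which is why every rejection is written to `audit_log` rather than silently dropped.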


They had to get access to the email account first though; I thought it was a Google mail account with 2FA [can't be bothered checking back].


I don't think it is the FBI a BitCoin thief needs to fear.

That said, it is fascinating to watch people getting caught out when they have a "few dollars" in BitCoin and now it's "a few hundred thousand dollars"; suddenly the security requirements change dramatically. One would hope that would-be bitcoin wallet holders are taking notes and things like daily security audits are the new normal.



