Judging by the media headlines, it's a golden age for bank robberies. The names of criminal gangs are often known to every security specialist, and some of these thieves have made off with millions on multiple occasions. High payoffs and the relatively low risk of detection are inspiring criminals to "go online." Some groups break up or are caught by law enforcement, but newer groups pop up with more sophisticated attack techniques and take their place. Criminals quickly adapt to the changing environment; they constantly monitor newly published vulnerabilities and manage to exploit them much faster than bank security services are able to install updates. So what is the actual situation with IT security at banks? How do hackers bypass their security systems? What are the security flaws that allow hackers to entrench themselves in bank infrastructure and commit fraud, remaining unnoticed up to the very last moment? This reporting draws upon security analysis of information systems performed by Positive Technologies for specific banks for the past three years.