When asked why he always went after banks, the famed Depression-era robber Willie Sutton once explained that he picked them because "that's where the money is."

Nowadays, with more banking transactions performed over electronic networks than teller windows, a federal agency believes the same logic might appeal to cyberterrorists.

In a report released this week on "Efforts of the Financial Services Sector to Assess Cyber Threats," the U.S. General Accounting Office concluded that entities handling monetary transactions face a particularly high risk of attack by criminals or terrorist organizations.

The GAO, the investigative arm of Congress, included financial services in a list of industries that provide so-called "critical infrastructure," such as telecommunications or electrical power.

In the case of financial services, the GAO found that "the potential for monetary gains and economic disruptions may increase its attractiveness as a target."

In the online context, however, Sutton's logic plays out on a bigger scale. As of mid-2002, the report estimates, financial services providers in the United States, including commercial banks, insurance companies, mutual funds, pension funds and securities brokers, among others, held more than $23.5 trillion in assets.

Increasingly, assets are changing hands over computer networks, for purposes ranging from Internet banking to electronic stock trading to the backend operations required for settling transactions. But the growth of these services, the GAO found, "has also increased the degree of access to the systems used to support these services." As access grows, so does the risk of criminal intrusions.

The GAO's concerns dovetail findings in a biannual report on Internet security threats published by Symantec in February. The security firm found that the overall volume of cyberattacks in the second half of 2002 declined by about 6 percent from the first half of the year. Symantec said it was the first time it had recorded such a decline.

But while overall cyberattacks were down, the financial services industry was not spared. According to Symantec, the financial services industry "experienced a sharp rise in attack volume and relative attack severity."

Vincent Weafer, director of Symantec Security Response, said some of the rise in reported attacks can be attributed to the usual suspects: cybercriminals on the prowl for credit card numbers and bank account records. Weafer said that banks are better at detecting intrusion attempts, so more attacks are being counted.

Like the GAO, however, Weafer sees online banking and other applications in which customers access financial institutions from their personal computers as particularly risky.

"Where we really need to focus attention is on the home users," he said. "They're being used by criminals as launch pads to attack critical infrastructure."

But while cyberattack risks remain high for financial services firms, the GAO acknowledged that a number of industry groups and regulatory agencies are actively working to boost security.

Private-sector efforts include a plan by the Securities Industry Association for a virtual command center that will be activated when a significant disaster occurs. Another group, the Financial Services Technology Consortium, developed a database through which financial institutions could find space to get their operations back up and running in the event of a disaster.

Meanwhile, federal regulators, such as the Federal Reserve and the Securities and Exchange Commission, are increasing scrutiny of information security risks among the financial institutions they oversee.