Citi Bank Reveals Attack... One Month Late
An anonymous reader writes "Is account security a thing of the past? Quote: 'We're talking a fairly serious hack, too. The personal and account information of some 200,000 Citibank card holders in North America was breached, reports Reuters, including contact specifics like names and email addresses. The solitary bit of good news? Citibank claims far more sensitive info like social security numbers, birth dates, card expiry dates and CVV card security codes was not compromised.'"
Nothing here... So... SHOOO!!!
That's because they're going to wait a few weeks and admit that everything really was.
It should be criminal to employ this tactic, but we see it again and again. These companies have a responsibility to be good stewards of the information we have granted them. When they hide these breaches, they are not acting in good faith.
and if google wallet and its competitors are smart, they'll start with better security from the ground up, and use that as a selling point. consumer awareness of credit card insecurity is high
replacing all our credit cards with our cell phones is a natural evolution, regardless. but at this stage, in the beginning of the evolution, now is the time to address security robustly, before weaknesses get baked in
and for the lunatic paranoid fringe who thinks their own democratically elected government is an evil alien entity out to butt rape you: i said replace CREDIT CARDS, not replace cash
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Companies really need to start getting slapped with very large fines for stuff like this.
Being incompetent to actually protect the data of your clients doesn't mean you simply get to say "oops" and act like nothing happened.
Someone needs to start holding these companies accountable for stuff like this. You're a bank (albeit a sketchy, annoying one who keeps sending me offers for cards and a bunch of other crap I don't want) ... you're supposed to have a legal obligation to protect this information.
From the annoying telemarketing and other crap they send me in the mail, I already can't stand Citibank. An inability to actually protect data is just further proof of why I'd never actually deal with Citibank. They just don't give off the feel of actually being a reputable organization to me.
Don't take them seriously. Find a real bank to do business with.
Did it take them that long to figure out there was a breach? Infrequently reviewing logs instead of real-time monitoring, perhaps?
I have a feeling my account was one of the compromised.
They forced me to change my CC# for no reason, and no fraud was present that I was aware of or that they admitted to.
I have been getting a lot of 419 scams and Viagra emails lately. They seem to have started a month or so ago. Never got them before.
For forcing me to change my CC#, they lost a customer.
However, I have had zero unauthorized charges. So they may be telling the truth about the info compromised.
Hell, maybe it's time to embrace these types of breaches. The more frequently this happens and the greater population it impacts, the less accountable people will have to be. I mean, if everyone has every piece of your data that is used for anything that you do, then there will never be any way to reasonably affix responsibility to you.
On the other hand, they'll just solve it by finally cracking down and imposing some sort of draconian National ID stuff both on and offline and these activities will just serve as justification for finally sweeping the land with the new "solution".
Welcome to Shitty Bank! You want shitty bank account? How about shitty credit card? I can get you a shitty mortgage!
Oh god damn it! How come every time a hard working Chinese man starts a bank, some JAPANESE DOG open one right next door?!
The article title is "... One Month Late". I ask though: "late" by what standard? By what time, legally, does citibank need to disclose such a breach? Because that is, unfortunately, the only standard that they'd care about. And as long as the penalties for permitting this kind of breach and not disclosing it quickly are laughably small, then there really is no "late".
I raise this semantic quibble not to take potshots at the submitter and editors, nor to let citibank off the hook for such lax practices, but rather to reinforce the message that until regulations regarding these kinds of breaches are tightened and actually have some teeth to them, banks simply aren't going to change their practices. Remember: Citibank is a business whose job is to look after itself - not necessarily its customers. One would think that those interests would tend to align with the customers'. But since this kind of crap keeps happening, that clearly is not the case. While having 200,000 breached sounds like a big number, it's only 1% of citibank's total.
I'm sure the month was enough time for them to scrub the breach, such that it wouldn't look like SSNs and the like were compromised. If this were a physical breach of their building and they waited a month, we would know they were duplicitous. For some reason they think (and are probably right) that the public will believe them.
Simply put, physical breaches and digital breaches of security protocols (and data) should be treated the same. The law prosecutes criminals the same (though success of prosecution is largely varied due to evidence differences).
Did the systems that had the data stolen meet PCI compliance guidelines? If not, can I levy non-compliance fines on the bank for not following their own standards for protection of cardholder data?
Dropbox? If a company can conceal/lie about compromises of sensitive information, it can lie about its security.
People also forget that, as much as this sucks, it's worth it to not cause a panic too early when maybe they don't have all the details themselves. I would rather hear the solid facts in a calm manner a little later than a panicked "um, some of your information was stolen, we're still figuring out the scope of this..." on zero day.
It is time to hold banks civilly liable for behavior like this! Banks over the last decade have behaved recklessly and it is time for them to face the consequences.
find a good-sized but stressed bank and then just go ahead and BUY IT.
advantages for Google
1 no need to burn time/money on building the "stuff" needed for a bank
2 instant access to millions of new customers (have as part of the deal that the bank hosts email on google servers)
3 this would be a real established bank
advantages for the Bank
1 tens of millions new customers (they would logically be the default bank for GWallet)
2 point and click dibs on the GProfiles of everybody with a Google Account
3 "native" access to the google server farm network
My bank recently started doing the "security question" thing. Just think of the potential. "Was the name of your first childhood pet really Spotty '); DROP TABLE accounts;--?" "Oh yes, spotty tables we called him."
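The security-question lookup the post above jokes about, as an added example that is not code from the thread or from any bank: the same check written first with the answer pasted into the SQL text and then with a bound parameter, plus a registration path where the post's DROP TABLE payload actually lands. It runs against an in-memory SQLite database; the table, column names and the sample row are constructed for this demo.

```python
"""Added example (not from the thread): the 'security question' lookup the
post jokes about, once with the answer concatenated into the SQL and once
with a bound parameter. Runs against an in-memory SQLite database; the
table, column names and the sample row are constructed for this demo."""
import sqlite3


def make_db() -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE accounts (user TEXT PRIMARY KEY, pet_name TEXT)")
    db.execute("INSERT INTO accounts VALUES ('alice', 'Spotty')")  # constructed sample row
    db.commit()
    return db


def answer_ok_vulnerable(db, user: str, answer: str) -> bool:
    """Answer pasted into the query text: a quote in the answer rewrites the WHERE clause."""
    sql = "SELECT 1 FROM accounts WHERE user = '%s' AND pet_name = '%s'" % (user, answer)
    return db.execute(sql).fetchone() is not None


def answer_ok_safe(db, user: str, answer: str) -> bool:
    """Same lookup with placeholders: the driver sends the answer as data, never as SQL."""
    sql = "SELECT 1 FROM accounts WHERE user = ? AND pet_name = ?"
    return db.execute(sql, (user, answer)).fetchone() is not None


def set_answer_vulnerable(db, user: str, answer: str) -> None:
    """Registration path with the same bug. executescript() stands in for a driver
    that accepts stacked statements (sqlite3's execute() refuses them), so the
    post's '; DROP TABLE accounts;--' payload actually lands here."""
    db.executescript("UPDATE accounts SET pet_name = '%s' WHERE user = '%s';" % (answer, user))


def set_answer_safe(db, user: str, answer: str) -> None:
    """Registration path with a bound parameter: the payload is stored as a literal string."""
    db.execute("UPDATE accounts SET pet_name = ? WHERE user = ?", (answer, user))
    db.commit()


def table_exists(db, name: str) -> bool:
    row = db.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?", (name,)).fetchone()
    return row is not None


if __name__ == "__main__":
    db = make_db()
    bypass = "x' OR '1'='1"
    print("vulnerable, wrong answer + tautology:", answer_ok_vulnerable(db, "alice", bypass))  # True
    print("parameterized, same input:", answer_ok_safe(db, "alice", bypass))                     # False
    set_answer_safe(db, "alice", "Spotty'; DROP TABLE accounts;--")   # stored literally, harmless
    print("table still there:", table_exists(db, "accounts"))           # True
    set_answer_vulnerable(db, "alice", "Spotty'; DROP TABLE accounts;--")
    print("table still there:", table_exists(db, "accounts"))           # False
```

The tautology bypass works against the concatenated lookup with a single statement, so it shows up on every driver; whether a stacked `; DROP TABLE` payload runs depends on the driver and connection settings, which is why the example reaches for `executescript()` to model a permissive one. The parameterized versions behave identically regardless of what the answer contains.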
Can we as the public charge them a late fee? They certainly have a lot of them from me that I'd like to get back! :)
Um, of COURSE CVV data wasn't compromised... What nimrod would store CVV in the same system as PAN? (That's Primary Account Number, for those of you who don't play with credit card data enough to stop using 'card number' as the term).
In fact, just stating that CVV wasn't compromised bugs me. That should NEVER be exposed to anything that returns data. Heres how it should work:
1. Merchant swipes your card into terminal (or keys it into whatever).
2. Merchant reads and enters your CVV (or CVC or CVV2 or CID) into whatever.
3. Authorization request is sent to the processor.
4. Processor compares PAN and CVV to their records.
5. Processor makes a decision.
6. Processor responds to request.
7. Merchant's system discards CVV if it didn't already.
The CVV may not be saved by the merchant per PCI specs, and also per every processor spec that I'm aware of. If someone is able to get and match CVV etc with PAN, they do it by either intercepting authorization data or reaching in and compromising processor and/or issuer databases that should not be connected to any external network. These should only be accessible by the 'inside' or secure side of trusted platforms, never externally.
So you should hear of CVV-type data being disclosed only by terminals or POS software being compromised, or by someone carrying the data out of a building.
And that Citi actually said this worries me just a little. Like hearing your 3rd grader's teacher telling you they always wear a condom to work. Um, why? that should NEVER be an issue, sirs.
Of course, Citi might just be covering their bases, claiming that no other data, even the stuff that should not even be connected, was taken. Again, doing it wrong, guys.
ps - as an aside, there is a good chance that up to 30% of all cards in use have been compromised somehow, and no one bothers to replace them. Too expensive, they will run out of numbers faster than IPv4, and they handle the ongoing threat of fraud with existing fraud systems. No problem. Well, not much of a problem. I bet Citi doesn't even bother to replace these cards.
Second aside, while waiting a month sounds bad, perhaps Citi was gathering history and understanding how these details would be used, to both crack the fraud rings and maybe connect them to the infiltrators. This will happen more and more as the banks especially decide to fight back and make an effort to find the perps of the intrusions. And about time.
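The seven-step authorization flow in the post above, as an added example that is not code from the thread or from any processor: a toy merchant checkout that sends the CVV2 with the authorization request, keeps a transaction record holding neither the CVV2 nor the full PAN, and an audit helper that flags records which kept sensitive authentication data. The processor stub, its issuer records, the field names and the masking rule are invented for this illustration.

```python
"""Added example, not code from the thread or from any processor: a toy
merchant checkout that sends the CVV2 with the authorization request and
keeps a transaction record that holds neither the CVV2 nor the full PAN.
processor_authorize, ISSUER_RECORDS and the field names are invented here."""
import hmac
from typing import Dict, List

# Constructed issuer-side records for the toy processor: PAN -> CVV2 on file.
# Real issuers verify CVV2 cryptographically inside an HSM; this dict is a stand-in.
ISSUER_RECORDS: Dict[str, str] = {
    "4111111111111111": "123",
    "5555555555554444": "456",
}

SAD_FIELDS = {"cvv", "cvv2", "cvc", "cid", "track_data", "pin_block"}  # sensitive authentication data


def processor_authorize(pan: str, cvv: str, amount_cents: int) -> dict:
    """Steps 4-6: compare PAN + CVV2 with records, decide, respond.
    The response carries a decision and an auth code; it never echoes the CVV2."""
    on_file = ISSUER_RECORDS.get(pan)
    if on_file is None or not hmac.compare_digest(on_file, cvv):
        return {"approved": False, "response_code": "05"}   # generic decline
    if amount_cents > 500_000:
        return {"approved": False, "response_code": "51"}   # over limit
    return {"approved": True, "response_code": "00", "auth_code": "A1B2C3"}


def mask_pan(pan: str) -> str:
    """Keep first six and last four digits only (the display form PCI DSS allows)."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def naive_checkout(pan: str, cvv: str, amount_cents: int, store: List[dict]) -> bool:
    """The wrong way: the whole request, CVV2 and full PAN included, is written to storage."""
    request = {"pan": pan, "cvv": cvv, "amount_cents": amount_cents}
    resp = processor_authorize(**request)
    store.append({**request, **resp})
    return resp["approved"]


def compliant_checkout(pan: str, cvv: str, amount_cents: int, store: List[dict]) -> bool:
    """Steps 1-3 and 7: CVV2 goes into the auth request only; the stored record keeps
    the masked PAN and the processor's answer, and the CVV2 is dropped with the frame."""
    resp = processor_authorize(pan, cvv, amount_cents)
    store.append({
        "pan_masked": mask_pan(pan),
        "amount_cents": amount_cents,
        "approved": resp["approved"],
        "auth_code": resp.get("auth_code"),
    })
    return resp["approved"]


def stored_sad_violations(store: List[dict]) -> List[int]:
    """Audit helper: indices of records that retain sensitive authentication data
    or an unmasked PAN after authorization."""
    bad = []
    for i, rec in enumerate(store):
        keys = {k.lower() for k in rec}
        pan = str(rec.get("pan", ""))
        if keys & SAD_FIELDS or (pan.isdigit() and len(pan) >= 13):
            bad.append(i)
    return bad


if __name__ == "__main__":
    good, bad = [], []
    compliant_checkout("4111111111111111", "123", 1999, good)
    naive_checkout("4111111111111111", "123", 1999, bad)
    print("compliant store violations:", stored_sad_violations(good))  # []
    print("naive store violations:", stored_sad_violations(bad))       # [0]
```

The audit helper is the kind of check a practitioner would run over a merchant's transaction table or application logs after a compromise: any row that still carries a CVV-type field or a full PAN is exactly the data the post says should only ever leak from a terminal, POS software or the processor's inside network.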
If we want to get the attention of the banks, the fine for compromised credit card accounts should be equal 10% of the credit limit for the cardholder. So if my card has a $10,000 limit and my personal information is compromised, I get a *CHECK* from Citi in the amount of $1,000, not a credit to my account I get real money.
This way all banks now start to take things very seriously, and I'm sure we'll see appropriate security measures start to be used.
If the average credit limit for the 200,000 users who had their accounts compromised was $7,500 Citi would be faced with a fine of $150M paid to the victims.
In America? Where those same companies own the regulators? Unlikely. Token fines perhaps... someday.
They log every access. It's not hard to implement, and many systems do it by default.
I have a Citi card and found out about this (though not the scale of it) a few days ago when I received a letter with a new card saying my data had been compromised. The irony of this is that while I stopped using the physical card a few years ago, I've kept my Citi account open solely for purpose of using their Virtual Account Numbers service. I've been going through all this extra trouble to protect myself using disposable card numbers only to have the "real" account number compromised at the source.
My story about the matter here.
My only question now is whether I close my account to send them a message, yet at the loss of a useful service which may protect me elsewhere online. Fortunately, I do have a Discover card which also has a virtual account number service, but Discover isn't always accepted where Visa and MasterCard are.
My sister was affected by this a few weeks ago, and I wondered that there was nothing on the news about it at the time.
She got a call saying that her account might have been compromised, and that a new card was on the way. Early on the day after she received the replacement card, and before she had even activated it, there was another call telling her that the new account number had already been used to make several purchases.
Clearly this was a serious breach that continued over at least several days, and was not the fault of a merchant, as they tried to claim.
"Is account security a thing of the past?"
Well, back in the early 90s, Citibank sent a bunch of 3.5" floppies to our school for students to use. Those floppies all had account information and spreadsheets on them. My job was to format them for use by the kids. Since I didn't relish the thought of formatting 50 of these fuckers on one computer, I just brought in a box of blank disks of my own the next day and kept the ShitiBank ones, formatting them for my own use as needed. Shiti is extremely lucky I had no plans to use the information for personal gain, but really, they had absolutely zero way to verify where those disks ended up.
So to answer your question, I don't think account security has ever realistically been on Citibank's mind.
On one hand we have the constant news of yet another security breach where an unknown amount of data is stolen, the time lapse of the disclosure, and another breach breaking the news later the same day. On the other hand we have every financial company up-selling a service they've rolled out to monitor credit scores, credit inquiries, and social security numbers. At what point are people going to clasp those hands together and just stop caring? Between social networking sites and the new lack of financial / gaming network security, most of “you” is digitized and already out there. Are these breaches just becoming another marginalized city hazard like jaywalking on a boulevard?
Because it's "all about share price" kids & "market capitalization" (ENRON ideals are EVERYWHERE)!
I.E. -> Sure, they hide it so the share price doesn't drop & everyone doesn't "dump" them like a hot potato... all the while? They're selling THEIR shares @ phenomenal rates before they drop to rock-bottom penny stock crap levels!
(Don't try to even BEGIN to tell me that doesn't happen guys... too many of these crooks of this "ilk" have been caught @ it!)
This is why I dislike the stock market, and boards of directors... private ownership, companies like Ford or MS!
(Where, last I knew of @ least, the owners/founders/families that started them STILL retain majority stock %-ages? They actually GIVE A DAMN because they still own it, and have their names/reps tied up into it as well as pride of ownership, rather than just "shares of stock" b.s.).
P.S.=> The world's "F'd-UP", & imo @ least? The stockmarket's the ROOT of it all (because as we all know, money makes people do "phunny things", doesn't it??)
Where is the hate for them because they got hacked like you had for sony?
Citi bank, foreign governments, HBGary, MasterCard, PayPal, Square Enix all get hacked and you don't get upset? But when Sony gets hacked you all act like idiots and want to complain about them and take any chance you can to put them down.
Maybe your idea would work for cell phone addicts, those who can't be without one.
As for me, I can't conveniently carry a cellphone in my wallet (too large and fragile), I don't want to pay a monthly fee for one just to use it as plastic, and Murphy's Law says that the battery would run out just as I had to pay my bill at a restaurant feeding a few tables of attendees of a State Police convention.
Has any publicly-traded company had their stock downgraded by stock analysts? Dropping from an AA rating to a B because you kept sensitive data on a digital equivalent of a post-it note would get their attention far more than any 'cost of doing business' fine by the Federales.
How about Sony? They stored everything including the CVV2 code in a single plain text file despite the fact that they are not supposed to store the CVV2 code at all. Not surprisingly, Visa hasn't done anything about it, despite the fact that Sony violated every PCI rule in the book.
This will become more and more common place. Banks, healthcare, government. It's all ripe for the taking.
People are bored, talented, out of work, and/or simply don't care anymore.
When talented people are no longer interested in money as the endgame, destruction and lulz gets rolling.
Next up, groups competing for the most destruction and lulz with government, corporations, and the end user in the cross hairs.
Following that, users are no longer surprised or upset when their personal information and data is compromised.
One month ago my brand new Citibank card which was never used (only activated the week or so before and kept at home) started having fraud charges. I don't think there is any coincidence here.
I cancelled my account as they could not (or would not) explain this behavior.
I suspect Citi is not telling the full truth, or that they are not aware of the full truth.
We need a two-channel authorization method now. Many Dutch banks have this feature. Watch the demo here.
Basically someone would have to have your account info and your cell phone. For computer-based transactions a TAN + payee and charge amount can be sent to your phone to verify, and then you enter the TAN code into the computer to verify it is legit. This could even be done at PoS terminals. The other option would be an automated voice system which would call and tell you the payee, charge amount, and then you can OK the charge (perhaps after entering a PIN, so even if someone had your card and phone they'd still have to know your PIN).
We're still in the dark ages when it comes to verifying credit card charges and bank transfers.
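The two-channel TAN flow described in the post above, as an added example that is not code from the thread or from any bank's product: the bank derives the code from a one-time challenge plus the payee and amount, delivers it together with those details over a second channel (a simulated SMS here), and will only execute the transaction whose details the code was computed for. The class, method names, the per-customer key and the message format are all invented for this demo.

```python
"""Added example, not from the thread or from any bank's product: a TAN that
is bound to the transaction it authorizes. The bank computes the code over a
one-time challenge, payee and amount, delivers it with the same payee and
amount over a second channel (a simulated SMS here), and only executes the
transaction whose details the code was computed for. Class, method names,
the per-customer key and the message format are all invented for this demo."""
import hashlib
import hmac
import secrets

TAN_DIGITS = 6
TAN_TTL_SECONDS = 120


class Bank:
    def __init__(self):
        self.keys = {}        # customer -> HMAC key held bank-side (constructed; a real bank keeps it in an HSM)
        self.pending = {}     # challenge id -> (customer, payee, amount_cents, issued_at)
        self.sms_outbox = []  # simulated second channel: (customer, message text)
        self.executed = []    # (customer, payee, amount_cents) transfers actually carried out

    def enroll(self, customer: str) -> None:
        self.keys[customer] = secrets.token_bytes(32)

    def _tan(self, customer: str, challenge: str, payee: str, amount_cents: int) -> str:
        # Every detail that matters goes into the MAC; alter any of them and the code no longer verifies.
        msg = f"{challenge}|{payee}|{amount_cents}".encode()
        mac = hmac.new(self.keys[customer], msg, hashlib.sha256).digest()
        return str(int.from_bytes(mac[:4], "big") % 10 ** TAN_DIGITS).zfill(TAN_DIGITS)

    def start_transfer(self, customer: str, payee: str, amount_cents: int, now: float) -> str:
        """Channel 1 (web/app): the customer submits a transfer. The bank records a
        challenge and pushes the TAN, with the payee and amount it will execute, to the phone."""
        challenge = secrets.token_hex(8)
        self.pending[challenge] = (customer, payee, amount_cents, now)
        tan = self._tan(customer, challenge, payee, amount_cents)
        self.sms_outbox.append((customer, f"Pay {amount_cents / 100:.2f} to {payee}? TAN {tan}"))
        return challenge

    def confirm_transfer(self, challenge: str, tan_entered: str, payee: str, amount_cents: int, now: float) -> bool:
        """Channel 1 again: the typed TAN must match a live challenge AND the payee/amount
        submitted now. Replays, expired codes and a transfer whose details changed after
        the SMS went out are all rejected."""
        entry = self.pending.pop(challenge, None)   # single use, whether or not it verifies
        if entry is None:
            return False
        customer, expected_payee, expected_amount, issued_at = entry
        if now - issued_at > TAN_TTL_SECONDS:
            return False
        if (payee, amount_cents) != (expected_payee, expected_amount):
            return False
        expected_tan = self._tan(customer, challenge, payee, amount_cents)
        if not hmac.compare_digest(expected_tan, tan_entered):
            return False
        self.executed.append((customer, payee, amount_cents))
        return True


def tan_from_sms(bank: Bank, customer: str) -> str:
    """What the customer reads off the phone: the code in the last message sent to them."""
    text = [m for c, m in bank.sms_outbox if c == customer][-1]
    return text.rsplit("TAN ", 1)[1]


if __name__ == "__main__":
    bank = Bank()
    bank.enroll("alice")
    ch = bank.start_transfer("alice", "bob", 5000, now=1000.0)
    tan = tan_from_sms(bank, "alice")
    print(bank.confirm_transfer(ch, tan, "bob", 5000, now=1005.0))      # True
    print(bank.confirm_transfer(ch, tan, "bob", 5000, now=1006.0))      # False: replay
    ch = bank.start_transfer("alice", "bob", 5000, now=2000.0)
    tan = tan_from_sms(bank, "alice")
    # Malware on the PC swaps the payee after the phone showed "bob": rejected.
    print(bank.confirm_transfer(ch, tan, "mallory", 5000, now=2005.0))  # False
```

The first line of defence is the human one the post describes: the phone shows the payee and amount, so a transfer that malware rewrote before it reached the bank shows the wrong payee and the customer simply does not type the code. The binding and single-use checks in `confirm_transfer` cover the rest: a TAN captured from the phone or the browser authorizes exactly one transfer with exactly those details, and nothing else.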