Citi Bank Reveals Attack... One Month Late
An anonymous reader writes "Is account security a thing of the past? Quote: 'We're talking a fairly serious hack, too. The personal and account information of some 200,000 Citibank card holders in North America was breached, reports Reuters, including contact specifics like names and email addresses. The solitary bit of good news? Citibank claims far more sensitive info like social security numbers, birth dates, card expiry dates and CVV card security codes was not compromised.'"
Nothing here... So... SHOOO!!!
That's because they're going to wait a few weeks and admit that everything really was.
It should be criminal to employ this tactic, but we see it again and again. These companies have a responsibility to be good stewards of the information we have granted them. When they hide these breaches, they are not acting in good faith.
and if google wallet and its competitors are smart, they'll start with better security from the ground up, and use that as a selling point. consumer awareness of credit card insecurity is high
replacing all our credit cards with our cell phones is a natural evolution, regardless. but at this stage, in the beginning of the evolution, now is the time to address security robustly, before weaknesses get baked in
and for the lunatic paranoid fringe who thinks their own democratically elected government is an evil alien entity out to butt rape you: i said replace CREDIT CARDS, not replace cash
intellectual property law is philosophically incoherent. it is your moral duty to ignore it or sabotage it
Companies really need to start getting slapped with very large fines for stuff like this.
Being incompetent to actually protect the data of your clients doesn't mean you simply get to say "oops" and act like nothing happened.
Someone needs to start holding these companies accountable for stuff like this. You're a bank (albeit a sketchy, annoying one who keeps sending me offers for cards and a bunch of other crap I don't want) ... you're supposed to have a legal obligation to protect this information.
From the annoying telemarketing and other crap they send me in the mail, I already can't stand Citibank. An inability to actually protect data is just further proof of why I'd never actually deal with Citibank. They just don't give off the feel of actually being a reputable organization to me.
Lost at C:>. Found at C.
Don't take them seriously. Find a real bank to do business with.
Welcome to Shitty Bank! You want shitty bank account? How about shitty credit card? I can get you a shitty mortgage!
Oh god damn it! How come every time a hard working Chinese man starts a bank, some JAPANESE DOG open one right next door?!
I'm trying to teach myself to set people on fire with my mind... Is it hot in here?
Did the systems that had the data stolen meet PCI compliance guidelines? If not, can I levy non-compliance fines on the bank for not following their own standards for protection of cardholder data?
find a good sized but stressed bank and then just go ahead and BUY IT.
Advantages for Google:
1. No need to burn time/money on building the "stuff" needed for a bank.
2. Instant access to millions of new customers (have as part of the deal that the bank hosts email on Google servers).
3. This would be a real established bank.
Advantages for the bank:
1. Tens of millions of new customers (they would logically be the default bank for GWallet).
2. Point-and-click dibs on the GProfiles of everybody with a Google Account.
3. "Native" access to the Google server farm network.
Any person using FTFY or editing my postings agrees to a US$50.00 charge
My bank recently started doing the "security question" thing. Just think of the potential. "Was the name of your first childhood pet really Spotty '); DROP TABLE accounts;--?" "Oh yes, spotty tables we called him."
Visit http://ringbreak.dnd.utwente.nl/~mrjb/growingbettersoftware to download your free copy of the book
Um, of COURSE CVV data wasn't compromised... What nimrod would store CVV in the same system as PAN? (That's Primary Account Number, for those of you who don't play with credit card data enough to stop using 'card number' as the term).
In fact, just stating that CVV wasn't compromised bugs me. That should NEVER be exposed to anything that returns data. Here's how it should work:
1. Merchant swipes your card into terminal (or keys it into whatever).
2. Merchant reads and enters your CVV (or CVC or CVV2 or CID) into whatever.
3. Authorization request is sent to the processor.
4. Processor compares PAN and CVV to their records.
5. Processor makes a decision.
6. Processor responds to request.
7. Merchant's system discards CVV if it didn't already.
The CVV may not be saved by the merchant per PCI specs, and also per every processor spec that I'm aware of. If someone is able to get and match CVV etc. with PAN, they do it by either intercepting authorization data or reaching in and compromising processor and/or issuer databases that should not be connected to any external network. These should only be accessible by the 'inside' or secure side of trusted platforms, never externally.
So you should hear of CVV-type data being disclosed only by terminals or POS software being compromised, or by someone carrying the data out of a building.
And that Citi actually said this worries me just a little. Like hearing your 3rd grader's teacher telling you they always wear a condom to work. Um, why? That should NEVER be an issue, sirs.
Of course, Citi might just be covering their bases, claiming that no other data, even the stuff that should not even be connected, was taken. Again, doing it wrong, guys.
ps - as an aside, there is a good chance that up to 30% of all cards in use have been compromised somehow, and no one bothers to replace them. Too expensive, they will run out of numbers faster than IPv4, and they handle the ongoing threat of fraud with existing fraud systems. No problem. Well, not much of a problem. I bet Citi doesn't even bother to replace these cards.
Second aside, while waiting a month sounds bad, perhaps Citi was gathering history and understanding how these details would be used, to both crack the fraud rings and maybe connect them to the infiltrators. This will happen more and more as the banks especially decide to fight back and make an effort to find the perps of the intrusions. And about time.
deleting the extra space after periods so i can stay relevant, yeah.
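The seven-step authorization flow in the comment above, as a toy model added here (it is an example, not the commenter's code): the processor is the only party that compares the CVV, and the merchant persists a masked PAN and the result but never the CVV. The class names, the constructed PAN/CVV records and the `persisted_data_is_pci_safe` check are hypothetical.

```python
import hmac

# Constructed processor records (PAN -> CVV). In reality these live on the
# processor/issuer's isolated network, never on anything externally reachable.
PROCESSOR_RECORDS = {
    "4111111111111111": "123",
    "5500000000000004": "456",
}


class Processor:
    """Steps 4-6: compare PAN and CVV to records, decide, respond."""
    def __init__(self, records):
        self._records = records

    def authorize(self, request):
        on_file = self._records.get(request["pan"])
        # constant-time comparison so timing does not leak how many digits match
        approved = on_file is not None and hmac.compare_digest(on_file, request["cvv"])
        return {"approved": approved, "auth_code": "A1B2C3" if approved else None}


class MerchantTerminal:
    """Steps 1-3 and 7: build the request, send it, then drop the CVV."""
    def __init__(self, processor):
        self.processor = processor
        self.transactions = []  # everything the merchant keeps on disk

    def charge(self, pan, cvv, amount_cents):
        request = {"pan": pan, "cvv": cvv, "amount": amount_cents}
        response = self.processor.authorize(request)
        del request  # step 7: the CVV must not outlive the auth round-trip
        record = {
            "masked_pan": "*" * (len(pan) - 4) + pan[-4:],  # last four only
            "amount": amount_cents,
            "approved": response["approved"],
            "auth_code": response["auth_code"],
        }
        self.transactions.append(record)
        return record


def persisted_data_is_pci_safe(transactions):
    """True if no stored record carries a CVV field or a full (13+ digit) PAN."""
    for t in transactions:
        if "cvv" in t:
            return False
        if any(isinstance(v, str) and v.isdigit() and len(v) >= 13 for v in t.values()):
            return False
    return True
```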
They log every access. It's not hard to implement, and many systems do it by default.
Best Slashdot Co
My sister was affected by this a few weeks ago, and I wondered why there was nothing on the news about it at the time.
She got a call saying that her account might have been compromised, and that a new card was on the way. Early on the day after she received the replacement card, and before she had even activated it, there was another call telling her that the new account number had already been used to make several purchases.
Clearly this was a serious breach that continued over at least several days, and was not the fault of a merchant, as they tried to claim.
"Is account security a thing of the past?"
Well, back in the early 90s, Citibank sent a bunch of 3.5" floppies to our school for students to use. Those floppies all had account information and spreadsheets on them. My job was to format them for use by the kids. Since I didn't relish the thought of formatting 50 of these fuckers on one computer, I just brought in a box of blank disks of my own the next day and kept the ShitiBank ones, formatting them for my own use as needed. Shiti is extremely lucky I had no plans to use the information for personal gain, but really, they had absolutely zero way to verify where those disks ended up.
So to answer your question, I don't think account security has ever realistically been on Citibank's mind.