Slashdot Mirror

← Back to Stories (view on slashdot.org)

Citi Hackers Got Away With $2.7 Million

Posted by timothy on from the us-dollars-even dept.

angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."

4 of 126 comments (clear)

  1. Amateur by Anonymous Coward · · Score: 4, Informative

    Let's not forget that the account numbers were passed with no security in the URL. I think I'll be canceling my Citi card (when I pay it off...).

    1. Re:Amateur by chill · · Score: 4, Informative

      Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

      They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

      For example, I found that my place of work has a credit union. Its sole purpose is basically to make affordable car loans to employees. There is no online banking, no ATMs, and just one office open 3 hours a day, 4 days a week. Almost no one has a "checking" account there, because they offer only the barest minimum of service.

      What they do offer is savings accounts and auto loans and very reasonable rates. No, they don't offer mortgages.

      They're chartered, insured and totally transparent to members -- 95% of which see each other on an almost daily basis.

      --
      Learning HOW to think is more important than learning WHAT to think.
    2. Re:Amateur by unkiereamus · · Score: 3, Informative

      A credit union that I used to belong to offers true credit cards: https://www.sccfcu.org/asp/products/product_2_3.asp

      --
      I needed a sig so people would know who I am, but I was too drunk to make something witty, so you get this instead.
  2. Re:PCI compliant? by shoehornjob · · Score: 5, Informative

    About 5 years ago I worked for a compliance unit in the brokerage section of Citi. Prior to the creation of this unit managers in different departmets were responsible for making sure their employees were in compliance. When I started there we found that the firewall guys were granting access to whole segments of ip addresses instead of just the 7 or 8 that were needed. We also found the Unix guys were not deleting access to highly sensative databases after employees left the company. Something tells me that the culture of ignorance in that place isn't going to stop any time soon. About 2 years after our group was formed they sent our jobs over to India. We were only there to develop the process and iron out the kinks. They gave the crew in India a month to learn our process manual and 8-9 months later they still didn't get it. Lets add greed to a culture of incompetance. BTW that's where the name shoehornjob comes from. For a while there the manager would come to us and shoehorn in new processes without review or vetting them.

    --
    "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine