Slashdot Mirror


Citi Hackers Got Away With $2.7 Million

angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."

32 of 126 comments

  1. Amateur by Anonymous Coward · · Score: 4, Informative

    Let's not forget that the account numbers were passed with no security in the URL. I think I'll be canceling my Citi card (when I pay it off...).

    1. Re:Amateur by rbarreira · · Score: 2, Insightful

      I think I'll be canceling my Citi card (when I pay it off...).

      You should do that even if it wasn't for this security breach. Big banks like Citi have been defrauding everyone, including sucking money off the taxpayer teat courtesy of their puppet politicians.

      Why anyone knowing that would want to continue being their customer is beyond me. Use a local credit union instead.

      --

      The AACS key is NOT 0xF606EEFD628B1CA427BEA93A9CA9773F
    2. Re:Amateur by rubycodez · · Score: 2

      The banking cartel does the defrauding, and why do you imagine your credit union is independent of it?

    3. Re:Amateur by chill · · Score: 4, Informative

      Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

      They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

      For example, I found that my place of work has a credit union. Its sole purpose is basically to make affordable car loans to employees. There is no online banking, no ATMs, and just one office open 3 hours a day, 4 days a week. Almost no one has a "checking" account there, because they offer only the barest minimum of service.

      What they do offer is savings accounts and auto loans and very reasonable rates. No, they don't offer mortgages.

      They're chartered, insured and totally transparent to members -- 95% of which see each other on an almost daily basis.

      --
      Learning HOW to think is more important than learning WHAT to think.
    4. Re:Amateur by pongo000 · · Score: 2

      Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

      They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

      Apparently, Texans CU didn't get the memo:

      http://www.cutimes.com/2009/12/23/management-shakeup-lawsuits-cuso-bankruptcy-plagued-texans-cu
      http://www.cutimes.com/2011/04/27/credit-union-industry-reacts-to-failure-of-big-tex

      Funny thing is that members were *never* notified that Texans had its board removed. So much for credit union transparency.

    5. Re:Amateur by chill · · Score: 2

      Yes. Right now, I take size into account when I consider the trustworthiness of a credit union. Texans, with their 16 physical locations in over a dozen different cities and even more ATMs, would be "too big" in my estimation.

      Smaller isn't always better, because it is quite possible to be "too small". I can't give you a hard number, but any more than 5 branches and I'd be thinking of them as a normal "bank".

      --
      Learning HOW to think is more important than learning WHAT to think.
    6. Re:Amateur by unkiereamus · · Score: 3, Informative

      A credit union that I used to belong to offers true credit cards: https://www.sccfcu.org/asp/products/product_2_3.asp

      --
      I needed a sig so people would know who I am, but I was too drunk to make something witty, so you get this instead.
  2. 2.7million USD by Anonymous Coward · · Score: 2, Funny

    Citigroup suffered about US$2.7 million in losses

    - dollars?

    Nothing of value was lost.

    1. Re:2.7million USD by Opportunist · · Score: 2

      I guess when you're used to getting billions in bailouts, millions don't really register as an amount anymore.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:2.7million USD by interval1066 · · Score: 2

      Why was this comment modded down? It's the most enlightened comment in the lot.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    3. Re:2.7million USD by arunce · · Score: 2

      This is funny. Really, mod this up.

  3. PCI compliant? by Virtucon · · Score: 2

    I find this funny and sad at the same time. Their PCI certification needs to be revoked. Besides, it has been done before to Citi: http://redmondmag.com/articles/2008/07/02/citibank-hack-shines-light-on-pci-compliance.aspx . If a bank can't be compliant, then the PCI needs to be abolished, because it appears to mean nothing to large financial institutions.

    --
    Harrison's Postulate - "For every action there is an equal and opposite criticism"
    1. Re:PCI compliant? by Opportunist · · Score: 5, Insightful

      Compliance auditing is a circle jerk business. It's like peer review, just worse, insofar that there are no "honest" people in the game that could debunk the scheme. They're all in for the money.

      One thing you learn quickly as a young, aspiring and motivated auditor is that your job is not to test whether the company you audit is compliant. Your job is to make sure they are. Why? Because we want to be rehired for the checkup in a year, DUH! And because your first audit in a company is your foot in the door for other audits, and especially with BIG companies, there's a lot of things you can audit and certify, and all means moolah. Being "stubborn" means that your company will not be rehired and you will be fired.

      Quick question for 100 (or, in auditor's terms, 5 minutes of work): What's your goal when auditing?

      So I don't fear for their PCI cert. They will certainly be audited, this hole will be sealed, a lot of checkboxes will be ticked off (btw, transfer security is a very minor point in PCI-DSS compliance. Don't ask me why, I didn't make the cert requirements, I just have to endure them) and they will pass.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:PCI compliant? by dgatwood · · Score: 3, Insightful

      What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its employees should be held liable for any damages.

      That one small change to the legal code would end the practices you describe in a heartbeat.

      --

      Check out my sci-fi/humor trilogy at PatriotsBooks.

    3. Re:PCI compliant? by the+eric+conspiracy · · Score: 2

      What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its corporate officers should be held liable for any damages.

      FTFY.

      For all you know the people performing the audit are contractors or employees under orders from their management to certify the audit no matter what they actually find.

    4. Re:PCI compliant? by Opportunist · · Score: 3, Interesting

      Aside from this not happening, it's also not feasible. And, bluntly, it wouldn't increase security one bit.

      I went into it in detail in a similar topic: compliance with security laws has nothing to do with security as the average IT person sees it. Consider this: it takes months (sometimes years) from detecting a security problem to formulating a law/compliance test around it, implementing the test, implementing the checkbox-ticker form, getting companies compliant and finally tacking an "audited and passed" sticker on it. ISO 27001 is currently in the 2005 version. 2005. I think nobody here would consider himself secure if he is secure against everything known by 2005.

      To counter this, the requirements to pass the test are usually very broadly defined and in a quite unspecific way. There's a lot of talk about "reasonable security" and "state of the art/best practice", as well as securing "against current threats". There is a lot of talk about what has to be done, leaving the how completely open. Or, to give an example, you have to have a firewall that protects against current threats. It says nowhere what this may be. Or how "current" is defined. And here's where the whole mess starts to hit the fan.

      What is a "current threat"? What is "reasonably well secured"? What is "state of the art"? And most of all, what would happen if you make us circle jerks liable for our blunders? Well, we'd define what a current threat is, what reasonably good security is and also what state of the art is. Who else could? The (snicker) government? If that's the case, I have no worries that I'll ALWAYS be auditing by best practice standards, they'd probably be from 1980something. And rest assured that we'll always cover our respective backs when it comes to the question whether one of us audited perfectly. You don't piss off the people you work with in this trade, it comes back so terribly quickly, and there ain't that many companies that can actually do an ITSEC audit, so there is no heated competition. Hell, we hire each other to reaudit our own certs, take a wild guess how much we hate each other...

      The solution is much simpler. First of all, get rid of all those fancy security stickers that get so much credibility but actually mean jack when it comes to security. Second, make companies care about security, and tack a fine on it that actually HURTS. As a neat side effect, it might reduce the data hunger some companies started to develop, since every bit they store might come back to bite them in their ass. In today's economy, it might actually already be sufficient to say that a company that can't get its act together is banned from bailouts. The rest will fall into place by itself.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:PCI compliant? by Bengie · · Score: 3, Insightful

      They need a way to fine the auditor to the point of bankrupting them for effectively "lying".

    6. Re:PCI compliant? by shoehornjob · · Score: 5, Informative

      About 5 years ago I worked for a compliance unit in the brokerage section of Citi. Prior to the creation of this unit, managers in different departments were responsible for making sure their employees were in compliance. When I started there we found that the firewall guys were granting access to whole segments of IP addresses instead of just the 7 or 8 that were needed. We also found the Unix guys were not deleting access to highly sensitive databases after employees left the company. Something tells me that the culture of ignorance in that place isn't going to stop any time soon. About 2 years after our group was formed they sent our jobs over to India. We were only there to develop the process and iron out the kinks. They gave the crew in India a month to learn our process manual and 8-9 months later they still didn't get it. Let's add greed to a culture of incompetence. BTW that's where the name shoehornjob comes from. For a while there the manager would come to us and shoehorn in new processes without reviewing or vetting them.

      --
      "We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
    7. Re:PCI compliant? by John3 · · Score: 2

      I wish I still had mod points to bump up your comment. The whole PCI compliance scam is a pet peeve of mine. I own a hardware store and we're fully compliant, but it cost a bunch and is a real pain considering that we're trying to protect credit cards and a system that is essentially poorly secured in the first place. There are thousands and thousands of independent business owners that are not anywhere near compliant, and they have no clue how to get in compliance. They are just scared that when a breach happens they will lose their merchant privileges and maybe be held liable for the losses. Meanwhile, Citi and other large targets get broken into regularly for millions and millions in losses.

      I certainly don't think that small merchants can be lax in their security procedures, but I think the bankcard industry needs to subsidize the security updates and do a much better job of educating and assisting the retail store owners. These are restaurant owners, deli owners, clothing stores, hardware stores, and other businesses where the owner is not really tech or security savvy. They know how to cook a meal, slice ham on a machine, measure an inseam, or cut a key. These folks take credit cards (and pay the insane fees) because they must to stay in business. They are saddled with bankcards that are inherently insecure (seriously, check the signature on the back of the card?).

      Sorry, I'm ranting...but I still wish I had the mod points I had yesterday.

      --
      "We make our world significant by the courage of our questions and by the depth of our answers." Carl Sagan
  4. Re:Ooooh, a couple mill by shentino · · Score: 2

    I got a slice of it after receiving an offer in my email yesterday.

  5. Can you see the dialogue happen at citi? by Opportunist · · Score: 2

    CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!
    CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?
    CSO: 2.7 millions.
    CEO (enraged): 2.7 millions? You waste my time for that? Get the hell out of my office and come back when something serious happens!

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Can you see the dialogue happen at citi? by Nidi62 · · Score: 5, Funny

      CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!

      CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?

      CSO: 2.7 millions.

      CEO (enraged): 2.7 millions? You waste my time for that? I make more than that in bonuses every year, even when we lose money. Get the hell out of my office and come back when something serious happens!

      Fixed that for you

      --
      The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
  6. This problem just cannot be solved by osgeek · · Score: 2

    If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

    If only credit card numbers weren't special since what really mattered was signed transactions.

    If only every consumer had a personal device capable of signing transactions in his pocket at almost all times.

    Call me a dreamer, but someday in the next hundred years, I think that all those "huge" technological problems could be solved and we could end this problem of having our credit card and social security numbers being exposed.
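The three wishes in this comment (PIN approval, signed transactions, a signing device in every pocket) fit together into one small protocol. The following is an added illustration, not anything Citi or the card networks run, and the card reference, device secret, PIN and merchant are constructed: the device derives an approval key from a device secret plus the PIN, MACs the exact charge with a fresh nonce, and the issuer settles only untampered, never-before-seen approvals. A card number on its own authorizes nothing.

```python
"""Transactions approved by a cardholder's device plus PIN, so a card number
on its own authorizes nothing.  Added example with constructed values."""
import hashlib
import hmac
import json
import secrets

APPROVAL_KEYS = {}   # issuer side: card reference -> derived approval key
SEEN_NONCES = set()  # issuer side: nonces already settled


def _approval_key(device_secret, pin):
    """Possession (device secret) and knowledge (PIN) both feed the key, so a
    stolen device without the PIN, or a PIN without the device, cannot sign."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), device_secret, 100_000, dklen=32)


def enroll(card_ref, device_secret, pin):
    """One-time enrollment: the issuer keeps only the derived key, never the PIN."""
    APPROVAL_KEYS[card_ref] = _approval_key(device_secret, pin)


def _canonical(tx):
    """Stable byte encoding so device and issuer MAC exactly the same fields."""
    return json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()


def approve(device_secret, pin, card_ref, merchant, amount_cents):
    """Runs on the cardholder's device.  The MAC binds merchant, amount and a
    fresh nonce to the card, so the approval is useless for any other charge."""
    tx = {"card": card_ref, "merchant": merchant, "amount": amount_cents,
          "nonce": secrets.token_hex(16)}
    mac = hmac.new(_approval_key(device_secret, pin), _canonical(tx),
                   hashlib.sha256).hexdigest()
    return tx, mac


def settle(tx, mac):
    """Runs at the issuer.  True only for an untampered, never-before-seen
    transaction approved with the enrolled key."""
    key = APPROVAL_KEYS.get(tx.get("card"))
    if key is None:
        return False
    expected = hmac.new(key, _canonical(tx), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):
        return False            # wrong key (wrong PIN/device) or altered charge
    if tx["nonce"] in SEEN_NONCES:
        return False            # replay of an approval already settled
    SEEN_NONCES.add(tx["nonce"])
    return True


if __name__ == "__main__":
    device = b"constructed-device-secret-0101"   # constructed, lives on the phone
    enroll("card-0101", device, "4321")
    tx, mac = approve(device, "4321", "card-0101", "deli-42", 1299)
    print("first settle:", settle(tx, mac))       # True
    print("replay:", settle(tx, mac))             # False
    print("tampered:", settle(dict(tx, amount=99999), mac))  # False
```

The replay set would be a per-card database table in practice, and a real deployment would use public-key signatures so the issuer never holds a key that can forge approvals; the symmetric MAC keeps the example in the standard library while showing the same binding of charge, nonce and second factor.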

    1. Re:This problem just cannot be solved by Hazel+Bergeron · · Score: 2

      Because the merchant is liable for fraudulent transactions when no PIN is entered. Liable plus a fine on chargeback. Liable plus a fine plus a threat of increased discount percentage.

      Small businesses are the backbone of modern America: if you want to conquer America you have to break its backbone.

    2. Re:This problem just cannot be solved by kamukwam · · Score: 2

      Well, then they should simply make it impossible to pay without a PIN. Actually it should've been like that from the start and there wouldn't have been so many problems with stolen credit card numbers.

    3. Re:This problem just cannot be solved by NJRoadfan · · Score: 2

      Actually it's simple, banks in the US are cheap. Chip and PIN costs money to implement. American Express rolled out chips in their first issue Blue credit card, but later phased it out... cost more than a regular credit card and nobody used the feature (lack of infrastructure in the US, hardly anyone has a chip and PIN terminal here). Same goes for things like implementing two factor authentication for online banking. It's likely the only way a US based bank will improve security is if they are forced to through legislation.

    4. Re:This problem just cannot be solved by Nick+Ives · · Score: 2

      This is beyond silly. The reason Chip & Pin happened in Europe is because payment card operators in Europe got together and decided to do it. They told retailers they didn't have to use it if they didn't want to, but they would be more liable for fraudulent transactions if they didn't.

      Given that the increased liability would cost more than the chip & pin terminals, everyone moved over.

      --
      Nick
  7. Most insecure ebanking ever. by gweihir · · Score: 3, Insightful

    Several things went wrong here:

    - "Developers" without a clue about web applications kept critical state client-side. An absolute Noob-mistake. They must not have had any clue what they were doing.

    - The security evaluation was either done by people without basic knowledge of web application security as well, or not done at all. This is one of the first things anybody with at least a bit of knowledge (as in understanding web-mechanisms and having researched on the web for, say, 1/2 day about web application security).

    - Incompetent and greedy management selected / signed off on the development team and the evaluation team (or did without evaluation), without any regard for their actual skills.

    The developers and evaluators should be forbidden to work in IT for the rest of their lives or until they demonstrate strong skills. The managers responsible, however, should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
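The "critical state client-side" failure this comment and the story describe is an account lookup that trusts an identifier carried in the URL, with only a login check in front of it. Below is an added example (not code from the thread or from Citi; the account numbers, names, phone numbers and session ids are constructed) that puts that pattern next to the defensive form: authorize on the server against the session's own user, hand the client an opaque random handle instead of the card number, answer "missing" and "not yours" identically so the endpoint cannot be used as an enumeration oracle, and count refusals per session as a detection signal.

```python
"""Account lookup keyed by a URL parameter: the guessable pattern beside a
server-side-authorized form.  Added example; all data below is constructed."""
import secrets
from collections import Counter
from urllib.parse import parse_qs, urlparse

# Constructed sample store: card number -> record, and session id -> user.
ACCOUNTS = {
    "4000000000000101": {"owner": "alice", "name": "Alice Example", "phone": "555-0101"},
    "4000000000000102": {"owner": "bob",   "name": "Bob Example",   "phone": "555-0102"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class Forbidden(Exception):
    """Raised for any request the server will not serve."""


def _query_param(url, name):
    return parse_qs(urlparse(url).query).get(name, [None])[0]


def vulnerable_view(url, session_id):
    """Checks only that *someone* is logged in, then returns whatever account
    the URL names.  Ownership is never checked, so any customer can read any
    other customer's name and contact details by varying the number."""
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[_query_param(url, "account")]


# --- hardened form -----------------------------------------------------------
REJECTS = Counter()   # per-session count of refused lookups (detection signal)
HANDLES = {}          # opaque handle -> (user, card number); never leaves the server


def issue_handle(user, card):
    """Give the client a random, unguessable handle in place of the card number,
    so the URL carries no sensitive state and nothing adjacent to guess."""
    if ACCOUNTS[card]["owner"] != user:
        raise Forbidden("cannot issue a handle for another user's account")
    handle = secrets.token_urlsafe(16)
    HANDLES[handle] = (user, card)
    return handle


def hardened_view(url, session_id):
    """Authorize on the server: the record is served only if the session's user
    owns it.  Unknown and foreign handles get the same error and both are
    counted, so probing shows up in REJECTS rather than in leaked data."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise Forbidden("not logged in")
    entry = HANDLES.get(_query_param(url, "h"))
    if entry is None or entry[0] != user:
        REJECTS[session_id] += 1
        raise Forbidden("no such account")
    return ACCOUNTS[entry[1]]


def suspicious_sessions(threshold=5):
    """Sessions whose refusal count reached the threshold: the alerting hook a
    defender would wire to this endpoint."""
    return sorted(s for s, n in REJECTS.items() if n >= threshold)


if __name__ == "__main__":
    # Alice's session reads Bob's record through the vulnerable view.
    print(vulnerable_view("/acct?account=4000000000000102", "sess-alice")["name"])
    # Through the hardened view she can only reach her own.
    h = issue_handle("alice", "4000000000000101")
    print(hardened_view(f"/acct?h={h}", "sess-alice")["name"])
```

In a real application the handle map lives in the session store or a database with an expiry, and the refusal counter feeds whatever alerting the SOC already has; the point is that the authorization decision and the mapping from identifier to record both stay on the server.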
  8. being not-for-profit... by brokeninside · · Score: 2

    ... while it means that they don't have the goal of maximizing shareholders' equity, doesn't mean that they don't exhibit profit-seeking behavior. It just means that the profit isn't paid out in the form of dividends. It could, as one example, be paid out in the form of executive compensation.

    Moreover, many credit unions are for-profit concerns. But the dividends go to account holders rather than third-party investors that don't deposit money into the credit union. And the money that is deposited is used by members rather than non-members. Rather than your deposits going towards providing the backing for third-parties to get loans, etc., they go towards loans, etc., for members of the credit union. This distinction starts to break down, however, when the credit union decides to invest the money in instruments to increase dividends to the members.

  9. Numbers by G4Cube · · Score: 2

    For 10 years when you lost a # to fraud the next card was different by only the last 4 numbers.

  10. Find them and put them in charge by IHateEverybody · · Score: 4, Funny

    They seem to have stolen less than the bankers themselves.

    --
    Does this .sig make my butt look big?