Slashdot Mirror
Citi Hackers Got Away With $2.7 Million
angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."
Let's not forget that the account numbers were passed with no security in the URL. I think I'll be canceling my Citi card (when I pay it off...).
CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!
CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?
CSO: 2.7 millions.
CEO (enraged): 2.7 millions? You waste my time for that? I make more than that in bonuses every year, even when we lose money. Get the hell out of my office and come back when something serious happens!
Fixed that for you
The only thing necessary for evil to triumph is for it to be pitted against a slightly greater evil
Compliance auditing is a circle jerk business. It's like peer review, just worse, insofar that there are no "honest" people in the game that could debunk the scheme. They're all in for the money.
One thing you learn quickly as a young, aspiring and motivated auditor is that your job is not to test whether the company you audit is compliant. Your job is to make sure they are. Why? Because we want to be rehired for the checkup in a year, DUH! And because your first audit in a company is your foot in the door for other audits, and especially with BIG companies, there's a lot of things you can audit and certify, and all means moolah. Being "stubborn" means that your company will not be rehired and you will be fired.
Quick question for 100 (or, in auditor's terms, 5 minutes of work): What's your goal when auditing?
So I don't fear for their PCI cert. They will certainly be audited, this hole will be sealed, a lot of checkboxes will be ticked off (btw, transfer security is a very minor point in PCI-DSS compliance. Don't ask me why, I didn't make the cert requirements, I just have to endure them) and they will pass.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
Several things went wrong here:
- "Developers" without a clue about web-application kept critical state client-side. An absolute Noob-mistake. They must not have had any clue what they were doing.
- The security evaluation was either done by people without basic knowledge of web application security as well, or not done at all. This is one of the first things anybody with at least a bit of knowledge (as in understanding web-mechanisms and having researched on the web for, say, 1/2 day about web application security).
- Incompetent and greedy management selected / signed off on the development team and the evaluation team (or did without evaluation), without any regard for their actual skills.
The developers and evaluators should be forbidden to work in IT for the rest of their lives or until they demonstrate strong skills. The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.
Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its employees should be held liable for any damages.
That one small change to the legal code would end the practices you describe in a heartbeat.
Check out my sci-fi/humor trilogy at PatriotsBooks.
Aside from this not happening, it's also not feasible. And, bluntly, it wouldn't increase security one bit.
I gave it in detail in a similar topic, compliance with security laws has nothing to do with security as the average IT person sees it. Consider this: It takes months (sometimes years) from detecting a security problem, formulating a law/compliance test around it, implement the test, implement the checkbox-ticker-form, get companies compliant and finally tack a "audited and passed" sticker to it. ISO27001 is currently current in the 2005 version. 2005. I think nobody here would consider himself secure if he is secure against everything known by 2005.
To counter this, the requirements to pass the test are usually very broadly defined and in a quite unspecific way. There's a lot of talk about "reasonable security" and "state of the art/best practice", as well as securing "against current threats". There is a lot of talk about what has to be done, leaving the how completely open. Or, to give an example, you have to have a firewall that protects against current threats. It says nowhere what this may be. Or how "current" is defined. And here's where the whole mess starts to hit the fan.
What is a "current threat"? What is "reasonably well secured"? What is "state of the art"? And most of all, what would happen if you make us circle jerks liable for our blunders? Well, we'd define what a current threat is, what reasonably good security is and also what's state of the art is. Who else could? The (snicker) government? If that's the case, I have no worries that I'll ALWAYS be auditing by best practice standards, they'd probably be from 1980something. And rest assured that we'll always cover our respective backs when it comes to the question whether one of us audited perfectly. You don't piss off the people you work with in this trade, it comes back so terribly quickly, and there ain't that many companies that can actually do an ITSEC audit, so there is no heated competition. Hell, we hire each other to reaudit our own certs, take a wild guess how much we hate each other...
The solution is much simpler. First of all, get rid of all those fancy security stickers that get so much credibility but actually mean jack when it comes to security. Second, make companies care about security, and tack a fine on it that actually HURTS. As a neat side effect, it might reduce the data hunger some companies started to develop, since every bit they store might come back to bite them in their ass. In today's economy, it might actually already be sufficient to say that a company that can't get its act together is banned from bailouts. The rest will fall into place by itself.
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
They need a way to fine the auditor to the point of bankrupting them for effectively "lying"
About 5 years ago I worked for a compliance unit in the brokerage section of Citi. Prior to the creation of this unit managers in different departmets were responsible for making sure their employees were in compliance. When I started there we found that the firewall guys were granting access to whole segments of ip addresses instead of just the 7 or 8 that were needed. We also found the Unix guys were not deleting access to highly sensative databases after employees left the company. Something tells me that the culture of ignorance in that place isn't going to stop any time soon. About 2 years after our group was formed they sent our jobs over to India. We were only there to develop the process and iron out the kinks. They gave the crew in India a month to learn our process manual and 8-9 months later they still didn't get it. Lets add greed to a culture of incompetance. BTW that's where the name shoehornjob comes from. For a while there the manager would come to us and shoehorn in new processes without review or vetting them.
"We are just a war away from Amerikastan. When god vs god the undoing of man." Dave Mustaine
They seem to have stolen less than the bankers themselves.
Does this