Slashdot: News for Nerds


Citi Bank Reveals Attack... One Month Late

CmdrTaco posted more than 3 years ago | from the yeah-sorry-about-that dept.

Security 111

An anonymous reader writes "Is account security a thing of the past? Quote: 'We're talking a fairly serious hack, too. The personal and account information of some 200,000 Citibank card holders in North America was breached, reports Reuters, including contact specifics like names and email addresses. The solitary bit of good news? Citibank claims far more sensitive info like social security numbers, birth dates, card expiry dates and CVV card security codes was not compromised.'"


111 comments

How do they know?? (5, Interesting)

jmd_akbar (1777312) | more than 3 years ago | (#36388034)

that

social security numbers, birth dates, card expiry dates and CVV card security codes was not compromised.'"

Re:How do they know?? (2)

jmd_akbar (1777312) | more than 3 years ago | (#36388046)

This is actually my honest doubt.

Re:How do they know?? (2)

Anonymous Coward | more than 3 years ago | (#36388092)

Even if they were, it's likely that we wouldn't find out about it for at least another month or two.

Re:How do they know?? (3)

Anonymous Coward | more than 3 years ago | (#36388106)

The article is very light on details but it could be an online profile system rather than the actual credit system of record. There would be an internal token that would associate one with the other, but no direct way to connect between those systems. It's definitely possible to build a system that is segregated in such a manner, and such an architecture is recommended (and to some extent dictated) by many of the financial security rules.

Or they could be lying.

Re:How do they know?? (1)

WrongSizeGlass (838941) | more than 3 years ago | (#36388142)

Citi Bank: Your deposits are federally insured but your personal information isn't. Want to upgrade your personal information to a secure account? Just sign up for one of our Duke Nukem Forever accounts, coming soon to a Citi Bank near you - we promise.

Re:How do they know?? (2)

somersault (912633) | more than 3 years ago | (#36388260)

My copy of DNF was dispatched earlier today ;)

Re:How do they know?? (1)

slick7 (1703596) | more than 3 years ago | (#36388480)

Citi Bank: Your deposits are federally insured but your personal information isn't.

After the bailout fiasco, this does not instill confidence.

Re:How do they know?? (2, Insightful)

Anonymous Coward | more than 3 years ago | (#36389456)

Your deposits are federally insured but your personal information isn't

The heart of the problem:

-Hi, I'm John Smith and I want a credit card.
>OK...there are a lot of John Smiths. I need to identify you. Which John Smith are you?
-How do I do that?
>Is there some token of information that everybody has agreed upon to uniquely identify you?
-Oh, yeah. I'm John Smith, SSN 123-45-6789
>OK...now, just to make sure everything is on the up-and-up, we need to authenticate you. Can you prove you are who you claim to be?
-How do I do that?
>Is there some token of information that only John Smith, SSN 123-45-6789 could ever possibly know, and would never divulge to anyone else?
-Oh, yeah. I know that my SSN is 123-45-6789
>Meh, that's good enough. Here's your new credit card.

Imagine signing up for some web account and receiving the error: "Your password must be the same as your username. Please try again." That, in a nutshell, is what the entire financial industry is doing, and we're somehow okay with that. SSNs should never have been treated as private information. Impersonating someone by knowing their SSN should be as successful as impersonating the President by knowing the address of the White House.

Re:How do they know?? (2)

Richard_at_work (517087) | more than 3 years ago | (#36388158)

Held on a different server that has no relation with the server or server pool that was compromised (in other words, compartmentalised data storage)? No evidence of non-legitimate access to that server?

Re:How do they know?? (0)

Anonymous Coward | more than 3 years ago | (#36388890)

No, even so, it's no proof that it didn't happen. Finding out you've been hacked is a problem, and it's hard to find evidence it actually happened. Finding out exactly what was copied is even harder.

So, has it been a month since they discovered the breach or since it happened? It's a small play on words, but it seriously affects their credibility.

Re:How do they know?? (1)

ObsessiveMathsFreak (773371) | more than 3 years ago | (#36388230)

Well, if they didn't store those, then they could be sure. As it happens, they can just lie instead.

Re:How do they know?? (1)

kelemvor4 (1980226) | more than 3 years ago | (#36388822)

It's a bank, they ISSUE those things. How could they run the business without storing them?

Re:How do they know?? (1)

CODiNE (27417) | more than 3 years ago | (#36388864)

Because (quoting citicards.com)

Forgot your User ID or password?
No problem - you can reset your information at Sign On Help. Please have your Credit or ATM/Debit card handy. You may also need your PIN, account number, CVV, Security Word, or ABA number on hand to complete the process.

If those WERE hacked then it would mean Citi has no way of verifying any of its customers online and would be completely vulnerable.

That just can't be allowed to happen so... no.

Log files (2)

wiredog (43288) | more than 3 years ago | (#36388868)

They log every access. It's not hard to implement, and many systems do it by default.

Re:Log files (2)

sjames (1099) | more than 3 years ago | (#36391060)

Because even the most despicable blackhat would never alter, delete, or bypass log files!

Re:Log files (1)

hawkinspeter (831501) | more than 3 years ago | (#36392024)

They wouldn't if the log files are on paper!

There are other ways of ensuring that log files aren't altered - it's trivial to set up a syslog server that accepts logs from other machines but can be hardened (only have local console logons enabled) to ensure that the logs aren't altered.

It's also pretty easy to put a copy of logs onto a multi-session dvd that's effectively write only.
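The two comments above describe the same defensive idea: keep the logs where the machine that got compromised cannot rewrite them, and keep a copy on media that cannot be changed afterwards. The following is an added example (not code from the thread or from any syslog implementation) of the software half of that: a keyed hash chain in which each entry's tag binds it to every entry before it, so an edit or a deletion in the middle is detected. The key, the hostnames and the log lines are all constructed for the example; the assumption is that the key lives only on the hardened collector.

```python
import hashlib
import hmac

# Constructed key for this example. The assumption is that only the hardened
# collector host holds it: senders cannot recompute tags, and an intruder on a
# sending host cannot rewrite history that has already been collected.
LOG_KEY = b"example-collector-key-not-for-real-use"
GENESIS = "0" * 64


def _tag(prev_tag: str, message: str) -> str:
    """HMAC over the previous tag and this line, so each tag covers the whole prefix."""
    return hmac.new(LOG_KEY, f"{prev_tag}\n{message}".encode(), hashlib.sha256).hexdigest()


def append_entry(chain: list, message: str) -> str:
    """Append a line; its tag binds the line to everything before it. Returns the new tag."""
    prev = chain[-1]["tag"] if chain else GENESIS
    tag = _tag(prev, message)
    chain.append({"msg": message, "tag": tag})
    return tag


def verify_chain(chain: list, anchor_tag: str = None):
    """Recompute every tag from the start.

    Returns (ok, index): index is the first bad entry, or None when the chain is intact.
    anchor_tag is the most recent tag recorded somewhere the attacker cannot reach
    (the comment's DVD copy, or a printed line); when given, a chain that was simply
    truncated after that point is rejected too, which the chain alone cannot detect.
    """
    prev = GENESIS
    for i, entry in enumerate(chain):
        if not hmac.compare_digest(_tag(prev, entry["msg"]), entry["tag"]):
            return False, i
        prev = entry["tag"]
    if anchor_tag is not None and not hmac.compare_digest(prev, anchor_tag):
        return False, len(chain)
    return True, None


def build_sample_chain() -> list:
    """Constructed log lines, not from any real system."""
    chain = []
    for line in [
        "2011-06-09T10:00:01 sshd[123]: Accepted publickey for ops from 10.0.0.5",
        "2011-06-09T10:02:17 app[456]: profile lookup account=tok_7f3a",
        "2011-06-09T10:03:44 app[456]: export started by ops rows=200000",
    ]:
        append_entry(chain, line)
    return chain


def with_entry_edited(chain: list, index: int, new_msg: str) -> list:
    """Copy of the chain with one line rewritten, as an intruder might do."""
    copy = [dict(e) for e in chain]
    copy[index]["msg"] = new_msg
    return copy


def with_entry_deleted(chain: list, index: int) -> list:
    """Copy of the chain with one line removed."""
    copy = [dict(e) for e in chain]
    del copy[index]
    return copy
```

Editing or removing an entry in the middle breaks every tag after it; removing entries from the end does not, which is exactly why the last tag (or the whole chain) should also go to write-once media as the comment suggests, and be checked against it.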

What "wasn't" compromised... (4, Insightful)

Ferzerp (83619) | more than 3 years ago | (#36388056)

That's because they're going to wait a few weeks and admit that everything really was.

It should be criminal to employ this tactic, but we see it again and again. These companies have a responsibility to be good stewards of the information we have granted them. When they hide these breaches, they are not acting in good faith.

Re:What "wasn't" compromised... (0)

Anonymous Coward | more than 3 years ago | (#36388584)

Ah that explains the mysterious 'you need a new card RIGHT NOW' I just got from them.

EXACTLY, & they're DUMPING SHARES FAST! (0)

Anonymous Coward | more than 3 years ago | (#36389698)

Because it's "all about share price" kids & "market capitalization" (ENRON ideals are EVERYWHERE)!

I.E. -> Sure, they hide it so the share price doesn't drop & everyone doesn't "dump" them like a hot potato... all the while? They're selling THEIR shares @ phenomenal rates before they drop to rock-bottom penny stock crap levels!

(Don't try to even BEGIN to tell me that doesn't happen guys... too many of these crooks of this "ilk" have been caught @ it!)

This is why I dislike the stock market, and boards of directors... private ownership, companies like Ford or MS!

(Where, last I knew of @ least, the owners/founders/families that started them STILL retain majority stock %-ages? They actually GIVE A DAMN because they still own it, and have their names/reps tied up into it as well as pride of ownership, rather than just "shares of stock" b.s.).

APK

P.S.=> The world's "F'd-UP", & imo @ least? The stockmarket's the ROOT of it all (because as we all know, money makes people do "phunny things", doesn't it??)

... apk

paying by cellphone is coming (4, Informative)

circletimessquare (444983) | more than 3 years ago | (#36388070)

and if google wallet and its competitors are smart, they'll start with better security from the ground up, and use that as a selling point. consumer awareness of credit card insecurity is high

replacing all our credit cards with our cell phones is a natural evolution, regardless. but at this stage, in the beginning of the evolution, now is the time to address security robustly, before weaknesses get baked in

and for the lunatic paranoid fringe who thinks their own democratically elected government is an evil alien entity out to butt rape you: i said replace CREDIT CARDS, not replace cash

Re:paying by cellphone is coming (1)

Anonymous Coward | more than 3 years ago | (#36388188)

It's not wise to call out the lunatic paranoid fringists on a website dominated by lunatic paranoid fringists.

Re:paying by cellphone is coming (1)

circletimessquare (444983) | more than 3 years ago | (#36389148)

true

but i'm amused by their desperation

i call them out for my entertainment purposes

Re:paying by cellphone is coming (2)

Penguinisto (415985) | more than 3 years ago | (#36388270)

One would hope that better security is already a given in a new from-scratch system... especially one that you want people to have trust in, away from the existing banks. But... if someone were to want to compromise Google Wallet, the script kiddie's best bet is to not attack the servers, but the individual phones, where Google will lose a lot of the control.

Unless Google is working to get FDIC insured and become their own bank, they themselves will have to connect to the banks to access the money somehow. They can minimize it by using something like an ACH debit or merchant credit transaction (for each purchase, or, say, once a day with accumulated transactions lumped together, though the latter would make individual purchase tracking iffy from the bank POV).

But... there's still that link.

Google and the like have a harder row to hoe than a typical bank with web-based services will at this time.

The way Google could do it (4, Interesting)

RobertLTux (260313) | more than 3 years ago | (#36388462)

find a good sized but stressed bank and then just go ahead and BUY IT.

advantages for Google
1. no need to burn time/money on building the "stuff" needed for a bank
2. instant access to millions of new customers (have as part of the deal that the bank hosts email on google servers)
3. this would be a real established bank

advantages for the Bank
1. tens of millions new customers (they would logically be the default bank for GWallet)
2. point and click dibs on the GProfiles of everybody with a Google Account
3. "native" access to the google server farm network

Re:The way Google could do it (1)

circletimessquare (444983) | more than 3 years ago | (#36389210)

there might be regulations about that

and if not, if you are part of the oligopoly of large banks worried about competition that works for the consumer (but not for you), then there is a congressional whore in your employ holding a chair on a finance committee who can "raise serious objections" about some sort of "regulations" for you

Advertising superior security..... (1)

curio_city (1972556) | more than 3 years ago | (#36388328)

Dropbox? If a company can conceal/lie about compromises of sensitive information, it can lie about its security.

Re:paying by cellphone is coming (0)

Anonymous Coward | more than 3 years ago | (#36388418)

As a member of the Evil-Alien-Entity-Out-to-Butt-Rape-You Party, I resent being called lunatic paranoid fringe.

Re:paying by cellphone is coming (0)

Anonymous Coward | more than 3 years ago | (#36388724)

and for the lunatic paranoid fringe who thinks their own democratically elected government is an evil alien entity out to butt rape you

I'm submissive xenophile who enjoys being watched by chain-smoking men in black, you insensitive clod!

Re:paying by cellphone is coming (1)

circletimessquare (444983) | more than 3 years ago | (#36390342)

i'm a man in black who enjoys watching interplanetary sex acts, but i don't smoke. i resent the stereotyping, you insensitive clod!

us men in black are unique and special individuals, to be valued and judged independently on the merits of our unique journey in life, not to be thought of as a monolithic force bent on galactic domination!

paying by cellphone (only) == epic FAIL (1)

Anonymous Coward | more than 3 years ago | (#36390360)

Maybe your idea would work for cell phone addicts, those who can't be without one.

As for me, I can't conveniently carry a cellphone in my wallet (too large and fragile), I don't want to pay a monthly fee for one just to use it as plastic, and Murphy's Law says that the battery would run out just as I had to pay my bill at a restaurant feeding a few tables of attendees of a State Police convention.

Re:paying by cellphone (only) == epic FAIL (1)

circletimessquare (444983) | more than 3 years ago | (#36390870)

the same could be said for credit cards. think of all points on the chain that could fail but have to work for credit cards to work

but that doesn't seem to bother you

there are indeed more points of failure with cellphones

and also increases in convenience

and that latter point outweighs any argument you could make

Re:paying by cellphone is coming (1)

sjames (1099) | more than 3 years ago | (#36391116)

Well, I must admit, ALIEN might be going too far... We just wish we could disown them from our species.

Re:paying by cellphone is coming (3, Insightful)

dkleinsc (563838) | more than 3 years ago | (#36391912)

Actually, the basic problem with the security of payment systems is that there's money involved. If there's money involved, there will be fraud and theft.

There was fraud when the standard money was gold or silver coin (as minters would substitute in other metals). There's fraud with cash by counterfeiters today. There's fraud with checks. There's fraud at ATMs. There's fraud with credit cards and electronic check payments. There's rampant fraud with PayPal.

So there's no reason to think that cell phone payments (which wouldn't even be available to large segments of the world population) would be immune to fraud.

Re:paying by cellphone is coming (2)

circletimessquare (444983) | more than 3 years ago | (#36392112)

well yeah, but just because fraud will always exist doesn't mean you stop trying to minimize it

altering security protocols to prevent frequent and common means of exploitation is worthwhile, even though someone somewhere will still get ripped off

Great big huge fines ... (4, Insightful)

gstoddart (321705) | more than 3 years ago | (#36388096)

Companies really need to start getting slapped with very large fines for stuff like this.

Being incompetent to actually protect the data of your clients doesn't mean you simply get to say "oops" and act like nothing happened.

Someone needs to start holding these companies accountable for stuff like this. You're a bank (albeit a sketchy, annoying one who keeps sending me offers for cards and a bunch of other crap I don't want) ... you're supposed to have a legal obligation to protect this information.

From the annoying telemarketing and other crap they send me in the mail, I already can't stand Citibank. An inability to actually protect data is just further proof of why I'd never actually deal with Citibank. They just don't give off the feel of actually being a reputable organization to me.

Re:Great big huge fines ... (1)

Penguinisto (415985) | more than 3 years ago | (#36388330)

Most companies that hold credit-affecting data (SSNs, names, addresses, etc.) are actually obligated in some (but not nearly enough) states to provide anti-ID-theft protection/correction at their expense, and to eat any additional costs associated with that.

One would hope that it would become federal law, but good luck with that one...

Agreed but ... (1)

schlameel (1017070) | more than 3 years ago | (#36388866)

In America? Where those same companies own the regulators? Unlikely. Token fines perhaps... someday.

Re:Great big huge fines ... (0)

Anonymous Coward | more than 3 years ago | (#36389228)

Add to that list the fact that Citibank in particular received a considerable portion of the TARP money.

Re:Great big huge fines ... (1)

TheGratefulNet (143330) | more than 3 years ago | (#36389774)

Companies really need to start getting slapped with very large fines for stuff like this.

lets examine this idea of yours.

who runs the world? who watches the corporations? who watches those who are in bed with corporations?

you know the answers to all those questions. you were not born yesterday.

if individuals get any justice today, its by accident. corps own the world after only a brief interlude that we had a few decades ago. its basically back to barons and serfs again, just without the drab clothing we used to have to wear.

Re:Great big huge fines ... (1)

gstoddart (321705) | more than 3 years ago | (#36390640)

you know the answers to all those questions. you were not born yesterday.

if individuals get any justice today, its by accident. corps own the world after only a brief interlude that we had a few decades ago. its basically back to barons and serfs again, just without the drab clothing we used to have to wear.

So, America has jumped the shark, and finally become the oligarchy I've been saying they would for years, then?

Re:Great big huge fines ... (1)

sjames (1099) | more than 3 years ago | (#36391264)

And that's why I personally reserve judgement on vigilante groups that attack the corporations.

Re:Great big huge fines ... (1)

Hatta (162192) | more than 3 years ago | (#36390840)

Companies really need to start getting slapped with very large fines for stuff like this.

CxOs need to start going to jail for stuff like this.

If they don't take this seriously (5, Insightful)

rebelwarlock (1319465) | more than 3 years ago | (#36388110)

Don't take them seriously. Find a real bank to do business with.

Re:If they don't take this seriously (2)

slick7 (1703596) | more than 3 years ago | (#36388518)

Don't take them seriously. Find a real bank to do business with.

That's what mattresses are for. Yeah, mattresses and guns.

Re:If they don't take this seriously (1)

Anonymous Coward | more than 3 years ago | (#36388528)

Don't take them seriously. Find a real bank to do business with.

In the US? That would be which bank?

Re:If they don't take this seriously (0)

Anonymous Coward | more than 3 years ago | (#36390074)

USAA

Re:If they don't take this seriously (0)

Anonymous Coward | more than 3 years ago | (#36388936)

Eh, I think you're talking about all banks, none of them take it seriously. And besides, even if they did, trust me, they can only do so much. For example, banks are HEAVILY regulated right... so you have to be GLB certified and a few other things to work there. Then you're trained, for instance, to not plug in external devices such as hard drives or usb 'flash drives.' Do you think people don't? That's enough of an attack vector! But, they can only do so much on the security side!

Re:If they don't take this seriously (1)

drinkypoo (153816) | more than 3 years ago | (#36390232)

Don't take them seriously. Find a real bank to do business with.

I took that attitude so I went with WAMU. Then they were eaten by Chase with the assistance of the federal government in spite of the fact that other banks were in even worse financial straits and got bailouts instead.

I bank with a local credit union but they're pretty incompetent so I'm not really happy with them either.

If I were rich I could bank with someone out of the country, but I don't really have enough money for that. So I'm stuck with the shit we have available here.

One month? (1)

grassy_knoll (412409) | more than 3 years ago | (#36388128)

Did it take them that long to figure out there was a breach? Infrequently reviewing logs instead of real-time monitoring, perhaps?

I MAY believe them... (1)

Anonymous Coward | more than 3 years ago | (#36388136)

I have a feeling my account was one of the compromised.

They forced me to change my CC# for no reason, and no fraud was present I was aware of or they admitted to.

I have been getting a lot of 409 scams and viagra emails lately. They seem to have started a month or so ago. Never got them before.

For forcing me to change my CC#, they lost a customer.

However, I have had zero unauthorized charges. So they may be telling the truth about the info compromised.

Re:I MAY believe them... (1)

himself (66589) | more than 3 years ago | (#36388478)

Well, I didn't get a new number, but my wife got a pretty convincing phish about ten days ago. *sigh* Citi, I hates you.

Re:I MAY believe them... (1)

tibit (1762298) | more than 3 years ago | (#36389008)

I agree that the data breach is inexcusable, but wait a minute -- you claim it's somehow their problem that you are apparently emotionally attached to a 16 digit number?! WTF? I wouldn't mind not having a fixed CC number period. For all online transactions I'm using their single-use number generator (virtual account number), and for brick-and-mortar stores I try to use cash whenever possible.

Re:I MAY believe them... (1)

hawguy (1600213) | more than 3 years ago | (#36389822)

I agree that the data breach is inexcusable, but wait a minute -- you claim it's somehow their problem that you are apparently emotionally attached to a 16 digit number?! WTF? I wouldn't mind not having a fixed CC number period. For all online transactions I'm using their single-use number generator (virtual account number), and for brick-and-mortar stores I try to use cash whenever possible.

I've memorized my account number and use it nearly everywhere. Over the years I've had it compromised twice, but fortunately they've only changed the last 4 digits (plus the CID) so it's easy to remember the new one.

Since I have it memorized and it's quick and easy to type for a new purchase, I never check the box "Remember this credit card for your next purchase" to help limit the chance of someone getting the card number, though I don't know if merchants really prevent it from being stored if I check that box.

I do use a virtual account number when dealing with a shady merchant.

Maybe it's time to cheer for breaches. (1)

Seumas (6865) | more than 3 years ago | (#36388146)

Hell, maybe it's time to embrace these types of breaches. The more frequently this happens and the greater population it impacts, the less accountable people will have to be. I mean, if everyone has every piece of your data that is used for anything that you do, then there will never be any way to reasonably affix responsibility to you.

On the other hand, they'll just solve it by finally cracking down and imposing some sort of draconian National ID stuff both on and offline and these activities will just serve as justification for finally sweeping the land with the new "solution".

Re:Maybe it's time to cheer for breaches. (1)

sjames (1099) | more than 3 years ago | (#36391434)

Sadly, it's already rampant but they have somehow successfully re-defined acts of fraud against them (aided and abetted by their own crappy security) as acts of "identity theft" against consumers, and so have shifted the burden of cleaning it up onto individuals with limited resources and no ability to prevent the crime.

It's NOT identity theft. I am still me. If the justice system was vaguely functional for individuals, it would not be MY problem if THEY chose to hand scads of cash to a stranger using my name without doing even a cursory verification. That means any efforts to collect it from ME after I have informed them that they've been had is pure harassment and extortion. Any "credit report" that claims *I* am a bad risk as a result is libel.

What puts it over the top is that the various companies responsible for the mess then have the nerve to suggest that I should pay them an additional annual fee to make even a token effort to not libel, harass, and extort me.

Every Time I See "Citi Bank"... (5, Funny)

Greyfox (87712) | more than 3 years ago | (#36388258)

I hear the "City Wok" guy from South Park screaming "Shitty Bank!"

Welcome to Shitty Bank! You want shitty bank account? How about shitty credit card? I can get you a shitty mortgage!

Oh god damn it! How come every time a hard working Chinese man starts a bank, some JAPANESE DOG open one right next door?!

Re:Every Time I See "Citi Bank"... (1)

Nidi62 (1525137) | more than 3 years ago | (#36388572)

Oh god damn it! How come every time a hard working Chinese man starts a bank, some JAPANESE DOG open one right next door?!

And some damn Mongolians have to come and break down their wall

Re:Every Time I See "Citi Bank"... (0)

Anonymous Coward | more than 3 years ago | (#36389384)

I hear the "City Wok" guy from South Park screaming "Shitty Bank!"

Welcome to Shitty Bank! You want shitty bank account? How about shitty credit card? I can get you a shitty mortgage!

Oh god damn it! How come every time a hard working Chinese man starts a bank, some JAPANESE DOG open one right next door?!

F--- you dolphin and whale!

One month Late? Or just later? (1)

necro81 (917438) | more than 3 years ago | (#36388272)

The article title is "... One Month Late". I ask though: "late" by what standard? By what time, legally, does citibank need to disclose such a breach? Because that is, unfortunately, the only standard that they'd care about. And as long as the penalties for permitting this kind of breach and not disclosing it quickly are laughably small, then there really is no "late".

I raise this semantic quibble not to take potshots at the submitter and editors, nor to let citibank off the hook for such lax practices, but rather to reinforce the message that until regulations regarding these kinds of breaches are tightened and actually have some teeth to them, banks simply aren't going to change their practices. Remember: Citibank is a business whose job is to look after itself - not necessarily its customers. One would think that those interests would tend to align with the customers'. But since this kind of crap keeps happening, that clearly is not the case. While having 200,000 breached sounds like a big number, it's only 1% of citibank's total.

Re:One month Late? Or just later? (1)

that IT girl (864406) | more than 3 years ago | (#36388354)

People also forget that, as much as this sucks, it's worth it to not cause a panic too early when maybe they don't have all the details themselves. I would rather hear the solid facts in a calm manner a little later than a panicked "um, some of your information was stolen, we're still figuring out the scope of this..." on zero day.

One month, what it took to scrub the breach (0)

Anonymous Coward | more than 3 years ago | (#36388276)

I'm sure the month was enough time for them to scrub the breach, such that it wouldn't look like SSNs and the like were compromised. If this were a physical breach of their building and they waited a month, we would know they were duplicitous. For some reason they think (and are probably right) that the public will believe them.

Simply put, physical breaches and digital breaches of security protocols (and data) should be treated the same. The law prosecutes criminals the same (though success of prosecution is largely varied due to evidence differences).

Were they PCI compliant? (4, Interesting)

hawguy (1600213) | more than 3 years ago | (#36388306)

Did the systems that had the data stolen meet PCI compliance guidelines? If not, can I levy non-compliance fines on the bank for not following their own standards for protection of cardholder data?

Re:Were they PCI compliant? (1)

jedidiah (1196) | more than 3 years ago | (#36389100)

Are you a consumer? Then probably not.

Many laws and regulations that are phrased in terms of consumer protection quite often deny standing to actual victims/consumers.

Re:Were they PCI compliant? (0)

Anonymous Coward | more than 3 years ago | (#36389578)

Simple answer: no, you have no recourse except to replace your Citi services with competitors' - that's the way the free market works - and you have the option of taking them to court for damages. (good luck with that!)

The PCI Council doesn't enforce the rules. In this case, because Citi is an issuing bank (and presumably an acquiring bank for some customers) it's probably the card brands that should handle enforcement. note: I said "should" not "will."

Re:Were they PCI compliant? (0)

Anonymous Coward | more than 3 years ago | (#36391238)

Ahhh! I would love to be a fly on the wall when VISA comes to lay the smack down on them. However, it won't happen because of the number of credit cards issued by Citi bank. Can't punish the bank that creates transaction revenue to the tune of billions of dollars each year.

Liable (1)

DaMattster (977781) | more than 3 years ago | (#36388410)

It is time to hold banks civilly liable for behavior like this! Banks over the last decade have behaved recklessly and it is time for them to face the consequences.

Security question (2)

mrjb (547783) | more than 3 years ago | (#36388530)

My bank recently started doing the "security question" thing. Just think of the potential. "Was the name of your first childhood pet really Spotty '); DROP TABLE accounts;--?" "Oh yes, spotty tables we called him."
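The joke above is the classic SQL-injection case: an answer string that is pasted into the SQL text instead of being passed as data. Below is an added example (not from the thread) of the two ways a site could store that answer, using Python's sqlite3 and a constructed in-memory schema with hypothetical `accounts` and `security_answers` tables. The vulnerable version uses `executescript()` because it runs several statements in one call, which is the behaviour that turns the quoted answer into a dropped table; the parameterised version stores the same string harmlessly.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed in-memory schema: an accounts table and a separate table for
    security-question answers, as a hypothetical bank site might have."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE accounts (id INTEGER PRIMARY KEY, username TEXT);
        CREATE TABLE security_answers (username TEXT, answer TEXT);
        INSERT INTO accounts (username) VALUES ('alice');
    """)
    return conn


# The answer from the comment above, exactly as the customer would type it.
PAYLOAD = "Spotty'); DROP TABLE accounts;--"


def store_answer_vulnerable(conn: sqlite3.Connection, username: str, answer: str) -> None:
    """Builds the SQL by string formatting, so the answer becomes part of the SQL text.

    executescript() is used because it executes multiple statements in one call.
    sqlite3's execute() would refuse the second statement, but many other drivers
    and stacks do not, and that is the situation the comment is joking about.
    """
    sql = (f"INSERT INTO security_answers (username, answer) "
           f"VALUES ('{username}', '{answer}')")
    conn.executescript(sql)


def store_answer_safe(conn: sqlite3.Connection, username: str, answer: str) -> None:
    """Parameterised statement: the driver hands the answer over as data, never as SQL."""
    conn.execute("INSERT INTO security_answers (username, answer) VALUES (?, ?)",
                 (username, answer))
    conn.commit()


def table_exists(conn: sqlite3.Connection, name: str) -> bool:
    row = conn.execute("SELECT 1 FROM sqlite_master WHERE type = 'table' AND name = ?",
                       (name,)).fetchone()
    return row is not None


def stored_answer(conn: sqlite3.Connection, username: str):
    """The answer actually saved for a user, or None if there is none."""
    row = conn.execute("SELECT answer FROM security_answers WHERE username = ?",
                       (username,)).fetchone()
    return row[0] if row else None
```

With the vulnerable function the `accounts` table is gone and only "Spotty" was saved; with the safe one the full quoted string is stored verbatim and the schema is untouched. The fix is not escaping quotes by hand but never letting user input become SQL text at all.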

Re:Security question (0)

Anonymous Coward | more than 3 years ago | (#36389174)

How original: xkcd.com/327/

Re:Security question (0)

Anonymous Coward | more than 3 years ago | (#36389650)

Hey, look.... a fellow xkcd reader.

Can we? (1)

dcigary (221160) | more than 3 years ago | (#36388740)

Can we as the public charge them a late fee? They certainly have a lot of them from me that I'd like to get back! :)

CVV data? (2)

rickb928 (945187) | more than 3 years ago | (#36388750)

Um, of COURSE CVV data wasn't compromised... What nimrod would store CVV in the same system as PAN? (That's Primary Account Number, for those of you who don't play with credit card data enough to stop using 'card number' as the term).

In fact, just stating that CVV wasn't compromised bugs me. That should NEVER be exposed to anything that returns data. Here's how it should work:

1. Merchant swipes your card into terminal (or keys it into whatever).
2. Merchant reads and enters your CVV (or CVC or CVV2 or CID) into whatever.
3. Authorization request is sent to the processor.
4. Processor compares PAN and CVV to their records.
5. Processor makes a decision.
6. Processor responds to request.
7. Merchant's system discards CVV if it didn't already.

The CVV may not be saved by the merchant per PCI specs, and also per every processor spec that I'm aware of. If someone is able to get and match CVV etc. with PAN, they do it by either intercepting authorization data or reaching in and compromising processor and/or issuer databases that should not be connected to any external network. These should only be accessible by the 'inside' or secure side of trusted platforms, never externally.

So you should hear of CVV-type data being disclosed only by terminals or POS software being compromised, or by someone carrying the data out of a building.

And that Citi actually said this worries me just a little. Like hearing your 3rd grader's teacher telling you they always wear a condom to work. Um, why? That should NEVER be an issue, sirs.

Of course, Citi might just be covering their bases, claiming that no other data, even the stuff that should not even be connected, was taken. Again, doing it wrong, guys.

ps - as an aside, there is a good chance that up to 30% of all cards in use have been compromised somehow, and no one bothers to replace them. Too expensive, they will run out of numbers faster than IPv4, and they handle the ongoing threat of fraud with existing fraud systems. No problem. Well, not much of a problem. I bet Citi doesn't even bother to replace these cards.

Second aside, while waiting a month sounds bad, perhaps Citi was gathering history and understanding how these details would be used, to both crack the fraud rings and maybe connect them to the infiltrators. This will happen more and more as the banks especially decide to fight back and make an effort to find the perps of the intrusions. And about time.

Re:CVV data? (1)

hawguy (1600213) | more than 3 years ago | (#36389744)

Um, of COURSE CVV data wasn't compromised... What nimrod would store CVV in the same system as PAN? (That's Primary Account Number, for those of you who don't play with credit card data enough to stop using 'card number' as the term).

I don't play with enough credit card data to call the card number a PAN, but Card issuers/processors are allowed to store the CVV (duh, otherwise they wouldn't be able to validate it) so it wouldn't be surprising if Citi lost the CVV too.

But since payment systems are often complex systems with software pieced together from multiple vendors, it's easy for a merchant to inadvertently store the CVV without even knowing it. I have an open bug request for a supposedly PCI compliant application (it's on the list of Validated Payment Applications) that drops the entire card number + CVV into a transaction log file under certain circumstances.
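The authorization flow rickb928 lays out above (merchant sends PAN and CVV, processor compares them to its records, merchant discards the CVV) and the log-file defect hawguy describes here, as an added example that is not code from the thread or from any payment product: a toy merchant/processor exchange in Python in which the merchant never persists the CVV, followed by the check a reviewer would run over an application's transaction log to find full PANs and any CVV written beside them. The record store, the message fields and the log lines are constructed; 4111111111111111 is the widely published Visa test number, not a real account.

```python
import re
from dataclasses import dataclass

# Constructed issuer/processor record store. The issuer or processor has to keep
# the verification value in some form in order to validate it; the merchant does
# not. 4111111111111111 is the well-known Visa test PAN, not a real account.
ISSUER_RECORDS = {
    "4111111111111111": {"exp": "1225", "cvv": "123"},
}


def luhn_ok(digits: str) -> bool:
    """Luhn check, used to tell a PAN from an ordinary long number (txn id, timestamp)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI-style display form: first six and last four digits only."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


@dataclass
class AuthRequest:
    pan: str
    exp: str
    cvv: str
    amount_cents: int


def processor_authorize(req: AuthRequest) -> dict:
    """Steps 3-6 of the flow: compare PAN and CVV to the issuer record and answer.
    The response never echoes the CVV back to the merchant."""
    rec = ISSUER_RECORDS.get(req.pan)
    if rec is None or not luhn_ok(req.pan):
        return {"approved": False, "reason": "no such account"}
    if rec["exp"] != req.exp or rec["cvv"] != req.cvv:
        return {"approved": False, "reason": "verification failed"}
    return {"approved": True, "reason": "ok"}


def merchant_checkout(pan: str, exp: str, cvv: str, amount_cents: int, log: list) -> dict:
    """Steps 1-2 and 7: build the request, send it, and persist only what the
    merchant may keep. The CVV lives in the request object and nowhere else."""
    resp = processor_authorize(AuthRequest(pan, exp, cvv, amount_cents))
    log.append(
        f"auth pan={mask_pan(pan)} exp={exp} amount={amount_cents} "
        f"approved={resp['approved']}"
    )
    return resp


# Detection side: scan a transaction log for the defect hawguy describes
# (full PAN, and possibly the CVV, written to disk).
PAN_RE = re.compile(r"(?<!\d)(\d{13,19})(?!\d)")
CVV_RE = re.compile(r"\b(?:cvv2?|cvc2?|cid)\s*[=:]\s*\d{3,4}\b", re.IGNORECASE)


def find_leaks(lines) -> list:
    """Return one finding per log line that contains a Luhn-valid full PAN,
    noting whether a CVV value sits on the same line."""
    findings = []
    for n, line in enumerate(lines, start=1):
        pans = [p for p in PAN_RE.findall(line) if luhn_ok(p)]
        if pans:
            findings.append({
                "line": n,
                "pan": mask_pan(pans[0]),
                "cvv_present": CVV_RE.search(line) is not None,
            })
    return findings


# Constructed log lines from a hypothetical payment application. Line 1 is what
# a compliant app writes; lines 2 and 3 are violations. The txn ids are long
# digit runs that are not Luhn-valid, so they are not reported as PANs.
SAMPLE_LOG = [
    "2011-06-09T10:01:02 txn=1234567890123456 pan=411111******1111 exp=1225 approved=True",
    "2011-06-09T10:01:03 txn=1234567890123457 pan=4111111111111111 cvv=123 amount=1999",
    "2011-06-09T10:01:04 txn=1234567890123458 pan=4111111111111111 amount=500",
]

if __name__ == "__main__":
    merchant_log = []
    print(merchant_checkout("4111111111111111", "1225", "123", 1999, merchant_log))
    print(merchant_log)
    for finding in find_leaks(SAMPLE_LOG):
        print(finding)
```

The Luhn filter is what keeps the scanner usable on real logs: transaction ids and timestamps produce plenty of 13-to-19-digit runs, and without it every one of them would be reported. Running `find_leaks` over the merchant's own log in the first half of the block returns nothing, which is the property step 7 of the flow is meant to guarantee.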

Re:CVV data? (1)

rickb928 (945187) | more than 3 years ago | (#36390290)

Yup, we encrypt our log file. We haven't figured out how to scrub RAM, but it's being worked on.

Re:CVV data? (1)

TheGratefulNet (143330) | more than 3 years ago | (#36389846)

how does amazon get away with this, then? I'm curious. amazon has 'one click' and even if you don't use that, I've NEVER had to re-enter cvv strings to use my 'on file' CC with them.

newegg and all the rest - I have to re-enter the cvv. but not amazon. how did they pull this off?

(then again, I wonder how they can send me a box FROM calif TO calif and not charge me tax. amazon has some 'creative' accts, I would assume, but why don't other big names also use these loopholes?)

Re:CVV data? (1)

hawguy (1600213) | more than 3 years ago | (#36389974)

how does amazon get away with this, then? I'm curious. amazon has 'one click' and even if you don't use that, I've NEVER had to re-enter cvv strings to use my 'on file' CC with them.

I imagine that they just don't use the CVV for future transactions. They use it the first time to make sure that you have possession of the card, but after that first transaction, they just process transactions without the CVV. The CVV isn't required, though it reduces the merchant's chance of chargeback and often results in a lower transaction fee (though Amazon's negotiating power probably means that they don't pay a higher transaction fee for future non-CVV transactions).

On Amazon, if you ship a product to a new shipping address, they ask for the card number + CVV again (or maybe it's just the CVV?) to make sure that you're the one that authorized the new address.

Re:CVV data? (1)

rickb928 (945187) | more than 3 years ago | (#36390462)

Pretty much what hawguy said. Most major retailers have arrangements with the issuers to accept chargebacks for nonswiped transactions, and Amazon is in the nonswiped or 'card not present' model. So they tolerate the chargebacks.

Also, many processors allow a merchant (Amazon, perhaps) to process a card again if previously successful. Still subject to other fraud rules, but they can do it without the CVV etc.

The CVV is useful to merchants that are in the nonswipe model, and wish to have the extra authentication, as it proves that either they or the customer actually had the card, at some time, in their possession. If the 'customer' is a thief, well, then it's on to the other criteria, like did you get a signature, did the product get shipped elsewhere, etc.

Some terminals will prompt for CVV in response to a query from the processor. This usually indicates the card or transaction is suspicious.

CVV is not required. It is helpful.

Re:CVV data? (0)

Anonymous Coward | more than 3 years ago | (#36389852)

Citi is not a merchant. Depending upon transaction details, they play the role(s) of issuing bank, merchant bank, and processor. Everything they do happens between #5 and #6 in your outline.

In the case of card verification data, "someone" has to store it. Since Citi issues the cards and/or processes the transactions, they must store that verification number in some form, otherwise the verification can't be done.

Re:CVV data? (1)

rickb928 (945187) | more than 3 years ago | (#36390356)

Precisely. But it should be stored on systems so inaccessible to the outside, as to be impervious.

I know, that. sounds. naive. But it can be done.

A processor or bank never needs to send CVV out at all, except as it is needed to load new accounts, and then of course encrypted for the exchange and over a secured link. I know, naive again.

Re:CVV data? (1)

hawguy (1600213) | more than 3 years ago | (#36390494)

Precisely. But it should be stored on systems so inaccessible to the outside, as to be impervious.

I know, that. sounds. naive. But it can be done.

Really? You should tell RSA and Lockheed how to make computer systems storing high value data impervious to the outside. I'm sure they could use the help.

Re:CVV data? (1)

rickb928 (945187) | more than 3 years ago | (#36390794)

Well, one way is to sanitize input and discard anything not expected. Most processing platforms do this. Try FTPing into any major platform some time. Another way is to ensure that whatever the external platform gets, it is parsed and sent on. No, our platforms don't even recognize characters used in injection attacks etc., and those don't even get passed on.

It is possible. RSA and Lockheed got used because they failed. Not every other system is run by incompetents.
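The parse-and-forward approach rickb928 describes above (validate input against what is expected, discard the rest, and pass on only what was parsed), as an added example that is not from the thread or from any processor's platform: a small Python gateway that parses an inbound authorization message into typed fields against per-field allowlists and re-serialises it in a fixed layout, so nothing that was not explicitly expected can reach the inner system. The `key=value|key=value` message format, the field names and the rules are constructed for illustration.

```python
import re

# Allowlist per field: a value that does not match is rejected outright, not
# escaped or cleaned up. The message format (key=value pairs joined by '|')
# is constructed for this example; real processor interfaces differ.
FIELD_RULES = {
    "mid": re.compile(r"^[A-Z0-9]{1,15}$"),        # merchant id
    "pan": re.compile(r"^\d{13,19}$"),             # digits only
    "exp": re.compile(r"^(0[1-9]|1[0-2])\d{2}$"),  # MMYY with a real month
    "amount": re.compile(r"^\d{1,10}$"),           # minor units (cents)
    "currency": re.compile(r"^[A-Z]{3}$"),
}
REQUIRED = ("mid", "pan", "exp", "amount", "currency")


def parse_auth_message(raw: str):
    """Parse an inbound message into typed fields. Returns None at the first
    unknown key, duplicate key, missing required field or out-of-allowlist value."""
    fields = {}
    for part in raw.split("|"):
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        rule = FIELD_RULES.get(key)
        if rule is None or key in fields or not rule.fullmatch(value):
            return None
        fields[key] = value
    if any(k not in fields for k in REQUIRED):
        return None
    fields["amount"] = int(fields["amount"])  # typed from here on
    return fields


def canonical_message(fields: dict) -> str:
    """Re-serialise from the typed fields in a fixed order, so the inner
    platform only ever sees validated content in a known layout."""
    return "|".join(f"{k}={fields[k]}" for k in REQUIRED)


def forward(raw: str):
    """Gateway behaviour: parse, then either forward a canonical message or drop."""
    fields = parse_auth_message(raw)
    return canonical_message(fields) if fields else None


if __name__ == "__main__":
    # Constructed messages: the first is forwarded, the second is dropped
    # because the amount contains a character outside its allowlist.
    print(forward("mid=SHOP42|pan=4111111111111111|exp=1225|amount=1999|currency=USD"))
    print(forward("mid=SHOP42|pan=4111111111111111|exp=1225|amount=19.99|currency=USD"))
```

Two design points worth noting: the gateway never tries to strip or escape bad characters, because a rejected message is cheaper and safer than a "cleaned" one whose meaning has changed; and re-serialising from typed fields means extra keys, reordered keys and stray bytes all disappear even when they would individually have been harmless.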

Re:CVV data? (1)

hawguy (1600213) | more than 3 years ago | (#36391098)

Well, one way is to sanitize input and discard anything not expected. Most processing platforms do this. Try FTPing into any major platform some time. Another way is to ensure that whatever the external platform gets, it is parsed and sent on. No, our platforms don't even recognize characters used in injection attacks etc., and those don't even get passed on.

It is possible. RSA and Lockheed got used because they failed. Not every other system is run by incompetents.

That's why computer security is so hard - hackers rarely come in the way you expect them to. In RSA's case, they exploited a previously unknown Flash vulnerability - you can sanitize inputs all day long, but when the hacker takes over your workstation because they managed to get you to view an infected Flash ad, he suddenly gets the same access to your secret data that you have. (you may say "I'm safe because I don't run flash", it doesn't matter - exploits can live in any software or operating system, maybe the next hack will come from infected hard drive firmware)

At Lockheed, hackers (supposedly) compromised RSA tokens based on information from the RSA hack and used those tokens to hack into the network. The very same RSA tokens that many companies use to implement 2 factor authentication to make sure that hackers can't get in.

There is no absolute security for any computer connected to a network (or any exposure to computers that are connected to a network) - no security expert I know will guarantee security. It's all about mitigating risks to make a compromise less likely. I think it's unlikely that the people protecting top secret data at Lockheed are complete incompetents.

Re:CVV data? (1)

rickb928 (945187) | more than 3 years ago | (#36391962)

You're not going to exploit a Flash vulnerability with any processor platform - they don't do any of that.

And if the workstation is able to view the data, well, yes, compromising the workstation gets you data. None of that has to do with processors.

You're assuming this incident was a workstation attack, which is not implausible.

Re:CVV data? (1)

hawguy (1600213) | more than 3 years ago | (#36392076)

I'm not saying anything about this incident, I'm disputing your statement that a network attached system can be rendered impervious from outside attack:

But it should be stored on systems so inaccessible to the outside, as to be impervious.

I know, that. sounds. naive. But it can be done.

I'm sure that RSA wasn't storing secret keys on a workstation running Flash, yet a Flash vulnerability gave hackers the stepping stone they needed to get into secure servers.

Re:CVV data? (1)

rickb928 (945187) | more than 3 years ago | (#36392558)

Around work, we sit inside multiple firewalls and run multiple methods of intrusion detection and anti-whatever stuff. So much so that I see scans multiple times a day, and other stuff monitoring communications and looking specifically for sensitive and encrypted data, and where it is going.

When I use my system outside of work, it goes through a VPN and always has. It's never seen the Internet without going through the corporate VPN and then the corporate security. So far, no hint of problems.

And when I do use removable media, it is first scanned to see if it is secure, using the corporate encryption method. If not, access denied.

Citi may not be doing enough. That's a common story. I'm glad I don't do corporate security stuff for ANY size organization - it's just excruciating any more.

But if your question is if merchants can be compromised, well yes they can. Can processors be compromised? Yes. Can their platforms be compromised? Much more difficult. But not proven impossible.

And using valid PANs stolen elsewhere does not constitute compromising a platform.

Re:CVV data? (1)

MobyDisk (75490) | more than 3 years ago | (#36390670)

You are right, but the underlying hole is this:

The merchant voluntarily discards information

The reality is they don't discard information. They keep it, mine it, sell it, etc. It should be illegal to do so. But even more important, the system should never expose any information to the merchant: not the credit card number, expiration date, CVV code, cardholder name -- nothing. There are smart card systems that work this way but I've never seen one in practice.

Re:CVV data? (1)

rickb928 (945187) | more than 3 years ago | (#36390912)

That would be how EMV cards are supposed to work. The cryptogram can be shown to the merchant, but good luck using it without certificates. And if it gets out of synch, say after a man in the middle attack that forced an offline transaction, at least the cardholder is alerted and the card dies.

Yes, mag cards are insecure. Merchants that don't discard CVV (actually the spec says 'do not store') are in violation and risk all sorts of reprisals, though they are never harsh enough. Some merchants do engage in data mishandling, and that won't be solved until we get to fully encrypted models, like EMV and NFC/RFID, which can be very secure. EMV's offline mode is the weak point. Take a moment and check that the terminal you're using has one and only one cord to it, which rules out someone adding a shim or their own reader, which is about all you can do. Merchants need to make sure they are certain who is servicing their POS hardware, and avoid some nasties coming in with terminals with loggers in them, for instance.

Ultimately, though, if you have access to the hardware, you can break anything.

That nimrod would be Sony. (0)

Anonymous Coward | more than 3 years ago | (#36392176)

How about Sony? They stored everything including the CVV2 code in a single plain text file despite the fact that they are not supposed to store the CVV2 code at all. Not surprisingly, Visa hasn't done anything about it, despite the fact that Sony violated every PCI rule in the book.

Re:That nimrod would be Sony. (1)

rickb928 (945187) | more than 3 years ago | (#36392472)

Not yet, anyways. Visa certainly takes their time, and I suspect the PCI Council will act first and revoke the cert.

Then of course they will be paying for much fraudulent activity if any occurs.

How to get the attention of Banks (1)

Anonymous Coward | more than 3 years ago | (#36388844)

If we want to get the attention of the banks, the fine for compromised credit card accounts should be equal to 10% of the credit limit for the cardholder. So if my card has a $10,000 limit and my personal information is compromised, I get a *CHECK* from Citi in the amount of $1,000, not a credit to my account; I get real money.

This way all banks now start to take things very seriously, and I'm sure we'll see appropriate security measures start to be used.

If the average credit limit for the 200,000 users who had their accounts compromised was $7,500 Citi would be faced with a fine of $150M paid to the victims.

Re:How to get the attention of Banks (1)

hawguy (1600213) | more than 3 years ago | (#36390258)

If we want to get the attention of the banks, the fine for compromised credit card accounts should be equal to 10% of the credit limit for the cardholder. So if my card has a $10,000 limit and my personal information is compromised, I get a *CHECK* from Citi in the amount of $1,000, not a credit to my account; I get real money.

How would you justify this fine? What is the cost to you for a lost name and account number and a reissued credit card? The bank is already on the hook to eat unauthorized charges and reissue cards, but what are your real losses? And why is it based on your credit limit? Shouldn't it be more of a factor of your average activity? I have a $15,000 limit on a card that gets maybe $100 or less of use in a typical month.

Now if the SSN was released, that's a whole different scenario and the banks should pay dearly - not just some credit monitoring service.

Ironic (1)

gaiageek (1070870) | more than 3 years ago | (#36388908)

I have a Citi card and found out about this (though not the scale of it) a few days ago when I received a letter with a new card saying my data had been compromised. The irony of this is that while I stopped using the physical card a few years ago, I've kept my Citi account open solely for purpose of using their Virtual Account Numbers service. I've been going through all this extra trouble to protect myself using disposable card numbers only to have the "real" account number compromised at the source.

My story about the matter here [gaiageek.com].

My only question now is whether I close my account to send them a message, yet at the loss of a useful service which may protect me elsewhere online. Fortunately, I do have a Discover card which also has a virtual account number service, but Discover isn't always accepted where Visa and MasterCard are.

Personal Experience (4, Interesting)

Lucidus (681639) | more than 3 years ago | (#36388960)

My sister was affected by this a few weeks ago, and I wondered that there was nothing on the news about it at the time.

She got a call saying that her account might have been compromised, and that a new card was on the way. Early on the day after she received the replacement card, and before she had even activated it, there was another call telling her that the new account number had already been used to make several purchases.

Clearly this was a serious breach that continued over at least several days, and was not the fault of a merchant, as they tried to claim.

subject (3, Interesting)

Legion303 (97901) | more than 3 years ago | (#36388980)

"Is account security a thing of the past?"

Well, back in the early 90s, Citibank sent a bunch of 3.5" floppies to our school for students to use. Those floppies all had account information and spreadsheets on them. My job was to format them for use by the kids. Since I didn't relish the thought of formatting 50 of these fuckers on one computer, I just brought in a box of blank disks of my own the next day and kept the ShitiBank ones, formatting them for my own use as needed. Shiti is extremely lucky I had no plans to use the information for personal gain, but really, they had absolutely zero way to verify where those disks ended up.

So to answer your question, I don't think account security has ever realistically been on Citibank's mind.

News or Normal? (1)

Clinoti (696723) | more than 3 years ago | (#36389336)

On one hand we have the constant news of yet another security breach where an unknown amount of data is stolen, the time lapse of the disclosure, and another breach breaking the news later the same day. On the other hand we have every financial company up-selling a service they've rolled out to monitor credit scores, credit inquiries, and social security numbers. At what point are people going to clasp those hands together and just stop caring? Between social networking sites and the new lack of financial / gaming network security, most of "you" is digitized and already out there. Are these breaches just becoming another marginalized city hazard like jaywalking on a boulevard?

Come on everyone, what's wrong with you? (1)

Anonymous Coward | more than 3 years ago | (#36389860)

Where is the hate for them because they got hacked, like you had for Sony?

Citi bank, foreign governments, HBGary, MasterCard, PayPal, Square Enix all get hacked and you don't get upset? But when Sony gets hacked you all act like idiots and want to complain about them and take any chance you can to put them down.

Re:Come on everyone, what's wrong with you? (1)

HikingStick (878216) | more than 3 years ago | (#36390006)

Many still have a big chip on their collective shoulder regarding Sony's little DRM/spyware debacle. IMO, that's the source of the hate. It must be thrown into the fires of Mount Doom.

Re:Come on everyone, what's wrong with you? (1)

FrellMeDead (1367815) | more than 3 years ago | (#36392756)

Citibank sucks completely and most people know/realize this over the years/decades of crappy customer service, overly high interest rates, and underhanded/illegal tactics that they use to change your account balance/interest rate/minimum payment/etc. As a result of the long term screw over I think most people just are fed up and don't even want to deal with another Citibank issue. As another commenter said, the whole DRM thing and the multiple breaches are relatively fresh and as a result throw more fuel into the fire. I do think people should be madder at Citibank, but really what do you expect from a bank in the past decade other than throwing its customers under the bus every chance it gets.

Two by Four Approach (1)

ThatsNotPudding (1045640) | more than 3 years ago | (#36390644)

Has any publicly-traded company had their stock downgraded by stock analysts? Dropping from an AA rating to a B because you kept sensitive data on a digital equivalent of a post-it note would get their attention far more than any 'cost of doing business' fine by the Federales.

Mongolians? (1)

sjames (1099) | more than 3 years ago | (#36391532)

Damned Mongolians breaking down my firewall!!

Ugh (0)

Anonymous Coward | more than 3 years ago | (#36392506)

This will become more and more commonplace. Banks, healthcare, government. It's all ripe for the taking.

People are bored, talented, out of work, and/or simply don't care anymore.

When talented people are no longer interested in money as the endgame, destruction and lulz get rolling.

Next up, groups competing for the most destruction and lulz with government, corporations, and the end user in the cross hairs.

Following that, users are no longer surprised or upset when their personal information and data is compromised.
