
Citi Hackers Got Away With $2.7 Million

timothy posted more than 3 years ago | from the us-dollars-even dept.

Crime 126

angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."

126 comments

Amateur (4, Informative)

Anonymous Coward | more than 3 years ago | (#36576098)

Let's not forget that the account numbers were passed with no security in the URL. I think I'll be canceling my Citi card (when I pay it off...).

Re:Amateur (2, Insightful)

rbarreira (836272) | more than 3 years ago | (#36576134)

I think I'll be canceling my Citi card (when I pay it off...).

You should do that even if it wasn't for this security breach. Big banks like Citi have been defrauding everyone including sucking money off the taxpayer teat courtesy of its puppet politicians.

Why anyone knowing that would want to continue being their customer is beyond me. Use a local credit union instead.

Re:Amateur (2)

rubycodez (864176) | more than 3 years ago | (#36576338)

the banking cartel does the defrauding, and why do you imagine your credit union is independent of it?

Re:Amateur (4, Informative)

chill (34294) | more than 3 years ago | (#36576430)

Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

For example, I found that my place of work has a credit union. Its sole purpose is basically to make affordable car loans to employees. There is no online banking, no ATMs, and just one office open 3 hours a day, 4 days a week. Almost no one has a "checking" account there, because they offer only the barest minimum of service.

What they do offer is savings accounts and auto loans and very reasonable rates. No, they don't offer mortgages.

They're chartered, insured and totally transparent to members -- 95% of which see each other on an almost daily basis.

Re:Amateur (2)

pongo000 (97357) | more than 3 years ago | (#36576632)

Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

Apparently, Texans CU didn't get the memo:

http://www.cutimes.com/2009/12/23/management-shakeup-lawsuits-cuso-bankruptcy-plagued-texans-cu [cutimes.com]
http://www.cutimes.com/2011/04/27/credit-union-industry-reacts-to-failure-of-big-tex [cutimes.com]

Funny thing is that members were *never* notified that Texans had its board removed. So much for credit union transparency.

Re:Amateur (2)

chill (34294) | more than 3 years ago | (#36576714)

Yes. Right now, I take size into account when I consider the trustworthiness of a credit union. Texans, with their 16 physical locations in over a dozen different cities and even more ATMs, would be "too big" in my estimation.

Smaller isn't always better, because it is quite possible to be "too small". I can't give you a hard number, but any more than 5 branches and I'd be thinking of them as a normal "bank".

being not-for-profit... (2)

brokeninside (34168) | more than 3 years ago | (#36578534)

... while it means that they don't have the goal of maximizing shareholders' equity, doesn't mean that they don't exhibit profit-seeking behavior. It just means that the profit isn't paid out in the form of dividends. It could, as one example, be paid out in the form of executive compensation.

Moreover, many credit unions are for-profit concerns. But the dividends go to account holders rather than third-party investors that don't deposit money into the credit union. And the money that is deposited is used by members rather than non-members. Rather than your deposits going towards providing the backing for third-parties to get loans, etc., they go towards loans, etc., for members of the credit union. This distinction starts to break down, however, when the credit union decides to invest the money in instruments to increase dividends to the members.

Re:Amateur (1)

dgatwood (11270) | more than 3 years ago | (#36576374)

Two words: cash back. Also, I've never seen a credit union that offered true credit cards. Debit cards, sure, but I'm not comfortable using a debit card anywhere unless I've been shopping there for years, because all it takes is one sleazy employee cloning your stripe, and somebody can then guess your PIN numbers and clear out your account without actually stealing your card. And because it is a debit card, your liability when this happens is unlimited.

Re:Amateur (1)

rbarreira (836272) | more than 3 years ago | (#36576404)

Read my post again, I wasn't criticizing credit cards.

Re:Amateur (0)

Anonymous Coward | more than 3 years ago | (#36576748)

I encourage you to check again? I've only ever...used...three credit unions since the late 90's...and all of them offered real credit cards (in addition to debit).

Now-- 2/3 of them, their credit cards were locally branded VISA which were actually owned by the same 'branding company'. They had shoddy integration with their website, and the support number would immediately transfer you to some mega-conglomerate... But it was nonetheless a credit card.

Re:Amateur (0)

Anonymous Coward | more than 3 years ago | (#36577678)

From my credit union I have both a Visa debit card and an ordinary Visa credit card. The debit card has all the normal protection when used as credit; they even advised me to just not set a PIN and always use it as credit.

Re:Amateur (1)

MacGyver2210 (1053110) | more than 3 years ago | (#36576502)

Yeah, but if all their customers leave it will just lead to another bailout by the government.

Look at the airlines: many of them lost their asses when air travel became so much of a hassle and fee-minefield that people stopped flying and started driving/riding the train/bus. Of course, the government was like "No! We're a rich successful country, and we can't let a big industry fail even if they're morons! That makes our country look weak. Cash! Throw it at them hard and quick!"

Welcome to the 21st century, when a company is no longer allowed to fail because of its own shitty service.

Re:Amateur (1)

frank_adrian314159 (469671) | more than 3 years ago | (#36577472)

Small regional banks are pretty good, too. Just watch for signs of being overextended and/or being gobbled up by one of the big boys.

Re:Amateur (0)

Anonymous Coward | more than 3 years ago | (#36578344)

Yes, use a local credit union. My local credit union outsourced their Visa card 2 years ago. The new company handling Visa service for the credit union (who I have been with for 30+ years) does not accept electronic payments. Which means the credit union has to actually cut a check and mail it to pay their own credit card. Not only that, the time to process a payment has increased from 6-8 days to 12-14 days.

Re:Amateur (1)

rrohbeck (944847) | more than 3 years ago | (#36577292)

Citibank is the worst. They needed to be bailed out after taking on too much risk every few decades. Read up on their history.

Re:Amateur (1)

jroysdon (201893) | more than 3 years ago | (#36577934)

You can cancel your account while still paying it off. It's actually a good thing to do, as it will keep you from charging any more (and prevent fraud charges).

Just make sure you switch to paper statements first, as once you cancel/close your account, you can't access statements online anymore.

I had my CitiBank card compromised twice in one month. The first time I called and told them, and they canceled the account number and overnighted me a replacement card. It sat in the overnight envelope on my coffee table for 3 weeks until I activated it, and within a week I had more fraud charges.

As I never take the physical CitiBank card from home, and only used their Virtual credit card (where you generate a new number each time to use for online purchases), I knew there was something fishy going on. They wouldn't/couldn't tell me which place I'd used my card at had been compromised. I was very clear with them that this was unacceptable, and if I didn't get answers, I was going to close my account (which I've had for most of my credit history). They couldn't do anything, and wanted to send me another card. I told them what is the point because in a week, before I even use it, it'll be compromised again. I closed my account after this in April, 2011. Now we find all this out a month or so later.

As much as I don't like BankAmerica, I have switched back to them for their Shop Safe virtual credit cards for all my online purchases. Again, my BankAmerica card never leaves my physical filing cabinet and is never used online. The BofA Shop Safe is a great system in that you can not only set the card to expire in 2 months (minimum requirement), but you can set a limit. I just round up to the nearest dollar, so each purchase "maxes out" the amount available for each Shop Safe virtual card.

I wish more places offered this sort of virtual card (even some method for your physical card to generate a virtual card so a skimmer can be traced and also limited). I wish all banks and credit cards had to offer two-channel authentication for purchases over a customer-set limit (see ING.nl's TAN codes via mobile phone [www.ing.nl] ). I wish I could set some cards to not be allowed without physically being present (in other words, block some cards from being able to be used over the phone or online, and require it to be in person and require ID checking), and some cards only allowed to be used online with temporary/virtual card numbers (and never allow the real/physical account number to be used).

These security protections seem so basic, and so easy to implement, and they'd totally knock out the majority of fraud.

The best card companies offer now is an email/SMS message when a purchase over a limit I set is done. That's fine for a credit card, as I'm not liable if I report it as fraud, but it's a pain for a Debit Card as I'm out that money. For that reason I canceled my Debit Cards and have ATM-only cards.

Re:Amateur (1)

brokeninside (34168) | more than 3 years ago | (#36578400)

You can cancel before you pay off.

Either phone them and tell them that you want to close the account or next time they try to change the terms, send them a letter that you don't accept. In either case, the account will be closed with regards to new transactions but you'll be able to continue to pay off the balance at the current rate.

2.7million USD (2, Funny)

Anonymous Coward | more than 3 years ago | (#36576110)

Citigroup suffered about US$2.7 million in losses

- dollars?

Nothing of value was lost.

Re:2.7million USD (2)

Opportunist (166417) | more than 3 years ago | (#36576136)

I guess when you're used to getting billions in bailouts, millions don't really register as an amount anymore.

Re:2.7million USD (2)

interval1066 (668936) | more than 3 years ago | (#36576282)

Why was this comment modded down? It's the most enlightened comment in the lot.

Re:2.7million USD (2)

arunce (1934350) | more than 3 years ago | (#36576472)

this is funny. really, mod this up.

Ooooh, a couple mill (0)

GrumblyStuff (870046) | more than 3 years ago | (#36576124)

Call me when there's news of the billions in cash that mysteriously was lost in Iraq.

Re:Ooooh, a couple mill (2)

shentino (1139071) | more than 3 years ago | (#36576168)

I got a slice of it after receiving an offer in my email yesterday.

Re:Ooooh, a couple mill (1)

MacGyver2210 (1053110) | more than 3 years ago | (#36576510)

All you have to do is send a blank check to this Nigerian prince...

Re:Ooooh, a couple mill (1)

Nov8tr (2007392) | more than 3 years ago | (#36577650)

He's not a Prince silly. He's an attorney for a client who died. pfffftttt

Re:Ooooh, a couple mill (1)

dkf (304284) | more than 3 years ago | (#36578074)

All you have to do is send a blank check to this Nigerian prince...

When you do send it, don't forget to sign it "Bernie Madoff".

Re:Ooooh, a couple mill (0)

Anonymous Coward | more than 3 years ago | (#36576244)

Suddenly Paraguay has a lot of assets for infrastructure and modernization. They say it's from a boost in ranching profits and soybean production. (But notice that many other areas in the world with similar production don't see that kind of available funding.)

Guess who has a nice big ranch there?

Anyone notice more than half of the big banks there are also foreign owned? Why such interesting timing in the investment there?

I think the money trail in that country and some other areas of South America need further investigation, as that's where almost everyone involved in the big rip-off is bugging out to.

PCI compliant? (2)

Virtucon (127420) | more than 3 years ago | (#36576152)

I find this funny and sad at the same time. Their PCI certification needs to be revoked. Besides, it has been done before to Citi. http://redmondmag.com/articles/2008/07/02/citibank-hack-shines-light-on-pci-compliance.aspx [redmondmag.com] . If a bank can't be compliant then the PCI needs to be abolished because it appears to mean nothing to large financial institutions.

Re:PCI compliant? (1)

shentino (1139071) | more than 3 years ago | (#36576196)

Any regulation that depends on enforcement from someone whose congressional superiors you can simply bribe away with campaign contributions will fail.

Re:PCI compliant? (5, Insightful)

Opportunist (166417) | more than 3 years ago | (#36576230)

Compliance auditing is a circle jerk business. It's like peer review, just worse, insofar that there are no "honest" people in the game that could debunk the scheme. They're all in for the money.

One thing you learn quickly as a young, aspiring and motivated auditor is that your job is not to test whether the company you audit is compliant. Your job is to make sure they are. Why? Because we want to be rehired for the checkup in a year, DUH! And because your first audit in a company is your foot in the door for other audits, and especially with BIG companies, there's a lot of things you can audit and certify, and all means moolah. Being "stubborn" means that your company will not be rehired and you will be fired.

Quick question for 100 (or, in auditor's terms, 5 minutes of work): What's your goal when auditing?

So I don't fear for their PCI cert. They will certainly be audited, this hole will be sealed, a lot of checkboxes will be ticked off (btw, transfer security is a very minor point in PCI-DSS compliance. Don't ask me why, I didn't make the cert requirements, I just have to endure them) and they will pass.

Re:PCI compliant? (3, Insightful)

dgatwood (11270) | more than 3 years ago | (#36576398)

What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its employees should be held liable for any damages.

That one small change to the legal code would end the practices you describe in a heartbeat.

Re:PCI compliant? (2)

the eric conspiracy (20178) | more than 3 years ago | (#36576558)

What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its corporate officers should be held liable for any damages.

FTFY.

For all you know the people performing the audit are contractors or employees under orders from their management to certify the audit no matter what they actually find.

Re:PCI compliant? (1)

jroysdon (201893) | more than 3 years ago | (#36578034)

Right, so management needs to be financially and criminally held liable for this sort of thing. If it affects their pocket book and they might face jail time for not following the rules, perhaps they'll be something done differently?

Re:PCI compliant? (3, Interesting)

Opportunist (166417) | more than 3 years ago | (#36576604)

Aside from this not happening, it's also not feasible. And, bluntly, it wouldn't increase security one bit.

I gave it in detail in a similar topic, compliance with security laws has nothing to do with security as the average IT person sees it. Consider this: It takes months (sometimes years) from detecting a security problem, formulating a law/compliance test around it, implementing the test, implementing the checkbox-ticker-form, getting companies compliant and finally tacking an "audited and passed" sticker to it. ISO27001 is currently in the 2005 version. 2005. I think nobody here would consider himself secure if he is secure against everything known by 2005.

To counter this, the requirements to pass the test are usually very broadly defined and in a quite unspecific way. There's a lot of talk about "reasonable security" and "state of the art/best practice", as well as securing "against current threats". There is a lot of talk about what has to be done, leaving the how completely open. Or, to give an example, you have to have a firewall that protects against current threats. It says nowhere what this may be. Or how "current" is defined. And here's where the whole mess starts to hit the fan.

What is a "current threat"? What is "reasonably well secured"? What is "state of the art"? And most of all, what would happen if you make us circle jerks liable for our blunders? Well, we'd define what a current threat is, what reasonably good security is and also what state of the art is. Who else could? The (snicker) government? If that's the case, I have no worries that I'll ALWAYS be auditing by best practice standards, they'd probably be from 1980something. And rest assured that we'll always cover our respective backs when it comes to the question whether one of us audited perfectly. You don't piss off the people you work with in this trade, it comes back so terribly quickly, and there ain't that many companies that can actually do an ITSEC audit, so there is no heated competition. Hell, we hire each other to reaudit our own certs, take a wild guess how much we hate each other...

The solution is much simpler. First of all, get rid of all those fancy security stickers that get so much credibility but actually mean jack when it comes to security. Second, make companies care about security, and tack a fine on it that actually HURTS. As a neat side effect, it might reduce the data hunger some companies started to develop, since every bit they store might come back to bite them in their ass. In today's economy, it might actually already be sufficient to say that a company that can't get its act together is banned from bailouts. The rest will fall into place by itself.

Re:PCI compliant? (1)

Bert64 (520050) | more than 3 years ago | (#36578260)

You make some good points, and it's not just PCI, but various government security standards too...

You have a list of "approved products", a list which is very expensive and time consuming to get on to. As a result, the approved products tend to be several releases behind and often have known vulnerabilities.. You also ensure that only a few vendors will bother to go through the process thus creating a cartel and forcing smaller players or open source out of the market. Few of those vendors will bother certifying all versions of their products either.

As for what the certification entails, the process is as expected, utterly flawed... The vendor supplies a list of features and an auditor verifies that those features exist.... No checking is done as to the actual security of the product, no audit is done of the source code, no check is done to see if those features are easily circumvented etc... For instance, various versions of Windows got through some of these evaluation criteria, despite gaping security holes such as effectively storing user passwords in plain text.

As for bailouts, there is a simple answer to that... If a company is "too big to fail" then that company is simply "too big"... The government should investigate any company of substantial size and determine the potential economic impact should they collapse... If that impact is too damaging, then the company should be split up into smaller competing parts. This would also break up monopolies and increase competition, a big win for everyone else.
The idea of bailouts is ridiculous, since it effectively eliminates any risk... These companies are now free to take any gamble they want, safe in the knowledge that the government will bail them out if they fail, while letting them keep the profits if they win.

Re:PCI compliant? (3, Insightful)

Bengie (1121981) | more than 3 years ago | (#36576788)

They need a way to fine the auditor to the point of bankrupting them for effectively "lying"

Re:PCI compliant? (1)

Opportunist (166417) | more than 3 years ago | (#36577716)

The employee of the auditing corp? Be reasonable, he was probably facing the decision of signing a cert or being fired.

That won't change jack. Now, if his CEO would have to face personal responsibility... but then, could you see a mere auditor holding the CEO of a huge international auditing co at his balls? Be nice or I sign this bogus cert?

Give companies an incentive to be secure besides getting useless certificates that certify nothing and you'll see change. Nothing else will.

Re:PCI compliant? (1)

jroysdon (201893) | more than 3 years ago | (#36578066)

This is where whistle-blower laws need to be improved. Should a CEO or management do this, they should be financially penalized and face jail time, and the whistle blower should be financially well taken care of.

Basically, an auditor should be untouchable. They should be able to follow the rules, and if not, huge fines should face the management and a large portion of that should go to the auditor.

Auditor's personal financial records need to be an open book, otherwise this would set them up to be able to be black mailers and/or accept bribes.

Re:PCI compliant? (1)

Opportunist (166417) | more than 3 years ago | (#36578518)

Heh, while I like the idea of being untouchable, I doubt it's a good idea either. You could easily hold whole corporations ransom or, in case you don't like them, keep failing them. There needn't even be any monetary incentives to do so if the auditor in question has a personal grudge against a certain company.

In other words, don't send me to audit Sony.

The whole process needs an overhaul. And I don't think creating overly complicated rules or regulations is going to do it, neither is sending CEOs to prison. It can be summed up simply with one statement: Give companies a good reason to WANT to be secure. Create stiff fines for the loss of data and if someone wants to store financial or personal data, he gets audited by a government mandated audit. No checkboxes, no spreadsheets, no tick-this-off-to-pass test. A bunch of auditors get sent into the company with one order: Hack 'em. No rules of engagement (aside of "no deliberate damage") and pay them on a per-incident base, you get 20% of the fine they'll have to pay.

Rest assured, all sides will be VERY well motivated to perform at peak levels!

Re:PCI compliant? (5, Informative)

shoehornjob (1632387) | more than 3 years ago | (#36576860)

About 5 years ago I worked for a compliance unit in the brokerage section of Citi. Prior to the creation of this unit managers in different departments were responsible for making sure their employees were in compliance. When I started there we found that the firewall guys were granting access to whole segments of ip addresses instead of just the 7 or 8 that were needed. We also found the Unix guys were not deleting access to highly sensitive databases after employees left the company. Something tells me that the culture of ignorance in that place isn't going to stop any time soon. About 2 years after our group was formed they sent our jobs over to India. We were only there to develop the process and iron out the kinks. They gave the crew in India a month to learn our process manual and 8-9 months later they still didn't get it. Let's add greed to a culture of incompetence. BTW that's where the name shoehornjob comes from. For a while there the manager would come to us and shoehorn in new processes without reviewing or vetting them.

Re:PCI compliant? (1)

snowgirl (978879) | more than 3 years ago | (#36578992)

Compliance auditing is a circle jerk business. It's like peer review, just worse...

God, this reminds me of code reviews. I would send them out, and get back a "Looks good!" email... to which I would note that in the time between me sending them the code review and me receiving their "looks good!" I found two bugs and one of them was a flagrant syntax error.

I tried to reform the process, but imagine how well that went over? If you said that I got the response "looks good!" and then it was never touched again, you'd be right.

Re:PCI compliant? (1)

sgt scrub (869860) | more than 3 years ago | (#36579414)

Ah the beauty of just providing the tools for the people doing the "tests". I feel for you. The part where a client gets pwnd and you were the one confirming their compliance rocks. I've had more than one call that starts, "I'm the new guy" because of it. Anyway, money. Sure wish I was the guy with lots of it.

Re:PCI compliant? (0)

Anonymous Coward | more than 3 years ago | (#36576270)

Scrap the law instead of fining those who violate the law, sounds like a plan.

Re:PCI compliant? (1)

Hazel Bergeron (2015538) | more than 3 years ago | (#36576372)

I say we return to VLB. When the central processors and the peripheries are forced to work at the same pace, there is less opportunity for corruption. Sure, it might mean the former needs to slow down a bit, but that's essential in dealing with any sleight of hand issues.

what PCI compliant means (0)

Anonymous Coward | more than 3 years ago | (#36576852)

All PCI compliance means is the finance house filling in a bunch of forms and posting them back to some authority with a big cheque :)

Re:PCI compliant? (1)

1s44c (552956) | more than 3 years ago | (#36577318)

PCI isn't security. No set of rules mandated by people that don't understand IT could be. PCI, SOx, and all the other government mandated rules are just well intentioned attempts to tell people how to get security. It can't cover every aspect needed so it's doomed to failure.

Re:PCI compliant? (1)

Firehed (942385) | more than 3 years ago | (#36577742)

PCI needs to be clarified and enforced properly. If you've read the spec (I have), you'd realize how utterly vague parts of it are, and pointless other parts are. There are some perfectly valid things in there that should be second nature to anyone but never hurts to have on a checklist (run firewalls, do not use default passwords on your software, etc.), some things that are good to have (unless there's a business requirement to do so such as in an admin panel, do not display more than bin+last4 of card), and other parts that are so unclear as to be completely pointless - namely almost everything regarding actual data storage.

Obviously Citi screwed up here, since even the PCI non-spec around access controls covers altering the querystring to get different account info and performing no checks based on the authenticated user's ability to view that card data.

The real issue is that even the spirit (never mind the letter) of the PCI spec is almost pointless. It's something that's part of working with the credit card networks, not any sort of federal mandate. Basically if you're out of spec, it gives Visa and Mastercard valid grounds to cut off your ability to issue and/or process payments over their network. So if Citi fails an audit, it just means they must take a badge off their site. There's no requirement that they get shut off, and given the amount of volume they do it's a certainty that they would not.
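The flaw the summary and the comment above describe, a logged-in user altering the account number in the querystring and getting back another customer's record because the server only checks authentication and never authorization, is what is usually called an insecure direct object reference. The following is an added illustration, not Citi's code and not code from this thread; the handler names, the in-memory account table and the session shape are hypothetical, and the sample data is constructed.

```python
"""Insecure direct object reference (IDOR) on an account-lookup endpoint.

Added illustration, not Citi's code. The vulnerable handler authenticates the
caller but picks the record purely from the client-supplied 'acct' parameter,
so any logged-in user can walk the number space. The hardened handler ties the
record to the authenticated user. All names here are hypothetical.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional
from urllib.parse import parse_qs, urlparse


@dataclass
class Account:
    number: str
    owner: str  # user id of the customer who owns this card
    name: str
    email: str


# Constructed sample data: three customers, three card accounts.
ACCOUNTS: Dict[str, Account] = {
    "4000000000000101": Account("4000000000000101", "alice", "Alice A.", "alice@example.com"),
    "4000000000000102": Account("4000000000000102", "bob", "Bob B.", "bob@example.com"),
    "4000000000000103": Account("4000000000000103", "carol", "Carol C.", "carol@example.com"),
}


def _account_param(url: str) -> Optional[str]:
    """Pull the account number out of the querystring (?acct=...)."""
    vals = parse_qs(urlparse(url).query).get("acct")
    return vals[0] if vals else None


def view_account_vulnerable(session_user: str, url: str) -> Optional[dict]:
    """Flawed pattern: authentication only. Whoever is logged in gets whatever
    record the 'acct' parameter names."""
    if not session_user:
        return None
    acct = ACCOUNTS.get(_account_param(url) or "")
    if acct is None:
        return None
    return {"number": acct.number, "name": acct.name, "email": acct.email}


def view_account_hardened(session_user: str, url: str) -> Optional[dict]:
    """Same endpoint with an authorization check: the record must belong to the
    authenticated user. 'Not found' and 'not yours' return the same response so
    the endpoint does not confirm which guessed numbers exist."""
    if not session_user:
        return None
    acct = ACCOUNTS.get(_account_param(url) or "")
    if acct is None or acct.owner != session_user:
        return None
    return {"number": acct.number, "name": acct.name, "email": acct.email}


def enumerate_as(
    session_user: str,
    handler: Callable[[str, str], Optional[dict]],
    prefix: str = "40000000000001",  # hypothetical 14-digit prefix; last 2 digits are walked
    lo: int = 0,
    hi: int = 10,
) -> List[str]:
    """Simulate the attack: a logged-in user walks a range of candidate account
    numbers through the handler and keeps every record that comes back."""
    found = []
    for n in range(lo, hi):
        url = f"https://bank.example/account?acct={prefix}{n:02d}"
        rec = handler(session_user, url)
        if rec is not None:
            found.append(rec["number"])
    return found


if __name__ == "__main__":
    print("vulnerable:", enumerate_as("bob", view_account_vulnerable))
    print("hardened:  ", enumerate_as("bob", view_account_hardened))
```

Run as bob, the vulnerable handler hands back all three customers' records while the hardened one returns only bob's own card. Using the card number itself as the lookup key is a second problem on top of the missing check; an opaque per-session identifier would remove the guessable key entirely, but the authorization check is what closes the hole.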

Re:PCI compliant? (1)

Virtucon (127420) | more than 3 years ago | (#36577856)

Well I also wonder if Visa and MC would actually fine Citibank considering how much revenue they derive from their card holders. PCI was supposed to help reduce the amount of fraud by enforcing minimum security standards on people accepting payments and dealing in the transaction stream. It remains to be seen if now a large financial institution will be held accountable by the PCI consortium for these actions. I definitely know the FTC would be involved but again, they'll get a slap on the wrist because that's what happens. It's all very sad and hypocritical for one of the biggest banks in the world to be guilty of letting this kind of information get out of their control. Yes, their liability in this would probably not even show up on the RADAR and would probably just be a footnote in the quarterly earnings reports but still, how can you hold retailers accountable when the banks aren't even doing the right thing?

Re:PCI compliant? (0)

Anonymous Coward | more than 3 years ago | (#36578268)

Getting your PCI certification has nothing to do with being secure. PCI is a great start but not the end all to security nirvana. We all know that security is a full time job and it's 24x7. People need to be reviewing logs by the minute if you are in any business that takes in credit card numbers.
So we need to ask the question

1. Who was reviewing the logs?
2. Who is monitoring the network 24x7?

From what I understand someone was doing multiple logins using different CC numbers. Why didn't that raise a flag with network security, i.e. multiple log-ins from the same IP with different credit card numbers?

What I see here is programmers not utilizing OWASP standards, and this is the case 99% of the time. Whenever I call this out programmers get defensive; I don't blame them, but if you don't call it out when does it become a priority that programmers need to take security into consideration when setting up these portals?
Also third party companies hire outside contractors and all they care about is getting the project done and on time. Security is not even on the forefront.
But then security is a technical escalation of exploits, so what passes vulnerability assessment today may not pass tomorrow.
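The flag the commenter above asks about, one source touching many different account numbers in a short time, is cheap to compute from ordinary web access logs. The following is an added example, not code from the thread or from Citi: it parses constructed log lines (the line format, field names and the 60-second / 3-account threshold are assumptions) and reports any source IP that requests more than a handful of distinct account numbers inside a sliding window. Misses are counted as well as hits, because a guesser produces both.

```python
"""Flag enumeration of account numbers from a single source IP.

Added example, not from the page or from Citi. Scans constructed access-log
lines and reports any source that touches more than max_distinct distinct
account numbers inside a sliding window of window_s seconds. The log format
is an assumption; real logs would need their own regex.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple

# Constructed sample: 203.0.113.7 is one customer looking at their own card;
# 198.51.100.9 is walking sequential account numbers (some exist, some don't).
SAMPLE_LOG = """\
203.0.113.7 [27/Jun/2011:10:00:01] "GET /account?acct=4000000000000101 HTTP/1.1" 200
198.51.100.9 [27/Jun/2011:10:00:02] "GET /account?acct=4000000000000200 HTTP/1.1" 200
198.51.100.9 [27/Jun/2011:10:00:02] "GET /account?acct=4000000000000201 HTTP/1.1" 404
198.51.100.9 [27/Jun/2011:10:00:03] "GET /account?acct=4000000000000202 HTTP/1.1" 200
198.51.100.9 [27/Jun/2011:10:00:03] "GET /account?acct=4000000000000203 HTTP/1.1" 200
198.51.100.9 [27/Jun/2011:10:00:04] "GET /account?acct=4000000000000204 HTTP/1.1" 404
203.0.113.7 [27/Jun/2011:10:00:30] "GET /account?acct=4000000000000101 HTTP/1.1" 200
198.51.100.9 [27/Jun/2011:10:00:05] "GET /account?acct=4000000000000205 HTTP/1.1" 200
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \[(?P<ts>[^\]]+)\] '
    r'"GET /account\?acct=(?P<acct>\d+) HTTP/1\.[01]" (?P<status>\d{3})$'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S"

Record = Tuple[str, datetime, str, int]  # (ip, timestamp, account number, status)


def parse_log(text: str) -> List[Record]:
    """Parse matching lines and sort by timestamp (logs arrive slightly out of order)."""
    out: List[Record] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            out.append((m["ip"], datetime.strptime(m["ts"], TS_FMT), m["acct"], int(m["status"])))
    out.sort(key=lambda r: r[1])
    return out


def find_enumerators(records: List[Record], window_s: int = 60, max_distinct: int = 3) -> Dict[str, int]:
    """Per source IP keep a sliding window of (time, account) events and report
    the IP once the window holds more than max_distinct distinct accounts.
    The value is the largest distinct count seen for that IP. Status codes are
    deliberately ignored: 404s from guessed numbers are part of the signal."""
    windows: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)
    flagged: Dict[str, int] = {}
    for ip, ts, acct, _status in records:
        w = windows[ip]
        w.append((ts, acct))
        while (ts - w[0][0]).total_seconds() > window_s:
            w.popleft()
        distinct = len({a for _, a in w})
        if distinct > max_distinct:
            flagged[ip] = max(distinct, flagged.get(ip, 0))
    return flagged


if __name__ == "__main__":
    for ip, n in find_enumerators(parse_log(SAMPLE_LOG)).items():
        print(f"{ip}: {n} distinct account numbers inside 60s")
```

The threshold is the tunable part: a household with two or three cards on one login should stay under it, while a sequential walk crosses it within seconds. Keying the window on the authenticated user as well as the source IP catches the same behaviour spread across addresses, which is the obvious next step once the per-IP version is in place.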

Re:PCI compliant? (2)

John3 (85454) | more than 3 years ago | (#36578496)

I wish I still had mod points to bump up your comment. The whole PCI compliance scam is a pet peeve of mine. I own a hardware store and we're fully compliant, but it cost a bunch and is a real pain considering that we're trying to protect credit cards and a system that is essentially poorly secured in the first place. There are thousands and thousands of independent business owners that are not anywhere near compliant, and they have no clue how to get in compliance. They are just scared that when a breach happens they will lose their merchant privileges and maybe be held liable for the losses. Meanwhile, Citi and other large targets get broken into regularly for millions and millions in losses.

I certainly don't think that small merchants can be lax in their security procedures, but I think the bankcard industry needs to subsidize the security updates and do a much better job of educating and assisting the retail store owners. These are restaurant owners, deli owners, clothing stores, hardware stores, and other businesses where the owner is not real tech or security savvy. They know how to cook a meal, slice ham on a machine, measure an inseam, or cut a key. These folks take credit cards (and pay the insane fees) because they must to stay in business. They are saddled with bankcards that are inherently insecure (seriously, check the signature on the back of the card?).

Sorry, I'm ranting...but I still wish I had the mod points I had yesterday.

Can you see the dialogue happen at citi? (2)

Opportunist (166417) | more than 3 years ago | (#36576178)

CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!
CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?
CSO: 2.7 millions.
CEO (enraged): 2.7 millions? You waste my time for that? Get the hell out of my office and come back when something serious happens!

Re:Can you see the dialogue happen at citi? (5, Funny)

Nidi62 (1525137) | more than 3 years ago | (#36576206)

CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!

CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?

CSO: 2.7 millions.

CEO (enraged): 2.7 millions? You waste my time for that? I make more than that in bonuses every year, even when we lose money. Get the hell out of my office and come back when something serious happens!

Fixed that for you

Re:Can you see the dialogue happen at citi? (1)

Opportunist (166417) | more than 3 years ago | (#36576246)

I doubt the CEO would tell the CSO that he makes more in bonuses than what the CSO thinks is money. He might get a wee bit pissed at the CEO, and you do NOT want a pissed off CSO as a CEO. He can make your life pretty miserable if he doesn't care about his own.

Re:Can you see the dialogue happen at citi? (0)

Anonymous Coward | more than 3 years ago | (#36576920)

The CSO is probably making 2.7M in bonuses himself.

Re:Can you see the dialogue happen at citi? (1)

Opportunist (166417) | more than 3 years ago | (#36576984)

In this case, are they hiring?

I'm not for sale, but nobody said anything about renting. ;)

Re:Can you see the dialogue happen at citi? (1)

phantomfive (622387) | more than 3 years ago | (#36577422)

He won't care as long as he's getting paid a lot too.

Bad year for Bin Laden Group... (0)

Anonymous Coward | more than 3 years ago | (#36576268)

:)

This problem just cannot be solved (2)

osgeek (239988) | more than 3 years ago | (#36576276)

If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

If only credit card numbers weren't special since what really mattered was signed transactions.

If only every consumer had a personal device capable of signing transactions in his pocket at almost all times.

Call me a dreamer, but someday in the next hundred years, I think that all those "huge" technological problems could be solved and we could end this problem of having our credit card and social security numbers being exposed.

Re:This problem just cannot be solved (1)

gweihir (88907) | more than 3 years ago | (#36576302)

Wrong. The simple, easy and obvious solution is known to anybody that knows the first thing about web application security:

DO NOT KEEP CRITICAL STATE CLIENT-SIDE.

I do not know what cretins designed this solution. But they violated very basic principles. If it took the attackers longer than half a day to find this vulnerability, then they are also exceedingly incompetent. It is one of the first things checked in a security evaluation (or hacking attempt).
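What "critical state client-side" looks like in a handler, as an added example in Go that is not Citi's code or anything from the thread: the vulnerable version reads the account id from the URL, the hardened version takes it from the server-side session record. Account ids, names and session values are constructed.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Constructed server-side state: account records, and the sessions the login
// step created, each bound to exactly one account.
var accounts = map[string]string{"ACC-0001": "Alice", "ACC-0002": "Bob"}
var sessions = map[string]string{"sess-alice": "ACC-0001"}

func sessionOf(r *http.Request) string {
	c, err := r.Cookie("session")
	if err != nil {
		return ""
	}
	return c.Value
}

// vulnerableHandler is the pattern the thread describes: the account to show is
// read from the URL, so any logged-in client (or a script walking ids) can pull
// any record. Authentication happened, authorization did not.
func vulnerableHandler(w http.ResponseWriter, r *http.Request) {
	if _, ok := sessions[sessionOf(r)]; !ok {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	acct := r.URL.Query().Get("acct")
	holder, ok := accounts[acct]
	if !ok {
		http.NotFound(w, r) // also tells the caller which ids exist
		return
	}
	fmt.Fprintf(w, "%s %s", acct, holder)
}

// hardenedHandler keeps the critical state server-side: the account comes from
// the session record, never from the client. A client-supplied id that differs
// gets one uniform refusal, so there is nothing to enumerate.
func hardenedHandler(w http.ResponseWriter, r *http.Request) {
	acct, ok := sessions[sessionOf(r)]
	if !ok {
		http.Error(w, "login required", http.StatusUnauthorized)
		return
	}
	if q := r.URL.Query().Get("acct"); q != "" && q != acct {
		http.Error(w, "forbidden", http.StatusForbidden) // worth alerting on, too
		return
	}
	fmt.Fprintf(w, "%s %s", acct, accounts[acct])
}

// Request drives a handler with a constructed GET carrying an optional session
// cookie and returns the status code and body.
func Request(h http.HandlerFunc, url, session string) (int, string) {
	r := httptest.NewRequest("GET", url, nil)
	if session != "" {
		r.AddCookie(&http.Cookie{Name: "session", Value: session})
	}
	w := httptest.NewRecorder()
	h(w, r)
	return w.Code, w.Body.String()
}

func main() {
	// Alice's session asks for Bob's account.
	code, body := Request(vulnerableHandler, "/account?acct=ACC-0002", "sess-alice")
	fmt.Println("vulnerable:", code, body) // 200 ACC-0002 Bob
	code, body = Request(hardenedHandler, "/account?acct=ACC-0002", "sess-alice")
	fmt.Println("hardened:", code, body) // 403 forbidden
}
```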

Re:This problem just cannot be solved (0)

Anonymous Coward | more than 3 years ago | (#36577302)

That's the solution to this particular incident, and we've all acknowledged that Citi was beyond incompetent in this case. But the poster was referring to the problem of credit card numbers in general and was likely referring to the situation in other countries where credit cards are smart cards that enable real cryptography in credit card transactions which would make the credit card number alone almost worthless.

Missing the point. (0)

Anonymous Coward | more than 3 years ago | (#36579324)

You're focussing on the incredibly weak security of their web site. Even if it was a lot, lot better, there would still no doubt be exploitable vulnerabilities. Parent is making the point that if the information stored in the web site did not need to be secret in the first place - because you can't do anything with it - then who cares about the security of the web application.

I've just been employed to design products which encrypt cardholder data at rest and in transit... and none of this would be necessary if the U.S. just started using EMV like everyone else in the world. No mag stripe, chips on the cards which can sign transactions, etc. The cardholder number should not need to be secret in the first place.

Re:This problem just cannot be solved (1)

kamukwam (652361) | more than 3 years ago | (#36576322)

If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

In Europe it is often already required to enter a PIN when paying something with a credit card. I am wondering why they didn't introduce it in the USA yet...

Re:This problem just cannot be solved (2)

Hazel Bergeron (2015538) | more than 3 years ago | (#36576406)

Because the merchant is liable for fraudulent transactions when no PIN is entered. Liable plus a fine on chargeback. Liable plus a fine plus a threat of increased discount percentage.

Small businesses are the backbone of modern America: if you want to conquer America you have to break its backbone.

Re:This problem just cannot be solved (2)

kamukwam (652361) | more than 3 years ago | (#36576416)

Well, then they should simply make it impossible to pay without a PIN. Actually it should've been like that from the start and there wouldn't have been so many problems with stolen credit card numbers.

Re:This problem just cannot be solved (1)

Hazel Bergeron (2015538) | more than 3 years ago | (#36576468)

You mean the government, right? The bank has little incentive because it profits from the fraudulent transaction (as long as there's not so much fraud that the banks actually get negative publicity and lose customers to all the great alternatives for online payment).

Re:This problem just cannot be solved (2)

NJRoadfan (1254248) | more than 3 years ago | (#36576456)

Actually it's simple, banks in the US are cheap. Chip and PIN costs money to implement. American Express rolled out chips in their first issue Blue credit card, but later phased it out... cost more than a regular credit card and nobody used the feature (lack of infrastructure in the US, hardly anyone has a chip and PIN terminal here). Same goes for things like implementing two factor authentication for online banking. It's likely the only way a US based bank will improve security is if they are forced to through legislation.

Re:This problem just cannot be solved (0)

Anonymous Coward | more than 3 years ago | (#36576532)

One of the local fast food chains started offering those locally. Except they are broken most of the time (I've seen it work once in the last year). Not something to build confidence in the public here.

Re:This problem just cannot be solved (1)

NJRoadfan (1254248) | more than 3 years ago | (#36577276)

The only place I have seen a chip and PIN terminal here is at one local CVS. It's likely a universal model because it has RFID for contactless card transactions too. Those RFID terminals are catching on, but only really at retailers that have their own branded credit card with a big bank like Chase. It's part of their agreement with the bank to install the RFID terminals because all the cards they issue have the chips.

Re:This problem just cannot be solved (1)

Hazel Bergeron (2015538) | more than 3 years ago | (#36576538)

Makes sense. FWIW I have a UK Amex Blue card, all recent issues of which have been chip/PIN. It was launched with the simple benefit of straight cashback on all purchases, which is far too generous and lacking in leeching middle men, so I don't think it's offered any more to new customers. Now Amex UK is all "Nectar points" and "BA miles" and other such barrel-scraping bullshit.

Re:This problem just cannot be solved (1)

misexistentialist (1537887) | more than 3 years ago | (#36576638)

The cost of the terminal would be paid by the retailers, and they are cheap too. If the card companies and retailers who take the losses don't care why should the government? Europeans like chip-and-pin because they like living in a locked-down society.

Re:This problem just cannot be solved (2)

Nick Ives (317) | more than 3 years ago | (#36578356)

This is beyond silly. The reason Chip & Pin happened in Europe is because payment card operators in Europe got together and decided to do it. They told retailers they didn't have to use it if they didn't want to, but they would be more liable for fraudulent transactions if they didn't.

Given that the increased liability would cost more than the chip & pin terminals, everyone moved over.

Re:This problem just cannot be solved (0)

Anonymous Coward | more than 3 years ago | (#36576702)

In Europe it is often already required to enter a PIN when paying something with a credit card.

This is also a bad design. You have to trust the hardware you're entering your pin into.

The GP's idea would authenticate the merchant's device, and provide a way to ensure you're authorizing that specific vendor for that specific item, and only for that specific amount.

For example, when the person brings out the "enter your PIN" device, it would instead just broadcast something to your phone which has their PKI-signed merchant ID and the amount they're requesting (maybe even include information on the item/service you're paying for). Your phone would prompt for a password to unlock a certificate which is then used to sign the response.

At no point do you have to trust the vendor, nor does the vendor have to trust you.
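The exchange sketched above, as an added example in Go that is not part of the thread: Ed25519 signatures stand in for the "PKI-signed merchant ID", a Registry map stands in for the PKI itself, and the merchant id, item, amount and nonce are constructed. The customer's device signs the merchant's exact signed request, so a later change to the amount is rejected by the issuer.

```go
package main

import (
	"crypto/ed25519"
	"encoding/json"
	"fmt"
)

// ChargeRequest is what the terminal broadcasts; the Nonce makes each one unique.
type ChargeRequest struct {
	MerchantID, Item, Nonce string
	Cents                   int64
}

// SignedRequest is the request plus the merchant's signature over it.
type SignedRequest struct {
	Request   ChargeRequest
	Signature []byte
}

// Registry stands in for the PKI the comment assumes: the issuer's directory of
// merchant and customer public keys, keyed by id.
type Registry struct{ Merchants, Customers map[string]ed25519.PublicKey }

// canonical is the byte string both sides sign; encoding/json writes struct fields in
// declaration order, so equal values always encode identically.
func canonical(v interface{}) []byte {
	b, _ := json.Marshal(v) // cannot fail for these plain structs
	return b
}

// MerchantSign runs on the terminal.
func MerchantSign(priv ed25519.PrivateKey, req ChargeRequest) SignedRequest {
	return SignedRequest{req, ed25519.Sign(priv, canonical(req))}
}

// merchantOK checks the terminal's signature against the registry.
func merchantOK(reg Registry, sr SignedRequest) bool {
	pub, ok := reg.Merchants[sr.Request.MerchantID]
	return ok && ed25519.Verify(pub, canonical(sr.Request), sr.Signature)
}

// CustomerAuthorize runs on the phone. It signs nothing unless the request came
// from a registered merchant, and what it signs is the exact request it saw.
func CustomerAuthorize(reg Registry, priv ed25519.PrivateKey, sr SignedRequest) ([]byte, error) {
	if !merchantOK(reg, sr) {
		return nil, fmt.Errorf("merchant %q not authenticated, refusing to sign", sr.Request.MerchantID)
	}
	return ed25519.Sign(priv, canonical(sr)), nil
}

// IssuerVerify runs at the bank: both signatures must check before money moves.
func IssuerVerify(reg Registry, sr SignedRequest, customerID string, sig []byte) error {
	if !merchantOK(reg, sr) {
		return fmt.Errorf("bad merchant signature")
	}
	pub, ok := reg.Customers[customerID]
	if !ok || !ed25519.Verify(pub, canonical(sr), sig) {
		return fmt.Errorf("customer did not authorize this exact request")
	}
	return nil
}

// RunExchange does one honest exchange, then lets the merchant raise the amount
// after the customer signed, and returns the issuer's verdict on each.
func RunExchange() (honest, tampered error) {
	mpub, mpriv, _ := ed25519.GenerateKey(nil) // nil reader selects crypto/rand
	cpub, cpriv, _ := ed25519.GenerateKey(nil)
	reg := Registry{map[string]ed25519.PublicKey{"deli-42": mpub}, map[string]ed25519.PublicKey{"cust-7": cpub}}
	sr := MerchantSign(mpriv, ChargeRequest{"deli-42", "ham sandwich", "n-1", 650})
	sig, err := CustomerAuthorize(reg, cpriv, sr)
	if err != nil {
		return err, err
	}
	honest = IssuerVerify(reg, sr, "cust-7", sig)
	sr.Request.Cents = 6500 // merchant re-signs a ten-times-larger charge
	sr.Signature = ed25519.Sign(mpriv, canonical(sr.Request))
	tampered = IssuerVerify(reg, sr, "cust-7", sig)
	return honest, tampered
}
```

The issuer would also have to keep seen nonces per merchant to refuse a replayed authorization; that bookkeeping is left out here.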

Re:This problem just cannot be solved (1)

Hazel Bergeron (2015538) | more than 3 years ago | (#36577474)

So now my mobile 'phone is the device which gets cracked and keylogged for access to the signing certificates which approve dozens of credit card transactions?

I understand your proposal but I hear it as, "Now, rather than only keeping it in your head and typing it on dedicated terminals, you enter your PIN-substitute on a computer you use for general Internet access etc."

Re:This problem just cannot be solved (0)

Anonymous Coward | more than 3 years ago | (#36579600)

It'd be better with a dedicated device sure... but who would want to carry an additional pager-sized device as well as another service contract?

Of course, I guess my view of mobile phone security has been skewed by my selection of Blackberry.
Sure they're outdated compared to other smartphones, but they do take security seriously :)
(and believe me, that's the only thing keeping me with this horribly outdated platform)

Re:This problem just cannot be solved (1)

shoehornjob (1632387) | more than 3 years ago | (#36576904)

The credit card companies would have to overhaul the entire infrastructure and that would cost money. The government could stop giving them tax write-offs for business losses. That might jump start the process a bit.

Re:This problem just cannot be solved (1)

gl4ss (559668) | more than 3 years ago | (#36576652)

If they had done the system like that, no PIN would help them. The CC number itself was a 'PIN' in this context, their billing address being another PIN. SMS confirmations? Yeah, that would have helped a bit.

Re:This problem just cannot be solved (0)

Anonymous Coward | more than 3 years ago | (#36578136)

If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

If only credit card numbers weren't special since what really mattered was signed transactions.

If only every consumer had a personal device capable of signing transactions in his pocket at almost all times.

http://www.google.com/wallet/

Could have been stopped and will be in the future (0)

Anonymous Coward | more than 3 years ago | (#36576304)

Banks across the US are weak in a lot of online security, but I know for a fact that most of them are actively engaged in making it better and are spending a lot of money to do so. Even this problem with Citi would have been easily caught and mitigated if they had Silver Tail Systems installed, for example. Most of the large banks in the US are moving in this direction of behavioral analytics instead of purely transactional.

Hacking (0)

Anonymous Coward | more than 3 years ago | (#36576358)

I do my hacking with a machete. Hack into a bank and cause problems for 360k people, you had better fear my hack.

Most insecure ebanking ever. (3, Insightful)

gweihir (88907) | more than 3 years ago | (#36576360)

Several things went wrong here:

- "Developers" without a clue about web applications kept critical state client-side. An absolute noob mistake. They must not have had any clue what they were doing.

- The security evaluation was either done by people without basic knowledge of web application security as well, or not done at all. This is one of the first things anybody with at least a bit of knowledge (as in understanding web-mechanisms and having researched on the web for, say, 1/2 day about web application security).

- Incompetent and greedy management selected / signed off on the development team and the evaluation team (or did without evaluation), without any regard for their actual skills.

The developers and evaluators should be forbidden to work in IT for the rest of their lives or until they demonstrate strong skills. The managers responsible, however, should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.

Re:Most insecure ebanking ever. (1)

MacGyver2210 (1053110) | more than 3 years ago | (#36576542)

The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.

This. For everyone on Wall Street with a title of VP or higher. Now.

Re:Most insecure ebanking ever. (1)

Anonymous Coward | more than 3 years ago | (#36579258)

This is about incompetent techies. You can blame the company if you want, but it was the techies that did it. Period.

The tech world gets off on blaming management a lot and never takes any responsibility themselves.

Yes, I'm a techie. I don't expect a manager to know technical issues. That's my job.

Re:Most insecure ebanking ever. (1)

Adambomb (118938) | more than 3 years ago | (#36579620)

Many companies refuse to approve implementing costly security, and will fire techies who raise concerns about that too often and then hire incompetent techies who don't think to question the lack of security.

Who is really at fault in this case, the fool or the fool who hired him?

Re:Most insecure ebanking ever. (0)

Anonymous Coward | more than 3 years ago | (#36576616)

The developers and evaluators should be forbidden to work. The managers responsible, however, should go to prison, pay for the damage out of their own pockets and should be banned for life from working in any place where they have the power to make decisions of any kind.

There, fixed that for you.

Can you tell I'm a web developer that's fed up with guys like these making me look bad just because I happen to be in the same field? End users can't tell the difference between my code and theirs, because when mine doesn't do this, there's no way for them to understand it couldn't do this (encrypt, and even then don't trust client information). Most end users don't understand anything about this problem, no matter how it is described to them. They just see some overpaid programmer who screwed up.

Re:Most insecure ebanking ever. (1)

gweihir (88907) | more than 3 years ago | (#36577282)

The developers and evaluators should be forbidden to work. The managers responsible, however, should go to prison, pay for the damage out of their own pockets and should be banned for life from working in any place where they have the power to make decisions of any kind.

There, fixed that for you.

Well, a bit harsh, but I cannot say I fundamentally disagree.

Can you tell I'm a web developer that's fed up with guys like these making me look bad just because I happen to be in the same field? End users can't tell the difference between my code and theirs, because when mine doesn't do this, there's no way for them to understand it couldn't do this (encrypt, and even then don't trust client information). Most end users don't understand anything about this problem, no matter how it is described to them. They just see some overpaid programmer who screwed up.

That is why you need to have competent (and preferably outside) evaluation for anything that has security functionality. Of course, that is expensive and does not add to the functionality. Even worse, if the security folks say, "this is not secure", or even worse, "no way can this be made secure, your project failed", the manager in question is exposed as incompetent (as he/she should be). So the people that would need to get the security evaluation done have the most to lose. On the other hand, that is possibly the only way to weed out the elCheapo developers that have no clue. Meaningful certifications do not exist. Creating something like a "licensed software security engineer" or "licensed security programmer" may help a bit, but that would cause high demand for these people and you might have to treat and pay them well. Which is something the management layer definitely does not want to do. Also, there is a high risk of these certifications being meaningless.

The only option I see is to a) make it a legal requirement to have a high security level on anything storing customer data and connected to the web and b) if things like security evaluation are not done competently or not done at all, make the managers responsible personally liable.

Re:Most insecure ebanking ever. (1)

Anonymous Coward | more than 3 years ago | (#36576690)

Developer skills? What are you talking about? I'm sure the low bidder won the contract to develop the site, then outsourced it to someone even cheaper so they could get a cut, and the CxO overseeing this sewage system got a nice, fat bonus for coming in under budget. Developer skills were never part of the equation.

Re:Most insecure ebanking ever. (1)

nomadic (141991) | more than 3 years ago | (#36577286)

Developer skills were never part of the equation.

They never are on Slashdot, where all programmers are brilliant, handsome, and competent.

Re:Most insecure ebanking ever. (1)

gweihir (88907) | more than 3 years ago | (#36577294)

Developer skills? What are you talking about? I'm sure the low bidder won the contract to develop the site, then outsourced it to someone even cheaper so they could get a cut, and the CxO overseeing this sewage system got a nice, fat bonus for coming in under budget. Developer skills were never part of the equation.

Unfortunately, you are perfectly right. I have seen this several times now. The way to deal with it is make the people getting the bonus personally liable (civilly and criminally) if it goes wrong.

Re:Most insecure ebanking ever. (0)

Anonymous Coward | more than 3 years ago | (#36578440)

Get real, the development was outsourced to someone in a foreign country that doesn't give a crap.

Re:Oh the irony... (0)

Anonymous Coward | more than 3 years ago | (#36576740)

lulz, I guess you missed the article about how their system was hacked. It was not because of SQL but due to how they built their system. Also, during that magic timeline you posted I bet Citi put more of their services online which exposed them more. I would first question their ability to build secure software. From what I have heard their goals in getting things done do not always match up to getting things done the way it should be done.

sigh! (1)

kyuubi1 (1874338) | more than 3 years ago | (#36576760)

.. and yes, my money is safer under the pillow than in an electrified, triple encrypted, titanium vault.

They did it using URL stuffing (1)

Anonymous Coward | more than 3 years ago | (#36576794)

As in running a perl script that generated a randomly changing URL string and WGETing on it - such sophistication - must be the Chinese again .. :)

"Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."

this is the fault of ... (1)

Anonymous Coward | more than 3 years ago | (#36577046)

Visa and MasterCard, which allow middle-man entities to process charges without requiring tertiary security information

That's all? (1)

hamburgler007 (1420537) | more than 3 years ago | (#36577306)

If only 2.7 million was lost, something seriously fucked up is going on. They should be spending more than that just for a 3rd party to audit their security.

Re:That's all? (1)

tom229 (1640685) | more than 3 years ago | (#36577622)

That's kinda what I was thinking. Smells a little conspiracy...ey.. to me. We're seeing so much of this lately it almost seems like it's a reason being engineered to squash net neutrality/freedom.

Wisconsin Pensions (0)

hackus (159037) | more than 3 years ago | (#36577588)

Maybe we could use the same technique and recover all of the pension funds looted by Wall Street for the State of Wisconsin?

-Hack

Couldn't happen to nicer people. (0)

Anonymous Coward | more than 3 years ago | (#36579688)

My finances are a mess. Entirely my own fault. But there's only one financial organization I've ever regretted getting involved with. Given the option, I'd pay them back in nickels, after I'd rubbed every one of those nickels on my balls.

Numbers (2)

G4Cube (863788) | more than 3 years ago | (#36579898)

For 10 years when you lost a # to fraud the next card was different by only the last 4 numbers.