Citigroup has admitted that hackers could have grabbed thousands of account details for its credit card customers. The breach hit Citi Account Online systems and information potentially accessed was limited to names, email addresses and account numbers. Birth dates, PINs and other sensitive information are held elsewhere the bank …
Is it just me?
Or is there really no sensible reason why *any* of this information should be accessible online? Is it not technically possible to have data travel in one direction only? (I'm picturing a piece of wire connecting two machines here. From the POV of the second, the first is purely a read-only proposition.) If we can have one-way traffic for cars (and even lorries), why not sensitive personal information?
yeah i guess
(I'm picturing a piece of wire connecting two machines here....)
I guess a zener diode in the line would do it :)
these days they use that fancy smancy "soft" "ware" they have these days.
Round here we pronounce citi-bank the way they pronounce citi-wok on South Park, due to their rather troublesome (for us) java client.
OK, here's potentially a reason
This post is going to be downvoted hugely no doubt but there are some good and natural reasons why this stuff needs to be online! Citibank is a very large multinational corporation with offices in half the cities of the States as well as hundreds across the world. The people processing account actions are also most likely not located in the same city as the card holder and so yes those details need to be accessed online by others every now and again to perform a variety of account maintenance actions. These actions might include things like changes of address, contacting the client after suspicious activity on the account, processing of applications for overdrafts, new cards, etc.
So whilst you can say, this stuff should never be online, it needs to be in this day and age unless you want large quantities of paper being mailed around the world again - and we all know that's not much more secure! Citibank at least need some congratulations for not having PINs, birth dates and passwords in the same location, as we've seen so many other companies get done with before!
One-way gateways do exist
There are a few 'one-way gateways' available in the market today. You will break a few things if you decide to allow traffic flowing only one way. The most important are: handshaking, flow control and error correction. You can circumvent this by buffering the traffic, sending it via a one-way protocol (i.e. UDP) at a steady pace (to fix the flow control issue) and adding some additional error correction (like with PAR files). You can read more on this here: http://en.wikipedia.org/wiki/Unidirectional_network. <shameless plug>If you like you can view an animation on this here: http://www.youtube.com/watch?v=vemwnQmnvuo</plug>
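The buffer-then-send approach described above, as an added example that is not the poster's code nor any product's: a toy one-way transfer in Python where the sender splits data into fixed-size datagrams with one XOR parity datagram per group (PAR-style forward error correction) and the receiver repairs a single lost datagram per group without ever being able to ask for a retransmit. The constants, header layout and the simulated lossy link are constructed for the demo, and it assumes the receiver learns the total length out of band.

```python
import struct
from functools import reduce

K = 4                        # data chunks per parity group (assumed constant)
CHUNK = 16                   # payload bytes per datagram (constructed for the demo)
HDR = struct.Struct("!IIB")  # group id, index within group, flags (1 = parity)

def xor_all(blocks):
    """XOR a list of equal-length byte strings (PAR-style parity)."""
    return reduce(lambda a, b: bytes(x ^ y for x, y in zip(a, b)), blocks, bytes(CHUNK))

def build_datagrams(data: bytes):
    """Sender side: CHUNK-sized pieces plus one XOR parity piece per group of K.
    A real sender would emit these at a fixed pace and never wait for a reply."""
    chunks = [data[i:i + CHUNK].ljust(CHUNK, b"\0") for i in range(0, len(data), CHUNK)]
    out = []
    for g, start in enumerate(range(0, len(chunks), K)):
        group = chunks[start:start + K]
        out += [HDR.pack(g, i, 0) + c for i, c in enumerate(group)]
        out.append(HDR.pack(g, len(group), 1) + xor_all(group))
    return out

def reassemble(datagrams, total_len: int):
    """Receiver side; total_len is assumed known out of band (e.g. a manifest).
    Rebuilds one lost chunk per group from parity; ok is False if it lost more."""
    n_chunks = -(-total_len // CHUNK)
    groups = {}
    for d in datagrams:
        g, i, flags = HDR.unpack_from(d)
        groups.setdefault(g, {})[(i, flags)] = d[HDR.size:]
    pieces, ok = [], True
    for g in range(-(-n_chunks // K)):
        size = min(K, n_chunks - g * K)
        got = groups.get(g, {})
        group = [got.get((i, 0)) for i in range(size)]
        missing = [i for i, p in enumerate(group) if p is None]
        parity = got.get((size, 1))
        if len(missing) == 1 and parity is not None:
            # parity XOR every surviving chunk yields the lost one
            group[missing[0]] = xor_all([parity] + [p for p in group if p is not None])
        elif missing:
            ok = False
            group = [p if p is not None else bytes(CHUNK) for p in group]
        pieces += group
    return b"".join(pieces)[:total_len], ok

def transfer(data: bytes, dropped: set):
    """Constructed lossy one-way link: datagrams at the given positions vanish."""
    sent = build_datagrams(data)
    return reassemble([d for k, d in enumerate(sent) if k not in dropped], len(data))
```

Losing two datagrams from the same group defeats a single parity block, which is why real PAR sets carry several recovery blocks per group.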
CitiGroup is a large multinational corporation
and should have the same resources as Google have vis-à-vis their infrastructure. While all of their employees certainly do need access to the information, it should NOT be publicly facing. It should be a private WAN to reduce the leveraging factor for the internet.
Fun pronunciation fact
The Japanese have terrible trouble pronouncing the 'ci' sound and usually get it wrong and default to their native 'shi'
So citybank becomes...
Always amuses me.
Think we need a template here..
As a suggestion and given the almost daily reporting of this sort of tomfoolery, why not simply create a boilerplate doc for this...
"It has been reported today that [Insert Corporation] recently suffered a serious hack that allowed miscreants to make off with [Insert scarily large number] of customers' account details. A spokesperson for [Corporation] said "Whilst customers' data has been compromised, it poses no real threat to their [Select from Bank Account/Email Account/Credit Card/Gaming Account] and this in no way diminishes our [loveliness/credibility/share price]...."
Failing that, why bother with all that guff. Simply provide us with a simple RSS feed that lists the company names and nothing further...
Would save you guys having to come up with a bunch of clart every time.
Do I win a pint for saving you oodles of time?
There is already a project which lists when data has been lost
What makes you think
that's not what they've been doing?
Time to reply?
Out of interest, how long do you generally give companies to reply to your questions about data breaches before running a story with "We've emailed ACME Corp. about the data leak, but didn't hear back from them immediately" at the bottom of the article?
Well, that means you got 4 hours more than
I got when my rates got bumped 12% because my automatic payment was less than the amount I owed for the month.
It seems as if supposedly secure banking details are busted everyday
It seems as if every day we hear of supposedly secure systems being compromised. Whether it's Sony, Citibank or whoever, the headlines are almost identical and seemingly so too are the break-ins. If banks lost cash through safe-breaking to the same extent then it'd be declared a national calamity--the national guard or the army would be in the streets.
However, no one seems to care much other than customers whose records have been stolen. And the banks or other institutions just get a rap over the knuckles--for, as we all 'know', cyber crime outwits everyone. Such cocky shit seems to be becoming mainstream mantra these days.
The sooner these irresponsible bastards, banking CEOs, execs etc., are made directly responsible the sooner the problem will be fixed. If one's electronic bank gets broken into without a really good excuse then it's the slammer where one can compare notes with those who broke into the system.
These irresponsible management bastards could well begin to fix the security of their systems by truly acknowledging and understanding that electronic databases are not the same as paper records. Electronic records exhibit a completely different dynamic to paper ones--stealing a single paper file is probably harder than stealing a complete electronic database--thus, at a high level, the whole notion of electronic security must be treated very differently to that of paper.
Innovative thinking is needed but going harder on cyber crime is far from the complete solution.
50 years on with electronic records and we've still a paper-records security mentality. Moreover, the convenience of electronic records and love for the technology seems to have overwhelmed everyone industry wide.
Just improving or tightening security is not enough, nothing other than a complete paradigm shift in keeping with the granularity or extent of the change from paper to electronic records will be sufficient to fix the problem properly.
unauthorized access to Citi’s Account Online
"For the actual breach to happen at a bank is a very big deal", said Avivah Litan, an analyst with Gartner Research.
"During routine monitoring, we recently discovered unauthorized access to Citi's Account Online. A limited number - roughly one percent - of Citi bankcard customers' account information"
> Citigroup is the latest in a string of high profile companies to be targeted by cyber criminals. It has been criticised for not telling customers about the breach when it happened in May.
"We are contacting customers whose information was impacted. Citi has implemented enhanced procedures to prevent a recurrence of this type of event,"
> In April Paul Gaulant, former head of the bank's credit card unit, told Reuters,
"Security breaches happen, they're going to continue to happen ... the mission of the banking industry is to keep the customer base safe and customers feeling secure about their financial transactions and payments."
Security by warm blanket?
Let me translate some of this finance-speak,
"customer base safe" = retain *number* of thumb-suckers
"customers feeling secure" = as long as the thumb-suckers feel all warm and fuzzy, it's ok. Just don't let them know too much, if you can afford it! [cf. Personal Data Privacy and Security Act bill to make it illegal to conceal data breaches in the US]
In my personal experience: Less than 4 hours, based on reply times to questions I've been asked by John Leyden and his putting that statement on the story (At least this time they bothered to actually add the reply later)
Expecting an immediate reply to something mailed at what was 4am my time is somewhat disingenuous at the very least.
Re: @Colin Miller
If it is an actual breach which we discover then we give the company reasonable time to fix it before reporting it.
In this case the breach was reported yesterday so I contacted UK PRs on the assumption that they'd have a statement from the US ready to send.
One way gateway concept - which way ?
When I query the database, does it refuse to reply ?
Or does the database reply, but only to telepathic queries ?
Was RSA involved?? :)
Because they are my security whipping boy of the week!!
But it's ok! The bank will reimburse you!
NO! That's what banks and credit cards would like you to believe. In reality it's more like this:
"But it's ok, you've already overpaid by a huge margin just so we can afford insurance (which we provide to ourselves at a HUGE markup) to mitigate the costs of potential litigation ensuing from damages alleged due to our inability to adequately secure your data, with which you have entrusted us. Besides, most of you won't do any more than whine to your mates about it so our exposure is really quite small... at least compared to yours. Yours faithfully, Iain McBanker."
The bank doesn't pay anything... its customers, collectively, do.
On the bright side....
Sony has so many business units that it will be years before hackers are back to hacking the PlayStation network!
It took them a month to tell us?
A month? Are you kidding me, a bank gets hacked and it takes a month to tell anyone about it? Well excuse the hell out of me, but I think that's total crap. A month!? How about a week at least?