Citi Breach: A Warning to Banks

Experts: No Institution is Immune to Today's Sophisticated Attacks

By , June 10, 2011.
Citi Breach: A Warning to Banks


See Also: Breaking Down Ease-of-Use Barriers to Log Data Analysis for Security

ndustry experts agree it's too early to say how hackers managed to infiltrate Citi's online banking platform. [See Citi Breach Exposes Card Data.] But they all say the breach, which could have exposed personally identifiable information about 200,000 Citi customers, should serve as a wake-up - not just for Citi, but all banking institutions.

"The industry thought that putting Albert Gonzalez away was the end of large scale card hacking," says Mike Urban, senior director of fraud solutions for FICO, provider of fraud analytics and detection technology. "What we are seeing is a major resurgence in hacking, targeting the smallest to the largest endpoints where card or consumer data lives."

Tom Wills, a fraud analyst at Javelin Strategy & Research, says banks are losing the fraud fight because they aren't focusing on the right things. "Even though Citi - and the major banks in general - clearly takes security seriously and invests significant resources to protect its data assets, something like this can still happen," he says.

Citigroup confirmed June 9 that a breach of its Citi Account Online platform had been accessed by an "unauthorized user." Citi spokesman Sean Kevelighan says the banking corporation has implemented enhanced security procedures, "to prevent a recurrence of this type of event."

"A limited number - roughly 1 percent - of Citi North America bankcard customers' account information [such as name, account number and contact information, including e-mail address] was viewed," Kevelighan said. "The customer's Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted."

Citi has approximately 21 million card customers.

Lessons Learned

How hackers broke into Citi's online system is not the main lesson for financial institutions, Wills says. The need for more sophisticated fraud detection is. "Even when you fund your security program well, hire first-rate professionals and follow best practices - and major global banks like Citi do exactly that as a rule - you're dealing with an extremely complex problem set that has literally millions of failure points," he says. "That makes 100 percent ironclad protection an impractical goal. The best you can aim for is to cover the biggest threats with the biggest impact."

None of this excuses the breach, Wills adds. "If Citi is wise, they'll do some serious reflection, and make sure this particular failure doesn't repeat itself."

Urban says with few known details about how the breach actually happened, it's difficult say which endpoint or access point may have been compromised, such as through a third party. "[It] could be anywhere, but sounds like they hit them directly," he says. "This is yet another [incident] in what is turning into a major 'breach streak,' which will make all of us rethink what information security really means."

The Citi hack comes on the heels of a number of highly publicized incidents, including breaches of Google's Gmail, Sony, Epsilon and RSA Security, which earlier this week announced that the March breach of its SecurID multifactor authentication tokens was linked to subsequent breaches at Lockheed Martin Corp. and L-3 Communications Holdings Inc. Lockheed and L-3 are both government contractors. [See RSA: SecurID Hack Tied to Lockheed Attack and Sony, Epsilon Testify Before Congress.]

Lockheed, the country's largest military contractor discovered a breach of its systems on May 21. RSA is now working to replace its customers' authentication tokens and says it will provide additional factors to strengthen all of its authentication products. [See RSA to Get Its First Chief Security Officer.]

Follow Tracy Kitten on Twitter: @FraudBlogger

  • Print
  • Tweet Like LinkedIn share
Get permission to license our content for reuse in a myriad of ways.
ARTICLE Lawmakers Lambaste OPM Chief Over Hack

Exasperated House Oversight Committee Chair Jason Chaffetz faults OPM Director Katherine Archuleta...

Latest Tweets and Mentions

ARTICLE Lawmakers Lambaste OPM Chief Over Hack

Exasperated House Oversight Committee Chair Jason Chaffetz faults OPM Director Katherine Archuleta...

The ISMG Network