Citi Bank Reveals Attack... One Month Late 111
An anonymous reader writes "Is account security a thing of the past? Quote: 'We're talking a fairly serious hack, too. The personal and account information of some 200,000 Citibank card holders in North America was breached, reports Reuters, including contact specifics like names and email addresses. The solitary bit of good news? Citibank claims far more sensitive info like social security numbers, birth dates, card expiry dates and CVV card security codes was not compromised.'"
What "wasn't" compromised... (Score:5, Insightful)
That's because they're going to wait a few weeks and admit that everything really was.
It should be criminal to employ this tactic, but we see it again and again. These companies have a responsibility to be good stewards of the information we have granted them. When they hide these breaches, they are not acting in good faith.
Great big huge fines ... (Score:5, Insightful)
Companies really need to start getting slapped with very large fines for stuff like this.
Being incompetent to actually protect the data of your clients doesn't mean you simply get to say "oops" and act like nothing happened.
Someone needs to start holding these companies accountable for stuff like this. You're a bank (albeit a sketchy, annoying one who keeps sending me offers for cards and a bunch of other crap I don't want) ... you're supposed to have a legal obligation to protect this information.
From the annoying telemarketing and other crap they send me in the mail, I already can't stand Citibank. An inability to actually protect data is just further proof of why I'd never actually deal with Citibank. They just don't give off the feel of actually being a reputable organization to me.
If they don't take this seriously (Score:5, Insightful)
Re:How do they know?? (Score:2, Insightful)
Your deposits are federally insured but your personal information isn't
The heart of the problem:
-Hi, I'm John Smith and I want a credit card.
>OK...there are a lot of John Smiths. I need to identify you. Which John Smith are you?
-How do I do that?
>Is there some token of information that everybody has agreed upon to uniquely identify you?
-Oh, yeah. I'm John Smith, SSN 123-45-6789
>OK...now, just to make sure everything is on the up-and-up, we need to authenticate you. Can you prove you are who you claim to be?
-How do I do that?
>Is there some token of information that only John Smith, SSN 123-45-6789 could ever possibly know, and would never divulge to anyone else?
-Oh, yeah. I know that my SSN is 123-45-6789
>Meh, that's good enough. Here's your new credit card.
Imagine signing up for some web account and receiving the error: "Your password must be the same as your username. Please try again." That, in a nutshell, is what the entire financial industry is doing, and we're somehow okay with that. SSNs should never have been treated as private information. Impersonating someone by knowing their SSN should be as successful as impersonating the President by knowing the address of the White House.
Re:paying by cellphone is coming (Score:4, Insightful)
Actually, the basic problem with the security of payment systems is that there's money involved. If there's money involved, there will be fraud and theft.
There was fraud when the standard money was gold or silver coin (as minters would substitute in other metals). There's fraud with cash by counterfeiters today. There's fraud with checks. There's fraud at ATMs. There's fraud with credit cards and electronic check payments. There's rampant fraud with PayPal.
So there's no reason to think that cell phone payments (which wouldn't even be available to large segments of the world population) would be immune to fraud.