Citi Bank Reveals Attack... One Month Late
An anonymous reader writes "Is account security a thing of the past? Quote: 'We're talking a fairly serious hack, too. The personal and account information of some 200,000 Citibank card holders in North America was breached, reports Reuters, including contact specifics like names and email addresses. The solitary bit of good news? Citibank claims far more sensitive info like social security numbers, birth dates, card expiry dates and CVV card security codes was not compromised.'"
How do they know?? (Score:5, Interesting)
> social security numbers, birth dates, card expiry dates and CVV card security codes was not compromised.'"
Re: (Score:2)
Re: (Score:2)
Even if they were, it's likely that we wouldn't find out about it for at least another month or two.
Re: (Score:3)
The article is very light on details but it could be an online profile system rather than the actual credit system of record. There would be an internal token that would associate one with the other, but no direct way to connect between those systems. It's definitely possible to build a system that is segregated in such a manner, and such an architecture is recommended (and to some extent dictated) by many of the financial security rules.
Or they could be lying.
Re: (Score:2)
Re: (Score:2)
Same with Chrome.
I bet it's Citibank that's reported it, so nobody can risk seeing the details of their stupidity. :)
Re: (Score:2)
Re: (Score:3)
My copy of DNF was dispatched earlier today ;)
Re: (Score:2)
Citi Bank: Your deposits are federally insured but your personal information isn't.
After the bailout fiasco, this does not instill confidence.
Re: (Score:2, Insightful)
> Your deposits are federally insured but your personal information isn't
The heart of the problem:
-Hi, I'm John Smith and I want a credit card.
>OK...there are a lot of John Smiths. I need to identify you. Which John Smith are you?
-How do I do that?
>Is there some token of information that everybody has agreed upon to uniquely identify you?
-Oh, yeah. I'm John Smith, SSN 123-45-6789
>OK...now, just to make sure everything is on the up-and-up, we need to authenticate you. Can you prove you are who you c
Re: (Score:1)
> Is there some token of information that only John Smith, SSN 123-45-6789 could ever possibly know, and would never divulge to anyone else?
Even if there is such a thing, as soon as they tell it to the credit card issuer (who doesn't know it either at that point, making your "token of information" useless, but that's another story) it is no longer something that only that person could ever possibly know. A better bet would be biometrics, although that's not without its flaws.
Re: (Score:3)
Held on a different server that has no relation with the server or server pool that was compromised (in other words, compartmentalised data storage)? No evidence of non-legitimate access to that server?
Re: (Score:2)
Well, if they didn't store those, then they could be sure. As it happens, they can just lie instead.
Re: (Score:1)
Re: (Score:2)
Because (quoting citicards.com)
If those WERE hacked then it would mean citi has no way of verifying any of its customers online and would be completely vulnerable.
That just can't be allowed to happen so... no.
Log files (Score:3)
They log every access. It's not hard to implement, and many systems do it by default.
Re: (Score:3)
Because even the most despicable blackhat would never alter, delete, or bypass log files!
Re: (Score:2)
There are other ways of ensuring that log files aren't altered - it's trivial to set up a syslog server that accepts logs from other machines but can be hardened (only have local console logons enabled) to ensure that the logs aren't altered.
It's also pretty easy to put a copy of logs onto a multi-session dvd that's effectively write only.
Re: (Score:2)
Yes, there are ways, but considering they have already been hacked, what are the odds they actually DID any of those things? And did them correctly?
About a zillion years ago before touring a system was even a crime, I knew one that logged everything, until you exited the captive shell into a system prompt. That would log your connection as terminated and then leave you completely un-monitored. That is a good example of bypassing logs. It doesn't matter if logging was to a line printer at that point.
What "wasn't" compromised... (Score:5, Insightful)
That's because they're going to wait a few weeks and admit that everything really was.
It should be criminal to employ this tactic, but we see it again and again. These companies have a responsibility to be good stewards of the information we have granted them. When they hide these breaches, they are not acting in good faith.
paying by cellphone is coming (Score:5, Informative)
and if google wallet and its competitors are smart, they'll start with better security from the ground up, and use that as a selling point. consumer awareness of credit card insecurity is high
replacing all our credit cards with our cell phones is a natural evolution, regardless. but at this stage, in the beginning of the evolution, now is the time to address security robustly, before weaknesses get baked in
and for the lunatic paranoid fringe who thinks their own democratically elected government is an evil alien entity out to butt rape you: i said replace CREDIT CARDS, not replace cash
Re: (Score:1)
Re: (Score:2)
true
but i'm amused by their desperation
i call them out for my entertainment purposes
Re: (Score:3)
One would hope that better security is already a given in a new from-scratch system... especially one that you want people to have trust in, away from the existing banks. But... if someone were to want to compromise Google Wallet, the script kiddie's best bet is to not attack the servers, but the individual phones, where Google will lose a lot of the control.
Unless Google is working to get FDIC insured and become their own bank, they themselves will have to connect to the banks to access the money somehow.
The way Google could do it (Score:5, Interesting)
find a good sized but stressed bank and then just go ahead and BUY IT.
advantages for Google
1 no need to burn time/money on building the "stuff" needed for a bank
2 instant access to millions of new customers (have as part of the deal that the bank hosts email on google servers)
3 this would be a real established bank
advantages for the Bank
1 tens of millions new customers (they would logically be the default bank for GWallet)
2 point and click dibs on the GProfiles of everybody with a Google Account
3 "native" access to the google server farm network
Re: (Score:2)
there might be regulations about that
and if not, if you are part of the oligopoly of large banks worried about competition that works for the consumer (but not for you), then there is a congressional whore in your employ holding a chair on a finance committee who can "raise serious objections" about some sort of "regulations" for you
Re: (Score:2)
> Any use of FTFY or editing of my posting agrees to a US$50.00 charge by the person editing
Sounds like a good deal to me.
"Any use of FTFY or editing of my posting agrees to a US$50.00 charge by the person editing."
FTFY
(added the period to conclude the sentence properly)
Now, according to our agreement, you are being charged $50 by the person editing (that would be me). I prefer cash, but will accept paypal, cashier's check or money order.
Advertising superior security..... (Score:1)
Re: (Score:2)
i'm a man in black who enjoys watching interplanetary sex acts, but i don't smoke. i resent the stereotyping, you insensitive clod!
us men in black are unique and special individuals, to be valued and judged independently on the merits of our unique journey in life, not to be thought of as a monolithic force bent on galactic domination!
paying by cellphone (only) == epic FAIL (Score:1)
Maybe your idea would work for cell phone addicts, those who can't be without one.
As for me, I can't conveniently carry a cellphone in my wallet (too large and fragile), I don't want to pay a monthly fee for one just to use it as plastic, and Murphy's Law says that the battery would run out just as I had to pay my bill at a restaurant feeding a few tables of attendees of a State Police convention.
Re: (Score:2)
the same could be said for credit cards. think of all points on the chain that could fail but have to work for credit cards to work
but that doesn't seem to bother you
there are indeed more points of failure with cellphones
and also increases in convenience
and that latter point outweighs any argument you could make
Re: (Score:2)
Well, I must admit, ALIEN might be going too far... We just wish we could disown them from our species.
Re:paying by cellphone is coming (Score:4, Insightful)
Actually, the basic problem with the security of payment systems is that there's money involved. If there's money involved, there will be fraud and theft.
There was fraud when the standard money was gold or silver coin (as minters would substitute in other metals). There's fraud with cash by counterfeiters today. There's fraud with checks. There's fraud at ATMs. There's fraud with credit cards and electronic check payments. There's rampant fraud with PayPal.
So there's no reason to think that cell phone payments (which wouldn't even be available to large segments of the world population) would be immune to fraud.
Re: (Score:3)
well yeah, but just because fraud will always exist doesn't mean you stop trying to minimize it
altering security protocols to prevent frequent and common means of exploitation is worthwhile, even though someone somewhere will still get ripped off
Great big huge fines ... (Score:5, Insightful)
Companies really need to start getting slapped with very large fines for stuff like this.
Being incompetent to actually protect the data of your clients doesn't mean you simply get to say "oops" and act like nothing happened.
Someone needs to start holding these companies accountable for stuff like this. You're a bank (albeit a sketchy, annoying one who keeps sending me offers for cards and a bunch of other crap I don't want) ... you're supposed to have a legal obligation to protect this information.
From the annoying telemarketing and other crap they send me in the mail, I already can't stand Citibank. An inability to actually protect data is just further proof of why I'd never actually deal with Citibank. They just don't give off the feel of actually being a reputable organization to me.
Re: (Score:2)
Most companies that hold credit-affecting data (SSNs, names, addys, etc) are actually obligated in some (but not nearly enough) states to provide anti- ID theft protection/correction at their expense, and to eat any additional costs associated with that.
One would hope that it would become federal law, but good luck with that one...
Agreed but ... (Score:1)
Re: (Score:2)
> Companies really need to start getting slapped with very large fines for stuff like this.
let's examine this idea of yours.
who runs the world? who watches the corporations? who watches those who are in bed with corporations?
you know the answers to all those questions. you were not born yesterday.
if individuals get any justice today, it's by accident. corps own the world after only a brief interlude that we had a few decades ago. it's basically back to barons and serfs again, just without the drab clothing
Re: (Score:2)
So, America has jumped the shark, and finally become the oligarchy I've been saying they would for years, then?
Re: (Score:2)
And that's why I personally reserve judgement on vigilante groups that attack the corporations.
Re: (Score:2)
> Companies really need to start getting slapped with very large fines for stuff like this.
CxOs need to start going to jail for stuff like this.
If they don't take this seriously (Score:5, Insightful)
Re: (Score:3)
Don't take them seriously. Find a real bank to do business with.
That's what mattresses are for. Yeah, mattresses and guns.
Re: (Score:1)
> Don't take them seriously. Find a real bank to do business with.
In the US? That would be which bank?
Re: (Score:2)
> Don't take them seriously. Find a real bank to do business with.
I took that attitude so I went with WAMU. Then they were eaten by Chase with the assistance of the federal government in spite of the fact that other banks were in even worse financial straits and got bailouts instead.
I bank with a local credit union but they're pretty incompetent so I'm not really happy with them either.
If I were rich I could bank with someone out of the country, but I don't really have enough money for that. So I'm stuck with the shit we have available here.
One month? (Score:2)
Did it take them that long to figure out there was a breach? Infrequently reviewing logs instead of real time monitoring, perhaps?
I MAY believe them... (Score:1)
I have a feeling my account was one of the compromised.
They forced me to change my CC# for no reason, and no fraud was present I was aware of or they admitted to.
I have been getting a lot of 409 scams and viagra emails lately. They seem to have started a month or so ago. Never got them before.
For forcing me to change my CC#, they lost a customer.
However, I have had zero unauthorized charges. So they may be telling the truth about the info compromised.
Re: (Score:2)
Well, I didn't get a new number, but my wife got a pretty convincing phish about ten days ago. *sigh* Citi, I hates you.
Re: (Score:2)
I agree that the data breach is inexcusable, but wait a minute -- you claim it's somehow their problem that you are apparently emotionally attached to a 16 digit number?! WTF? I wouldn't mind not having a fixed CC number period. For all online transactions I'm using their single-use number generator (virtual account number), and for brick-and-mortar stores I try to use cash whenever possible.
Re: (Score:2)
> I agree that the data breach is inexcusable, but wait a minute -- you claim it's somehow their problem that you are apparently emotionally attached to a 16 digit number?! WTF? I wouldn't mind not having a fixed CC number period. For all online transactions I'm using their single-use number generator (virtual account number), and for brick-and-mortar stores I try to use cash whenever possible.
I've memorized my account number and use it nearly everywhere. Over the years I've had it compromised twice, but fortunately they've only changed the last 4 digits (plus the CID) so it's easy to remember the new one.
Since I have it memorized and it's quick and easy to type for a new purchase, I never check the box "Remember this credit card for your next purchase" to help limit the chance of someone getting the card number, though I don't know if merchants really prevent it from being stored if I check that
Re: (Score:2)
You should use a virtual number every single time when online. All merchants are shady in that there's no telling when their records may be compromised.
Re: (Score:2)
> You should use a virtual number every single time when online. All merchants are shady in that there's no telling when their records may be compromised.
Even though my credit card number has been compromised twice (once thanks to Nashbar, a large, legitimate retailer), I've suffered no out of pocket losses - just 15 minutes to call the bank, then fill out the followup paperwork.
Since the inconvenience to me is small, and all of the loss is shouldered by the bank and merchant, I see no reason to spend an extra few minutes with every purchase to get a virtual card number. If I have some reason to suspect that the merchant is not going to take care of my numb
Maybe it's time to cheer for breaches. (Score:1)
Hell, maybe it's time to embrace these types of breaches. The more frequently this happens and the greater population it impacts, the less accountable people will have to be. I mean, if everyone has every piece of your data that is used for anything that you do, then there will never be any way to reasonably affix responsibility to you.
On the other hand, they'll just solve it by finally cracking down and imposing some sort of draconian National ID stuff both on and offline and these activities will just ser
Re: (Score:2)
Sadly, it's already rampant but they have somehow successfully re-defined acts of fraud against them (aided and abetted by their own crappy security) as acts of "identity theft" against consumers, and so have shifted the burden of cleaning it up onto individuals with limited resources and no ability to prevent the crime.
It's NOT identity theft. I am still me. If the justice system was vaguely functional for individuals, it would not be MY problem if THEY chose to hand scads of cash to a stranger using my na
Every Time I See "Citi Bank"... (Score:5, Funny)
Welcome to Shitty Bank! You want shitty bank account? How about shitty credit card? I can get you a shitty mortgage!
Oh god damn it! How come every time a hard working Chinese man starts a bank, some JAPANESE DOG open one right next door?!
Re: (Score:2)
> Oh god damn it! How come every time a hard working Chinese man starts a bank, some JAPANESE DOG open one right next door?!
And some damn Mongolians have to come and break down their wall
One month Late? Or just later? (Score:2)
I raise this semantic quibble not to take potshots at the submitter and editors, nor to let citibank off the hook for such lax pract
Re: (Score:2)
Were they PCI compliant? (Score:5, Interesting)
Did the systems that had the data stolen meet PCI compliance guidelines? If not, can I levy non-compliance fines on the bank for not following their own standards for protection of cardholder data?
Re: (Score:2)
Are you a consumer, then probably not.
Many laws and regulations that are phrased in terms of consumer protection quite often deny standing to actual victims/consumers.
Liable (Score:2)
Security question (Score:3)
Can we? (Score:2)
Can we as the public charge them a late fee? They certainly have a lot of them from me that I'd like to get back! :)
CVV data? (Score:3)
Um, of COURSE CVV data wasn't compromised... What nimrod would store CVV in the same system as PAN? (That's Primary Account Number, for those of you who don't play with credit card data enough to stop using 'card number' as the term).
In fact, just stating that CVV wasn't compromised bugs me. That should NEVER be exposed to anything that returns data. Here's how it should work:
1. Merchant swipes your card into terminal (or keys it into whatever).
2. Merchant reads and enters your CVV (or CVC or CVV2 or CID) into whatever.
3. Authorization request is sent to the processor.
4. Processor compares PAN and CVV to their records.
5. Processor makes a decision.
6. Processor responds to request.
7. Merchant's system discards CVV if it didn't already.
The CVV may not be saved by the merchant per PCI specs, and also per every processor spec that I'm aware of. If someone is able to get and match CVV etc with PAN, they do it by either intercepting authorization data or reaching in and compromising processor and/or issuer databases that should not be connected to any external network. These should only be accessible by the 'inside' or secure side of trusted platforms, never externally.
So you should hear of CVV-type data being disclosed only by terminals or POS software being compromised, or by someone carrying the data out of a building.
And that Citi actually said this worries me just a little. Like hearing your 3rd grader's teacher telling you they always wear a condom to work. Um, why? that should NEVER be an issue, sirs.
Of course, Citi might just be covering their bases, claiming that no other data, even the stuff that should not even be connected, was taken. Again, doing it wrong, guys.
ps - as an aside, there is a good chance that up to 30% of all cards in use have been compromised somehow, and no one bothers to replace them. Too expensive, they will run out of numbers faster than IPv4, and they handle the ongoing threat of fraud with existing fraud systems. No problem. Well, not much of a problem. I bet Citi doesn't even bother to replace these cards.
Second aside, while waiting a month sounds bad, perhaps Citi was gathering history and understanding how these details would be used, to both crack the fraud rings and maybe connect them to the infiltrators. This will happen more and more as the banks especially decide to fight back and make an effort to find the perps of the intrusions. And about time.
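The seven-step flow in the comment above, sketched as an added example (not part of the original post and not any processor's real code): the merchant persists only a masked PAN and the authorization result, and an audit pass flags CVV-type fields or full PANs at rest. The class names, the HMAC-based processor record and the test card values are assumptions constructed for illustration.

```python
import hashlib
import hmac
import re
import secrets

# Constructed sample data: a widely used test PAN and a made-up CVV.
TEST_PAN = "4111111111111111"
TEST_CVV = "123"

FORBIDDEN_KEYS = {"cvv", "cvc", "cvv2", "cid"}  # the names listed in step 2
PAN_RUN = re.compile(r"\b\d{13,19}\b")          # candidate card-number runs


def luhn_ok(digits):
    """Luhn checksum: separates plausible PANs from arbitrary long numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


class Processor:
    """Steps 4-6: compare PAN and CVV to records, decide, respond."""

    def __init__(self):
        # Assumption of this sketch: the record is a keyed digest, not plaintext.
        self._key = secrets.token_bytes(32)
        self._records = {}

    def _digest(self, pan, cvv):
        msg = f"{pan}:{cvv}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def enroll(self, pan, cvv):
        self._records[pan] = self._digest(pan, cvv)

    def authorize(self, request):
        expected = self._records.get(request["pan"])
        ok = expected is not None and hmac.compare_digest(
            expected, self._digest(request["pan"], request["cvv"]))
        return {"approved": ok, "auth_code": secrets.token_hex(3) if ok else None}


class Merchant:
    """Steps 1-3 and 7: collect card data, request authorization, discard CVV."""

    def __init__(self, processor):
        self.processor = processor
        self.stored = []  # stands in for the merchant's database and logs

    def charge(self, pan, cvv, amount_cents):
        request = {"pan": pan, "cvv": cvv, "amount_cents": amount_cents}
        response = self.processor.authorize(request)
        # Step 7: the request (with the CVV) is never written anywhere;
        # only a masked PAN and the processor's answer are kept.
        self.stored.append({
            "pan_masked": pan[:6] + "*" * (len(pan) - 10) + pan[-4:],
            "amount_cents": amount_cents,
            "approved": response["approved"],
            "auth_code": response["auth_code"],
        })
        return response["approved"]


def audit_storage(records):
    """Return (index, field, finding) for CVV-type fields or full PANs at rest."""
    findings = []
    for i, rec in enumerate(records):
        for key, value in rec.items():
            if key.lower() in FORBIDDEN_KEYS:
                findings.append((i, key, "CVV-type field stored"))
            for run in PAN_RUN.findall(str(value)):
                if luhn_ok(run):
                    findings.append((i, key, "full PAN stored"))
    return findings


def demo():
    proc = Processor()
    proc.enroll(TEST_PAN, TEST_CVV)
    shop = Merchant(proc)
    good = shop.charge(TEST_PAN, TEST_CVV, 1999)   # correct CVV
    bad = shop.charge(TEST_PAN, "000", 1999)       # wrong CVV is declined
    clean = audit_storage(shop.stored)
    # Constructed contrast: a store that keeps the raw authorization request.
    leaky = audit_storage([{"pan": TEST_PAN, "cvv": TEST_CVV}])
    return good, bad, clean, leaky


if __name__ == "__main__":
    print(demo())
```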
Re: (Score:2)
> Um, of COURSE CVV data wasn't compromised... What nimrod would store CVV in the same system as PAN? (That's Primary Account Number, for those of you who don't play with credit card data enough to stop using 'card number' as the term).
I don't play with enough credit card data to call the card number a PAN, but Card issuers/processors are allowed to store the CVV (duh, otherwise they wouldn't be able to validate it) so it wouldn't be surprising if Citi lost the CVV too.
But since payment systems are often complex systems with software pieced together from multiple vendors, it's easy for a merchant to inadvertently store the CVV without even knowing it, I have an open bug request for a supposedly PCI compliant application (it's on the list
Re: (Score:2)
Yup, we encrypt our log file. We haven't figured out how to scrub RAM, but it's being worked on.
Re: (Score:2)
how does amazon get away with this, then? I'm curious. amazon has 'one click' and even if you don't use that, I've NEVER had to re-enter cvv strings to use my 'on file' CC with them.
newegg and all the rest - I have to re-enter the cvv. but not amazon. how did they pull this off?
(then again, I wonder how they can send me a box FROM calif TO calif and not charge me tax. amazon has some 'creative' accts, I would assume, but why don't other big names also use these loopholes?)
Re: (Score:2)
> how does amazon get away with this, then? I'm curious. amazon has 'one click' and even if you don't use that, I've NEVER had to re-enter cvv strings to use my 'on file' CC with them.
I imagine that they just don't use the CVV for future transactions. They use it the first time to make sure that you have possession of the card, but after that first transaction, they just process transactions without the CVV. The CVV isn't required, though it reduces the merchant's chance of chargeback and often results in a lower transaction fee (though Amazon's negotiating power probably means that they don't pay a higher transaction fee for future non-CVV transactions).
On Amazon, if you ship a product
Re: (Score:2)
Pretty much what hawguy said. Most major retailers have arrangements with the issuers to accept chargebacks for nonswiped transactions, and Amazon is in the nonswiped or 'card not present' model. So they tolerate the chargebacks.
Also, many processors allow a merchant (Amazon, perhaps) to process a card again if previously successful. Still subject to other fraud rules, but they can do it without the CVV etc.
The CVV is useful to merchants that are in the nonswipe model, and wish to have the extra authenti
Re: (Score:2)
You are right, but the underlying hole is this:
The merchant voluntarily discards information
The reality is they don't discard information. They keep it, mine it, sell it, etc. It should be illegal to do so. But even more important, the system should never expose any information to the merchant: not the credit card number, expiration date, CVV code, cardholder name -- nothing. There are smart card systems that work this way but I've never seen one in practice.
Re: (Score:2)
That would be how EMV cards are supposed to work. The cryptogram can be shown to the merchant, but good luck using it without certificates. And if it gets out of synch, say after a man in the middle attack that forced an offline transaction, at least the cardholder is alerted and the card dies.
Yes, mag cards are insecure. Merchants that don't discard CVV (actually the spec says 'do not store') are in violation and risk all sorts of reprisals, though they are never harsh enough. Some merchants do engage
Re: (Score:1)
Re: (Score:2)
Precisely. But it should be stored on systems so inaccessible to the outside, as to be impervious.
I know, that. sounds. naive. But it can be done.
A processor Or bank never needs to send CVV out at all, except as it is needed to load new accounts, and then of course encrypted for the exchange and over a secured link. I know, naive again.
Re: (Score:2)
> Precisely. But it should be stored on systems so inaccessible to the outside, as to be impervious.
> I know, that. sounds. naive. But it can be done.
Really? You should tell RSA and Lockheed how to make computer systems storing high value data impervious to the outside. I'm sure they could use the help.
Re: (Score:2)
Well, one way is to sanitize input and discard anything not expected. Most processing platforms do this. Try FTPing into any major platform some time. Another way is to ensure that whatever the external platform gets, it is parsed and sent on. No, our platforms don't even recognize characters used in injection attacks etc, and those don't even get passed on.
It is possible. RSA and Lockheed got used because they failed. Not every other system is run by incompetents.
Re: (Score:2)
> Well, one way is to sanitize input and discard anything not expected. Most processing platforms do this. Try FTPing into any major platform some time. Another way is to ensure that whatever the external platform gets, it is parsed and sent on. No, our platforms don't even recognize characters used in injection attacks etc, and those don't even get passed on.
> It is possible. RSA and Lockheed got used because they failed. Not every other system is run by incompetents.
That's why computer security is so hard - hackers rarely come in the way you expect them to. In RSA's case, they exploited a previously unknown Flash vulnerability - you can sanitize inputs all day long, but when the hacker takes over your workstation because they managed to get you to view an infected Flash ad, he suddenly gets the same access to your secret data that you have. (you may say "I'm safe because I don't run flash", it doesn't matter - exploits can live in any software or operating system, may
Re: (Score:2)
You're not going to exploit a Flash vulnerability with any processor platform - they don't do any of that.
And if the workstation is able to view the data, well, yes, compromising the workstation gets you data. None of that has to do with processors.
You're assuming this incident was a workstation attack, which is not implausible.
Re: (Score:2)
I'm not saying anything about this incident, I'm disputing your statement that a network attached system can be rendered impervious from outside attack:
> But it should be stored on systems so inaccessible to the outside, as to be impervious.
> I know, that. sounds. naive. But it can be done.
I'm sure that RSA wasn't storing secret keys on a workstation running Flash, yet a Flash vulnerability gave hackers the stepping stone they needed to get into secure servers.
Re: (Score:2)
Around work, we sit inside multiple firewalls and run multiple methods of intrusion detection and anti-whatever stuff. So much so that I see scans multiple times a day, and other stuff monitoring communications and looking specifically for sensitive and encrypted data, and where it is going.
When I use my system outside of work, it goes through a VPN and always has. It's never seen the Internet without going through the corporate VPN and then the corporate security. So far, no hint of problems.
And when I
Re: (Score:2)
Not yet, anyways. Visa certainly takes their time, and I suspect the PCI Council will act first and revoke the cert.
Then of course they will be paying for much fraudulent activity if any occurs.
How to get the attention of Banks (Score:1)
If we want to get the attention of the banks, the fine for compromised credit card accounts should be equal to 10% of the credit limit for the cardholder. So if my card has a $10,000 limit and my personal information is compromised, I get a *CHECK* from Citi in the amount of $1,000, not a credit to my account; I get real money.
This way all banks now start to take things very seriously, and I'm sure we'll see appropriate security measures start to be used.
If the average credit limit for the 200,000 users who ha
Re: (Score:2)
> If we want to get the attention of the banks, the fine for compromised credit card accounts should be equal to 10% of the credit limit for the cardholder. So if my card has a $10,000 limit and my personal information is compromised, I get a *CHECK* from Citi in the amount of $1,000, not a credit to my account; I get real money.
How would you justify this fine? What is the cost to you for a lost name and account number and a reissued credit card? The bank is already on the hook to eat unauthorized charges and reissue cards, but what are your real losses? And why is it based on your credit limit? Shouldn't it be more of a factor of your average activity? I have a $15,000 limit on a card that gets maybe $100 or less of use in a typical month.
Now if the SSN was released, that's a whole different scenario and the banks should pay dearl
Ironic (Score:1)
My
Personal Experience (Score:5, Interesting)
My sister was affected by this a few weeks ago, and I wondered that there was nothing on the news about it at the time.
She got a call saying that her account might have been compromised, and that a new card was on the way. Early on the day after she received the replacement card, and before she had even activated it, there was another call telling her that the new account number had already been used to make several purchases.
Clearly this was a serious breach that continued over at least several days, and was not the fault of a merchant, as they tried to claim.
subject (Score:4, Interesting)
"Is account security a thing of the past?"
Well, back in the early 90s, Citibank sent a bunch of 3.5" floppies to our school for students to use. Those floppies all had account information and spreadsheets on them. My job was to format them for use by the kids. Since I didn't relish the thought of formatting 50 of these fuckers on one computer, I just brought in a box of blank disks of my own the next day and kept the ShitiBank ones, formatting them for my own use as needed. Shiti is extremely lucky I had no plans to use the information for personal gain, but really, they had absolutely zero way to verify where those disks ended up.
So to answer your question, I don't think account security has ever realistically been on Citibank's mind.
News or Normal? (Score:2)
Come on everyone what's wrong with you? (Score:1)
Where is the hate for them because they got hacked like you had for sony?
Citi bank, foreign governments, hb gary, mastercard, paypal, square enix all get hacked and you don't get upset? But when sony gets hacked you all act like idiots and want to complain about them and take any chance you can to put them down.
Re: (Score:1)
Re: (Score:1)
Two by Four Approach (Score:2)
Mongolians? (Score:2)
Damned Mongolians breaking down my firewall!!