Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
Crime Privacy Security The Almighty Buck IT

Citi Hackers Got Away With $2.7 Million 126

angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."
This discussion has been archived. No new comments can be posted.

Citi Hackers Got Away With $2.7 Million

Comments Filter:
  • Amateur (Score:4, Informative)

    by Anonymous Coward on Sunday June 26, 2011 @09:30AM (#36576098)

    Let's not forget that the account numbers were passed with no security in the URL. I think I'll be canceling my Citi card (when I pay it off...).

    • Re: (Score:3, Insightful)

      by rbarreira ( 836272 )

      I think I'll be canceling my Citi card (when I pay it off...).

      You should do that even if it wasn't for this security breach. Big banks like Citi have been defrauding everyone including sucking money off the taxpayer teat courtesy of its puppet politicians.

      Why anyone knowing that would want to continue being their customer is beyond me. Use a local credit union instead.

      • the banking cartel does the defrauding, and why do you imagine your credit union is independent of it?
        • Re:Amateur (Score:5, Informative)

          by chill ( 34294 ) on Sunday June 26, 2011 @10:28AM (#36576430) Journal

          Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

          They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

          For example, I found that my place of work has a credit union. Its sole purpose is basically to make affordable car loans to employees. There is no online banking, no ATMs, and just one office open 3 hours a day, 4 days a week. Almost no one has a "checking" account there, because they offer only the barest minimum of service.

          What they do offer is savings accounts and auto loans and very reasonable rates. No, they don't offer mortgages.

          They're chartered, insured and totally transparent to members -- 95% of which see each other on an almost daily basis.

          • by pongo000 ( 97357 )

            Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.

            They are much, much more transparent than banks and frequently totally transparent in both their books and operations.

            Apparently, Texans CU didn't get the memo:

            http://www.cutimes.com/2009/12/23/management-shakeup-lawsuits-cuso-bankruptcy-plagued-texans-cu [cutimes.com]
            http://www.cutimes.com/2011/04/27/credit-union-industry-reacts-to-fai [cutimes.com]

            • by chill ( 34294 )

              Yes. Right now, I take size into account when I consider the trustworthiness of a credit union. Texans, with their 16 physical locations in over a dozen different cities and even more ATMs, would be "too big" in my estimation.

              Smaller isn't always better, because it is quite possible to be "too small". I can't give you a hard number, but and more than 5 branches and I'd be thinking of them as a normal "bank".

          • ... while it means that they don't have the goal of maximizing shareholder's equity, doesn't meant that they don't exhibit profit-seeking behavior. It just means that the profit isn't paid out in the form of dividends. It could, as one example, be paid out in the form of executive compensation.

            Moreover, many credit unions are for-profit concerns. But the dividends go to account holders rather than third-party investors that don't deposit money into the credit union. And the money that is deposited is used b

          • So, basically you're saying you have a very specialized CU for a small number of people that basically does nothing in general? Great, go sign rubycodez up right now! Except that would be just stupid.

          • So the point of your post is that credit unions don't offer a full banking service, in which case isn't it pretty fucking obvious why people use banks?
            • by chill ( 34294 )

              No, the point of my post is that credit unions can offer a variety of services, ranging from the very specialized to full-service banking. This makes it easier to find something that is a more comfortable fit for you individually.

              However, their model is different from for-profit banks. In a credit union, the shareholders of the company are the depositors on record. "Maximizing shareholder value" has a totally different meaning than it does for banking corporations. For instance, cramming as many fees and se

      • by dgatwood ( 11270 )

        Two words: cash back. Also, I've never seen a credit union that offered true credit cards. Debit cards, sure, but I'm not comfortable using a debit card anywhere unless I've been shopping there for years, because all it takes is one sleazy employee cloning your stripe, and somebody can then guess your PIN numbers and clear out your account without actually stealing your card. And because it is a debit card, your liability when this happens is unlimited.

      • Yeah, but if all their customers leave it will just lead to another bailout by the government.

        Look at the airlines: many of them lost their asses when air travel became so much of a hassle and fee-minefield that people stopped flying and started driving/riding the train/bus. Of course, the government was like "No! We're a rich successful country, and we can't let a big industry fail even if they're morons! That makes our country look weak. Cash! Throw it at them hard and quick!"

        Welcome to the 21st century,

      • Small regional banks are pretty good, too. Just watch for signs of being overextended and/or being gobbled up by one of the big boys.

      • by SolusSD ( 680489 )
        What is 'Insightful' about this post? This is your standard 'fuck the man!" BS post with no substance.
      • Use a local credit union instead.

        You only really get those in the US, plus why would I trust a small organisation with limited capital to look after my money? Are deposits guaranteed as with proper banks?

    • Citibank is the worst. They needed to be bailed out after taking on too much risk every few decades. Read up on their history.

    • You can cancel your account while still paying it off. It's actually a good thing to do, as it will keep you from charging any more (and prevent fraud charges).

      Just make sure you switch to paper statements first, as once you cancel/close your account, you can't access statements online anymore.

      I had my CitiBank card compromised twice in one month. The first time I called and told them, and they canceled the account number and overnighted me a replacement card. It sat in the overnight envelope on my coffe

    • What's in your wallet ?
  • by Anonymous Coward

    Citigroup suffered about US$2.7 million in losses

    - dollars?

    Nothing of value was lost.

  • Call me when there's news of the billions in cash that mysteriously was lost in Iraq.

  • by Virtucon ( 127420 ) on Sunday June 26, 2011 @09:39AM (#36576152)

    I find this funny and sad at the same time. Their PCI certification needs to be revoked. Besides it has been done before to Citi. http://redmondmag.com/articles/2008/07/02/citibank-hack-shines-light-on-pci-compliance.aspx [redmondmag.com] . if a bank can't be compliant then the PCI needs to be abolished because it appears to mean nothing to large financial institutions.

    • Any regulation that depends on enforcement from someone whose congressional superiors you can simply bribe away with campaign contributions will fail.

    • Re:PCI compliant? (Score:5, Insightful)

      by Opportunist ( 166417 ) on Sunday June 26, 2011 @09:54AM (#36576230)

      Compliance auditing is a circle jerk business. It's like peer review, just worse, insofar that there are no "honest" people in the game that could debunk the scheme. They're all in for the money.

      One thing you learn quickly as a young, aspiring and motivated auditor is that your job is not to test whether the company you audit is compliant. Your job is to make sure they are. Why? Because we want to be rehired for the checkup in a year, DUH! And because your first audit in a company is your foot in the door for other audits, and especially with BIG companies, there's a lot of things you can audit and certify, and all means moolah. Being "stubborn" means that your company will not be rehired and you will be fired.

      Quick question for 100 (or, in auditor's terms, 5 minutes of work): What's your goal when auditing?

      So I don't fear for their PCI cert. They will certainly be audited, this hole will be sealed, a lot of checkboxes will be ticked off (btw, transfer security is a very minor point in PCI-DSS compliance. Don't ask me why, I didn't make the cert requirements, I just have to endure them) and they will pass.

      • Re:PCI compliant? (Score:4, Insightful)

        by dgatwood ( 11270 ) on Sunday June 26, 2011 @10:22AM (#36576398) Homepage Journal

        What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its employees should be held liable for any damages.

        That one small change to the legal code would end the practices you describe in a heartbeat.

        • What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its corporate officers should be held liable for any damages.

          FTFY.

          For all you know the people performing the audit are contractors or employees under orders from their management to certify the audit no matter what they actually find.

          • Right, so management needs to be financially and criminally held liable for this sort of thing. If it affects their pocket book and they might face jail time for not following the rules, perhaps they'll be something done differently?

            • So the freedom of the CEO of a auditing company hinges on his auditors ability to do their job? I somehow don't think that's a good idea, a disgruntled employee might abuse that power fairly quickly.

              If we're talking about the company that actually drops the ball and leaks data, we can talk. If the CEO neglects security to the point where he cannot show that he has done what is reasonably possible (educate his staff, hire security auditors that don't just check off boxes but actually audit the shit out of hi

              • Somehow you've missed what I'm saying. This is not about leaking data. I'm not even talking about inept auditors. This is about an auditor finding problems, and management telling them to ignore them, not report them, and/or minimize them.

                Perhaps you've never had to deal with management with this sort of thing? It happens all the time, but if you want to keep your job you just document it in your private files and leave it at that.

                • I have, and what am I going to do? Send the incriminating order (which I'd have to gain with illegal means, since recording people without their consent is not legal in my country and you may rest assured that you'll NEVER get an order like that by mail) to Wikileaks? My next job would include the phrase "want fries with that".

                  The main problem is that everyone involved has a vested interest in not performing at peak level. Hell, what do you think is easier, to ignore security holes (and pretend I just misse

        • Re:PCI compliant? (Score:4, Interesting)

          by Opportunist ( 166417 ) on Sunday June 26, 2011 @11:01AM (#36576604)

          Aside from this not happening, it's also not feasible. And, bluntly, it wouldn't increase security one bit.

          I gave it in detail in a similar topic, compliance with security laws has nothing to do with security as the average IT person sees it. Consider this: It takes months (sometimes years) from detecting a security problem, formulating a law/compliance test around it, implement the test, implement the checkbox-ticker-form, get companies compliant and finally tack a "audited and passed" sticker to it. ISO27001 is currently current in the 2005 version. 2005. I think nobody here would consider himself secure if he is secure against everything known by 2005.

          To counter this, the requirements to pass the test are usually very broadly defined and in a quite unspecific way. There's a lot of talk about "reasonable security" and "state of the art/best practice", as well as securing "against current threats". There is a lot of talk about what has to be done, leaving the how completely open. Or, to give an example, you have to have a firewall that protects against current threats. It says nowhere what this may be. Or how "current" is defined. And here's where the whole mess starts to hit the fan.

          What is a "current threat"? What is "reasonably well secured"? What is "state of the art"? And most of all, what would happen if you make us circle jerks liable for our blunders? Well, we'd define what a current threat is, what reasonably good security is and also what's state of the art is. Who else could? The (snicker) government? If that's the case, I have no worries that I'll ALWAYS be auditing by best practice standards, they'd probably be from 1980something. And rest assured that we'll always cover our respective backs when it comes to the question whether one of us audited perfectly. You don't piss off the people you work with in this trade, it comes back so terribly quickly, and there ain't that many companies that can actually do an ITSEC audit, so there is no heated competition. Hell, we hire each other to reaudit our own certs, take a wild guess how much we hate each other...

          The solution is much simpler. First of all, get rid of all those fancy security stickers that get so much credibility but actually mean jack when it comes to security. Second, make companies care about security, and tack a fine on it that actually HURTS. As a neat side effect, it might reduce the data hunger some companies started to develop, since every bit they store might come back to bite them in their ass. In today's economy, it might actually already be sufficient to say that a company that can't get its act together is banned from bailouts. The rest will fall into place by itself.

          • by Bert64 ( 520050 )

            You make some good points, and it's not just PCI, but various government security standards too...

            You have a list of "approved products", a list which is very expensive and time consuming to get on to. As a result, the approved products tend to be several releases behind and often have known vulnerabilities.. You also ensure that only a few vendors will bother to go through the process thus creating a cartel and forcing smaller players or open source out of the market. Few of those vendors will bother certi

      • Re:PCI compliant? (Score:4, Insightful)

        by Bengie ( 1121981 ) on Sunday June 26, 2011 @11:30AM (#36576788)

        They need a way to fine the auditor to the point of bankrupting them for effectively "lying"

        • The employee of the auditing corp? Be reasonable, he was probably facing the decision of signing a cert or being fired.

          That won't change jack. Now, if his CEO would have to face personal responsibility... but then, could you see a mere auditor holding the CEO of a huge international auditing co at his balls? Be nice or I sign this bogus cert?

          Give companies an incentive to be secure besides getting useless certificates that certify nothing and you'll see change. Nothing else will.

          • This is where whistle-blower laws need to be improved. Should a CEO or management do this, they should be financially penalized and face jail time, and the whistle blower should be financially well taken care of.

            Basically, and auditor should be untouchable. They should be able to follow the rules, and if not, huge fines should face the management and a large portion of that should go to the auditor.

            Auditor's personal financial records need to be an open book, otherwise this would set them up to be able to

            • Heh, while I like the idea of being untouchable, I doubt it's a good idea either. You could easily hold whole corporations ransom or, in case you don't like them, keep failing them. There needn't be even any monetary incentives to do so if the auditor in question has a personal grunge against a certain company.

              In other words, don't send me to audit Sony.

              The whole process needs an overhaul. And I don't think creating overly complicated rules or regulations is going to do it, neither is sending CEOs to prison

      • Re:PCI compliant? (Score:5, Informative)

        by shoehornjob ( 1632387 ) on Sunday June 26, 2011 @11:41AM (#36576860)
        About 5 years ago I worked for a compliance unit in the brokerage section of Citi. Prior to the creation of this unit managers in different departmets were responsible for making sure their employees were in compliance. When I started there we found that the firewall guys were granting access to whole segments of ip addresses instead of just the 7 or 8 that were needed. We also found the Unix guys were not deleting access to highly sensative databases after employees left the company. Something tells me that the culture of ignorance in that place isn't going to stop any time soon. About 2 years after our group was formed they sent our jobs over to India. We were only there to develop the process and iron out the kinks. They gave the crew in India a month to learn our process manual and 8-9 months later they still didn't get it. Lets add greed to a culture of incompetance. BTW that's where the name shoehornjob comes from. For a while there the manager would come to us and shoehorn in new processes without review or vetting them.
      • Compliance auditing is a circle jerk business. It's like peer review, just worse...

        God, this reminds me of code reviews. I would send them out, and get back a "Looks good!" email... to which I would note that in the time between me sending them the code review and me receiving their "looks good!" I found two bugs and one of them was a flagrant syntax error.

        I tried to reform the process, but imagine how well that went over? If you said that I got the response "looks good!" and then it was never touched again, you'd be right.

        • Code reviews don't mean that someone reads your code. Don't be deluded into thinking that I'd have the time to read thousands of lines of source code, find out what the coder actually wants to do with it and painstakingly follow every variable through its lifetime, and make sure that all mem leaks are sealed. That's none of my business. I don't debug your code, I check it for security holes.

          Say we're looking at the review of a PHP created webpage. Do I care whether you display the results correctly? Probabl

          • Code reviews don't mean that someone reads your code. Don't be deluded into thinking that I'd have the time to read thousands of lines of source code, find out what the coder actually wants to do with it and painstakingly follow every variable through its lifetime, and make sure that all mem leaks are sealed. That's none of my business. I don't debug your code, I check it for security holes.

            Say we're looking at the review of a PHP created webpage. Do I care whether you display the results correctly? Probably not, unless it is explicitly part of the review. I'll look for the lines that deal with database access, cookies and XSS vulnerabilities. Whether your results are correct or whether it looks like a monkey tried to write HTML is usually not the scope of a security code review.

            And all of the same bugs were skipped and missed in the code reviews I've seen.

            And how do you check all that stuff without reading the code for real? And if you don't have time to sit down and read-through and understand everything I wrote, why aren't there people whose job it is to do precisely that. Journalism and publishers have editors whose job is explicitly to read and understand and provide feedback. If we're relying upon other writers to do the exact same thing, when they're too busy to read anythin

            • There are still editors? I thought they went down the road of the dodo along with the typesetters and the layouters.

              Code reviews are not there to find bugs. Code reviews are there to get a signature on certificate. And I'm not arrogant, just jaded.and disillusioned.

              • There are still editors? I thought they went down the road of the dodo along with the typesetters and the layouters.

                Code reviews are not there to find bugs. Code reviews are there to get a signature on certificate. And I'm not arrogant, just jaded.and disillusioned.

                I think we're running into an is/ought problem... I'm saying the purpose of code reviews ought be to find bugs, and help correct them. You're saying that code reviews regardless of what they ought be, are in fact actually just signatures on a form in order to permit a check-in, and thus get degraded down to the most minimal aspect... no review, just a sign off.

                I can't hardly argue with you about what reality actually is, as it's pretty much what I'm complaining about. And since you declare yourself to be ja

                • Ok, you're right. From the is/ought to be point of view, of course a code review should be more than a checkbox-ticking chore. The problem is that nobody in the game WANTS it to be more than that.

                  The auditor doesn't want to, because while getting paid by the hour, no customer would agree to you spending about as much time reading code than the programmer spent writing it, just at about the triple (or more, hey, I'm actually cheap...) hourly rate. Plus, bluntly, reading the n-th php code dealing with databas

                  • So, who do you think would complain?

                    That pedantic bitch that everyone doesn't like, because she makes them do real code reviews, rather than just checking off boxes? You know, because if she's going to do something, she's going to do it right...

                    My ex-boss also didn't like me doing root-cause analysis and figuring out what really caused XY bug/error/failure. He just wanted it fixed, and for me to move on.

                    • That bitch gets fired before she's done complaining. She's keeping the company from getting certified, she's working against the interests of the company, she needs to leave. That's the sad truth, despite her being the only person in the whole process that shows responsibility, and would probably actually save the company a lot of money in the long run when (not if) a bug causes damage.

                    • That bitch gets fired before she's done complaining. She's keeping the company from getting certified, she's working against the interests of the company, she needs to leave. That's the sad truth, despite her being the only person in the whole process that shows responsibility, and would probably actually save the company a lot of money in the long run when (not if) a bug causes damage.

                      Except she's the best programmer in the group... thus, you direct her outrage at code reviews in order to implement a reform of the code reviews, she wastes months and months on the reform, then once it is complete, you don't implement it, and then you start working on firing her... (you don't fire her immediately, because you have your HR department to CYA so she doesn't sue for discrimination, you know, given that women comprise some 10% of computer programmers in many organisations.)

                      Sounds like you know

      • Ah the beauty of just providing the tools for the people doing the "tests". I feel for you. The part where a client gets pwnd and you were the one confirming their compliance rocks. I've had more than one call that start, "I'm the new guy" because of it. Anyway, money. Sure wish I was the guy with lots of it.

        • At first, I was worried when a company that I audited got pwned. Then I was bothered. Now I just open a new window and read Dilbert, and 5 seconds later I forgot about it.

          In all seriousness. First I was worried that I might be liable. I'm not. If I ticked down the checkboxes correctly, I'm not. Then I was bothered that they simply ignored my recommendations because they didn't give half a shit about their own security after they got the signature on the all-holy toilet paper called certificate. Now I guess

    • I say we return to VLB. When the central processors and the peripheries are forced to work at the same pace, there is less opportunity for corruption. Sure, it might mean the former needs to slow down a bit, but that's essential in dealing with any sleight of hand issues.

    • by 1s44c ( 552956 )

      PCI isn't security. No set of rules mandated by people that don't understand IT could be. PCI, SOx, and all the other government mandated rules are just well intentioned attempts to tell people how to get security. It can't cover every aspect needed so it's doomed to failure.

    • by Firehed ( 942385 )

      PCI needs to be clarified and enforced properly. If you've read the spec (I have), you'd realize how utterly vague parts of it are, and pointless other parts are. There are some perfectly valid things in there that should be second nature to anyone but never hurts to have on a checklist (run firewalls, do not use default passwords on your software, etc.), some things that are good to have (unless there's a business requirement to do so such as in an admin panel, do not display more than bin+last4 of card)

      • Well I also wonder if Visa and MC would actually fine Citibank considering how much revenue they derive from their card holders. PCI was supposed to help reduce the amount of fraud by enforcing minimum security standards on people accepting payments and dealing in the transaction stream. It remains to be seen if now a large financial institution will be held accountable by the PCI consortium for these actions. I definitely know the FTC would be involved but again, they'll get a slap on the wrist because

    • by John3 ( 85454 )

      I wish I still had mod points to bump up your comment. The whole PCI compliance scam is a pet peeve of mine. I own a hardware store and we're fully compliant, but it cost a bunch and is a real pain considering that we're trying to protect credit cards and a system that is essentially poorly secured in the first place. There are thousands and thousands of independent business owners that are not anywhere near compliant, and they have no clue how to get in compliance. They are just scared that when a brea

  • by Opportunist ( 166417 ) on Sunday June 26, 2011 @09:44AM (#36576178)

    CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!
    CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?
    CSO: 2.7 millions.
    CEO (enraged): 2.7 millions? You waste my time for that? Get the hell out of my office and come back when something serious happens!

    • by Nidi62 ( 1525137 ) on Sunday June 26, 2011 @09:48AM (#36576206)

      CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!

      CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?

      CSO: 2.7 millions.

      CEO (enraged): 2.7 millions? You waste my time for that? I make more than that in bonuses every year, even when we lose money. Get the hell out of my office and come back when something serious happens!

      Fixed that for you

      • I doubt the CEO would tell the CSO that he makes more in bonuses than what the CSO thinks is money. He might get a wee bit pissed at the CEO, and you do NOT want a pissed off CSO as a CEO. He can make your life pretty miserable if he doesn't care about his own.

  • by osgeek ( 239988 ) on Sunday June 26, 2011 @10:03AM (#36576276) Homepage Journal

    If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

    If only credit card numbers weren't special since what really mattered was signed transactions.

    If only every consumer had a personal device capable of signing transactions in his pocket at almost all times.

    Call me a dreamer, but someday in the next hundred years, I think that all those "huge" technological problems could be solved and we could end this problem of having our credit card and social security numbers being exposed.

    • by gweihir ( 88907 )

      Wrong. The simple, easy and obvious solutions is known to anybody that knows the first thing web application security:

      DO NOT KEEP CRITICAL STATE CLIENT_SIDE.

      I do not know what cretins designed this solutions. But the violated very basic principles. If it took the attackers longer than half a day to find this vulnerability, then they are also exceedingly incompetent. It is one of the first things checked in a security evaluation (or hacking attempt).

    • If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.

      In Europe it is often already required to enter a PIN when paying something with a credit card. I am wondering why they didn't introduce it in the USA yet...

      • Because the merchant is liable for fraudulent transactions when no PIN is entered. Liable plus a fine on chargeback. Liable plus a fine plus a threat of increased discount percentage.

        Small businesses are the backbone of modern America: if you want to conquer America you have to break its backbone.

        • Well, then they should simply make it impossible to pay without a PIN. Actually it should've been like that from the start and there wouldn't have been so much problems with stolen credit card numbers.
          • You mean the government, right? The bank has little incentive because it profits from the fraudulent transaction (as long as there's not so much fraud that the banks actually get negative publicity and lose customers to all the great alternatives for online payment).

        • Actually its simple, banks in the US are cheap. Chip and PIN costs money to implement. American Express rolled out chips in their first issue Blue credit card, but later phased it out... cost more then a regular credit card and nobody used the feature (lack of infrastructure in the US, hardly anyone has a chip and PIN terminal here). Same goes for things like implementing two factor authentication for online banking. Its likely the only way a US based bank will improve security is if they are forced to thro
          • Makes sense. FWIW I have a UK Amex Blue card, all recent issues of which have been chip/PIN. It was launched with the simple benefit of straight cashback on all purchases, which is far too generous and lacking in leeching middle men, so I don't think it's offered any more to new customers. Now Amex UK is all "Nectar points" and "BA miles" and other such barrel-scraping bullshit.

          • The cost of the terminal would be paid by the retailers, and they are cheap too. If the card companies and retailers who take the losses don't care why should the government? Europeans like chip-and-pin because they like living in a locked-down society.
            • by Nick Ives ( 317 )

              This is beyond silly. The reason Chip & Pin happened in Europe is because payment card operators in Europe got together and decided to do it. They told retailers they didn't have to use it if they didn't want to, but they would be more liable for fraudulent transactions if they didn't.

              Given that the increased liability would cost more than the chip & pin terminals, everyone moved over.

      • The credit card companies would have to overhaul the entire infrastructure and that would cost money. The goverment could stop giving them tax writeoff's for business losses. That might jump start the process a bit.
    • by gl4ss ( 559668 )
      if they had done the system like that, no pin would help them. the cc number itself was a 'pin' in this context, their billing address being another pin. sms confimations? yeah, that would have helped a bit.
    • Here in Aus they have implemented a new system whereby you do not need to enter a pin or sign if it is a "small" amount (less than $100 at MacD's and less than $35 at Coles / Kmart stores) - Paypass / paywave.

      It's been in for a couple of months, and is gradually gaining acceptance. There's a few problems though; one being the marketing material which clearly states that '.. there is no risk..'.

      Let's see here. If I get mugged, said mugger can use my CC to their heart's content - so long as it is less than $1

  • by gweihir ( 88907 ) on Sunday June 26, 2011 @10:18AM (#36576360)

    Several things went wrong here:

    - "Developers" without a clue about web-application kept critical state client-side. An absolute Noob-mistake. They must not have had any clue what they were doing.

    - The security evaluation was either done by people without basic knowledge of web application security as well, or not done at all. This is one of the first things anybody with at least a bit of knowledge (as in understanding web-mechanisms and having researched on the web for, say, 1/2 day about web application security).

    - Incompetent and greedy management selected / signed off on the development team and the evaluation team (or did without evaluation), without any regard for their actual skills.

    The developers and evaluators should be forbidden to work in IT for the rest of their lives or until they demonstrate strong skills. The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.

    • The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.

      This. For everyone on Wall Street with a title of VP or higher. Now.

    • by Anonymous Coward

      Developer skills? What are you talking about? I'm sure the low bidder won the contract to develop the site, then outsourced it to someone even cheaper so they could get a cut, and the CxO overseeing this sewage system got a nice, fat bonus for coming in under budget. Developer skills were never part of the equation.

      • by nomadic ( 141991 )
        Developer skills were never part of the equation.

        They never are on Slashdot, where all programmers are brilliant, handsome, and competent.
        • by gmhowell ( 26755 )

          Developer skills were never part of the equation.

          They never are on Slashdot, where all programmers are brilliant, handsome, and competent.

          Slashdot HQ is in Lake Woebegone?

      • by gweihir ( 88907 )

        Developer skills? What are you talking about? I'm sure the low bidder won the contract to develop the site, then outsourced it to someone even cheaper so they could get a cut, and the CxO overseeing this sewage system got a nice, fat bonus for coming in under budget. Developer skills were never part of the equation.

        Unfortunately, you are perfectly right. I have seen this several times now. The way to deal with it is make the people getting the bonus personally liable (civilly and criminally) if it goes wrong.

  • .. and yes, my money is safe under the pillow than in a electrified, triple encrypted, titanium vault.
  • by Anonymous Coward

    As in running a perl script that generated a randomly changing URL string and WGETing on it - such sophistication - must be the Chinese again .. :)

    "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, bu

  • by Anonymous Coward

    Visa and MasterCard, which allow middle-man entities to process charges without requiring tertiary security information

  • If only 2.7 million was lost, something seriously fucked up is going on. They should be spending more than that just for a 3rd party to audit their security.
    • by tom229 ( 1640685 )
      That's kinda what I was thinking. Smells a little conspiracy...ey.. to me. We're seeing so much of this lately it almost seems like it's a reason being engineered to squash net neutrality/freedom.
  • Maybe we could use the same technique and recover all of the pension funds looted by Wall Street for the State of Wisconsin?

    -Hack

  • For 10 years when you lost a # to fraud the next card was different by only the last 4 numbers.
  • by IHateEverybody ( 75727 ) on Monday June 27, 2011 @03:29AM (#36581478) Homepage Journal

    They seem to have stolen less than the bankers themselves.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...