Citi Hackers Got Away With $2.7 Million
angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."
Re:Amateur (Score:3, Insightful)
You should do that even if it weren't for this security breach. Big banks like Citi have been defrauding everyone, including sucking money off the taxpayer teat courtesy of their puppet politicians.
Why anyone knowing that would want to continue being their customer is beyond me. Use a local credit union instead.
Re:PCI compliant? (Score:5, Insightful)
Compliance auditing is a circle jerk business. It's like peer review, just worse, insofar as there are no "honest" people in the game who could debunk the scheme. They're all in it for the money.
One thing you learn quickly as a young, aspiring and motivated auditor is that your job is not to test whether the company you audit is compliant. Your job is to make sure they are. Why? Because we want to be rehired for the checkup in a year, DUH! And because your first audit in a company is your foot in the door for other audits, and especially with BIG companies there are a lot of things you can audit and certify, and all of it means moolah. Being "stubborn" means that your company will not be rehired and you will be fired.
Quick question for 100 (or, in auditor's terms, 5 minutes of work): What's your goal when auditing?
So I don't fear for their PCI cert. They will certainly be audited, this hole will be sealed, a lot of checkboxes will be ticked off (btw, transfer security is a very minor point in PCI-DSS compliance. Don't ask me why, I didn't make the cert requirements, I just have to endure them) and they will pass.
Most insecure ebanking ever. (Score:4, Insightful)
Several things went wrong here:
- "Developers" without a clue about web applications kept critical state client-side. An absolute noob mistake. They must not have had any clue what they were doing.
- The security evaluation was either done by people without basic knowledge of web application security as well, or not done at all. This is one of the first things anybody with at least a bit of knowledge (as in understanding web mechanisms and having researched web application security on the web for, say, half a day) would check.
- Incompetent and greedy management selected / signed off on the development team and the evaluation team (or did without evaluation), without any regard for their actual skills.
The developers and evaluators should be forbidden from working in IT for the rest of their lives or until they demonstrate strong skills. The managers responsible, however, should go to prison, pay for the damage out of their own pockets and be banned for life from working in management or any other place where they have the power to make decisions for an organization.
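The failure the commenter calls "critical state kept client-side" is the pattern described in the summary: once logged in, the account being viewed is chosen by a client-supplied account number rather than by the server-side session, so one valid login plus sequential guessing harvests other customers' records. The block below is an added illustration written for this page, not Citi's code and not from the original post; the account numbers, customer IDs, names and session store are constructed sample data, and both handlers are hypothetical. It places the vulnerable lookup beside a hardened one that binds the lookup to the authenticated customer and returns the same error for missing and foreign accounts, then runs the same guessing loop against each.

```python
"""Added example (not Citi's code, not from the original post).

Vulnerable vs. hardened account lookup: the vulnerable handler trusts a
client-supplied account number after login; the hardened handler derives
authorization from the server-side session. All data below is constructed.
"""
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Account:
    number: str   # 16-digit account number (constructed)
    owner: str    # customer id (constructed)
    name: str
    email: str


# Constructed sample data: sequential numbers make guessing trivial.
ACCOUNTS = {
    a.number: a for a in (
        Account("4000000000000001", "cust-1", "Alice Example", "alice@example.com"),
        Account("4000000000000002", "cust-2", "Bob Example", "bob@example.com"),
        Account("4000000000000003", "cust-3", "Carol Example", "carol@example.com"),
        Account("4000000000000007", "cust-4", "Dan Example", "dan@example.com"),
    )
}

# Constructed session store: opaque session id -> authenticated customer id.
SESSIONS = {"sess-alice": "cust-1"}


def vulnerable_account_view(session_id: str, requested_number: str) -> Optional[Account]:
    """Checks only that the caller is logged in, then returns whatever account
    the client asked for. The "which account?" decision lives in
    client-controlled input, so any logged-in user can enumerate."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return ACCOUNTS.get(requested_number)


def hardened_account_view(session_id: str, requested_number: str) -> Account:
    """Derives the owner from the server-side session and refuses any account
    that does not belong to that customer. Missing and foreign accounts get
    the same error so the response does not act as an existence oracle."""
    customer = SESSIONS.get(session_id)
    if customer is None:
        raise PermissionError("not logged in")
    account = ACCOUNTS.get(requested_number)
    if account is None or account.owner != customer:
        raise PermissionError("no such account for this customer")
    return account


def enumerate_accounts(view: Callable[[str, str], Optional[Account]],
                       session_id: str, start: int, count: int) -> List[str]:
    """Simulates the attacker: one valid login, then sequential guesses.
    Returns the account numbers the handler disclosed."""
    harvested: List[str] = []
    for n in range(start, start + count):
        try:
            account = view(session_id, f"{n:016d}")
        except PermissionError:
            continue
        if account is not None:
            harvested.append(account.number)
    return harvested


if __name__ == "__main__":
    base = 4000000000000000
    print("vulnerable:", enumerate_accounts(vulnerable_account_view, "sess-alice", base, 10))
    print("hardened:  ", enumerate_accounts(hardened_account_view, "sess-alice", base, 10))
```

The enumeration loop is identical in both runs; only the handler changes. Against the vulnerable handler a single session walks out with every account in the guessed range, against the hardened one it gets back nothing but its own. In a real deployment the hardened check would also be paired with rate limiting on lookups per session, since a burst of rejected account numbers from one login is exactly the signal this attack leaves behind.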
Re:PCI compliant? (Score:4, Insightful)
What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its employees should be held liable for any damages.
That one small change to the legal code would end the practices you describe in a heartbeat.
Re:PCI compliant? (Score:4, Insightful)
They need a way to fine the auditor to the point of bankrupting them for effectively "lying".