Citi Hackers Got Away With $2.7 Million 126
angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."
Re:PCI compliant? (Score:4, Interesting)
Aside from this not happening, it's also not feasible. And, bluntly, it wouldn't increase security one bit.
I gave it in detail in a similar topic, compliance with security laws has nothing to do with security as the average IT person sees it. Consider this: It takes months (sometimes years) from detecting a security problem, formulating a law/compliance test around it, implement the test, implement the checkbox-ticker-form, get companies compliant and finally tack a "audited and passed" sticker to it. ISO27001 is currently current in the 2005 version. 2005. I think nobody here would consider himself secure if he is secure against everything known by 2005.
To counter this, the requirements to pass the test are usually very broadly defined and in a quite unspecific way. There's a lot of talk about "reasonable security" and "state of the art/best practice", as well as securing "against current threats". There is a lot of talk about what has to be done, leaving the how completely open. Or, to give an example, you have to have a firewall that protects against current threats. It says nowhere what this may be. Or how "current" is defined. And here's where the whole mess starts to hit the fan.
What is a "current threat"? What is "reasonably well secured"? What is "state of the art"? And most of all, what would happen if you make us circle jerks liable for our blunders? Well, we'd define what a current threat is, what reasonably good security is and also what's state of the art is. Who else could? The (snicker) government? If that's the case, I have no worries that I'll ALWAYS be auditing by best practice standards, they'd probably be from 1980something. And rest assured that we'll always cover our respective backs when it comes to the question whether one of us audited perfectly. You don't piss off the people you work with in this trade, it comes back so terribly quickly, and there ain't that many companies that can actually do an ITSEC audit, so there is no heated competition. Hell, we hire each other to reaudit our own certs, take a wild guess how much we hate each other...
The solution is much simpler. First of all, get rid of all those fancy security stickers that get so much credibility but actually mean jack when it comes to security. Second, make companies care about security, and tack a fine on it that actually HURTS. As a neat side effect, it might reduce the data hunger some companies started to develop, since every bit they store might come back to bite them in their ass. In today's economy, it might actually already be sufficient to say that a company that can't get its act together is banned from bailouts. The rest will fall into place by itself.