Citi Hackers Got Away With $2.7 Million 126
angry tapir writes "Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, but were reportedly able to obtain the numbers, along with the customers' names and contact information, by logging into the Citi Account Online website and guessing account numbers."
Amateur (Score:4, Informative)
Let's not forget that the account numbers were passed with no security in the URL. I think I'll be canceling my Citi card (when I pay it off...).
Re: (Score:3, Insightful)
You should do that even if it wasn't for this security breach. Big banks like Citi have been defrauding everyone including sucking money off the taxpayer teat courtesy of its puppet politicians.
Why anyone knowing that would want to continue being their customer is beyond me. Use a local credit union instead.
Re: (Score:3)
Re:Amateur (Score:5, Informative)
Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.
They are much, much more transparent than banks and frequently totally transparent in both their books and operations.
For example, I found that my place of work has a credit union. Its sole purpose is basically to make affordable car loans to employees. There is no online banking, no ATMs, and just one office open 3 hours a day, 4 days a week. Almost no one has a "checking" account there, because they offer only the barest minimum of service.
What they do offer is savings accounts and auto loans and very reasonable rates. No, they don't offer mortgages.
They're chartered, insured and totally transparent to members -- 95% of which see each other on an almost daily basis.
Re: (Score:3)
Credit Unions are non-profit organizations, with totally different goals. It is possible, and not uncommon, to have smaller credit unions that are just a few dozen to a few hundred people.
They are much, much more transparent than banks and frequently totally transparent in both their books and operations.
Apparently, Texans CU didn't get the memo:
http://www.cutimes.com/2009/12/23/management-shakeup-lawsuits-cuso-bankruptcy-plagued-texans-cu [cutimes.com]
http://www.cutimes.com/2011/04/27/credit-union-industry-reacts-to-fai [cutimes.com]
Re: (Score:3)
Yes. Right now, I take size into account when I consider the trustworthiness of a credit union. Texans, with their 16 physical locations in over a dozen different cities and even more ATMs, would be "too big" in my estimation.
Smaller isn't always better, because it is quite possible to be "too small". I can't give you a hard number, but and more than 5 branches and I'd be thinking of them as a normal "bank".
being not-for-profit... (Score:2)
... while it means that they don't have the goal of maximizing shareholder's equity, doesn't meant that they don't exhibit profit-seeking behavior. It just means that the profit isn't paid out in the form of dividends. It could, as one example, be paid out in the form of executive compensation.
Moreover, many credit unions are for-profit concerns. But the dividends go to account holders rather than third-party investors that don't deposit money into the credit union. And the money that is deposited is used b
Re: (Score:2)
So, basically you're saying you have a very specialized CU for a small number of people that basically does nothing in general? Great, go sign rubycodez up right now! Except that would be just stupid.
Re: (Score:2)
Re: (Score:2)
No, the point of my post is that credit unions can offer a variety of services, ranging from the very specialized to full-service banking. This makes it easier to find something that is a more comfortable fit for you individually.
However, their model is different from for-profit banks. In a credit union, the shareholders of the company are the depositors on record. "Maximizing shareholder value" has a totally different meaning than it does for banking corporations. For instance, cramming as many fees and se
Re: (Score:2)
Two words: cash back. Also, I've never seen a credit union that offered true credit cards. Debit cards, sure, but I'm not comfortable using a debit card anywhere unless I've been shopping there for years, because all it takes is one sleazy employee cloning your stripe, and somebody can then guess your PIN numbers and clear out your account without actually stealing your card. And because it is a debit card, your liability when this happens is unlimited.
Re: (Score:2)
Read my post again, I wasn't criticizing credit cards.
Re:Amateur (Score:4, Informative)
Re: (Score:2)
I've never had a bank or credit union that didn't pre-assign an initial PIN. Odds are, yours did, too. And just to be cynical, the bad guys probably know what it is already, even if you don't.
Re: (Score:2)
Yeah, but if all their customers leave it will just lead to another bailout by the government.
Look at the airlines: many of them lost their asses when air travel became so much of a hassle and fee-minefield that people stopped flying and started driving/riding the train/bus. Of course, the government was like "No! We're a rich successful country, and we can't let a big industry fail even if they're morons! That makes our country look weak. Cash! Throw it at them hard and quick!"
Welcome to the 21st century,
Re: (Score:2)
Small regional banks are pretty good, too. Just watch for signs of being overextended and/or being gobbled up by one of the big boys.
Re: (Score:2)
Re: (Score:2)
Use a local credit union instead.
You only really get those in the US, plus why would I trust a small organisation with limited capital to look after my money? Are deposits guaranteed as with proper banks?
Re: (Score:2)
Citibank is the worst. They needed to be bailed out after taking on too much risk every few decades. Read up on their history.
Re: (Score:2)
You can cancel your account while still paying it off. It's actually a good thing to do, as it will keep you from charging any more (and prevent fraud charges).
Just make sure you switch to paper statements first, as once you cancel/close your account, you can't access statements online anymore.
I had my CitiBank card compromised twice in one month. The first time I called and told them, and they canceled the account number and overnighted me a replacement card. It sat in the overnight envelope on my coffe
Re: (Score:2)
2.7million USD (Score:2, Funny)
Citigroup suffered about US$2.7 million in losses
- dollars?
Nothing of value was lost.
Re: (Score:3)
I guess when you're used to getting billions in bailouts, millions don't really register as an amount anymore.
Re: (Score:3)
Re: (Score:2)
Ooooh, a couple mill (Score:1)
Call me when there's news of the billions in cash that mysteriously was lost in Iraq.
Re: (Score:3)
I got a slice of it after receiving an offer in my email yesterday.
Re: (Score:2)
All you have to do is send a blank check to this Nigerian prince...
Re: (Score:2)
All you have to do is send a blank check to this Nigerian prince...
When you do send it, don't forget to sign it "Bernie Madoff".
PCI compliant? (Score:3)
I find this funny and sad at the same time. Their PCI certification needs to be revoked. Besides it has been done before to Citi. http://redmondmag.com/articles/2008/07/02/citibank-hack-shines-light-on-pci-compliance.aspx [redmondmag.com] . if a bank can't be compliant then the PCI needs to be abolished because it appears to mean nothing to large financial institutions.
Re: (Score:2)
Any regulation that depends on enforcement from someone whose congressional superiors you can simply bribe away with campaign contributions will fail.
Re:PCI compliant? (Score:5, Insightful)
Compliance auditing is a circle jerk business. It's like peer review, just worse, insofar that there are no "honest" people in the game that could debunk the scheme. They're all in for the money.
One thing you learn quickly as a young, aspiring and motivated auditor is that your job is not to test whether the company you audit is compliant. Your job is to make sure they are. Why? Because we want to be rehired for the checkup in a year, DUH! And because your first audit in a company is your foot in the door for other audits, and especially with BIG companies, there's a lot of things you can audit and certify, and all means moolah. Being "stubborn" means that your company will not be rehired and you will be fired.
Quick question for 100 (or, in auditor's terms, 5 minutes of work): What's your goal when auditing?
So I don't fear for their PCI cert. They will certainly be audited, this hole will be sealed, a lot of checkboxes will be ticked off (btw, transfer security is a very minor point in PCI-DSS compliance. Don't ask me why, I didn't make the cert requirements, I just have to endure them) and they will pass.
Re:PCI compliant? (Score:4, Insightful)
What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its employees should be held liable for any damages.
That one small change to the legal code would end the practices you describe in a heartbeat.
Re: (Score:3)
What's needed here is strict liability. If your company performs an audit and declares that a company is in compliance and it is later determined that they were not at the time of your audit, your auditing firm and its corporate officers should be held liable for any damages.
FTFY.
For all you know the people performing the audit are contractors or employees under orders from their management to certify the audit no matter what they actually find.
Re: (Score:2)
Right, so management needs to be financially and criminally held liable for this sort of thing. If it affects their pocket book and they might face jail time for not following the rules, perhaps they'll be something done differently?
Re: (Score:2)
So the freedom of the CEO of a auditing company hinges on his auditors ability to do their job? I somehow don't think that's a good idea, a disgruntled employee might abuse that power fairly quickly.
If we're talking about the company that actually drops the ball and leaks data, we can talk. If the CEO neglects security to the point where he cannot show that he has done what is reasonably possible (educate his staff, hire security auditors that don't just check off boxes but actually audit the shit out of hi
Re: (Score:2)
Somehow you've missed what I'm saying. This is not about leaking data. I'm not even talking about inept auditors. This is about an auditor finding problems, and management telling them to ignore them, not report them, and/or minimize them.
Perhaps you've never had to deal with management with this sort of thing? It happens all the time, but if you want to keep your job you just document it in your private files and leave it at that.
Re: (Score:2)
I have, and what am I going to do? Send the incriminating order (which I'd have to gain with illegal means, since recording people without their consent is not legal in my country and you may rest assured that you'll NEVER get an order like that by mail) to Wikileaks? My next job would include the phrase "want fries with that".
The main problem is that everyone involved has a vested interest in not performing at peak level. Hell, what do you think is easier, to ignore security holes (and pretend I just misse
Re:PCI compliant? (Score:4, Interesting)
Aside from this not happening, it's also not feasible. And, bluntly, it wouldn't increase security one bit.
I gave it in detail in a similar topic, compliance with security laws has nothing to do with security as the average IT person sees it. Consider this: It takes months (sometimes years) from detecting a security problem, formulating a law/compliance test around it, implement the test, implement the checkbox-ticker-form, get companies compliant and finally tack a "audited and passed" sticker to it. ISO27001 is currently current in the 2005 version. 2005. I think nobody here would consider himself secure if he is secure against everything known by 2005.
To counter this, the requirements to pass the test are usually very broadly defined and in a quite unspecific way. There's a lot of talk about "reasonable security" and "state of the art/best practice", as well as securing "against current threats". There is a lot of talk about what has to be done, leaving the how completely open. Or, to give an example, you have to have a firewall that protects against current threats. It says nowhere what this may be. Or how "current" is defined. And here's where the whole mess starts to hit the fan.
What is a "current threat"? What is "reasonably well secured"? What is "state of the art"? And most of all, what would happen if you make us circle jerks liable for our blunders? Well, we'd define what a current threat is, what reasonably good security is and also what's state of the art is. Who else could? The (snicker) government? If that's the case, I have no worries that I'll ALWAYS be auditing by best practice standards, they'd probably be from 1980something. And rest assured that we'll always cover our respective backs when it comes to the question whether one of us audited perfectly. You don't piss off the people you work with in this trade, it comes back so terribly quickly, and there ain't that many companies that can actually do an ITSEC audit, so there is no heated competition. Hell, we hire each other to reaudit our own certs, take a wild guess how much we hate each other...
The solution is much simpler. First of all, get rid of all those fancy security stickers that get so much credibility but actually mean jack when it comes to security. Second, make companies care about security, and tack a fine on it that actually HURTS. As a neat side effect, it might reduce the data hunger some companies started to develop, since every bit they store might come back to bite them in their ass. In today's economy, it might actually already be sufficient to say that a company that can't get its act together is banned from bailouts. The rest will fall into place by itself.
Re: (Score:2)
You make some good points, and it's not just PCI, but various government security standards too...
You have a list of "approved products", a list which is very expensive and time consuming to get on to. As a result, the approved products tend to be several releases behind and often have known vulnerabilities.. You also ensure that only a few vendors will bother to go through the process thus creating a cartel and forcing smaller players or open source out of the market. Few of those vendors will bother certi
Re: (Score:2)
And lemme guess: There's nobody actually overseeing those rules, unless they want your company to have troubles?
Our jobs ain't so different.
Re:PCI compliant? (Score:4, Insightful)
They need a way to fine the auditor to the point of bankrupting them for effectively "lying"
Re: (Score:2)
The employee of the auditing corp? Be reasonable, he was probably facing the decision of signing a cert or being fired.
That won't change jack. Now, if his CEO would have to face personal responsibility... but then, could you see a mere auditor holding the CEO of a huge international auditing co at his balls? Be nice or I sign this bogus cert?
Give companies an incentive to be secure besides getting useless certificates that certify nothing and you'll see change. Nothing else will.
Re: (Score:2)
This is where whistle-blower laws need to be improved. Should a CEO or management do this, they should be financially penalized and face jail time, and the whistle blower should be financially well taken care of.
Basically, and auditor should be untouchable. They should be able to follow the rules, and if not, huge fines should face the management and a large portion of that should go to the auditor.
Auditor's personal financial records need to be an open book, otherwise this would set them up to be able to
Re: (Score:2)
Heh, while I like the idea of being untouchable, I doubt it's a good idea either. You could easily hold whole corporations ransom or, in case you don't like them, keep failing them. There needn't be even any monetary incentives to do so if the auditor in question has a personal grunge against a certain company.
In other words, don't send me to audit Sony.
The whole process needs an overhaul. And I don't think creating overly complicated rules or regulations is going to do it, neither is sending CEOs to prison
Re:PCI compliant? (Score:5, Informative)
Re: (Score:2)
Compliance auditing is a circle jerk business. It's like peer review, just worse...
God, this reminds me of code reviews. I would send them out, and get back a "Looks good!" email... to which I would note that in the time between me sending them the code review and me receiving their "looks good!" I found two bugs and one of them was a flagrant syntax error.
I tried to reform the process, but imagine how well that went over? If you said that I got the response "looks good!" and then it was never touched again, you'd be right.
Re: (Score:2)
Code reviews don't mean that someone reads your code. Don't be deluded into thinking that I'd have the time to read thousands of lines of source code, find out what the coder actually wants to do with it and painstakingly follow every variable through its lifetime, and make sure that all mem leaks are sealed. That's none of my business. I don't debug your code, I check it for security holes.
Say we're looking at the review of a PHP created webpage. Do I care whether you display the results correctly? Probabl
Re: (Score:2)
Code reviews don't mean that someone reads your code. Don't be deluded into thinking that I'd have the time to read thousands of lines of source code, find out what the coder actually wants to do with it and painstakingly follow every variable through its lifetime, and make sure that all mem leaks are sealed. That's none of my business. I don't debug your code, I check it for security holes.
Say we're looking at the review of a PHP created webpage. Do I care whether you display the results correctly? Probably not, unless it is explicitly part of the review. I'll look for the lines that deal with database access, cookies and XSS vulnerabilities. Whether your results are correct or whether it looks like a monkey tried to write HTML is usually not the scope of a security code review.
And all of the same bugs were skipped and missed in the code reviews I've seen.
And how do you check all that stuff without reading the code for real? And if you don't have time to sit down and read-through and understand everything I wrote, why aren't there people whose job it is to do precisely that. Journalism and publishers have editors whose job is explicitly to read and understand and provide feedback. If we're relying upon other writers to do the exact same thing, when they're too busy to read anythin
Re: (Score:2)
There are still editors? I thought they went down the road of the dodo along with the typesetters and the layouters.
Code reviews are not there to find bugs. Code reviews are there to get a signature on certificate. And I'm not arrogant, just jaded.and disillusioned.
Re: (Score:2)
There are still editors? I thought they went down the road of the dodo along with the typesetters and the layouters.
Code reviews are not there to find bugs. Code reviews are there to get a signature on certificate. And I'm not arrogant, just jaded.and disillusioned.
I think we're running into an is/ought problem... I'm saying the purpose of code reviews ought be to find bugs, and help correct them. You're saying that code reviews regardless of what they ought be, are in fact actually just signatures on a form in order to permit a check-in, and thus get degraded down to the most minimal aspect... no review, just a sign off.
I can't hardly argue with you about what reality actually is, as it's pretty much what I'm complaining about. And since you declare yourself to be ja
Re: (Score:2)
Ok, you're right. From the is/ought to be point of view, of course a code review should be more than a checkbox-ticking chore. The problem is that nobody in the game WANTS it to be more than that.
The auditor doesn't want to, because while getting paid by the hour, no customer would agree to you spending about as much time reading code than the programmer spent writing it, just at about the triple (or more, hey, I'm actually cheap...) hourly rate. Plus, bluntly, reading the n-th php code dealing with databas
Re: (Score:2)
So, who do you think would complain?
That pedantic bitch that everyone doesn't like, because she makes them do real code reviews, rather than just checking off boxes? You know, because if she's going to do something, she's going to do it right...
My ex-boss also didn't like me doing root-cause analysis and figuring out what really caused XY bug/error/failure. He just wanted it fixed, and for me to move on.
Re: (Score:2)
That bitch gets fired before she's done complaining. She's keeping the company from getting certified, she's working against the interests of the company, she needs to leave. That's the sad truth, despite her being the only person in the whole process that shows responsibility, and would probably actually save the company a lot of money in the long run when (not if) a bug causes damage.
Re: (Score:2)
That bitch gets fired before she's done complaining. She's keeping the company from getting certified, she's working against the interests of the company, she needs to leave. That's the sad truth, despite her being the only person in the whole process that shows responsibility, and would probably actually save the company a lot of money in the long run when (not if) a bug causes damage.
Except she's the best programmer in the group... thus, you direct her outrage at code reviews in order to implement a reform of the code reviews, she wastes months and months on the reform, then once it is complete, you don't implement it, and then you start working on firing her... (you don't fire her immediately, because you have your HR department to CYA so she doesn't sue for discrimination, you know, given that women comprise some 10% of computer programmers in many organisations.)
Sounds like you know
Re: (Score:2)
Ah the beauty of just providing the tools for the people doing the "tests". I feel for you. The part where a client gets pwnd and you were the one confirming their compliance rocks. I've had more than one call that start, "I'm the new guy" because of it. Anyway, money. Sure wish I was the guy with lots of it.
Re: (Score:2)
At first, I was worried when a company that I audited got pwned. Then I was bothered. Now I just open a new window and read Dilbert, and 5 seconds later I forgot about it.
In all seriousness. First I was worried that I might be liable. I'm not. If I ticked down the checkboxes correctly, I'm not. Then I was bothered that they simply ignored my recommendations because they didn't give half a shit about their own security after they got the signature on the all-holy toilet paper called certificate. Now I guess
Re: (Score:2)
I say we return to VLB. When the central processors and the peripheries are forced to work at the same pace, there is less opportunity for corruption. Sure, it might mean the former needs to slow down a bit, but that's essential in dealing with any sleight of hand issues.
Re: (Score:2)
PCI isn't security. No set of rules mandated by people that don't understand IT could be. PCI, SOx, and all the other government mandated rules are just well intentioned attempts to tell people how to get security. It can't cover every aspect needed so it's doomed to failure.
Re: (Score:2)
PCI needs to be clarified and enforced properly. If you've read the spec (I have), you'd realize how utterly vague parts of it are, and pointless other parts are. There are some perfectly valid things in there that should be second nature to anyone but never hurts to have on a checklist (run firewalls, do not use default passwords on your software, etc.), some things that are good to have (unless there's a business requirement to do so such as in an admin panel, do not display more than bin+last4 of card)
Re: (Score:2)
Well I also wonder if Visa and MC would actually fine Citibank considering how much revenue they derive from their card holders. PCI was supposed to help reduce the amount of fraud by enforcing minimum security standards on people accepting payments and dealing in the transaction stream. It remains to be seen if now a large financial institution will be held accountable by the PCI consortium for these actions. I definitely know the FTC would be involved but again, they'll get a slap on the wrist because
Re: (Score:3)
I wish I still had mod points to bump up your comment. The whole PCI compliance scam is a pet peeve of mine. I own a hardware store and we're fully compliant, but it cost a bunch and is a real pain considering that we're trying to protect credit cards and a system that is essentially poorly secured in the first place. There are thousands and thousands of independent business owners that are not anywhere near compliant, and they have no clue how to get in compliance. They are just scared that when a brea
Can you see the dialogue happen at citi? (Score:3)
CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards! ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?
CEO: This
CSO: 2.7 millions.
CEO (enraged): 2.7 millions? You waste my time for that? Get the hell out of my office and come back when something serious happens!
Re:Can you see the dialogue happen at citi? (Score:5, Funny)
CSO: Sir, we had a security breach! Credit card data was stolen and we lost money. We should up our security budget and improve our security standards!
CEO: This ... is bad, right? But ... no, I'll just tell finance to add the damage to our next bailout request. How much is it?
CSO: 2.7 millions.
CEO (enraged): 2.7 millions? You waste my time for that? I make more than that in bonuses every year, even when we lose money. Get the hell out of my office and come back when something serious happens!
Fixed that for you
Re: (Score:2)
I doubt the CEO would tell the CSO that he makes more in bonuses than what the CSO thinks is money. He might get a wee bit pissed at the CEO, and you do NOT want a pissed off CSO as a CEO. He can make your life pretty miserable if he doesn't care about his own.
Re: (Score:2)
Re: (Score:2)
In this case, are they hiring?
I'm not for sale, but nobody said anything about renting. ;)
This problem just cannot be solved (Score:3)
If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.
If only credit card numbers weren't special since what really mattered was signed transactions.
If only every consumer had a personal device capable of signing transactions in his pocket at almost all times.
Call me a dreamer, but someday in the next hundred years, I think that all those "huge" technological problems could be solved and we could end this problem of having our credit card and social security numbers being exposed.
Re: (Score:2)
Wrong. The simple, easy and obvious solutions is known to anybody that knows the first thing web application security:
DO NOT KEEP CRITICAL STATE CLIENT_SIDE.
I do not know what cretins designed this solutions. But the violated very basic principles. If it took the attackers longer than half a day to find this vulnerability, then they are also exceedingly incompetent. It is one of the first things checked in a security evaluation (or hacking attempt).
Re: (Score:2)
Agreed. I think the two options here are EMV and old-fashioned paper for credit cards. In the later case they may ask for an ID on larger sums. Have not seem mag-stripe for a long time.
Re: (Score:1)
If only there was a way to have credit card owners approve each charge through the entering of some kind of a pin.
In Europe it is often already required to enter a PIN when paying something with a credit card. I am wondering why they didn't introduce it in the USA yet...
Re: (Score:3)
Because the merchant is liable for fraudulent transactions when no PIN is entered. Liable plus a fine on chargeback. Liable plus a fine plus a threat of increased discount percentage.
Small businesses are the backbone of modern America: if you want to conquer America you have to break its backbone.
Re: (Score:2)
Re: (Score:2)
You mean the government, right? The bank has little incentive because it profits from the fraudulent transaction (as long as there's not so much fraud that the banks actually get negative publicity and lose customers to all the great alternatives for online payment).
Re: (Score:3)
Re: (Score:2)
Makes sense. FWIW I have a UK Amex Blue card, all recent issues of which have been chip/PIN. It was launched with the simple benefit of straight cashback on all purchases, which is far too generous and lacking in leeching middle men, so I don't think it's offered any more to new customers. Now Amex UK is all "Nectar points" and "BA miles" and other such barrel-scraping bullshit.
Re: (Score:2)
Re: (Score:3)
This is beyond silly. The reason Chip & Pin happened in Europe is because payment card operators in Europe got together and decided to do it. They told retailers they didn't have to use it if they didn't want to, but they would be more liable for fraudulent transactions if they didn't.
Given that the increased liability would cost more than the chip & pin terminals, everyone moved over.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
So now my mobile 'phone is the device which gets cracked and keylogged for access to the signing certificates which approve dozens of credit card transactions?
I understand your proposal but I hear it as, "Now, rather than only keeping it in your head and typing it on dedicated terminals, you enter your PIN-substitute on a computer you use for general Internet access etc."
Re: (Score:1)
Asking for it (Score:2)
Here in Aus they have implemented a new system whereby you do not need to enter a pin or sign if it is a "small" amount (less than $100 at MacD's and less than $35 at Coles / Kmart stores) - Paypass / paywave.
It's been in for a couple of months, and is gradually gaining acceptance. There's a few problems though; one being the marketing material which clearly states that '.. there is no risk..'.
Let's see here. If I get mugged, said mugger can use my CC to their heart's content - so long as it is less than $1
Most insecure ebanking ever. (Score:4, Insightful)
Several things went wrong here:
- "Developers" without a clue about web-application kept critical state client-side. An absolute Noob-mistake. They must not have had any clue what they were doing.
- The security evaluation was either done by people without basic knowledge of web application security as well, or not done at all. This is one of the first things anybody with at least a bit of knowledge (as in understanding web-mechanisms and having researched on the web for, say, 1/2 day about web application security).
- Incompetent and greedy management selected / signed off on the development team and the evaluation team (or did without evaluation), without any regard for their actual skills.
The developers and evaluators should be forbidden to work in IT for the rest of their lives or until they demonstrate strong skills. The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.
Re: (Score:2)
The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in management or any other place where they have the power to make decisions for an organization.
This. For everyone on Wall Street with a title of VP or higher. Now.
Re: (Score:2)
Many companies refuse to approve implementing costly security, and will fire techies who raise concerns about that too often and then hire incompetent techies who don't think to question the lack of security.
Who is really at fault in this case, the fool or the fool who hired him.
Re: (Score:1)
Developer skills? What are you talking about? I'm sure the low bidder won the contract to develop the site, then outsourced it to someone even cheaper so they could get a cut, and the CxO overseeing this sewage system got a nice, fat bonus for coming in under budget. Developer skills were never part of the equation.
Re: (Score:2)
They never are on Slashdot, where all programmers are brilliant, handsome, and competent.
Re: (Score:2)
Developer skills were never part of the equation.
They never are on Slashdot, where all programmers are brilliant, handsome, and competent.
Slashdot HQ is in Lake Woebegone?
Re: (Score:2)
Developer skills? What are you talking about? I'm sure the low bidder won the contract to develop the site, then outsourced it to someone even cheaper so they could get a cut, and the CxO overseeing this sewage system got a nice, fat bonus for coming in under budget. Developer skills were never part of the equation.
Unfortunately, you are perfectly right. I have seen this several times now. The way to deal with it is make the people getting the bonus personally liable (civilly and criminally) if it goes wrong.
Re: (Score:2)
The developers and evaluators should be forbidden to work. The managers responsible, however should go to prison, pay for the damage out of their own pockets and should be banned for life from working in any place where they have the power to make decisions of any kind.
There, fixed that for you.
Well, a bit harsh, but I cannot say I fundamentally disagree.
Can you tell I'm a web developer that's fed up with guys like these making me look bad just because I happen to be in the same field? End users can't tell the difference between my code and there's because when mine doesn't do this, there's no way for them to understand it couldn't do this (encrypt, and even then don't trust client information). Most end users don't understand anything about this problem, no matter how it is described to them. They just see some overpaid programmer who screwed up.
That is why you need to have competent (and preferably outside) evaluation for anything that has security functionality. Of course, that is expensive and does not add to the functionality. Even worse, if the security folks say, "this is not secure", or even worse, "no way can this be made secure, you project failed" the manager in question is exposed as incompetent (as he/she should be). So the people that would need to get the security evaluation done have the most to lose. On the other hand, that is possi
Oh the irony... (Score:2)
-2008: Citi's Market Montage Solution Supports 200,000 Updates per Second with SQL Server 2005 [microsoft.com]
- june 2011: Citigroup hacker attack affected more customers than first thought [latimes.com]
-a week later, in the neighborhood of Redmont (about the PSN outage): "As a company, you can look back 8, 9 years ago, when Bill Gates wrote his Trustworthy Computing Memo that basically said, 'We need to change the way we architect our products and it has to be de [industrygamers.com]
sigh! (Score:1)
They did it using URL stuffing (Score:1)
As in running a perl script that generated a randomly changing URL string and WGETing on it - such sophistication - must be the Chinese again .. :)
"Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges. Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn't get into Citi's main credit card processing system, bu
this is the fault of ... (Score:1)
Visa and MasterCard, which allow middle-man entities to process charges without requiring tertiary security information
That's all? (Score:2)
Re: (Score:1)
Wisconsin Pensions (Score:1)
Maybe we could use the same technique and recover all of the pension funds looted by Wall Street for the State of Wisconsin?
-Hack
Numbers (Score:2)
Find them and put them in charge (Score:5, Funny)
They seem to have stolen less than the bankers themselves.