Citi Breach: A Warning to BanksExperts: No Institution is Immune to Today's Sophisticated Attacks
"The industry thought that putting Albert Gonzalez away was the end of large scale card hacking," says Mike Urban, senior director of fraud solutions for FICO, provider of fraud analytics and detection technology. "What we are seeing is a major resurgence in hacking, targeting the smallest to the largest endpoints where card or consumer data lives."
Tom Wills, a fraud analyst at Javelin Strategy & Research, says banks are losing the fraud fight because they aren't focusing on the right things. "Even though Citi - and the major banks in general - clearly takes security seriously and invests significant resources to protect its data assets, something like this can still happen," he says.
Citigroup confirmed June 9 that a breach of its Citi Account Online platform had been accessed by an "unauthorized user." Citi spokesman Sean Kevelighan says the banking corporation has implemented enhanced security procedures, "to prevent a recurrence of this type of event."
"A limited number - roughly 1 percent - of Citi North America bankcard customers' account information [such as name, account number and contact information, including e-mail address] was viewed," Kevelighan said. "The customer's Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted."
Citi has approximately 21 million card customers.
Lessons LearnedHow hackers broke into Citi's online system is not the main lesson for financial institutions, Wills says. The need for more sophisticated fraud detection is. "Even when you fund your security program well, hire first-rate professionals and follow best practices - and major global banks like Citi do exactly that as a rule - you're dealing with an extremely complex problem set that has literally millions of failure points," he says. "That makes 100 percent ironclad protection an impractical goal. The best you can aim for is to cover the biggest threats with the biggest impact."
None of this excuses the breach, Wills adds. "If Citi is wise, they'll do some serious reflection, and make sure this particular failure doesn't repeat itself."
Urban says with few known details about how the breach actually happened, it's difficult say which endpoint or access point may have been compromised, such as through a third party. "[It] could be anywhere, but sounds like they hit them directly," he says. "This is yet another [incident] in what is turning into a major 'breach streak,' which will make all of us rethink what information security really means."
The Citi hack comes on the heels of a number of highly publicized incidents, including breaches of Google's Gmail, Sony, Epsilon and RSA Security, which earlier this week announced that the March breach of its SecurID multifactor authentication tokens was linked to subsequent breaches at Lockheed Martin Corp. and L-3 Communications Holdings Inc. Lockheed and L-3 are both government contractors. [See RSA: SecurID Hack Tied to Lockheed Attack and Sony, Epsilon Testify Before Congress.]
Lockheed, the country's largest military contractor discovered a breach of its systems on May 21. RSA is now working to replace its customers' authentication tokens and says it will provide additional factors to strengthen all of its authentication products. [See RSA to Get Its First Chief Security Officer.]
Hackers have the advantage, Javelin's Wills says. And like most breaches, the biggest worry for Citi right now should be its reputation. "The biggest damage for Citi is probably going to be reputational, because the hackers apparently didn't pull enough customer data to commit out-and-out fraud," Wills says. "But I won't be surprised to see it used in phishing and other social-engineering attacks - or aggregated with other compromised customer data to commit fraud, which is the bad guys' modus operandi these days."
Breach Raises Questions About Notification
Neal O'Farrell, founder of the Identity Theft Council, a support group for victims of identity theft, says the "slow drip" of breach information and facts is really what most hurts reputation, because it adversely affects the consumers and companies affected by the breach.
"I'm a Citi customer, have been for years. I still can't find any answers from Citi," O'Farrell says. "It's very frustrating, both as a customer and a professional, to see that banks still don't get it - the importance of being ready to talk to their customers clearly, fully and early."
The Office of the Comptroller of the Currency, Citi's main federal regulator, confirms that Citi notified it of the breach, but declined to provide any additional comment.
By notifying the OCC, Citi met at least part of its regulatory requirements for breach notification. Banking institutions are expected to notify their primary regulators any time sensitive customer data is compromised. How or if Citi has directly notified customers is unknown. Regulatory guidelines do suggest banks notify customers within a reasonable time period after a breach. [Read the American Bankers Association's perspective on the guidelines.]
But O'Farrell says Citi's notification process was weak.
"It looks like Citi discovered the breach about a month ago. I honestly don't think they need that much time to get even a fundamental understanding of the nature of the breach, and I'm a big proponent of the earliest possible public notification," O'Farrell says. "Early public and customer notification is rarely likely to jeopardize a response or investigation."
The only time early notification could cripple a case is when the breach has not yet been contained and the intruders are unaware they've been detected, he says.
O'Farrell says banks should use the Citi breach as an example, and a reason to revamp their crisis response plans. "A good response to a breach can go a long way to reducing the long-term financial and brand cost, and help rebuild customer trust faster," he says. "And customer trust should always be the bottom line for any financial institution."