November 18, 2024

DealBook: Citigroup Says Credit Card Customers’ Data Was Hacked

12:49 p.m. | Updated Citigroup acknowledged on Thursday that unidentified hackers had breached its security and gained access to the data of hundreds of thousands of its credit card customers in North America.

“During routine monitoring, we recently discovered unauthorized access to Citi’s account online,” the bank said in an e-mailed statement. “We are contacting customers whose information was impacted.”

The bank said about 1 percent of its North American credit card holders had been affected, putting the total count of customers exposed in the hundreds of thousands, based on its annual report for 2010, which said it had about 21 million credit card customers in North America.

While information concerning customers’ names, credit card numbers, addresses and e-mail addresses was exposed, the bank said that data like the “Social Security number, date of birth, card expiration date and card security code were not compromised.”

Citi is notifying cardholders who have been affected via mail, as well as via their online accounts. Most customers will also receive a replacement card, the company said.

“Citi has implemented enhanced procedures to prevent a recurrence of this type of event,” the bank said. “For the security of these customers, we are not disclosing further details.”

While no group has claimed responsibility for the breach, it is part of a spate of recent cyberattacks.

Sony has reported a series of assaults on its PlayStation network and several Sony Web sites — one hacker site says there have been 18 so far — after the company sued, and then settled with, a programmer who had cracked the PlayStation code. Other attacks have hit PBS, Fox and an F.B.I. affiliate known as Infragard. And most worrying of all, perhaps, hackers compromised the security system of RSA, maker of the popular SecurID.

But none of those breaches appears to pose as direct a threat to consumers as the one reported by Citi. A spokesman for the bank said that only credit card customers had been affected, not debit card holders, and that law enforcement had been alerted.

The Financial Times earlier reported the breach.

Two people associated with the hacker collective Anonymous said they did not believe the group was involved.

“Anonymous kind of moved off the banks,” one said, adding that it was “because they were bored.”

Anonymous has become known for prominent denial-of-service attacks that disable and deface the Web sites of companies the hackers dislike; for example, the group disrupted service at Visa and MasterCard after they stopped allowing donations to WikiLeaks.

“For-profit attacks are always foreign,” one of the people said. “I’ve never heard of an American group doing that. You can deface a Web site, but once you start stealing money … we understand the FBI. They can kick your door down for downloading torrents.”

Citigroup was reported to have been breached by hackers tied to a Russian group in 2009, and before that in 1995.

One of the members of Anonymous questioned Citigroup’s security as the bank described it on its Citi Card site, saying the 128-bit encryption the bank boasts of is “really not that big a deal.”

“Two-hundred-and-fifty-six bit would take someone a lifetime to decrypt,” the person said. “The security is so weak right now, if you know a couple attacks, you can just go around and see what works.”

Article source: http://feeds.nytimes.com/click.phdo?i=e5b18760f5e312a43a8a211ce4e132cb

Bits: The RSA Hack: How They Did It

The hack last month at RSA Security has been shrouded in mystery.

How did a hacker manage to infiltrate one of the world’s top computer-security companies? And could the data that was stolen be used to impair its SecurID products, which are used by 40 million businesses that are trying to keep their own networks safe from intruders?

The division of the EMC Corporation is staying mum about what exactly was stolen from its computer systems, aside from that it was data related to SecurID.

But on Friday RSA shed some light on the nature of the attack. In a blog post titled “Anatomy of an Attack,” the company’s head of new technologies, Uri Rivner, described a three-stage operation that was similar to several other recent prominent attacks on technology companies, including a 2009 attack on Google that it said originated in China.

In the attack on RSA, the attacker sent “phishing” e-mails with the subject line “2011 Recruitment Plan” to two small groups of employees over the course of two days. Unfortunately, one was interested enough to retrieve one of these messages from his or her junk mail and open the attached Excel file. The spreadsheet contained malware that used a previously unknown, or “zero-day,” flaw in Adobe’s Flash software to install a backdoor. RSA said that Adobe had since released a patch to fix that hole.

After installing a stealthy tool that allowed the hacker to control the machine from afar, he stole several account passwords belonging to the employee and used them to gain entry into other systems, where he could gain access to other employees with access to sensitive data, Mr. Rivner said.

Then came stage three: spiriting RSA files out of the company to a hacked machine at a hosting provider, and then on to the hacker himself.

The attacker left few traces. But an unclassified document from the United States Computer Emergency Readiness Team (US-CERT) obtained by the blogger Brian Krebs revealed three Web addresses used in the intrusion, one of which includes the letters “PRC,” which could refer to the People’s Republic of China — or it could be a ruse.

According to Mr. Rivner, it’s difficult for companies with the world’s most sophisticated defenses to stop these newfangled “advanced persistent threats,” which are made potent by the combination of low-tech “social-engineering” cons and a high-tech zero-day attack that antivirus software won’t recognize.

That RSA detected the attack in progress was a victory, he argued. Many other companies hit by similar attacks “either detected the attacks after months, or didn’t detect them at all and learned about it from the government,” he said. “As an industry, we have to act fast and develop a new defense doctrine; the happy days of good old hacking are gone, and gone too are the old defense paradigms.”

But some security experts ridiculed the notion that the attack was sophisticated. Jeremiah Grossman, founder of WhiteHat Security, posted on Twitter: “I can’t tell if this RSA APT blog post is actually being serious or an April 1st gag. The content is absurd either way.”

Article source: http://feeds.nytimes.com/click.phdo?i=56c20c1e89f376464221bb850abffac2