MCPMag.com


Citibank Hack Shines Light on PCI Compliance

Just two days after the Payment Card Industry (PCI) Security Standards Council announced the deadline for application security compliance and said it would be issuing guidelines for PIN entry devices, court documents have emerged detailing an elaborate plot to hack Citibank's ATM network architecture.

According to security experts, the timing couldn't have been better for highlighting the serious issue of intrusion and data theft on networks anchored by a Windows OS-based system.

"Any device that processes personal identification numbers is an important link in the transaction chain," wrote Bob Russo, general manager of the PCI Security Standards Council, in an e-mail to Redmondmag.com. "The council is reaffirming its commitment to developing additional standards to meet the needs of the industry and to ensure continued safety and security for consumers."

In its announcement on Monday, the PCI Council advocated a testing and product approval program for unattended payment terminals and related host hardware. Such a program would help protect sensitive card data at any point in the transaction process.

Meanwhile, the court case against Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva -- all three indicted at a New York federal court four months ago for allegedly hacking Citibank's ATM system through a browser-based attack vector -- should be seen as a call to action, one independent security consultant said.

"You have federal IT security guidelines such as HIPAA for hospitals and health care. I think it's time a similar uniform code for personally identifiable information was put in place," said Kris Lovejoy, IBM's director of corporate governance, risk, compliance and security strategies, in an interview on Wednesday. "The big question is, 'What the heck do you protect?' Many organizations I talk to don't know where to start or what to do about issues like this and are stymied by the increasing complexities of compliance."

While Lovejoy advocated some type of government-mandated security benchmark that defines what "personally identifiable information is and how to protect it," she warned against a lengthy legislative process that could stifle innovation.

At issue in the Citibank hack is the vulnerability of "low-hanging fruit" -- data that was easily accessible through a browser-based application based on Windows architecture and designed solely for ATM network maintenance, repair and remote monitoring. Somehow, the hackers were able to access data fields containing the PINs of bank customers which, in most cases, should be encrypted.

To protect against such attacks, experts such as Lovejoy suggest -- among other things -- one-way password hashing, where even a system or network administrator can't see passwords; elevated encryption of critical data fields in database tables containing personal info; or obfuscation of data, which could be done by hiding the information in the data field or encoding it so it displays as undecipherable symbols instead of personal information.
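The "one-way hashing where even an administrator can't see the secret" and "display as undecipherable symbols" suggestions above, worked through for a PIN column as an added example (not code from the article or from Citibank). One caveat the article does not spell out: a bare hash of a 4-digit PIN has only 10,000 possible inputs, so the digest must be keyed with a secret the database never holds; the key here is constructed in memory, and the account id, PIN and function names are assumptions for the demo.

```python
import hashlib
import hmac
import secrets

# Assumption: in production this key lives in an HSM or key-management service and
# is never readable from the database or by administrators; constructed here for
# the demo only.
PIN_KEY = secrets.token_bytes(32)


def pin_digest(account_id: str, pin: str, key: bytes = PIN_KEY) -> str:
    """Keyed one-way digest of a PIN, bound to the account.

    Keying with a secret the table does not contain removes the 10,000-guess
    shortcut an unkeyed hash of a short PIN would allow, and binding to the
    account id means two customers with the same PIN do not share a digest.
    """
    if not (pin.isdigit() and 4 <= len(pin) <= 12):
        raise ValueError("PIN must be 4-12 digits")
    msg = f"{account_id}:{pin}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def enroll(account_id: str, pin: str) -> dict:
    """Build the stored record: only the digest is persisted, never the PIN."""
    return {"account_id": account_id, "pin_hmac": pin_digest(account_id, pin)}


def verify_pin(record: dict, pin: str) -> bool:
    """Recompute and compare in constant time so timing leaks nothing."""
    try:
        candidate = pin_digest(record["account_id"], pin)
    except ValueError:
        return False
    return hmac.compare_digest(record["pin_hmac"], candidate)


def console_view(record: dict) -> dict:
    """What a maintenance or monitoring console may render: the PIN field masked."""
    return {k: ("****" if k == "pin_hmac" else v) for k, v in record.items()}
```

The maintenance console described in the article would only ever be handed `console_view(record)`, never the underlying row.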

Citigroup, the holding company for Citibank, is mum on the issue, saying in a statement to the Associated Press that any customers who have lost money due to the hack will not be held responsible for "fraudulent activity in their accounts."

Meanwhile, the guidance that the PCI Council is issuing amid several high-profile breaches has taken center stage in what IT security pros say is a brave new world of threats.

"I think currently what [PCI Council] is doing is a relatively good start," Lovejoy said. "What the government could do is work with [the] industry to develop best practices and standards that can create a reasonable assurance of security. If they want to work with the PCI Council, then that's fine, but they need to do something."

About the Author

Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.


Reader Comments:

Sun, Jun 26, 2011 Jason Roysdon Modesto, California

My CitiBank card account was compromised twice in April, the second time after they closed the original account number and overnighted a new card. The new card was never used, but there were still fraud charges one week after it was activated. Their security is clearly asleep. I've closed my Citi account and won't go back until they meet my demands for securing accounts:

All banks and credit cards should have to offer two-channel authentication for purchases over a customer-set limit. See ING.nl's TAN codes via mobile phone (in Dutch, but the video is clear what is going on):

http://www.ing.nl/particulier/internetbankieren/demo-tan-code-via-mobiel.aspx

Why is it ING.nl has TAN codes to confirm transactions via SMS, but ING.com (in the US) doesn't? Because the Netherlands have a law requiring extra authorization confirmation and the US does not. Not because the banks there want to do the right thing.

I wish I could set some cards to not be allowed without physically being present (in other words, block some cards from being able to be used over the phone or online, and require it to be in person and require ID checking), and some cards only allowed to be used online with temporary/virtual card numbers (and never allow the real/physical account number to be used).

You have to assume that the transaction method is going to be compromised at some point. You have to create a secondary way to verify transactions (like TAN codes which include the amount, location, and then require you to confirm). You have to be able to limit where and how a card can be used so people can limit exposure.

The entire credit card industry is broken. How many times does this need to occur before the banks will fix it? They won't, so we need the Senate to create a law to make them. I hate government regulation, but in this case, it appears to be the online solution.

Thu, Jul 3, 2008 Wayne Chicago IL

You've got to be kidding, right? A PIN is a 4 digit numeric only field, and the industry doesn't think that one-way encryption (which by the way has been the standard on most commercial systems for over 30 years) is mandatory? And then they make the information accessible to a network management console application? Give me a break, this is the 21st century isn't it?
