<![CDATA[[SecurityRatty] tag: citibank]]> http://securityratty.com/tag/citibank Wed, 18 Jun 2008 19:45:00 +0000 iRatty Engine http://blogs.law.harvard.edu/tech/rss <![CDATA[Three Plead Guilty in $2 Million Citibank ATM Caper]]> http://securityratty.com/article/153e85da059b8fd2a67ca5dbdf75ac96 http://securityratty.com/article/153e85da059b8fd2a67ca5dbdf75ac96
]]> Wed, 05 Nov 2008 22:00:00 +0000 ukrainian immigrants admit cash machines citibank customers account atms cardtronics pins company owns Three Plead Guilty in $2 Million Citibank ATM Caper <![CDATA[Fed Blotter: Citibank Worker Allegedly Plunders Customer Accounts]]> http://securityratty.com/article/9137fd6e30be44b39748d16fc8b80500 http://securityratty.com/article/9137fd6e30be44b39748d16fc8b80500
]]> Fri, 19 Sep 2008 14:48:00 +0000 financial crisis investment insiders solutions Fed Blotter: Citibank Worker Allegedly Plunders Customer Accounts <![CDATA[ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach]]> http://securityratty.com/article/25d7127a199b9212565f907c104385f2 http://securityratty.com/article/25d7127a199b9212565f907c104385f2
]]> Mon, 07 Jul 2008 20:30:00 +0000 pin codes issues massive leak statements statement atms company owns ATM-Owner Cardtronics Issues Non-Denial Denial in Citibank Breach <![CDATA[Clothes don't make this man: Sweatshirt helps nail Citibank card scammer ]]> http://securityratty.com/article/c26ce21685373b5517a5f74f3870fc89 http://securityratty.com/article/c26ce21685373b5517a5f74f3870fc89 Wed, 02 Jul 2008 20:00:00 +0000 bank-card scammer citibank account distinctive sweatshirt illegal withdrawals thousands dollars pins hundreds Clothes don't make this man: Sweatshirt helps nail Citibank card scammer <![CDATA[Montgomery Ward breached, no notification obligation?]]> http://securityratty.com/article/d0a7010fb8fd83b7750424b96154c42b http://securityratty.com/article/d0a7010fb8fd83b7750424b96154c42b Security Breach

Date Reported:
6/27/08

Organization:
Direct Marketing Services Inc.

Contractor/Consultant/Branch:
Montgomery Ward
HomeVisions.com
SearsHomeCenter.com
SearsShowPlace.com
SearsRoomForKids.com

Victims:
Customers

Number Affected:
"at least 51,000 records"

Types of Data:
Names, addresses, phone numbers, card numbers, "security codes", and expiration dates

Breach Description:
"NEW YORK (AP) -- The parent company of Montgomery Ward is admitting that it was hit with a credit card hack, but it didn't inform the customers affected."

Reference URL:
The Associated Press
The Associated Press via WZTV Channel 17 News

Report Credit:
The Associated Press

Response:
From the online sources cited above:

At least 51,000 records were exposed in the breach at the parent company of Montgomery Ward.

The venerable Wards chain that began in 1872 went out of business in 2001, but in 2004 a catalog company, Direct Marketing Services Inc., bought the brand name out of bankruptcy.

Direct Marketing Services' CEO, David Milgrom, said the financial company Citigroup detected the computer invasion in December.

By going through HomeVisions.com, another Direct Marketing Services site, hackers had plundered the database that holds account information for all the company's retail properties.
[Evan] The AP story names five of the six Direct Marketing Services retail properties (See Above).  I don't know what the sixth is.

It now runs a Wards.com Web site along with six other sites, including three with Sears brands it has acquired: SearsHomeCenter.com, SearsShowplace.com and SearsRoomforKids.com

Milgrom said Direct Marketing Services immediately informed its payment processor and Visa and MasterCard.

Direct Marketing Services closely followed a set of guidelines, issued by Visa, on how to respond to a security breach.
[Evan] This is sad.  The Visa documentation regarding breach response is way too narrowly focused to be used as an organizational incident response.  Every organization that creates, collects, uses, stores, and/or transfers confidential information should have an incident response policy and accompanying procedures.  Take a look at the Visa "What To Do if Compromised" procedures, and judge for yourself.

That included a report to the U.S. Secret Service.

He said he believed by the end of December that Direct Marketing Services had met its obligations.
[Evan] Mr. Milgrom is the president of the company.  He really thought that his company had met all of its obligations with respect to this breach?  It never occurred to him that he should notify customers, even if he weren't required to by law?  Not only was the lack of notification illegal, but I think it is also unethical.

However, those guidelines from Visa are largely technical, and they do not cover a key additional step: that notification laws in nearly every state generally require organizations that have been hacked to come clean to the affected consumers, not just to the financial industry.

Companies that fail to comply can be hit with fines or be sued by affected customers, depending on the state

After being asked about those laws by The Associated Press, Milgrom said Direct Marketing Services now plans to contact consumers.

This hack might have stayed quiet except for online chatter detected in June by Affinion Group Inc.'s CardCops, a group of investigators who track payment-card theft for financial institutions.

In Internet chat rooms frequented by card thieves, CardCops spotted hackers touting the sale of 200,000 payment cards belonging to one merchant.

CardCops then intercepted several hundred of the records, along with the online handles belonging to hackers whose real names remain unknown.

Along with the card numbers, their three-digit "security codes" and expiration dates, the thieves had the cardholders' names, addresses and phone numbers.

The data had been organized in the same way, indicating the numbers likely came from the same database.

CardCops' president, Dan Clements, also noticed that the vast majority of the cardholders were women, a clue that the records came from a merchant catering to a certain demographic.

When he began calling them, the first eight said they had bought things online or through mail order from Montgomery Ward. At that point, Clements realized, "there's a high probability the entire database of Montgomery Ward was breached."
[Evan] This is some good investigative work.

It is not clear to Clements, though, whether the hackers were inflating their claim when they offered 200,000 records or whether Milgrom's number of 51,000 is accurate.
[Evan] According to the article, the "hackers" were able to compromise the information from all six Direct Marketing Services, Inc. properties.  51,000 may be Montgomery Wards customer accounts, and the remainder could be from the other five properties (just speculating).

A spokeswoman for Discover Financial Services LLC, Mai Lee Ua, said her company had addressed the problem by sending new cards to its cardholders who appeared in the compromised records.

Ua said they weren't told which merchant had been breached

Visa declined to comment.
[Evan] Visa always declines to comment.  No sense in even seeking one.

MasterCard issued a statement Friday acknowledging it was aware of the breach at Direct Marketing Services, and had notified the banks that issue MasterCards, telling them to monitor the accounts for suspicious charges.
[Evan] Three different card companies, three entirely different responses.  Of the three, I think I like the Discover one the best.

Such silence was the norm in the industry for years. But in response to fears of identity theft, 44 states have passed laws that generally require organizations holding consumer data to tell people when their information has leaked

Clements and other security analysts say that despite those laws, many breaches still are kept quiet, judging by the data being hawked in online black markets.

Avivah Litan, an analyst at Gartner Inc., believes unreported data breaches might still outnumber the ones that do get publicized.
[Evan] I absolutely agree.  You would be naïve to think that victim notifications go out in all breaches.  Too many corporate leaders would rather not notify and hope that nobody notices.

Litan says it especially is the case with online merchants. She believes it happens because of a lack of pressure from credit card companies, which are not responsible for fraudulent charges in "card not present" transactions over the Web and mail order.

Until fraud actually appears on the card, they'd rather avoid the cost of voiding compromised cards and giving consumers new ones, she said.

"What it reveals is the convoluted banking system," she said. "If this had taken place at a grocery store, we all would have heard about it."

In fact, because of the silence that still sometimes follows data breaches, even people who have never been informed one of their records has leaked should assume their information is floating online, Litan said.

"Probably every one of our cards is up there somewhere now," she said.
[Evan] I agree with all of the statements made by Avivah Litan except this one.  This is a stretch.

On the Net:
Links to the 44 state notification laws

Commentary:
Is this a case of a company that was caught trying to cover up a breach, or was this a company that didn't know any better?  I lean towards the former.  Either way, is ignorance of the law any kind of valid excuse? 

Let's assume for a second that company really didn't know that they were required to notify victims.  If this were true, then this leads me to believe that the company doesn't govern information security well (due care?), probably has no formal information security program, lacks incident response policy and procedures, and doesn't manage risk well.

I could only guess how the "hack" took place.  What vulnerability was exploited?  Even in this, the company appears to have not detected the attack.  Direct Marketing Services, Inc. had to be told of it by Citibank.  Does this mean that the company did not use intrusion detection/prevention? 

I could go on and on, but in the end I don't have much confidence here.

Past Breaches:
Unknown

]]> Fri, 27 Jun 2008 19:45:03 +0000 card companies companies services services closely credit card companies services retail properties financial company citigroup company montgomery ward Montgomery Ward breached, no notification obligation? <![CDATA[FBI Arrests Six More in Citibank ATM Heists]]> http://securityratty.com/article/b56716bc3b9f1e2e1e00833ac2c26407 http://securityratty.com/article/b56716bc3b9f1e2e1e00833ac2c26407
]]> Tue, 24 Jun 2008 23:00:00 +0000 citibank citibank atms customer pin codes russian cybercrime boss york-area fraudsters fbi engages computer intrusion cat-and-mouse game hands FBI Arrests Six More in Citibank ATM Heists <![CDATA[Some of the other noteworthy breaches last week, 6/16/08 - 6/22/08]]> http://securityratty.com/article/807b1e3ccc47c175a72b57ee98773462 http://securityratty.com/article/807b1e3ccc47c175a72b57ee98773462 Security Breach

The Breach Blog

Just SOME of the other noteworthy breaches from the past week (6/16/08 - 6/22/08)

Citibank Hack Blamed for Alleged ATM Crime Spree
By Kevin Poulsen, Wired.com, 6/18/08

A computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors.

The ATM crime spree is apparently the first to be publicly linked to the breach of a major U.S. bank's systems, experts say.

Security firm finds server with health-care data
By Jeremy Kirk, NetworkWorld, 6/18/08

Security researchers with Finjan Software are seeing a growing thirst from cybercriminals for data other than credit-card numbers, with the latest findings including servers containing passwords leading to heath-care records and airline systems data.

The problem is two-fold: sensitive data is being stolen after PCs are infected with malicious software, and then that data sent to unprotected remote servers, said Yuval Ben-Itzhak, chief technology officer for Finjan. The content of those servers is then indexed by search engines, leaving it open to anyone who uses the right query terms.

Bank scam spreads as institutions look for possible source of breach
By Leanne Tokars, WSBT Channel 22 News, 6/18/08

SOUTH BEND - An international bank scam is spreading, and there is some idea how that information may have gotten out.

Hundreds of people and dozens of banks and credit unions across our area are trying to recover from a major security breach.

[Evan] This story is related to the "1st Source Bank reissues all debit cards in response to breach" posting on 5/30/08.  Another supporting story; Fraudulent ATM transactions overseas could be tied to Indiana bank breach  This is a winding storyline.

Parents livid over database putting student profiles, pictures online
By Mohit Joshi, Top News, 6/16/08

Melbourne, June 16: With the State government planning to post the profile of every state school student on its intranet database, called OneSchool, parents in Australia are livid over the fact that it will make their kids vulnerable to paedophiles.

OneSchool, will provide each and every detail of the state's 480,000 public school students enrolled from Prep to Year 12, for which, the photographs, personal details, career aspirations, off-campus activities and student performance records are already being collected from all 1251 state schools.

[Evan] I think I’d be livid too.  Are parents given the opportunity to opt out, without penalty or lost opportunities?  "According to Education Minister Rod Welford, if the parents refuse to give their consent to their child being profiled, they could also be denied access to public education."

Blears PC loss - officials blamed
BBC News, 6/17/08

Information on a computer stolen from Communities Secretary Hazel Blears' office had been sent in breach of data security rules, it has emerged.

The Communities and Local Government department admitted its officials had "not fully" complied with guidance on handling sensitive data.

Its top civil servant Peter Housden said "no damage had been done" as the documents were not secret.

The computer contained a combination of constituency and government information relating to defence and extremism.

[Evan] It is disappointing to read about breaches where the government does not follow its own laws and regulations.  Mr. Housden claims that the files were "not secret".  They certainly weren’t public, were they?

Personal details of thousands of patients stolen from hospital in new security blunder
By James Tozer, The Daily Mail, 6/18/08

Laptops holding tens of thousands of patients' records have been stolen from a hospital and a GP's home, it emerged yesterday.

In the latest lost personal data scandal, the information was stored on the machines in contravention of NHS guidelines.

It was revealed that details of 20,000 patients were on six laptops stolen earlier this month from filing cabinets at St George's Hospital, in Tooting, South West London.

[Evan]  This is six stolen laptops in one month, and the four breaches in one year?!  The exposed information in this breach was "names, postcodes, hospital numbers and dates of birth".  Check out the excuse for storing confidential information on these poorly secured laptops; "Normally such information is stored on the hospital's central network, but because of technical problems it was being stored temporarily on the laptops."


To Readers:  I am testing this weekly "Other noteworthy breaches" post.  I am using this first one to gauge interest and decide if it is something we should continue.  Please feel free to comment.


]]> Mon, 23 Jun 2008 04:11:34 +0000 major security breach breach security breach data airline systems data breaches noteworthy breaches indiana bank breach sensitive data Some of the other noteworthy breaches last week, 6/16/08 - 6/22/08 <![CDATA[Citibank Replaces Some ATM Cards After Online PIN Heist]]> http://securityratty.com/article/247d2bb3cff8ef942890facb1e767050 http://securityratty.com/article/247d2bb3cff8ef942890facb1e767050
]]> Fri, 20 Jun 2008 16:46:00 +0000 atm pin codes citibank server fbi processor party breach cash brooklyn fault Citibank Replaces Some ATM Cards After Online PIN Heist <![CDATA[.. and now - PIN stealing..]]> http://securityratty.com/article/2e699cb88411c7ece62621d294d7f5fb http://securityratty.com/article/2e699cb88411c7ece62621d294d7f5fb 1. Before the PIN is encrypted by the Tamper Resistant Security Module (an ATM in the case of bank customers). Most criminals have been using fake PIN PADs and a number of techniques like jamming cards etc steal PINs blissfully unaware that they are on camera most of the time. Nice video ? here.

2. After the PIN reaches the issuer and is decrypted. This is the scarier situation -as the attacker would have access to a database of unencrypted PIN numbers / PIN offsets coming in from all around the globe. PCI supposedly requires that issuers be compliant and not store unencrypted PANs or PINs - but no validation is required (unless they are a VisaNet processor).

Well - Kevin Poulsen at Wired wrote today about how an alleged ATM crime spree has been blamed on a Citibank hack. Though Citibank has denied the hack as the cause of the fraudulent withdrawals - all signs seem to point towards it so far.
(This definitely is not new - While testing an issuer's security I'd stumbled upon ATM log entry files - complete with PAN, PIN, full name, address, zip code and atm location - back in the day when RFP just released whisker. )

This is probably just the beginning of a new wave. Issuers really need to pull up their socks and begin to treat cardmember data with the same respect that PCI Co is requiring merchants and processors to do. - and while I'm wishing horses - can ANSI or someone start working on some standards for requiring all track data to be encrypted in transit?]]> Thu, 19 Jun 2008 06:38:00 +0000 pin pin reaches pin offsets fake pin pads atm location atm bank pins atm crime spree access .. and now - PIN stealing.. <![CDATA[Citibank ATM Server Allegedly Hacked, Leading to Cash Machine Crime Spree]]> http://securityratty.com/article/01904842457c0db436ef2cadfa2f69da http://securityratty.com/article/01904842457c0db436ef2cadfa2f69da
]]> Wed, 18 Jun 2008 19:45:00 +0000 atm withdrawals citibank server pin codes hard cash convenience stores federal prosecutors cold withdraw account Citibank ATM Server Allegedly Hacked, Leading to Cash Machine Crime Spree