The Citigroup Breach and Tips for Secure Online Banking

Monday, June 13, 2011



Last week officials from Citigroup confirmed that an unauthorized network access event may have compromised the private account details of a large number of North American banking clients.

Recent reports put the number of affected Citigroup customers as high as 210,000, and the number could grow as the investigation continues.

Representatives of Citigroup said they detected the breach of the Citi Account Online network in May through routine monitoring of the systems.

Thus far, it appears that only credit card accounts were exposed in the breach, though some reports suggest that some debit card information may have been involved.

The Citigroup breach is considered one of the very few successful hacks against a major bank's systems, and it underscores the need for continued vigilance by financial institutions and their clients where security best practices are concerned.

Though these tips would not have prevented the breach at Citigroup, security experts advise consumers to take some simple steps to help maintain the security of their online banking accounts and transactions:

1. Never accept incoming communications purporting to be from financial institutions you do business with, whether by email or phone call.

"Call them back using only the phone numbers published on your cards or statements," Richard Wang, manager of SophosLabs US, said.

2. Update your security software on your computer.

"Make sure it's malware protection and have the most sophisticated firewalls and anti-intrusion software," Adam Levin said.  "Those start screaming at you anytime you're even near something that has a worm on it."

3. Check the security of your mobile device and your mobile banking apps.

Mobile banking and payments are becoming more common, which means hackers may pay more attention to that marketplace as well.

Andrew Hoog, chief investigative officer of viaForensics, a digital forensics and security company, found three unencrypted (i.e., less secure) passwords in apps for Foursquare, LinkedIn and Netflix on Android in a recent round of app security testing. Citibank received a "pass" rating for its app.

4. When logging in to perform online transactions, always enter the website address directly in your browser.

Never click links that claim to take you to banking sites.

5. Use strong passwords and don't reuse your bank password elsewhere.

Use two-factor authentication if your bank offers it, such as confirmation numbers sent by text message to your phone, Wang said.

Levin adds that you should even have unusual answers to additional security questions.

"If they ask for your mother's maiden name, say 'superwoman,' or something outrageous that you would only know," Levin said.

6. Be active in monitoring your financial accounts.

Levin said he does not believe eliminating your online accounts is the answer because they can be the best tools to monitor your financial activity in real time.  He suggests you monitor your online accounts at least once a day.

Citigroup immediately reported the security incident to law enforcement and regulatory authorities, but has not revealed any particular details of the data loss event. Citigroup officials are in the process of notifying customers whose data may have been exposed.

So far, there have been no reports of stolen funds related to the incident. Citigroup indicated they have tightened security controls since the breach was discovered.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.