Security Precautions to Take Following Citibank’s Second Reported Online Breach
Updated Feb. 4, 2012
Citibank’s acknowledgment that hackers stole private information from 360,083 North American Citigroup credit card accounts, affecting 210,000 customers, serves as a warning to all businesses and consumers to take precautionary steps.
The bank’s May 2011 security breach wasn’t disclosed until weeks later. Citibank originally said 200,000 accounts were affected.
None of the reports I found pointed out that it was Citibank’s second reported major security issue in just 18 months. Soon after the bank’s first breach was reported, it seemed as though the security issue was buried. There weren’t any follow-up reports.
That’s when I wrote the column, How to Protect Yourself from the Internet Crime Wave, quoting Dr. Stan Stahl, a nationally known security expert based in Los Angeles.
Over the years, Dr. Stahl has been a valuable resource – some of the most-widely read Biz Coach columns have included his expert opinions, especially these three columns:
Our Mobile-Banking Warnings about Security Prove Prophetic
Using Starbucks’ WIFI? Security Pro Issues Warning and Security Checklist
5 Safety Measures to Thwart Mounting Social-Network Attacks
A security expert I’m not, but I’ve learned from Dr. Stahl’s valuable insights.
In addition to the tips in the above columns – whether you’re a Citibank customer or not – I’d suggest immediately taking these defensive computer measures:
- Change all log-in information. That means every banking, retail credit-card and e-mail password.
- Never reuse a password. Each account gets its own, so that one stolen password opens only one door.
- Install adequate firewall and anti-virus protection on your computer, and keep both updated.
- To limit your exposure, use one dedicated computer for your financial information, and never use that computer for social media networking.
- Review all privacy and policy information.
- Avoid using your debit card online. At least personal credit cards offer liability protection under federal regulation. But business banking is not federally protected – it’s left up to individual banks, so check your bank’s policies regarding your company’s accounts.
- Don’t conduct financial transactions over public WIFI.
- Don’t do mobile banking.
- If you get an e-mail allegedly from your financial institution, act like an all-pro football defensive end. Prevent an end run. Assume it’s a fraud. If you must communicate with your financial institution, telephone the number printed on your card or statement, or make a personal visit.
- When doing your online banking, type the financial institution’s Web address into your browser yourself rather than following a link from an e-mail or a search result.
- For security questions, be creative and don’t give the true answer. The real one might be obvious to any hacker who has learned about your personal situation.
- Check your financial accounts daily.
- If your account is compromised, quickly take appropriate action: notify the institution at once and change your log-in information.
For your company’s management controls, Dr. Stahl has previously recommended taking six precautions:
- Don’t allow your employees to use your computers in social networking.
- Establish a list of allowable web-sites.
- Closely monitor your bank account.
- Train employees in social engineering awareness.
- Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
- Strengthen your defenses.
Cybercriminals, I’m sad to say, are here to stay. Do your due diligence.
(Note: Dr. Stahl and I are fellow members of Consultants West, www.consultantswest.com, a roundtable of veteran management consultants.)
From the Coach’s Corner, here’s Dr. Stahl’s cyber security blog and his Web site.
“In a world in which the total of human knowledge is doubling about every ten years, our security can rest only on our ability to learn.”
- Nathaniel Branden
__________
Columnist Terry Corbell is also a business-performance consultant and profit professional. Click here to see his management services (many are available online). For a complimentary chat about your business situation or to schedule Terry Corbell as a speaker, why don’t you contact him today?
Are You Insured for Cyber Theft?
Aug. 30, 2010
On a regular basis, cybercriminals are creating hardship for businesses and consumers. A post by blogger Brian Krebs caught my eye – a Texas company is struggling to get its bank to pay for a $50,000 cyber theft.
“Attorneys for Dallas-based Hi-Line Supply Inc. recently convinced a state court to require depositions from officials at Community Bank, Inc. of Rockwall, Texas,” wrote Mr. Krebs. “Hi-Line requested the sworn statements to learn more about what the bank knew in the time surrounding Aug. 20, 2009, when crooks broke into the company’s online bank accounts and transferred roughly $50,000 to four individuals across the country who had no prior business with Hi-Line.”
The deposition itself is sealed, but the lawyers maintain the bank is guilty of security incompetence, and a lawsuit might be the next step.
Mr. Krebs quoted an attorney:
“In the event Community Bank refuses to resolve this matter, now that we have uncovered some of the information obtained by virtue of the court’s order, Hi-Line intends to assert claims for misrepresentation, violations of the Texas Deceptive Trade Practices Act, fraud, and breach of warranties, among other things,” said Michael Lyons, a partner with the Dallas law firm Deans Lyons.
The fraud apparently began on Aug. 20 last year when Hi-Line processed its $25,000 payroll, according to Gary Evans, the firm’s president.
“After Hi-Line submitted that batch of payments to its bank, the unknown intruders attempted two more transfers of nearly identical amounts on Friday and the following Monday, Aug. 24,” explained Mr. Krebs. “Evans said he had trouble logging in to his account on Thursday and had the bank reset his password, but the fraudulent transactions hadn’t shown up on his account at that time. He said he took that Friday off as he always does, and when he tried again to log in after returning to work on Monday, he again found the bank’s site would not accept his password.”
Then, Mr. Evans sensed trouble.
“When I finally got the bank to reset my password and got into my account, I noticed the duplicate payroll batches and said ‘Why are you all pulling my payroll out three times?’” Mr. Krebs quoted Mr. Evans about his recollection of how he came to realize his firm had been robbed. “At the time, as I was resetting my password, I had to scroll through the bank’s online customer agreement, which basically said the bank is not responsible for any fraud. I should have known at that point that they were not going to take any responsibility for this at all.”
Mr. Evans maintains the bank should have taken notice.
“Evans said the bank should have detected that something was amiss, and not just because of the unusual and repeated payroll batches,” wrote Mr. Krebs. “He said the crooks accessed his account from five different Internet addresses with locations that were nowhere near Texas, including from computers located more than 1,300 miles away, in Washington, D.C. and Maryland.”
The blogger says Community Bank did not respond to his request for a comment, but its deposition claims the cybercriminals “had infiltrated Evans’ computer with a virus and used it to steal his online banking credentials, which included a user name, password, PIN and several challenge/response questions.”
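Mr. Evans’s complaint, that five far-flung Internet addresses and three near-identical payroll batches in four days should have tripped an alarm, is exactly the kind of rule a bank can run over its own audit logs. As an added example (not code from the column, from Mr. Krebs, from the bank or from Dr. Stahl), the Python below applies two such rules to constructed audit lines: it flags any login or batch submission from an address more than 500 miles from the customer’s home location, and any payroll batch whose amount is within 5% of a batch accepted in the previous seven days. The log lines, the IP addresses and the IP-to-coordinates table are all constructed for illustration; a real deployment would replace the table with a GeoIP lookup.

```python
"""Two simple fraud rules of the kind a bank could run over its online-banking
audit log: far-away access and duplicate payroll batches.
Added example; not code from the bank, the column or Brian Krebs.
Every event, IP address and coordinate below is constructed for illustration."""
import math
from dataclasses import dataclass
from datetime import datetime, timedelta

# Approximate coordinates of the customer's office (Rockwall, TX); an assumption.
HOME = (32.93, -96.46)
MAX_MILES = 500                 # access from farther away than this is suspicious
DUP_WINDOW = timedelta(days=7)  # look-back window for repeated batches
DUP_TOLERANCE = 0.05            # amounts within 5% of an earlier batch look like a repeat

# Constructed IP -> (latitude, longitude) table standing in for a GeoIP database.
IP_GEO = {
    "192.0.2.10": (32.93, -96.46),    # the customer's own office
    "198.51.100.7": (38.90, -77.04),  # Washington, D.C.
    "203.0.113.44": (39.04, -76.64),  # Maryland
}

# Constructed audit lines: "<ISO time> login <ip>" or "<ISO time> batch <ip> <amount>".
SAMPLE_LOG = [
    "2009-08-20T09:05:00 login 192.0.2.10",
    "2009-08-20T09:10:00 batch 192.0.2.10 25000.00",
    "2009-08-21T07:42:00 login 198.51.100.7",
    "2009-08-21T07:50:00 batch 198.51.100.7 24950.00",
    "2009-08-24T06:15:00 login 203.0.113.44",
    "2009-08-24T06:20:00 batch 203.0.113.44 25100.00",
]


@dataclass
class Event:
    when: datetime
    kind: str           # "login" or "batch"
    ip: str
    amount: float = 0.0


def parse_events(lines):
    """Turn audit lines into Event objects, oldest first; unknown kinds are skipped."""
    events = []
    for line in lines:
        parts = line.split()
        when = datetime.fromisoformat(parts[0])
        if parts[1] == "login":
            events.append(Event(when, "login", parts[2]))
        elif parts[1] == "batch":
            events.append(Event(when, "batch", parts[2], float(parts[3])))
    return sorted(events, key=lambda e: e.when)


def haversine_miles(a, b):
    """Great-circle distance in statute miles between two (lat, lon) points."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 3959 * 2 * math.asin(math.sqrt(h))


def detect_anomalies(events, home=HOME, ip_geo=IP_GEO):
    """Return (time, rule, detail) alerts for far-away access and duplicate batches."""
    alerts = []
    accepted_batches = []  # (when, amount) of every batch seen so far
    for e in events:
        loc = ip_geo.get(e.ip)
        if loc is None:
            alerts.append((e.when, "unknown-ip", e.ip))
        else:
            miles = haversine_miles(home, loc)
            if miles > MAX_MILES:
                alerts.append((e.when, "far-access", f"{e.kind} from {e.ip}, {miles:.0f} mi from home"))
        if e.kind == "batch":
            for when, amount in accepted_batches:
                if e.when - when <= DUP_WINDOW and abs(e.amount - amount) <= DUP_TOLERANCE * amount:
                    alerts.append((e.when, "duplicate-batch",
                                   f"{e.amount:.2f} resembles {amount:.2f} submitted {when.date()}"))
                    break
            accepted_batches.append((e.when, e.amount))
    return alerts


if __name__ == "__main__":
    for when, rule, detail in detect_anomalies(parse_events(SAMPLE_LOG)):
        print(f"{when:%Y-%m-%d %H:%M} {rule:16} {detail}")
```

On the constructed log the first day’s login and payroll from the office raise nothing; the two later sessions each produce a far-access alert for the login, a far-access alert for the batch, and a duplicate-batch alert, six alerts in all. The point is that neither rule needs anything the bank did not already hold: the source address of every session and the amount and date of every batch. Thresholds are deliberately conservative; a bank would tune them per customer and hold the batch for a phone confirmation rather than block outright.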
Mr. Krebs indicated the thieves pulled it off with the unwitting help of what are called money mules.
“Among those lured into the scam was Josh Enlow, a 28-year-old gas station attendant in Phoenix,” he wrote. “Enlow said he was hired by an entity calling itself The Total Group Co., which initially contacted him in an e-mail stating it had found his resume on a job search Web site, and would he be interested in an ‘accounts payable’ position?”
Reportedly, Mr. Enlow received several deposits and was asked to forward the money.
“He then wired the money to individuals in Eastern Europe as instructed, he said,” wrote Mr. Krebs.
“If the customer wants the bank to reimburse it for fraud losses, it’s up to the customer to prove that the bank’s security procedures are not commercially reasonable…” says IT security expert Dr. Stan Stahl. “The result, all too often, is that the customer has little choice but to sue the bank.”
But Dr. Stahl says there are reasons for such victims to hope:
“There’s a very good chance the bank’s procedures fail the test of commercial reasonableness,” writes Dr. Stahl.
But he adds that the burden of proving a bank is at fault is “huge.”
He says one solution is cyber theft insurance.
My counsel is due diligence by a top-notch security adviser, and to make sure you really know your bank.
From the Coach’s Corner, Dr. Stahl’s security blog: http://citadelonsecurity.blogspot.com/.
How to Protect Yourself from the Internet Crime Wave
Jan. 22, 2010
For Citibank customers and millions of other consumers who enjoy the convenience of online banking, a headline was alarming.
The Wall Street Journal headline: “FBI Probes Hack at Citibank – Russian Cyber Gang Suspected of Stealing Tens of Millions; Bank Denies Breach.”
The article on December 22, 2009 was the last we’ve seen about the Citibank situation. The reported multimillion-dollar loss – a public relations nightmare for Citibank – has been hushed up.
Many online security experts say online fraud is skyrocketing, and the FBI has issued warnings about online fraud and related scams.
Such cybersecurity experts also cite another alarming trend – increasing sophistication in the methods used by cybercriminals.
About three weeks after the Citibank report, online-banking warnings were issued by the American Bankers Association and FBI (“Cybercrooks stalk small businesses that bank online”). The warnings followed a wave of cybercrime afflicting small businesses, public-sector agencies, churches, schools, and other non-profits.
Cybercrime methods
Many crooks are using what are called “banking Trojans.” Here’s a typical case: “New Trojan Intercepts Online Banking Information – PC World.”
Dr. Stan Stahl, a cybersecurity expert, recently drew a plot line from another cybercrime incident that applies equally to the banking scams.
“The plot line isn’t with Citibank but related to the recent web attack on Twitter that redirected users to the ‘Iranian Cyber Army.’ This same type of attack – stealing the UserID/password of Twitter’s DNS administrator and then changing the DNS to point to the Iranian Cyber Army – could be used to create a ‘cybercriminal-in-the-middle’ attack against an eCommerce site,” he said.
Dr. Stahl further explained that the cybercriminal is then able to steal a consumer’s sensitive credit-card information and seize control of the victim’s computer.
He is a widely known pioneer in security and the prevention of identity theft. He is an expert on the Federal Trade Commission rules under the Gramm-Leach-Bliley Act governing the handling of non-public personal information by financial institutions. He is also president of the Los Angeles chapter of the Information Systems Security Association, a nonprofit, international organization of information security professionals and practitioners.
“I feel the banks must bear a significant share of the responsibility because they have the knowledge of what’s happening yet, in my experience and based on what I’ve been told by people in law enforcement, they are not working the problem with their customers nor are they supporting law enforcement by sharing what they know,” said Dr. Stahl. “They strike me as wanting to pretend this isn’t a problem.”
It’s true that insurance companies reimburse victims of cybercrime, but cybercrime is expensive.
A client once hired Dr. Stahl to investigate a $1 million loss from an online banking theft, and I reported the details in this column, “5 Safety Measures to Thwart Mounting Social-Network Attacks.” He says it resulted in an expensive legal struggle.
“The lawsuit I’m involved in, for example, is between two insurance companies; both will lose dollars regardless of how the suit turns out,” Dr. Stahl explained. “If the insurance companies made bank cooperation with law enforcement a policy requirement, we’d get a lot more cooperation and the insurance companies would have fewer claims to pay.”
He is also assertive in explaining his perspective on the Internet-security issue, Google vs. China.
“There is little in the Google story that the information security community didn’t already know except for the specific vulnerabilities that were exploited,” he said. “What is new – and important – is that now the world knows. For our business, it’s just one more example we can point to of how unsafe the internet is. Plus, because it’s Google, the cybercrime has been deconstructed more thoroughly than usual. Kudos to Google.”
Smartphone dangers
A published report, “BBC News – Cybercriminals revive old scams to target smartphones,” raises the specter of threats against mobile phones.
The BBC smartphone report prompts this question from Dr. Stahl: “How long will it take until this type of malware is used to steal online bank credentials?”
Here are some of his tips to enhance your personal online security:
- Review all privacy and policy information.
- Use unique and hard to guess login information.
- Protect your computer.
- Check your account balance regularly.
- Pay using credit cards.
- Do not access your account from public locations.
- Verify any email correspondence claiming to be from your bank.
- If your account is compromised, take swift action.
For your company’s management controls:
- Don’t allow your employees to use your computers in social networking.
- Establish a list of allowable web-sites.
- Closely monitor your bank account.
- Train employees in social engineering awareness.
- Change the mindset of your managers and employees – if something seems odd, say no and call for Internet security.
- Strengthen your defenses.
(Note: I know Dr. Stahl well as a trusted expert, and I’ve interviewed him on multiple occasions. He and I are members of a roundtable of veteran consultants, Consultants West, www.consultantswest.com.)
Resource links:
- Dr. Stahl’s Web site – www.citadel-information.com.
- His blog – www.citadelonsecurity.blogspot.com
From the Coach’s Corner, here are additional security tips:
- If you’re a cyber victim, contact a noted security expert and authorities (How to Report E-Scams and Hoaxes to the FBI).
- If you want to help the victims in Haiti: “Only donate through the Red Cross or other well-established charity organizations,” said Dr. Stahl. “Ignore all email solicitations. They could be fake, and prudence requires that one assume they are. There are lots of known safe groups through which one can contribute; no reason to take a risk here.”