Citigroup accounts hacked



Citigroup Inc. plans to send replacement credit cards to about 100,000 North American customers after its systems were breached by a hacking attack affecting about 200,000 accounts.

Citi said on Thursday that the hacked accounts amounted to about 1% of its 21 million North American card customers and that it has referred the incident to law enforcement. The bank said it is contacting affected customers and has implemented procedures to prevent a recurrence.

The cyberintruders were able to access information including holders' names, account numbers and email addresses, Citi said. But the breach, which was discovered in early May and is the latest in a series of hacking attacks against companies, didn't compromise additional personal information such as Social Security numbers, dates of birth, or card security codes or expiration dates. The bank didn't rule out that fraudulent activity might have taken place following the attack but said Citi's debit cards weren't affected. Citi didn't say when the attacks occurred.

Experts estimate the cost of replacing credit cards is as high as $20 apiece.

Citigroup's action in reporting the problem within weeks and replacing most of the cards appears to be an aggressive response. In an episode earlier this year at Michaels Stores Inc., thieves tampered with card-processing equipment as early as February, but more than a hundred customers didn't find out until three months later that their accounts were being looted. Once Michaels learned of the situation in May, the crafts store says it made a prompt public disclosure and replaced the equipment.

The Citi breach comes on the heels of other similar attacks, raising concerns among financial regulators and security experts that banks and other companies aren't doing enough to protect themselves and their customers.

Other recent incidents have hit a range of companies, including Sony Corp. and Lockheed Martin Corp., but security experts say financial institutions remain a top target for cybercriminals. "The most sophisticated hackers in the world target banks, and they target government agencies," said Tom Kellermann, a former World Bank cybersecurity official and current chief technology officer at AirPatrol Corp., a Maryland-based wireless-security firm.

Security experts—whose business it is to advise and provide security to corporations and the government—say banks also need to strengthen the authentication procedures they use to identify consumers and employees who access accounts or a firm's network. Criminals increasingly are targeting such authentication credentials. The rise of mobile-banking technologies makes this vulnerability more acute, say security experts.


Regulators agree. A group that includes the Federal Reserve, the Federal Deposit Insurance Corp. and the Office of the Comptroller of the Currency, months ago started work updating 2005 guidance on how banks can best authenticate the identity of customers accessing Internet-based financial accounts.

The attacks have lawmakers worried, too. Senate Banking Committee Chairman Tim Johnson (D., S.D.) is planning a hearing to examine data security in the financial-services industry, according to a Senate aide.

Citibank's peers defended the strength of their security.

"We are aware of the attack at Citi," Wells Fargo & Co. said in a written statement. "Security is core to our mission, and safeguarding our customers' information is at the foundation of all we do."

A J.P. Morgan Chase & Co. representative said, "Chase is unaffected by the incident involving our competitor," declining to comment further.

"We constantly evaluate the security of our systems, including all potential threats, and take appropriate steps to keep information secure," Bank of America Corp. said in a written statement.

A recent breach involving RSA Security, the company that provides security tokens used by millions of workers to access their company's computer systems, set off alarms for banking regulators, said people familiar with the situation. Not only do scores of banks use the tokens for their employees, but some banks also offer them to customers as a way to secure Internet banking activities.

The RSA event was discussed among banking regulators, the Treasury Department and the Department of Homeland Security, according to people familiar with the matter, and the Federal Reserve and the FDIC raised the issue with the banks they oversee.

The Citi incident and the RSA breach speak "to how sophisticated the bad guys have gotten," said David Robertson, of the Nilson Report, a newsletter about credit cards in Carpinteria, Calif. He added that RSA "is like Fort Knox. If RSA can get hacked, anybody can get hacked."

RSA said it is working with its customers to assess their risks. It has offered to provide customers with monitoring services or to replace tokens.

Banks including Citi are pushing for greater use of new wireless technologies. But the more consumers use devices such as iPhones, iPads, and Android-enabled phones for financial services, the more enticing mobile devices become for cybercriminals.

Officials at Citi in particular have talked up the future of online banking access. Citi has about one-sixth as many branches as its chief rivals J.P. Morgan and Bank of America Corp. At a recent panel, Tomasz Smilowicz, global head of mobile solutions at Citi's transaction-services unit, said processing payments through a mobile device compares favorably for merchants with the cost of handling cash, which can include using armored cars and guards to transport money.


Security officials say an infected application downloaded on a phone can be designed to take over a smartphone. When the user then logs on to his bank account with the phone, the hacker could steal the user's bank credentials. Many mobile-banking apps don't account for a phone being compromised, said Jason Rouse, a wireless security expert with Cigital, a software consulting firm.

"We're very comfortable that the way we're managing mobile makes this actually a very safe and secure channel," said Jack Stephenson, J.P. Morgan Chase's managing director for mobile e-commerce and payments. The number of registered users of the bank's various mobile-banking offerings has more than tripled since January 2010, from three million to 10.5 million last month, with about five million users active every month, he said. Mr. Stephenson said it is true that mobile banking introduces new threats, and that attacks will keep coming, but that "the ways you can prevent those threats are a lot deeper and richer on mobile devices."

Read more:

wsj online
