Archive for June 9, 2011

Citigroup Breach and RSA Breach: A Possible Connection?

June 9, 2011

[Image: Citigroup Center Building - New York, via Wikipedia]

Today Citigroup revealed that the company has been the victim of a breach of its online banking platform, which might have exposed sensitive data belonging to hundreds of thousands of Citi customers.

Citigroup has approximately 21 million card customers, which means, in turn, that the data of 200.000 cardholders have been impacted.

According to Sean Kevelighan, head of communications and public affairs for Citigroup: “A limited number – roughly 1 percent – of Citi North America bankcard customers’ account information [such as name, account number and contact information, including e-mail address] was viewed, the customer’s Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted.”

Apparently the credit card numbers and Social Security Numbers are safe, but this will not protect the cardholders from the very real risk of scams, phishing and fake phone calls purporting to come from Citibank or its subsidiaries…

At first glance Citigroup is only the latest breach, following the similar notorious events that hit RSA, Sony and Epsilon, so definitively nothing new under the sun of this (from an infosec perspective) really troubled 2012.

However, the more of the (so far scant) information I read, the stronger my suspicion became that the Citigroup and RSA breaches could somehow be linked.

Of course it is right to emphasize that what follows is mere personal speculation (I would rather say a personal curiosity) based on the little information released so far.

My concern comes from the fact that, according to the original statement, the breach originated from an unauthorized access to the systems of Citi Account Online, discovered during routine monitoring in early May. Citigroup is one of the main RSA customers and, most of all, was among the first (together with Bank of America, JPMorgan Chase and Wells Fargo) to immediately ask for its tokens to be replaced as soon as RSA declared the direct involvement of compromised SecurIDs in the Lockheed Martin breach (and consequently offered to replace the SecurID tokens). Since I am not a Citigroup customer, I do not know how the Citi Account Online service works (at the moment the site is not completely visible, at least from Italy, but from what I have understood the OTP is used only for transactions), so I cannot definitively trace a direct connection between the unauthorized access and the use of compromised seeds (OK, this is the weak point of my theory), nevertheless the coincidence of factors appears quite strange. For sure, to compromise the data of 200.000 users it is likely (I would say obvious) that the attackers exploited other vulnerabilities as well.
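Why a leaked seed is enough to make a token worthless, and why replacing the tokens (i.e. the seeds) is the only real remediation, is easier to see in code. The example below is added here and is not part of the original post, nor is it RSA's or Citigroup's code: SecurID uses a proprietary algorithm, so the RFC 6238 TOTP construction (HMAC-SHA1 over a time counter) is used as a stand-in, and the issuer record, the "stolen copy" of the seed and the rotated seed are all constructed for the demonstration.

```python
import hashlib
import hmac
import struct

# RFC 4226 / RFC 6238 reference seed (ASCII "12345678901234567890"), used
# here only because its expected codes are published in the RFC test vectors.
SEED = b"12345678901234567890"


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1(seed, counter), dynamic truncation, decimal."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(seed: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second periods elapsed."""
    return hotp(seed, unix_time // step, digits)


def verify_totp(seed: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Server-side check: accept codes from +/- `window` steps to absorb clock drift."""
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(seed, c, len(code)), code):
            return True
    return False


def rotate_seed(issuer_db: dict, user: str, new_seed: bytes) -> None:
    """Replace the user's seed: the remediation when seed records may have leaked."""
    issuer_db[user] = new_seed


def demo(now: int = 1111111109) -> dict:
    """Show that seed possession, not the token, is what authenticates."""
    issuer_db = {"alice": SEED}          # constructed: issuer's seed record
    stolen_copy = SEED                   # constructed: a copy of that record leaked elsewhere

    legit_code = totp(issuer_db["alice"], now)     # what alice's token displays
    forged_code = totp(stolen_copy, now)           # what anyone holding the seed computes
    forged_accepted = verify_totp(issuer_db["alice"], forged_code, now)

    # Remediation: issue a new seed (a replacement token). The old seed, and
    # every copy of it, stops producing valid codes.
    rotate_seed(issuer_db, "alice", b"constructed-replacement-seed")
    forged_after_rotation = verify_totp(issuer_db["alice"], totp(stolen_copy, now), now, window=0)

    return {
        "legit_code": legit_code,
        "forged_code": forged_code,
        "forged_accepted_before_rotation": forged_accepted,
        "forged_accepted_after_rotation": forged_after_rotation,
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point for a relying party such as a bank is that nothing in the OTP protocol distinguishes the genuine token from a copy of its seed: the `verify_totp` check passes for both, and only `rotate_seed` closes the gap. That is why, once seed records are known to be compromised, the question is not whether the attacker could use them but how quickly the seeds are replaced.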

Also the timeline of the breach is clearly noteworthy: it looks like the Citigroup breach happened in early May, nevertheless the customers were notified on Sunday, June the 5th: in a few words, a month later. Maybe Citigroup decided not to warn its customers of too many breaches at the same time (I wonder how many SecurID owners or PSN members there are among them). Anyway, a few hours after the notification to Citigroup customers, RSA officially announced the evidence of a direct connection between its breach and the one at Lockheed Martin (and the consequent decision to replace the tokens); equally curiously, according to RSA, this evidence was obtained on June the 2nd, that is approximately three days before Citigroup notified its customers about replacing the cards. It is possible (but I repeat, this is only mere personal speculation) that at the moment of notifying its customers Citigroup was already aware of the direct involvement of the compromised seeds in the Lockheed Martin affair (if I were in RSA’s shoes I would have immediately advised the affected customers), and probably also aware of the RSA offer to replace the compromised tokens. Consequently, at that point the bank realized the true extent of the breach and decided it was the right moment to take adequate countermeasures, first of all notifying the customers, and then finally replacing the tokens, but only after the official RSA statement.

Why did Citigroup not decide to replace the tokens earlier? The answer is quite simple: the RSA security breach might cost banks $100 million, so who knows what the cost would have been had the banks had to purchase the new tokens on their own?

In the coming days I will try to follow developments closely, since I am really curious to see whether a real involvement of compromised seeds will be identified. For sure we will have to face other similar events in the near future, and I do not exclude other “sons of a (RSA) breach” to come (or better, to be unleashed).

Social Notice

The relationship between social networks and the law is very controversial. If, on one hand, we are now accustomed to considering social networks as enemies of privacy, on the other hand the lack of privacy, together with the users’ lack of attention to prudent rules of behavior (sometimes one thinks that behind an avatar everything is allowed), is a factor that is playing a major role in court trials, for instance (but not only) when the parties must gather evidence during matrimonial disputes.

A “cheerful” behavior on social networks is often used to demonstrate infidelity: divorce lawyers are well aware of this, and the practice of creating fake profiles and “probing” the behavior of the adverse party in the dispute with friendship requests is now a common, established practice.

This is useful for the collection of evidence (sometimes there is not even a need to interact directly, since some users are so stupid as to write private messages on the wall). This strategy leverages partly the peculiar concept of privacy of social networks, partly the naivety and superficiality of users and, although questionable from the ethical point of view, is permitted in several countries including Italy. In the so-called “Belpaese” the law prohibits gathering evidence by abusively entering the partner’s profile, but at the same time allows gathering evidence using fake profiles with no connection to the real world (or friends’ profiles), using them to probe the partner’s fidelity (the successful gathering of evidence is real trouble for the guilty party, since there is a ruling of the Supreme Court of Cassation – 9287/1997 – according to which virtual infidelity makes that party chargeable for the separation).

Besides this point of contact, with which (un)fortunately we are becoming more and more familiar (Facebook is the top cause of relationship trouble), there is also another (controversial) important point of convergence between social networks and the law, brilliantly described in this Bloomberg article: Facebook is being used as a Tool to Serve Court Papers.

It all began two years ago in Australia, when a judge in Canberra required lawyers to serve a foreclosure notice on debtors at their home address, at a secondary address, and also via Facebook, on behalf of the creditor. Since then the practice of online legal service has been spreading as a means for courts to keep their dockets moving, and courts in New Zealand, Canada and the U.K. have adopted the Australian example to avoid having cases stall when people can’t be located and served in person. As a consequence, U.S. lawyers said the U.S. may not be far behind in using the world’s most popular social-networking service for the same purposes.

This is clearly another field in which social networks are changing the rules: the opportunity to serve court papers by means of social networks not only recognizes the legal value of a digital (social) identity, but also identifies the social network (Facebook in that case, but the practice is applicable to Twitter as well) as a reliable, secure and private communication medium.

Nevertheless there are still many concerns that probably need to be addressed in more depth.

First of all (guess what?) privacy! Even if many countries will not recognize this role for Facebook because of its well-known privacy issues, privacy advocates point out that serving court notices by mail or in person already provokes privacy complaints, and using Facebook doesn’t add any new concern.

The landscape is completely different if we analyze the question from the reputation perspective (the reputation of the receiver, or better of her social profile), which is probably the main concern. With regard to social networks I have already expressed my doubts about social reputation and the dangers hidden behind fake identities. These aspects are more relevant than ever as far as the delivery of a legal document is concerned: in order to serve notices via social networks the sender must clearly be able to trust the profile and make sure it really belongs to the person the notice is addressed to. Moreover, the sender must be able to prove that the receiver’s profile is checked often enough to make it a reliable path of notification (probably in case the traditional media failed to achieve the result).

Although many debtors and other kinds of defendants tend to hide their real or social identities precisely to avoid the notices, social delivery should be done without violating the ethics codes that prevent lawyers from “friending” the target in disguise to overcome privacy settings, even if we have seen that several countries (including Italy) permit the use of such unethical methods to gather evidence.

In particular, this aspect should not be a problem in Italy, not only because my country allows “friending” a target in disguise, but also because a notice is successfully served if it has been sent in all the prescribed manners, regardless of whether it has been read by the receiver or not. In this case the unawareness is considered negligence on the part of the receiver.

Why should lawyers and courts use social networks for serving notices? Take a look at the number of users on Facebook or the average time spent on social networks to have an answer. Moreover, consider the fact that there are many cases in which defendants, rather than receiving the notices, prefer to be unavailable at their real addresses or even to escape abroad, possibly to countries with no agreement for serving notices from the original country. In all those cases it may take up to six months to deliver the notices (at least in Italy), with the consequent stall of the legal prosecution.

Fortunately, the defendants often escape from their real world but are not able to escape from their virtual world, the social networks…
