Today some more details about the Citi breach were revealed and it looks like it is not connected with the RSA breach.
The investigation is still in place, but data collected so far show the kind of attack performed is pretty much more “traditional” then a SecureID clonation: the attackers were able to bypass the perimeter security systems by logging on the site reserved for credit card customers (but no one has explained so far how) were they were able to exploit some vulnerabilities on the Home Banking Web Site.
Once inside, they leapfrogged between the accounts of different Citi customers by inserting vari-ous account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
It looks like application and database security is a curse and a bless for the infosec arena. Although not fully mature in my opinion, it is one of the most promising sectors (in which there are grand maneuvers under way by the vendors), but in the same way, application in(security) has been the indirect reasons for several events this year: Sony (in some of the suffered breaches) and Epsilon have been victims of SQL Injection, and if for a moment we forget the breaches (real leading actors of this 2011) and pass to consider malware, we must necessarily mention LizaMoon which has flooded an impressive number of databases all over the world with SQL Injection, infecting more than 1,500,000 URLs.
Unfortunately these kinds of attacks are not simple exercises in style but are often the first stage of more complex Cybercrime operations. If the stolen Data immediately usable (such as Credit Card Numbers and corresponding CVV codes), they are sold in the Black Market Bazaar. In other circumstances, when the stole information is not enough to gain immediate profit, the targets become victims of tailored spear-phishing campaigns (which could potentially last for several years) aimed to gain the missing pieces of the puzzle (read information) necessary to perform the malicious actions.
That is the reasons why, if not already done, Enterprises need to make application security a key foundation for the development of secure business application and services: educating the developers with secure development guidelines, implementing adequate countermeasures with Web Application/Database Firewall, periodically probing the security level of the infrastructure with Vulnerability Assessment and Penetration Test and, last but not least, performing a constant patching.
This corresponds to implement an application oriented modern form of the Deming Cycle, more poetically summarized by the expression “performing Application Housekeeping”.
- Application Security: What’s Next? (paulsparrows.wordpress.com)
- Citigroup Breach and RSA Breach: A Possible Connection? (paulsparrows.wordpress.com)
Today Citigroup revealed that the company has been victim of a breach of its online banking platform, which might have exposed sensitive data belonging to about hundreds of thousands of Citi customers.
Citigroup owns approximately 21 million card customers, which means, in turn, that data of 200.000 cardholders have been impacted.
According to Sean Kevelighan, head of communications and public affairs for Citigroup: “A limited number – roughly 1 percent – of Citi North America bankcard customers’ account information [such as name, account number and contact information, including e-mail address] was viewed, the customer’s Social Security number, date of birth, card expiration date and card security code [CVV] were not compromised. We are contacting customers whose information was impacted.”
Apparently the credit cards and Social Security Numbers are safe, but this will not prevent the Cardholders from the real risk of scams, phishing and fake phone calls from Citibank or its subsidiaries…
At first glance Citigroup is only the last breach following the notorious similar events occurred to RSA, Sony, Epsilon, so definitively nothing new under the sun of this really troubled (from an infosec perspective) 2012.
However, the more (scant so far) information I read, the stronger the suspicion became that the Citigroup and RSA breaches could somehow be linked.
Of course it is right to emphasize that what follows is a mere personal speculation (I would rather say a personal curiosity) based on the few information unleashed so far.
My concern comes from the fact that, according to the original statement, the breach was originated by an unauthorized access to the systems of Citi Account Online discovered during routine monitoring in early May. Citigroup is one of the main RSA customers, and most of all has been one of the first (together with Bank of America, JPMorgan Chase, Wells Fargo) to immediately ask to replace the tokens as soon as RSA declared the direct involvement of compromised SecurIDs in the Lockheed Martin breach (and consequently offered to replace SecurID tokens). Since I am not a Citigroup Customer, I do not know how the Citi Account Online Service works (in this moment the site is not completely visible, at least from Italy, but from what I have understood OTP is used only for transactions), so I cannot definitively trace a direct a connection between the unauthorized access and the use of compromised seeds (OK this is the weak point of my theory J), nevertheless if the coincidence of factors appears quite strange. For sure, to compromise data of 200.000 users it is likely (I would say obvious) that the attackers exploited other vulnerabilities.
Also the timeline of the breach is clearly noteworthy: it looks like the Citigroup breach happened at the early May, nevertheless the customers were notified Sunday JUne the 5th : said in few words, a month later. Maybe Citigroup has decided not to warn its customers of too many breaches at the same time (I wonder how many owners of SecurID or PSN members there are between them). Anyway few hours after the notification to Citigroup customers, RSA would have officially announced the evidence of a direct connection between its breach and the one to Lockheed Martin (and the consequent decision to replace the tokens); equally curiously, according to RSA, this evidence was obtained on June the 2nd, that is approximately three days before the notification by Citigroup to replace the cards to its customers. It is possible (but I repeat this is only a mere personal speculation) that at the moment of notifying its customers, Citigroup was already aware of the direct involvement of the compromised seeds on the Lockheed Martin affair (if I were in RSA’s shoes I would have immediately advised the affected customers), and probably also aware of the RSA offer to replace the compromised tokens. Consequently at that point the Bank realized the true extent of the breach and decided it was the right moment to take adequate countermeasures, first of all notifying the customers, and then finally replacing the tokens, but only after the official RSA statement.
Why Citigroup did not decide to replace the tokens before? The answer is pretty much simple: RSA security breach might cost banks $100 million, so who knows what would have been the cost if Banks should have purchased the new tokens from their own?
In the coming days I will try to follow developments closely, since I am really curious to see it a real involvement of compromised seeds will be identified. For sure we will have to face other similar events in the near future, and I do not exclude other “sons of a (RSA) breach” to come (or better to be unleashed).
- Citigroup Admits Being Hacked in May: Coy About Extent of Impact (spectrum.ieee.org)
- Citigroup Hack of the Day (geeks.thedailywh.at)
- Citigroup Helpfully Notifies Customers It Was Hacked a Month Ago [Hackers] (gawker.com)
- Citigroup hacked: data for 200,000 or more US Citibank customers breached (boingboing.net)
- Citigroup breach exposes data on 210,000 customers (infoworld.com)