Features Podcasts Family Video Comics Music Tech Science Books Film & TV Games ✚

Jill

Citigroup hacked: data for 200,000 or more US Citibank customers breached

Xeni Jardin at 8:31 am Thu, Jun 9, 2011

— FEATURED —

Book Review

The Man Who Laughs: grotesque Victor Hugo potboiler was the basis for The Joker

Feature

Eurovision 2013: An American in London

Book Review

The Twelve-Fingered Boy - mesmerizing YA horror novel

— FOLLOW US —

Boing Boing is on Twitter and Facebook. Subscribe to our RSS feed or daily email.

 

— POLICIES —

Except where indicated, Boing Boing is licensed under a Creative Commons License permitting non-commercial sharing with attribution

 

— FONTS —

Tweet
Kindle

Citigroup Inc. says hackers accessed credit card data for some 200,000 US customers. The online security breach was first discovered in May, and reported yesterday by the Financial Times (which blocks access via an onerous paywall). "The bank said it recently discovered during routine monitoring that account information for about 1 percent of customers was viewed." AP, Reuters. As The Atlantic notes, the breach may be a lot worse than Citi's letting on. But even if the damage was limited to 200,000 users, that's a breach of 1% of all North American customer accounts (21 million). Washington Post item here.

Boing Boing editor/partner and tech culture journalist Xeni Jardin hosts and produces Boing Boing's in-flight TV channel on Virgin America airlines (#10 on the dial), and writes about living with breast cancer. Diagnosed in 2011. @xeni on Twitter. email: xeni@boingboing.net.

MORE:  Business • security • Technology

More at Boing Boing

Eurovision 2013: An American in London

The technology that links taxonomy and Star Trek

  • Anonymous

    Citigroup bought the repeal of Glass-Steagal in order to retroactively legalize their purchase of Traveler’s, and that’s what led to TARP and the economic mess the whole world is in right now.

    http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/weill/demise.html

    Citigroup is greedy and corrupt, and spreads corruption and evil in its wake.

  • Chong

    Any news on who was behind it? Only had a quick skim of the linked articles so I apologise if I missed it.

  • MrJM

    My local credit union has never been hacked for the secure data of its customers.

    Just saying.

    • Cowicide

      My local credit union has never been hacked for the secure data of its customers.

      Good for you!

      Not to mention using a local credit union is what every other patriotic American should be doing if they really want to stop these “too big to fail” bullshit operations from having so much power in Washington, D.C. and keep screwing the rest of us.

      I think if more people watched this, they’d understand why choosing a large bank is basically an act against America.

      Want to stop financial terrorism against America? Pull your money OUT of them, America.

  • Anonymous

    I, too, like my credit union, but come on folks- do you think their online security is any better? The size of the corporation doesn’t matter as much as you think it does when it comes to online security.

  • SamSam

    Is there any way on earth now that we can avoid losing our information to stupid websites with stupid bad internet security? If we want to live in the modern world and bank and stuff, of course.

    I just rushed over to change my password, don’t know how much it will help.

    FWIW, here are the inane password requirements Citibank forces you to follow:

    To create a secure password for your account, follow these quick and simple Password Guidelines:
    * Must include a combination of letters and numbers only // ok, so explicitly disallowing other characters — which are no harder to store or hash!!! — makes us less safe
    * Must be 6 to 12 characters // setting a top limit of 12 characters — what, 13 characters is too big to store on your server??? — makes us less safe
    * Cannot begin with a zero // adding arbitrary rules limits the number of passwords, making us less safe
    * Cannot include spaces // a space is just a character — it’s no harder to store or hash — excluding it makes us less safe
    * Cannot have more than 2 consecutive characters (for example, 222 or MMM, etc) // adding arbitrary rules limits the number of passwords, making us less safe

    DUM DUM DUM

    • Courtney

      I have non-letter/number characters in my citibank pw.

      • SamSam

        And I tried a 16-character password and it seemed to stick.

        So not only do they have the worst restrictions on picking passwords — almost every one of which makes your password less secure — but they don’t bother to implement their own restrictions. Somehow that makes me feel worse.

        Hmmm… what do you bet that the idea was “wait! What if we need to tell people their passwords over the phone! We can’t use zeros, what if we read them as O’s? And how are you supposed to pronounce characters like ^ anyway — we need to ban those. And no one wants to have to read out a 13-character password!”

        • Courtney

          Actually, I have a friend who works in customer service (not at citibank) and you would not believe the things she’s heard people call the @ character. Like “epsilon,” “the letter kitten,” and “strudel sign.”

        • nosehat

          Yes, such a system would prioritize reading-out-account-passwords-over-the-phone-to-whomever-is-calling over account security.

          Which would be consistent anyway.

          There is no reason why a bank should ever read out your password over the phone. In fact, there’s no reason a bank should ever have your plain text password in the first place. Is the one-way hash dead these days?

          • Anonymous

            No, i think forums still use it :D. Basically, the least important, least formal places on the internet are more secure than the most important.

  • Anonymous

    I stopped doing business with Citibank three years ago, after my card data was stolen for the third time. On that third occasion, fraudulent transactions began appearing on a newly-issued debit card DAYS BEFORE THE CARD WAS ACTIVATED. I concluded that (a) Citi’s security was fucked; or (b) Citi itself was engaging in broad-scale intentional fucking of its customers; or (c) both.

    Switched entirely to my credit union. Zero problems since then.

  • SamSam

    Damnit, there were supposed to be line breaks in that bulleted list. I meant to click preview, I swear!

    Anyway, I see now it’s supposed to just be credit card information. Since I would never willingly be a Citi customer for anything (my mortgage was transferred to them, out of my control), I feel a little safer.

  • Anonymous

    If you think Citibank’s password rules are inane, look up the ones for American Express. For some stupid reason you can’t have a password over 8 characters long with them.

  • TEKNA2007

    Credit union member here. You couldn’t wish for better customer service, especially if you need to call up and talk to a human. I usually get people I’ve talked to before.

  • Anonymous

    I see they’re trying to sneak this in when people are paying attention to sony’s fail, seeing as it happened in may and we’re 1/3 of the way through June. So, this company had 20,000 accounts compromised and didn’t tell anyone until at least a week or more likely several had passed.

    Yep, confirmed for sony-tier security and service.

  • Anonymous

    Is it me or have there been more hackings of these big institutions? I wouldn’t be surprised to see it was Lulzsec.

  • superzorgon

    WARNING: My co-worker has a Citibank account, and she just discovered that their remedy is to switch customers to a new account… and then charge them $100 for doing so.

    Any of you out there w/ Citibank accounts, take heed.

    I bet the Citibank employee who came up with that policy got a raise.