Comments on: Citigroup hacked: data for 200,000 or more US Citibank customers breached http://boingboing.net/2011/06/09/citigroup-hacked-dat.html Brain candy for Happy Mutants Thu, 23 May 2013 01:52:00 +0000 hourly 1 http://wordpress.org/?v=3.4.1 By: SamSam http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134126 SamSam Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134126 And I tried a 16-character password and it seemed to stick. So not only do they have the worst restrictions on picking passwords -- almost every one of which makes your password less secure -- but they don't bother to implement their own restrictions. Somehow that makes me feel worse. Hmmm... what do you bet that the idea was "wait! What if we need to tell people their passwords over the phone! We can't use zeros, what if we read them as O's? And how are you supposed to pronounce characters like ^ anyway -- we need to ban those. And no one wants to have to read out a 13-character password!" And I tried a 16-character password and it seemed to stick.

So not only do they have the worst restrictions on picking passwords — almost every one of which makes your password less secure — but they don’t bother to implement their own restrictions. Somehow that makes me feel worse.

Hmmm… what do you bet that the idea was “wait! What if we need to tell people their passwords over the phone! We can’t use zeros, what if we read them as O’s? And how are you supposed to pronounce characters like ^ anyway — we need to ban those. And no one wants to have to read out a 13-character password!”

]]> By: Anonymous http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1133902 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1133902 Citigroup bought the repeal of Glass-Steagal in order to retroactively legalize their purchase of Traveler's, and that's what led to TARP and the economic mess the whole world is in right now. http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/weill/demise.html Citigroup is greedy and corrupt, and spreads corruption and evil in its wake. Citigroup bought the repeal of Glass-Steagal in order to retroactively legalize their purchase of Traveler’s, and that’s what led to TARP and the economic mess the whole world is in right now.

http://www.pbs.org/wgbh/pages/frontline/shows/wallstreet/weill/demise.html

Citigroup is greedy and corrupt, and spreads corruption and evil in its wake.

]]> By: Chong http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1133903 Chong Wed, 30 Nov -0001 00:00:00 +0000 #comment-1133903 Any news on who was behind it? Only had a quick skim of the linked articles so I apologise if I missed it. Any news on who was behind it? Only had a quick skim of the linked articles so I apologise if I missed it.

]]> By: MrJM http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1133904 MrJM Wed, 30 Nov -0001 00:00:00 +0000 #comment-1133904 My local credit union has never been hacked for the secure data of its customers. Just saying. My local credit union has never been hacked for the secure data of its customers.

Just saying.

]]> By: Anonymous http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134426 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134426 I, too, like my credit union, but come on folks- do you think their online security is any better? The size of the corporation doesn't matter as much as you think it does when it comes to online security. I, too, like my credit union, but come on folks- do you think their online security is any better? The size of the corporation doesn’t matter as much as you think it does when it comes to online security.

]]> By: SamSam http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1133935 SamSam Wed, 30 Nov -0001 00:00:00 +0000 #comment-1133935 Is there any way on earth now that we can avoid losing our information to stupid websites with stupid bad internet security? If we want to live in the modern world and bank and stuff, of course. I just rushed over to change my password, don't know how much it will help. FWIW, here are the inane password requirements Citibank forces you to follow: <blockquote> To create a secure password for your account, follow these quick and simple Password Guidelines: * Must include a combination of letters and numbers only // <i>ok, so explicitly disallowing other characters -- which are no harder to store or hash!!! -- makes us less safe</i> * Must be 6 to 12 characters // <i>setting a top limit of 12 characters -- what, 13 characters is too big to store on your server??? -- makes us less safe</i> * Cannot begin with a zero // <i>adding arbitrary rules limits the number of passwords, making us less safe</i> * Cannot include spaces // <i>a space is just a character -- it's no harder to store or hash -- excluding it makes us less safe</i> * Cannot have more than 2 consecutive characters (for example, 222 or MMM, etc) // <i>adding arbitrary rules limits the number of passwords, making us less safe</i> </blockquote> DUM DUM DUM Is there any way on earth now that we can avoid losing our information to stupid websites with stupid bad internet security? If we want to live in the modern world and bank and stuff, of course.

I just rushed over to change my password, don’t know how much it will help.

FWIW, here are the inane password requirements Citibank forces you to follow:

To create a secure password for your account, follow these quick and simple Password Guidelines:
* Must include a combination of letters and numbers only // ok, so explicitly disallowing other characters — which are no harder to store or hash!!! — makes us less safe
* Must be 6 to 12 characters // setting a top limit of 12 characters — what, 13 characters is too big to store on your server??? — makes us less safe
* Cannot begin with a zero // adding arbitrary rules limits the number of passwords, making us less safe
* Cannot include spaces // a space is just a character — it’s no harder to store or hash — excluding it makes us less safe
* Cannot have more than 2 consecutive characters (for example, 222 or MMM, etc) // adding arbitrary rules limits the number of passwords, making us less safe

DUM DUM DUM

]]> By: Anonymous http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1133941 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1133941 I stopped doing business with Citibank three years ago, after my card data was stolen for the third time. On that third occasion, fraudulent transactions began appearing on a newly-issued debit card DAYS BEFORE THE CARD WAS ACTIVATED. I concluded that (a) Citi's security was fucked; or (b) Citi itself was engaging in broad-scale intentional fucking of its customers; or (c) both. Switched entirely to my credit union. Zero problems since then. I stopped doing business with Citibank three years ago, after my card data was stolen for the third time. On that third occasion, fraudulent transactions began appearing on a newly-issued debit card DAYS BEFORE THE CARD WAS ACTIVATED. I concluded that (a) Citi’s security was fucked; or (b) Citi itself was engaging in broad-scale intentional fucking of its customers; or (c) both.

Switched entirely to my credit union. Zero problems since then.

]]> By: SamSam http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1133943 SamSam Wed, 30 Nov -0001 00:00:00 +0000 #comment-1133943 Damnit, there were supposed to be line breaks in that bulleted list. I meant to click preview, I swear! Anyway, I see now it's supposed to just be credit card information. Since I would never willingly be a Citi customer for anything (my mortgage was transferred to them, out of my control), I feel a little safer. Damnit, there were supposed to be line breaks in that bulleted list. I meant to click preview, I swear!

Anyway, I see now it’s supposed to just be credit card information. Since I would never willingly be a Citi customer for anything (my mortgage was transferred to them, out of my control), I feel a little safer.

]]> By: Anonymous http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1133955 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1133955 If you think Citibank's password rules are inane, look up the ones for American Express. For some stupid reason you can’t have a password over 8 characters long with them. If you think Citibank’s password rules are inane, look up the ones for American Express. For some stupid reason you can’t have a password over 8 characters long with them.

]]> By: Cowicide http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1133964 Cowicide Wed, 30 Nov -0001 00:00:00 +0000 #comment-1133964 <blockquote>My local credit union has never been hacked for the secure data of its customers.</blockquote> Good for you! Not to mention using a local credit union is what every other patriotic American should be doing if they <i>really</i> want to stop these "too big to fail" bullshit operations from having so much power in Washington, D.C. and keep screwing the rest of us. <a href="http://cowicide.blogspot.com/2010/04/william-black-should-be-household-name.html">I think if more people watched this, they'd understand why choosing a large bank is basically an act against America.</a> Want to stop financial terrorism against America? Pull your money OUT of them, America.

My local credit union has never been hacked for the secure data of its customers.

Good for you!

Not to mention using a local credit union is what every other patriotic American should be doing if they really want to stop these “too big to fail” bullshit operations from having so much power in Washington, D.C. and keep screwing the rest of us.

I think if more people watched this, they’d understand why choosing a large bank is basically an act against America.

Want to stop financial terrorism against America? Pull your money OUT of them, America.

]]> By: TEKNA2007 http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134003 TEKNA2007 Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134003 Credit union member here. You couldn't wish for better customer service, especially if you need to call up and talk to a human. I usually get people I've talked to before. Credit union member here. You couldn’t wish for better customer service, especially if you need to call up and talk to a human. I usually get people I’ve talked to before.

]]> By: Anonymous http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134276 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134276 I see they're trying to sneak this in when people are paying attention to sony's fail, seeing as it happened in may and we're 1/3 of the way through June. So, this company had 20,000 accounts compromised and didn't tell anyone until at least a week or more likely several had passed. Yep, confirmed for sony-tier security and service. I see they’re trying to sneak this in when people are paying attention to sony’s fail, seeing as it happened in may and we’re 1/3 of the way through June. So, this company had 20,000 accounts compromised and didn’t tell anyone until at least a week or more likely several had passed.

Yep, confirmed for sony-tier security and service.

]]> By: Courtney http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134284 Courtney Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134284 Actually, I have a friend who works in customer service (not at citibank) and you would not believe the things she's heard people call the @ character. Like "epsilon," "the letter kitten," and "strudel sign." Actually, I have a friend who works in customer service (not at citibank) and you would not believe the things she’s heard people call the @ character. Like “epsilon,” “the letter kitten,” and “strudel sign.”

]]> By: Anonymous http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134039 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134039 Is it me or have there been more hackings of these big institutions? I wouldn't be surprised to see it was Lulzsec. Is it me or have there been more hackings of these big institutions? I wouldn’t be surprised to see it was Lulzsec.

]]> By: nosehat http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134298 nosehat Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134298 Yes, such a system would prioritize reading-out-account-passwords-over-the-phone-to-whomever-is-calling over account security. Which would be consistent anyway. There is no reason why a bank should ever read out your password over the phone. In fact, there's no reason a bank should ever have your plain text password in the first place. Is the one-way hash dead these days? Yes, such a system would prioritize reading-out-account-passwords-over-the-phone-to-whomever-is-calling over account security.

Which would be consistent anyway.

There is no reason why a bank should ever read out your password over the phone. In fact, there’s no reason a bank should ever have your plain text password in the first place. Is the one-way hash dead these days?

]]> By: Courtney http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134059 Courtney Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134059 I have non-letter/number characters in my citibank pw. I have non-letter/number characters in my citibank pw.

]]> By: Anonymous http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134315 Anonymous Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134315 No, i think forums still use it :D. Basically, the least important, least formal places on the internet are more secure than the most important. No, i think forums still use it :D. Basically, the least important, least formal places on the internet are more secure than the most important.

]]> By: superzorgon http://boingboing.net/2011/06/09/citigroup-hacked-dat.html#comment-1134060 superzorgon Wed, 30 Nov -0001 00:00:00 +0000 #comment-1134060 WARNING: My co-worker has a Citibank account, and she just discovered that their remedy is to switch customers to a new account... and then charge them $100 for doing so. Any of you out there w/ Citibank accounts, take heed. I bet the Citibank employee who came up with that policy got a raise. WARNING: My co-worker has a Citibank account, and she just discovered that their remedy is to switch customers to a new account… and then charge them $100 for doing so.

Any of you out there w/ Citibank accounts, take heed.

I bet the Citibank employee who came up with that policy got a raise.

]]>