Dark Reading is part of the Informa Tech Division of Informa PLC


3/9/2006
02:51 PM

If You Can't Trust Your Bank, Who Can You Trust?

You're traveling out of the country, for business or on vacation, and you decide it's time for lunch. You're about to hail a taxi to take you to that fantastic café you passed by this morning, but first you figure you might as well get some cash. No problem, there's even a branch of your local bank nearby. Well, maybe there is a problem. The ATM refuses to give you any money, informing you that your transaction cannot be completed and you should call your bank. You pull out your cell phone but, it turns out after several minutes of hold music, the customer service representative can't figure out why your transaction was denied, and he can't help you. If this sounds like a realistic scenario, that's because, thanks to a data hack and careless encryption practices, it is for some customers of Citibank, Wells Fargo, and other financial institutions.

Shortly after I wrote yesterday's story about Citibank's confirmation that a third-party company it does business with had been breached, causing the bank to block PIN-based transactions for customers in Canada, Russia, and the U.K., I started to hear from the people directly affected by the mess this latest data faux pas caused.

One Wells Fargo customer named Ken Rutsky was nice enough to relate his experiences on the record. Ken, who's the executive VP of worldwide marketing for security software maker (don't you love the irony?) Workshare Inc., told me he'd arrived in London on March 5 and was unable to get money out of an ATM using his Wells Fargo debit card. "I tried and saw the message on the ATM, 'this transaction can not be completed. Contact your Financial Institution,'" Rutsky wrote me in an E-mail message.

"I had zero £'s but $100 in my wallet, so I begged three cabbies to take $$s at 2:1 exchange rate, and found one," Rutsky wrote. "In the cab I was told by 1-800-TO-WELLS customer service that I was over limit, which I knew I was not. After getting to my hotel I went to the ATM across the street. Same message. I called customer support again, and was told the account should work, my limit was raised, try another ATM. I walked about 1 mile to two other ATMs, same thing. I gave up for the day."

The rest of Rutsky's tale unfolded as you might expect: more calls to customer support, confusion over the cause of the problem, escalation to a supervisor, very little resolved.

But he's not alone. In a February 28 Seattle Times Web site posting, Seattle's Frank Conlon described a similar scenario. "I arrived [in] London last Friday afternoon and discovered that my Wells Fargo ATM card would not work in any bank machine. It was not a technical fault--Wells Fargo had put a hold on any ATM transaction in the entire U.K. I learned this after many pounds worth of phone calls first to my local branch in Seattle and then to Wells Fargo headquarters."

Conlon also notes that when he asked why he hadn't been previously informed of this problem, the bank said it didn't want to "compromise our investigation." He was finally able to get some cash by writing a check at American Express after showing them his AMEX card. "How a major bank like Wells Fargo could pull a stunt like this without notifying its customers is beyond belief," he wrote.

How did this happen? Citigroup, Citibank's parent company, has been very cagey about what happened on its end, using vague language in its official announcement describing how the bank and its customers were the "victims of a third-party business' information breach" that the bank detected in February after seeing "several hundred fraudulent cash withdrawals in three countries." Citigroup also stated that it's "in the process" of contacting affected customers individually and issuing new cards.

Even though Citigroup has known about this problem for weeks, the company doesn't feel it's in a position to provide much more information. This has led to much speculation over the cause and scope of its latest data security problem. Gartner VP and Research Director Avivah Litan told me Thursday that her research indicates a "huge hack" was perpetrated against a company that stores information about Citigroup clients. It's unclear whether this company is a retailer or some sort of service provider. Either way, the attackers got their hands not only on Citibank customers' encrypted PINs, but on the master key used to decrypt this information, Litan told me.

"It is the first time there's been such a massive PIN debit fraud," Litan said. "It shouldn't be written off as just another breach." The fact that she even used the words "just another breach" tells you just how bad things have gotten.

There's another tricky aspect to the theft of encrypted data: Banks in some states aren't necessarily obligated to inform their customers of this theft because, since the data is encrypted, technically there isn't a "reasonable risk" that the theft could lead to an invasion of one's privacy. Of course, in reality that goes out the window if the encryption key is also stolen.

More than 20 states have laws regarding data breach victim notification, and federal legislation is pending. California's Information Practices Act, for example, requires any company that conducts business in the state to disclose any breach in the security of the data of any resident of California whose unencrypted personal information has been compromised and acquired.

Although Citigroup counts itself as one of the "victims" in this crime, this is a very liberal interpretation of the word. The people who couldn't get their own money out of their bank accounts are the real victims, and Citigroup is guilty of not protecting them from being victimized by this scam. Citigroup may not have been responsible for storing the PINs and encryption keys that were stolen, but certainly a company that large and influential has the power to demand that retailers not store Citigroup customer PINs at all. Citigroup and other banks should also be asking retailers, service providers, and other companies they do business with how their customers' data is being protected. This would include ensuring that encryption is done properly. Surely Citigroup's IT executives are smart enough to know that the master encryption key must be closely guarded and kept away from the encrypted data.

When your bank's name is on the debit card, you can't go pointing the finger at someone else.
