In the past few months, hackers have enjoyed growing fame while their targets have suffered damaged credibility with customers and financial loss. Now it's Citibank's turn.
The past several months have seen multiple data breaches against Sony, Amazon and Google. LulzSec hacked Sony again, for the sixth time, media reported Thursday, releasing 54MB of Sony Computer Entertainment Developer Network source code and maps of Sony BMG's internal network.
A direct hack of a bank is rare. Hackers usually go after retailers or card-holders to steal credit card information.
The breach of Citigroup's online banking system announced today may have shattered confidence in bank systems, which are traditionally regarded as more robust and secure.
It raises the question of whether the flames of the ongoing cyber-war are spreading to banks. If so, both governments and private companies must act promptly to combat cyber-crime.
Computer security experts generally agree that hacking into a bank is doable, and not too difficult. Citigroup was breached by hackers in 2009, and before that in 2005. The company's online security is questionable, and according to a member of the hacker group Anonymous quoted by the New York Times, the 128-bit encryption the bank boasts of is really not that big a deal. "The security is so weak right now, if you know a couple attacks, you can just go around and see what works," he said.
Though many bank websites ask customers multiple questions to verify their identity, this does not necessarily enhance security. In 2009, Patco Construction Co., a Maine-based company whose online credentials had been stolen by cyber thieves, filed a lawsuit against Ocean Bank. Patco's suit sought to hold the bank responsible for the financial loss of $345,000. A magistrate recommended denying Patco's motion and granting the bank's motion.
Ocean Bank allowed customers to log into accounts using little more than a user name and password. Customers were asked to answer a challenge question every time they used the online system, which Patco identified as the factor that increased the risk. A fraudster using a banking Trojan would be able to compromise the answers to the challenge questions, Patco's security expert claimed.
The point is that posing the questions to every person on every transaction didn't provide additional security, and the basic level of security may be lax anyway. Though bank websites are said to employ bullet-proof security, it seems the enemy has pierced it.
You may have been disappointed by the vulnerability of major companies' online security systems. Now that one of the top banks has joined the hackers' target list, it may be time to raise awareness of the need for self-defense and to find a real bullet-proof solution.