Citibank Hack Shines Light on PCI Compliance
- By Jabulani Leffall
- July 02, 2008
Just two days after the Payment Card Industry (PCI) Security Standards Council
announced the deadline for application security compliance and said it would
be issuing guidelines for PIN entry devices, court documents have emerged detailing
to hack Citibank's ATM network architecture.
According to security experts, the timing couldn't have been better for highlighting
the serious issue of intrusion and data theft on networks anchored by a Windows
"Any device that processes personal identification numbers is an important
link in the transaction chain," wrote Bob Russo, general manager of the
PCI Security Standards Council, in an e-mail to Redmondmag.com. "The council
is reaffirming its commitment to developing additional standards to meet the
needs of the industry and to ensure continued safety and security for consumers."
In its announcement
on Monday, the PCI Council advocated a testing and product approval program
for unattended payment terminals and related host hardware. Such a program would
help protect sensitive card data at any point in the transaction process.
Meanwhile, the court case against Yuriy Rakushchynets, Ivan Biltse and Angelina
Kitaeva -- all three indicted at a New York federal court four months ago for
allegedly hacking Citibank's ATM system through a browser-based attack vector
-- should be seen as a call to action, one independent security consultant said.
"You have federal IT security guidelines such as HIPAA for hospitals and
health care. I think it's time a similar uniform code for personally identifiable
information was put in place," said Kris Lovejoy, IBM's director of corporate
governance, risk, compliance and security strategies, in an interview on Wednesday.
"The big question is, 'What the heck do you protect?' Many organizations
I talk to don't know where to start or what to do about issues like this and
are stymied by the increasing complexities of compliance."
While Lovejoy advocated some type of government-mandated security benchmark
that defines what "personally identifiable information is and how to protect
it," she warned against a lengthy legislative process that could stifle
At issue in the Citibank hack is the vulnerability of "low-hanging fruit"
-- data that was easily accessible through a browser-based application based
on Windows architecture and designed solely for ATM network maintenance, repair
and remote monitoring. Somehow, the hackers were able to access data fields
containing the PINs of bank customers which, in most cases, should be encrypted.
To protect against such attacks, experts such as Lovejoy suggest -- among other
things -- one-way password hashing, where even a system or network administrator
can't see passwords; elevated encryption of critical data fields in database
tables containing personal info; or obfuscation of data, which could be done
by hiding the information in the data field or encoding it so it displays as
undecipherable symbols instead of personal information.
Citigroup, the holding company for Citibank, is mum on the issue, saying in
a statement to the Associated Press that any customers who have lost money due
to the hack will not be held responsible for "fraudulent activity in their
Meanwhile, the guidance that the PCI Council is issuing amid several high-profile
breaches has taken center stage in what IT security pros say is a brave
new world of threats.
"I think currently what [PCI Council] is doing is a relatively good start,"
Lovejoy said. "What the government could do is work with [the] industry
to develop best practices and standards that can create a reasonable assurance
of security. If they want to work with the PCI Council, then that's fine, but
they need to do something."
Jabulani Leffall is an award-winning journalist whose work has appeared in the Financial Times of London, Investor's Business Daily, The Economist and CFO Magazine, among others.