Banks' ID verification protocols questioned in wake of Citi hack

Jun 11, 2011 Brian Bradley

Citigroup has announced that a recent hacking incident compromised the security of approximately 1 percent of its 21 million North American card customers, raising concerns about the identity verification procedures of financial institutions.
"The most sophisticated hackers in the world target banks, and they target government agencies," Tom Kellermann, a former World Bank cybersecurity official and current chief technology officer at Maryland-based wireless security firm AirPatrol, told the Wall Street Journal.

According to Kellermann and other security experts, weaknesses in banks' identity authentication procedures leave them vulnerable to criminals - a problem that is being compounded by consumers' increased reliance on using iPads, iPhones, Androids and similar devices to conduct banking activities.

The ID authentication recommendations that are currently in place for banks are six years old. They are in the process of being updated by the Federal Reserve, in partnership with the Federal Deposit Insurance Corporation, the Office of the Comptroller of the Currency and others. The new guidelines will focus on ID verification of customers accessing their bank accounts via the internet.

The news source reports that Senate Banking Committee Chairman Tim Johnson, a South Dakota Democrat, is planning a hearing to investigate the security of data within the financial services industry.

In the Citi incident, hackers accessed information associated with approximately 200,000 accounts, such as account numbers, holders' names and email addresses. Data related to Social Security numbers, birth dates and card details such as expiration dates and security codes were not exposed.

However, according to Jonathan Gossels, president and CEO of information technology security firm SystemExperts Corporation, hackers can use contact details to send false emails in order to obtain more information.

"They can use what they have to construct some very credible phishing attacks," Gossels told Reuters Wealth. He urged consumers to regard emailed requests for personal information with caution, even if they appear to be sent by familiar companies.
The multinational financial services company has not revealed when the breach took place; however, it reported the problem within weeks and is already taking steps to provide approximately 100,000 of its customers with replacement credit cards - an effort that may cost as much as $20 apiece. At the beginning of April, email marketing company Epsilon announced the first of a series of recent high-profile data breaches that have affected Sony, advanced technology company Lockheed Martin and security firm RSA.
