Citibank Hack Shines Light on PCI Compliance

Details emerge of elaborate plot to hack Citibank's ATM network architecture

Just two days after the Payment Card Industry (PCI) Security Standards Council announced the deadline for application security compliance and said it would be issuing guidelines for PIN entry devices, court documents have emerged detailing an elaborate plot to hack Citibank's ATM network architecture.

According to security experts, the timing couldn't have been better for highlighting the serious issue of intrusion and data theft on networks anchored by a Windows OS-based system.

"Any device that processes personal identification numbers is an important link in the transaction chain," wrote Bob Russo, general manager of the PCI Security Standards Council, in an e-mail to "The council is reaffirming its commitment to developing additional standards to meet the needs of the industry and to ensure continued safety and security for consumers."

In its announcement on Monday, the PCI Council advocated a testing and product approval program for unattended payment terminals and related host hardware. Such a program would help protect sensitive card data at any point in the transaction process.

Meanwhile, the court case against Yuriy Rakushchynets, Ivan Biltse. and Angelina Kitaeva -- all three indicted at a New York federal court four months ago for allegedly hacking Citibank's ATM system through a browser-based attack vector -- should be seen as a call to action, one independent security consultant said.

"You have federal IT security guidelines such as HIPAA for hospitals and health care. I think it's time a similar uniform code for personally identifiable information was put in place," said Kris Lovejoy, IBM's director of corporate governance, risk, compliance, and security strategies, in an interview on Wednesday. "The big question is, 'What the heck do you protect?' Many organizations I talk to don't know where to start or what to do about issues like this and are stymied by the increasing complexities of compliance."

While Lovejoy advocated some type of government-mandated security benchmark that defines what "personally identifiable information is and how to protect it," she warned against a lengthy legislative process that could stifle innovation.

At issue in the Citibank hack is the vulnerability of "low-hanging fruit" -- data that was easily accessible through a browser-based application based on Windows architecture and designed solely for ATM network maintenance, repair, and remote monitoring. Somehow, the hackers were able to access data fields containing the PINs of bank customers which, in most cases, should be encrypted.

To protect against such attacks, experts such as Lovejoy suggest -- among other things -- one-way password hashing, where even a system or network administrator can't see passwords; elevated encryption of critical data fields in database tables containing personal info; or obfuscation of data, which could be done by hiding the information in the data field or encoding it so it displays as undecipherable symbols instead of personal information.

Citigroup, the holding company for Citibank, is mum on the issue, saying in a statement to the Associated Press that any customers who have lost money due to the hack will not be held responsible for "fraudulent activity in their accounts."

Meanwhile, the guidance that the PCI Council is issuing amid several high-profile breaches has taken center stage in what IT security pros say is a brave new world of threats.

"I think currently what [PCI Council] is doing is a relatively good start," Lovejoy said. "What the government could do is work with [the] industry to develop best practices and standards that can create a reasonable assurance of security. If they want to work with the PCI Council, then that's fine, but they need to do something."

-- Jabulani Leffall

Must Read Articles