NEW YORK (MainStreet) – Some Citi customers got a rude awakening this morning, with the bank announcing that many of its cardholders had their credit card information stolen in a security breach.
The breach was just the latest in a series of cyber-attacks that have hit some of the world’s largest companies, with email service provider Epsilon leaking the email addresses of millions of retail customers and Sony likewise leaking the personal data of PlayStation Network users.
The good news for the 1% of cardholders whose data was compromised is that the attackers likely didn’t get enough to make fraudulent charges on the cards. According to Citi, card expiration dates and the security codes printed on the back of cards were not taken along with the card numbers, and without those two values the numbers are much harder to use for online purchases, where merchants normally require both.
Still, whoever carried out the attack was able to get away with the names and contact information (including email addresses) of the cardholders. And security experts agree that this sort of intelligence can be a potent weapon that can be used to steal financial data in a more roundabout way.
The main concern here is that personally identifying information – including your name, address, birthday and any banks or companies with which you do business – can be used for identity theft or for so-called spear phishing campaigns, which use personal details to make a phishing attempt appear more legitimate. This was the main concern in the aftermath of the Epsilon data breach, and the intelligence gathered during the breach of the PlayStation Network could likewise be used to gain access to a user’s computer. For instance, even if a Sony customer’s credit card data wasn’t stolen, whoever has that customer’s email address also knows his or her name and the fact that he or she uses the PlayStation Network. Armed with this information, the attacker could send a personalized email that appears to come from Sony and asks the user to click a link that subsequently installs spyware on the home computer.
The Citi breach is no different. Stu Sjouwerman, CEO of network security firm KnowBe4, says that the compromised Citi customers have two things to worry about.
“One is phishing attacks directly to the consumers involved with a specific Citi bank branded email,” he says. “The other thing that might be more problematic over the long run is that they sell these files on the hacking black markets, so these names are now compromised. … Anyone that’s been affected needs to look at each email from the perspective that it might be a scam attempt.” He recommends that victims consider getting a new email address.
The potential for harm becomes clearer when one considers how many companies and organizations, from retailers to online news sites, hold your email address and personal information. A leak at just one of them can make you the target of a phishing attempt, and a single slip-up on your part can give a determined attacker control of your machine.
For this reason, Chet Wisniewski, a senior security analyst at computer security firm Sophos, says that he regularly gives fake email addresses, names and birthdays to the various companies that ask for this information. Of course, sometimes it’s necessary to give your real information to a company, whether it’s a banking institution or a retailer that needs your credit card. In that case, all you can do is hope that they take their security seriously – which, as Sony and Citi have taught us, is all too rare.
In a blog post following the Citi breach, Wisniewski explained a number of steps consumers should take to protect themselves from phishing attempts.
“Never accept incoming communications purporting [to] be from financial institutions you do business with, whether by email or phone call,” he writes. “Call them back using only the phone numbers published on your cards or statements. When logging in to perform online transactions, always enter their website address directly in your browser. Never click links.”
That’s sound advice for Citi customers, but the truth is that these are practices everyone should follow, regardless of whether you think your data has been compromised. The sheer number of entities that hold your personal data, combined with how much publicly available information can be found about you on the Web, means that a determined attacker will almost inevitably be able to obtain some personally identifying data about you. To demonstrate this, Sjouwerman looked me up using a program called Maltego, an intelligence-gathering program that relies on publicly available information. It took him about five seconds to find the name of one of my co-workers, and he proceeded to explain how easy it would be to send an email appearing to be from her, including a link to what appeared to be our website.
That’s why it’s up to the average consumer to protect their own data by being constantly vigilant and treating every email and link with scrutiny.
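The link scrutiny described above can be made concrete. The following Python script is an added example written for this page, not code from the article or from KnowBe4 or Sophos; the two sample messages, the trusted-domain list and every hostname in them are constructed for illustration (attacker hosts use the reserved .example top-level domain). It pulls each link out of an HTML email body and flags the two tricks a spear-phishing mail relies on: visible link text that names one site while the href points somewhere else, and a look-alike hostname that embeds a trusted brand name. The registrable-domain helper keeps only the last two DNS labels, a deliberate simplification that mishandles suffixes such as co.uk.

```python
"""Audit the links in an HTML email body for spear-phishing tricks.

Added example; the sample messages, trusted domains and hostnames below are
constructed, not taken from any real breach notification.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the recipient actually does business with (assumed for the example).
TRUSTED_DOMAINS = {"citi.com", "playstation.com"}

# Constructed sample bodies. Attacker hosts use the reserved .example TLD.
LEGITIMATE_MAIL = (
    '<p>Hi Jane,</p><p>Review your statement at '
    '<a href="https://online.citi.com/US/login">online.citi.com</a>.</p>'
)
SPEAR_PHISH_MAIL = (
    '<p>Hi Jane,</p><p>We detected unusual activity on your Citi card. '
    'Verify now: <a href="https://citi.com.account-verify.example/login">'
    'https://www.citi.com/verify</a></p>'
    '<p>Questions? <a href="https://secure-citi-login.example/help">Contact us</a></p>'
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two DNS labels: 'online.citi.com' -> 'citi.com'.
    Simplification: ignores multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def host_of(text):
    """Hostname named by URL-like display text; '' if the text is not a URL or domain."""
    candidate = text if "://" in text else "//" + text
    host = urlparse(candidate).hostname or ""
    return host if "." in host else ""


def classify_link(href, text, trusted=TRUSTED_DOMAINS):
    """Return 'ok', 'display-mismatch', 'lookalike' or 'untrusted' for one link."""
    href_host = urlparse(href).hostname or ""
    href_domain = registrable_domain(href_host)
    shown_host = host_of(text)
    # The text names one site but the link actually goes to another.
    if shown_host and registrable_domain(shown_host) != href_domain:
        return "display-mismatch"
    if href_domain in trusted:
        return "ok"
    # A trusted brand name buried inside a hostname that is not the trusted domain.
    for domain in trusted:
        if domain.split(".")[0] in href_host.lower():
            return "lookalike"
    return "untrusted"


def audit_email(html, trusted=TRUSTED_DOMAINS):
    """Return [(href, visible text, verdict), ...] for every link in the body."""
    collector = _AnchorCollector()
    collector.feed(html)
    return [(href, text, classify_link(href, text, trusted)) for href, text in collector.links]


def is_suspicious(html, trusted=TRUSTED_DOMAINS):
    """True if any link in the body is something other than a plain trusted link."""
    return any(verdict != "ok" for _, _, verdict in audit_email(html, trusted))


if __name__ == "__main__":
    for name, body in (("legitimate", LEGITIMATE_MAIL), ("spear-phish", SPEAR_PHISH_MAIL)):
        print(f"{name}: suspicious={is_suspicious(body)}")
        for href, text, verdict in audit_email(body):
            print(f"  [{verdict}] text={text!r} href={href}")
```

In practice the trusted-domain set would be the recipient's own list of institutions, which is exactly the information a leaked customer file hands an attacker; the check only confirms the advice above, since a mail whose links all pass is still best answered by typing the address yourself.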
“Ultimately the stable position is to assume your data has been hacked,” Sjouwerman says. “It’s a game of chess, and the bad guy is white. They’re always one step ahead.”