It’s been a rough week for the banks. First, the Senate votes to go ahead with the debit fee cap that kicks in next month, then the Financial Times reports that hackers successfully broke into Citigroup’s North American card division and made off with names, account numbers and email addresses of around 200,000 customers. While data breaches at brands like Sony and Michaels have made headlines lately, the attack on Citi is noteworthy.
According to the Identity Theft Resource Center, more than 16 million accounts from banks, businesses, educational institutions, healthcare and government entities were exposed last year. But a direct hack on a bank — especially one as large as Citi — is rare.
According to Reuters, FDIC Chairman Sheila Bair said the agency planned to examine banks’ online security practices and suggested that some institutions may have to devote more resources to securing customer data. (Hey Sheila, given that the breach took place last month, maybe you could throw in some rules about disclosure requirements, too?) Now that the most successful bank robbers wield keyboards instead of guns, security has turned into a software arms race between banks and cyber-criminals. Lately, the guys in the black hats seem to be winning.
It’s not so much that hackers are getting smarter, says John Sileo, an identity theft speaker and consultant. Instead, they’ve shifted strategies: rather than storming the front gate, they’re chatting up the bored guard at the side entrance.
“I tend to think the cause of all of this is the human factor,” Sileo says. “One of the chief things that happens in these cases is an employee gets hacked via malware or spyware.” The prevalence of social networking has opened up a new avenue for scammers, he says. Even people who would be cautious about opening an email attachment from an unfamiliar sender might unsuspectingly click on a link from a Facebook friend, for instance. “There’s a level of trust between our friends. Those links look like they’re from friends,” he says.
Another weak link hackers exploit is the relative insecurity of smartphones. Third-party apps can be Trojan horses for malicious software, and most people don’t bother to take any protective measures when it comes to their phones. “The first line of defense is you need a password on your phone,” Sileo says. “It gives you time if it’s lost or stolen to remotely wipe out the data.” He says banks need to do a better job of educating all employees — not just high-level execs or IT specialists — about these potential risks.
So what can Citi credit cardholders do while they wait and wonder when — or if — the bank will issue them a new card? Although the data breach happened in May, thieves don’t always use or sell the data they steal right away. Sileo suggests setting up account alerts that send you a text message or email every time a transaction takes place. That way, you’ll know immediately if someone else is using your account information and can cancel the card.