Citibank Denies Reported Breach Linked To Russian Gang
alphadogg writes "US authorities are investigating the theft of an estimated tens of millions of dollars from Citibank by criminals using Russian software tailored for the attack, according to the Wall Street Journal (subscription required to access that link — CNET's coverage here). The security breach at the major US bank was detected mid-year based on traffic from Internet addresses formerly used by the Russian Business Network gang, the WSJ reported today, citing unnamed government sources. The Russian Business Network is a well-known group linked to malicious software, hacking, child pornography, and spam. The FBI is probing the case, the report said. It was not known whether the money had been recovered and a Citibank representative said the company denied any system breach or losses, according to the report."
Paywalls suck (Score:5, Informative)
Re: (Score:3, Informative)
Anyway, for those of us who disable referers from headers the google news method won't work either
WSJ article was misleading (Score:5, Insightful)
The reporter was trying to link a bunch of separate things together.
1. Black Energy conducted a DDoS against Citibank, but did not steal tens of millions of dollars from them.
2. Last year, Citi lost tens of millions of dollars from skimmers attached to ATMs.
3. The hacker Cr4sh is the author of Black Energy, but there is no evidence he was involved in the attack on Citi.
There is nothing relating these three incidents other than the wishes of an aggressive reporter wanting to build some kind of story against Citi; *perhaps* he's trying to pump up a case to make it appear they are risking bailout money. But at least when I type this kind of crap I'm labeling it for what it is: PURE SPECULATION.
Re:WSJ article was misleading (Score:5, Insightful)
The thing the banks really don't talk about is that losses from in-house embezzlers far exceed losses from outside agents. And of course we won't speak of the enormous losses caused by management greed and stupidity.
Re: (Score:3, Insightful)
The thing the banks really don't talk about is that losses from in-house embezzlers far exceed losses from outside agents.
Really? Have you recent facts to back that claim up? It may have been true in the 1950s, but is it still true in today's world, where a hacker can gain essentially "insider" authority?
And of course we won't speak of the enormous losses caused by management greed and stupidity.
There's an assertion I don't have to ask you to back up, as it's been pretty well covered in the press. But there's a lot of greed and stupidity going around, and some of it comes from the shareholders, Congress, lawyers, etc. It's not just limited to management.
Re: (Score:1)
Verizon publishes a really interesting [verizonbusiness.com] (downloads pdf) study on breaches every so often. While things are probably much different when it comes to actual banks, it mentions that 80% or so of the 'data' lost in breaches is actually coming from outsiders nowadays.
Insiders still have the largest breaches, but the sheer number of outside breaches is dominating the current trends.
Re: (Score:2)
It's true, and still truer than ever. Insider losses are on the rise,
The difference between insider attacks and outsider attacks are much different than what an outsider obtains through cracking and privilege escalation. Just because you own a system (or all of them), doesn't mean you can do what an insider can.
An insider atta
Re: (Score:3, Insightful)
For the medium-wigs:
Re:WSJ article was misleading (Score:4, Insightful)
2. Last year, Citi lost tens of millions of dollars from skimmers attached to ATMs.
2. Last year, Citi customers lost tens of millions of dollars from skimmers attached to ATMs.
(emphasis mine)
Not individually, but as a group customers always pay the bill for incompetent management / inadequate security.
Re: (Score:3, Insightful)
How exactly would it recoup its losses from customers? By lowering its interest rates? If it could increase profits by doing that they would already have done so.
Directly only the investors lose out.
Re: (Score:2)
I think he meant they raise the service prices to cover the difference per transaction, so instead of costing you 1.50$ each time you use your card to access your own money, they now charge you 1.75$
Pretty simple really.
Great points, plover! (Score:5, Informative)
Re:WSJ article was misleading (Flavour mix) (Score:1)
They wouldn't find an elephant in a two-meter square room.
It seems they're hiding info, self interests implicated maybe?
Joe Petro, managing director of Citigroup's Security and Investigative services, said, "We had no breach of the system and there were no losses, no customer losses, no bank losses."
Apparently those tens of millions of dollars would have been on holiday somewhere around Cayman Islands, hehehe!
On the other hand, I've found no mention in WSJ article to child pornography. Where did that come from? It only rests to say these thieves are terrorists and are supposed to be linked to al-qaeda.
Losses to online crime of all types exceeded $260 million in the U.S. last year, the FBI estimates.
At least is much less t
Re: (Score:1, Interesting)
Oh really? Then why did Citibank issue me a replacement card with a completely new number in August?
* Posted Anonymously on purpose.
In other news... (Score:5, Interesting)
... the US and UK public are asking for an investigation into the apparent transfer of billions of dollars of public money to major banks. No-one is probing the case and yet the govt and banks are not denying any breach of the political and economic systems.
Citibank != Russian Gang ? (Score:5, Interesting)
I honestly thought they were one and the same.
Maybe someone can enumerate for me, the differences between Citibank and a Russian Gang . . .
Rips off governments for millions . . . check
Rips off people for millions . . . check
Re: (Score:3, Insightful)
Speak with awesome hardarse Russian gangster accents ... fail
Re: (Score:2)
Just in case folks need a citation for the above [wikipedia.org]
Drop in the bucket (Score:2)
Re: (Score:2)
That's rounding error from the whole fallout from those silly little "off-balance-sheet" [bloomberg.com] activities they were running with up until about a year ago. I mean, you can only get *so* accurate when dealing with numbers like those.
Re: (Score:2)
They probably missed a decimal point. I hear that type of error is common.
Use the chinese software instead (Score:3, Informative)
The Kuang Grade Mark Eleven Penetration Program is the way to go. But you need a live person at the controls. Not a flatline, because Neuromancer knows his every move in advance.
Re: (Score:3, Informative)
Yeah, but not if you're running it on an Ono-Sendai 6 with just tactile feedback. You need full immersion to do it right.
Cash loss is better than trust lost (Score:5, Insightful)
No audits, please! (Score:1, Interesting)
Admitting to the theft would probably trigger in-depth audits and increased scrutiny of Citibank operations. THAT might be very, very bad for Citibank.
Let's just handle it on a modified mark-to-market basis. The money used to be here, and if it was still here we wouldn't have lost anything.
If you prefer QM, think of it as Schrödinger's cat - of course, he's still alive - no need to look in that box.
It ain't funny, McGee!
Re: (Score:1)
The momentum and position of the bucks cannot be known simultaneously to any useful precision. Heisenberg
I for one welcome our new Quantum Economical overlords.
Denial seems to be in this year (Score:3, Insightful)
Citibank representative said the company denied any system breach or losses, according to the report.
My web host provider *cough*inmotion*cough* got hacked a couple months ago and they denied it across the board, tried to turn it back on the users by claiming all the accesses were routine FTP connections.
Makes me wonder if denial is the new trend?
Re: (Score:2)
Best way to deal with this, is host your own site.
Wall Street Journal - lousy reporting at its best (Score:3, Informative)
Re:Wall Street Journal - lousy reporting at its be (Score:3, Informative)
Brian Krebs from Washington Post covered this months ago
On slashdot, it's considered polite to use the anchor tag.
Can the FBI/CIA actually do anything about it? (Score:4, Interesting)
Let's say it actually was a "Russian Gang" operating out of say, Russia. What can US Gov't agencies do against this? Can they do anything within the law besides call up Russia and tell them to 'take care of it.' It's not like we can drop commandos into Russia and go after them, nor can we launch electronic attacks on this gang (act of futility).
According to the US Constitution, Section 8 [usconstitution.net], Congress has the power to provide for the common Defense and general Welfare of the United States.
I see this type of activity as an attack, just because it's two private entities, this IMHO is no different than if SAP tried to hack into Oracle.
Hey Fed, I'm sick of US companies wasting time, money and effort to deal with these people bent on conducting electronic warfare.
As a side note, I wonder how much $$ is wasted in terms of extra capacity (servers, network, CPU, power) needed by US companies to deal with all this BS (spam, people hacking in etc..) floating around the internet.
I once heard a presentation by a guy at Yahoo who managed a few of their datacenters. When asked about how they deal with DOS attacks his response was that they had more computing capacity than the internet could deliver to them, so they just absorb whatever attacks are sent their way.
Re: (Score:2)
they actually have the diplomatic ties to call whatever justice system there is in Russia that might consider going after these guys
There is a justice system in Russia?
Re: (Score:1)
Re: (Score:3, Insightful)
In related news... (Score:2)
How do these attacks work? (Score:2, Interesting)
So what is the attack system used to get "tens of millions of dollars"?
Do they collect 10,000 user names and passwords from personal computer users?
Do they somehow take over a merchant deposit account and transfer funds out of it?
Do they emulate a bank-to-bank transaction and modify the bank-to-bank back end transaction?
Re: (Score:1)
So what is the attack system used to get "tens of millions of dollars"?
The article ties together many attacks.
Do they collect 10,000 user names and passwords from personal computer users?
One of the attacks was (skimming atm cards)
Do they somehow take over a merchant deposit account and transfer funds out of it?
One was, by apparently key logging.
Do they emulate a bank-to-bank transaction and modify the bank-to-bank back end transaction?
Maybe, doesn't seem to be reported in the article.
I was gonna say something witty about RTFA but I find getting my questions out of commentators is easier as well.
Obligatory (Score:1, Funny)
"Not just another security collapse...
It's Citibank security collapse."
What a kewl way to embezzle! (Score:1)
Gotta love the doublespeak (Score:4, Funny)
The FBI is probing the case, the report said. It was not known whether the money had been recovered and a Citibank representative said the company denied any system breach or losses, according to the report.
There was no system breach! And the money was probably recovered anyways!
Story smells of Occult practices (Score:1)
I find it interesting that they attribute 5 things to this "Russian" business network. 5 is an occult power number for encumbering the help of Gnosticism's 5 dark evil demi-urges that are accredited with creating this world. The bankers are masters of deception and occult hand waving. Who else could conjure up money out of thin air for you to buy your house with and then enslave you to pay the sum back times 3? May the bankers be fully exposed and bear the shame and may they seek our forgiveness on their knees. M