Security Weakness

The Security Weakness of Citi Bank

Citi Bank Group (Citi) changed its business model by migrating onto digital platforms to allow customers 24/7 hour access to their banking and account information, through virtual access on all electronic services. However, evidence of Citi’s security weaknesses was exposed in 2011 when its systems were hacked into and financial data of more than 360,000 customers’ credit cards were exposed (Wired, 2011). Citi’s technical vulnerability involved the bank’s Cards’ Account Online Web-based system (Kitten, 2013) making it one out of the many banks that have become victims of cyber fraud. 

Weaknesses

Citi’s network was easily penetrable by hackers using “parameter tampering” against the vulnerability of Citi’s website. It was easy for the hackers to type multiple strings of data onto the address bar tens of thousands times and access account data. Therefore, one key threat to Citi’s Bank’s network was that it was vulnerable to intrusive external activity (Treasury and Trade Solutions, 2016). Essentially, this weakness was related to weak online authentication practices. As stated, the weaknesses of Citi Bank were associated to cyber security and not physical practices. The bank’s physical facilities are well security, but the online platforms were more vulnerable to attacks and security breach.

Vulnerabilities and Threats

A keen evaluation revealed that the ATM infrastructure at Citi Bank was vulnerable as a result of delayed security patches on bank-end-ATM servers, hence rendering them susceptible to attacks. 

The bank was also using Flat-networks, whereby ATM transactions are put on one network segment with other enterprise systems, hence making the ATM data easily accessible by anybody, and this is a serious vulnerability. Furthermore, the ATMs were specifically linked to IP-Based networks, which meant that Transaction and PIN-data that is unencrypted can easily be exposed to spoofing by cyber attackers.

Leadership Awareness and Resource Support

Citi Bank as a global organization has a capable team of leaders able to move forward the organization. However, when it comes to awareness regarding the security threats, few seemed to be competent and they also lacked adequate resources to support the enhancement of security threats and vulnerabilities to their systems. The CISO at Citi Bank Group reports to the Bank Manager. 

Solutions and Security Enhancement

Technological Perspective

Innovation and Adaptation: Having been a victim of online cyber-attacks, my organization has adjusted its models in order to address vulnerabilities associated with digital for protection purposes. Firstly, common-sense and oversight are measures adopted to prevent “insider threats” through control of information access, transaction monitoring, double-approval, and staff training to enable them respond to threat alerts. The second measure is IT discipline, where up-to-date software is in place and vigilance maintained on both end-users and IT. Furthermore, Citi has adopted a triple-pillar approach to defense. Protection of channels, where the bank’s systems block any attempt of entry by attacker through “strong log-in credentials” and encrypted data transfer. Along with that, the bank’s Payment Risk Manager has capacity to detect payment outliers that have capacity to detect any form of compromise to the bank’s systems (Digital Initiative, 2016). Finally the bank has adopted a Data Privacy policy and data governance function, that ensures the bank’s most valuable and confidential data is thoroughly protected through various levels. 

People perspective

Account holders are strongly advised to create strong and unique passwords for their online accounts and change passwords as often as it is practical, and as long as they can remember their passwords (Ilana, 2011). Furthermore, it is critical that users monitor their accounts once they have credit cards, check any suspicious activity that includes withdrawals and purchases. In addition, they are advised to use system’s anti-virus security software. Any suspicious activity should be reported to the bank immediately.

Policy Perspective

Banking regulators should furnish financial institutions with new policies that could improve banking security online and also insist on banks continuously updating their control mechanisms. Banks have a duty of care to provide information and measures to their clients that will help them report any strange incidents, because security is a collective and shared responsibility.

Conclusion

Whereas Citi Bank Group, a global financial institution witnessed weaknesses in its security systems resulting into online breaches, it has successfully modified its approach to security with an aim to prevent further breaches, with considerable success. 

References

Digital Initiative (2016). Citibank: Protecting Against Cyber Threats. Retrieved from https://rctom.hbs.org/submission/citibank-protecting-against-cyber-threats/

Kitten, T. (2013). Was Citi Breach Preventable? Banking Info Security. Retrieved from https://www.bankinfosecurity.com/was-citi-breach-preventable-a-6042.

Liana, G. (2011). Citigroup data breach: a lesson and warning to all. Forbes. Retrieved from https://www.forbes.com/sites/ilanagreene/2011/06/13/citigroup-data-breach-a-lesson-and-warning-for-all/#331b883b4817

Treasury and Trade Solutions (2016). Fighting Cyber Crime: Citi’s Digital Securities. Retrieved from  https://www.citibank.com/tts/sa/emea_marketing/docs/Fighting_Cybercrime_FAQs.pdfWIRED (2016). Citi credit card hack bigger than originally disclosed. Retrieved from https://www.wired.com/2011/06/citibank-hacked/.