As at now, the world continues to experience fast growth rates in the information technology sector. Many people currently have a clear understanding of how to use digital devices such as smartphones, tablets, computers, and laptops to access online data through the utilization of the internet. While this may be beneficial if well utilised, it could also pose great dangers in some situations, especially with the threat of criminal cyber activity (Caviglione, Coccoli & Merlo, 2013; Page, Kaur & Waters, 2017). Mostly thanks to hackers, institutions, both public and private, run the risk of losing confidential information, which may in turn, be put into wrong use to hinder organisational operations or to cause unforetold human damage. That brings us to the topic of cyber security or attacks. Cybercriminal activities have been with us for quite some time now. In line with this, hacking as a culture, could therefore, be traced down to the year 1961, when the first case of hacking was reported. Since then organisations have remained on high alert to make sure that their private networks remain secure from cyber-criminal activities, with the inclusion of hacking ( Page, Kaur & Waters, 2017; Shuchih Ernest Chang & Chin‐Shien Lin, 2007). However, even with all of these efforts, hackers still manage to breach the existing securities to gain access to some of the most highly protected organisational information. Of worthy to remember is that as organisations are applying and installing more details security systems to guard their private data, hackers are also evolving, and each day they are coming up with newer techniques to make sure they gain access to the restricted networks. Given the changing motivations by the hackers, financial institutions are becoming more targets because currently, more hackers want to make money rather than gaining just a little popularity. One of the events that shall form the basis of this paper is the Citibank’s hacking, which took place in the year 2011. In this particular case, reports by the FBI and Verizon, indicate that hackers managed to steal about three hundred and sixty thousand credit cards data belonging to the Citibank’s clients, which worth of approximately 2.7 million dollars ( Caviglione, Coccoli & Merlo, 2013; McEachern & Hofmann, 2017). This represents a substantial loss of the clients and the bank because since then it has not managed to stabilise or regain its customers. Reportedly, the hackers that were involved in this case managed to gain access to Citibank’s private networks via a security hole without, also managing to go undetected, a mistake for which the bank had to bear great public criticism.
Brief Information about the Attack
In May of 2011, hackers managed to gain access to highly protected information of the Citibank (Info Security, 2013). Banks and other financial institutions are now the primary targets for many hackers because at the end the hackers are able to gain monetary benefits even though it is through illegal means. Through this particular hacking incident, the bank lost approximately 2.7 million dollars (Info Security, 2013). It is said that hackers were able to log into Citibank’s website by pretending to be authenticated clients. Having gained this access, they then stole troves of personal information belonging to Citibank’s customers. This included emails, names, transactional histories and account numbers. The method of hacking which enabled them to gain access to such a secured bank network is known as parameter tampering. According to the Open Web Application Security Project (OWASP) parameter tampering is, “attack based on the manipulation of parameters exchanged between client and server in order to modify application data, such as user credentials and permissions, price and quantity of products, etc.” (Kim & Kim, 2014) Essentially, information is kept in cookies, hidden from URL Query Strings, and it is applied to upsurge application control and functionality. These hackers managed to manipulate the account number part of the URL that they stole to gain full access to their credit data information.
Delegate your assignment to our experts and they will do the rest.
Descriptive Labels that Might Apply to this Particular Incident
This event can be marked as Data Diddling, which refers to the access or modification of information without legal authorization. Additionally, data tampering can refer to the manipulation of installed systems by deleting them. These attacks are especially severe when targeted at the administrative systems, which might result in the total shutdown of organizational systems. Also, even if there were no such intentions, the administrator may find it necessary to try recovering the lost information, something that might take days or weeks and therefore affecting the standard organisational operations.
Regarding the Threat Actors
People who would go after the Stolen Information
Bank information is very critical and once it gets leaked many people with bad intentions go for it: willing to buy it at very high cost. In this particular case, the information that had been stolen from Citibank may have been of interest to her competitors and to her detractors’ alike, say in this case, a terrorist outfit. Additionally, some Citibank clients would also be happy to have access to the stolen information.
Reasons why they would go for that Information and what they can do with it
There exist different reasons why the mentioned groups would go for the stolen Citibank information. For example, Citibank clients may want to have access to that information so that they can erase their data more especially if they had loans. On the other hand terrorist groups may have been in getting access to the said personal client information in view of using it to execute their attacks, or to blackmail and threaten their targets (Eshete, Villafiorita & Weldemariam, 2011). Additionally, by selling the credit card data stolen from Citibank, the hackers involved would have stood to fetch a lot of money, which they then might have put to personal use. With other financial institutions, they might want to get hold of the stolen information so as to make use of it in spoiling the name of Citibank and therefore get more clients as opposed to Citibank (Evers, 2005). That can act in their favour especially if they capitalise on the fact that the Citibank’s clients’ personal information isn’t secure anymore and therefore, they need to find for another Bank that guarantees the security of their personal data. By spreading this to as many people as possible, Citibank may lose many potential clients to their competitors.
Ways Interested Parties can get the Stolen Information
To get access to the stolen information, several transactions must take place between the hackers and the interested parties. These operations can occur in terms of monetary exchange, where hackers receive vast sums of money for the information. Also, hackers can exchange information for anything else that is not money but has value and which might satisfy their desires.
Identification of Potential Attackers
Citibank could choose to quickly identify attackers by installing up to date anti- hacking software with advanced features that would allow the ICT department at Citibank to detect threats and attempts of information security breach before they happen. Additionally, training the workers of Citibank on how to operate systems to identify network security breach attempts and the necessary actions to take can assist in the earlier identification hackers.
Reducing Incentives that could attract Hackers
Information security is critical to any organisation. Banks alongside other financial institutions are, particularly speaking, the major targets of hacking activities (Gal-Or & Ghose, 2005). Hackers tend to get attracted to a given network especially if they realise that they can easily get confidential information that could act in their favour. However, organisations have the capability of regulating the type of information they display on their websites because the type of files and contents shown significantly motivate the hackers to try hacking so that they can gain access to that information. Currently, there exists a lot of network protection technologies, which if combined with firewalls that have encryption properties can discourage hackers from stealing information
(Liu, Shahidehpour, Li, Liu, Cao & Li, 2017; US9621569 B1, 2017).
Further in line with this, technologies such as the use of encryption software may also be used to dissuade hacking. Even so, the employees having access to organizational networks need to be trained on how to make sure that they do not leak hints that could result in the discovery of passwords (Shuchih Ernest Chang & Chin‐Shien Lin, 2007). For example, if workers are allowed to log into the Citibank networks using their personal devices such as smartphones and laptops, they should avoid saving the passwords. That helps reduce chances of hacking because for example if a laptop is stolen, it means one can easily retrieve the passwords, which might increase the risk of information loss.
Also, by conducting regular scans, Citibank and other organisations can quickly detection of vulnerabilities, allowing for a quick action and perhaps had that been done the bank could have inhibited that attack. With the current technologies, there exist various mechanisms that can be employed to hinder parameter tampering (Kim & Kim, 2014).
Reducing Damaging Effects due to Attempted Attacks
For Citibank and other organisations to fight hackers and also in order for them to detect any attempts that are made at stealing their business information, they would need to deploy various strategies. First, Citibank could have made it public the possible hacking attempts. That makes people more especially their clients vigilant, usually in such a way that, some of them might even be of help in tracking down the involved hackers. Secondly, organisations must install backup and data recovery systems, as these make room for the recovery of lost or altered information (Gal-Or & Ghose, 2005). This, therefore, assists the organisation to remain operational in the event that there information systems are successfully hacked, causing them to temporarily lose vital pieces of business information. One of the most important things that we need to remember here is that, hackers typically aim at gaining for their actions and affecting or paralysing the institutional operations. Meaning if an organisation isn’t equipped with up to date data recovery and backup systems, the agency could even close down completely if attacked.
Citibank and other agencies also need to install data encryption software as one of the ways of keeping their information safe. This software allows only the authorised individuals to have access to a particular information, reducing the possibility of data storage (Eshete, Villafiorita & Weldemariam, 2011). But, in case the hacker manages to steal the information they fail to open it because they don’t have the authorization to open it. That highly discourages hackers and could help save the organisation from possible problems that could happen if information gets accessed due to lack of encryption.
Another way of protecting data loss is by placing fake information on the Citibank’s websites. That can assist the organisation to determine the safety of their networks, without having to lose crucial information to attackers. This mechanism also acts a discouraging tool, which can make hackers lose their moral in attacking an organisation if at all times they get false information that cannot work in their favour.
Lastly, protecting data loss, an agency is expected to conduct several information security checkups. Perhaps a company could perform these checkups at least twice in every three months. That can aid in the identification of network holes that could act in favour of the attackers. Once these holes have been identified, immediate measures should be taken to ensure that the company network systems are safe and less vulnerable to cyber attacks.
The event of the year 2011, which involved the hacking of Citibank was indeed a game changer insofar as Cybersecurity is concerned. The attack clearly indicates the danger and the extent of damages a single attack could have in the world let alone the Citibank. However, what is important is that there are ways such actions can be avoided including the use of current technologies that ensure network security of private networks. Therefore, all organisations and more especially the financial institutions should work harder to ensure that their systems remain secure at all times to avoid facing similar situations as those witnessed in Citibank.
Caviglione, L., Coccoli, M., & Merlo, A. (2013). Social Network Engineering for Secure Web Data and Services . Idea Group Inc (IGI).
Eshete, B., Villafiorita, A., & Weldemariam, K. (2011). Early Detection of Security Misconfiguration Vulnerabilities in Web Applications. In 2011 Sixth International Conference on Availability, Reliability and Security (pp. 169–174). https://doi.org/10.1109/ARES.2011.31
Evers, J. (2005, July 06). Hacking for dollars. Cnet News, Retrieved from http://news.cnet.com/Hacking-for-dollars/2100-7349_3-5772238.html
Gal-Or, E., & Ghose, A. (2005). The economic incentives for sharing security information. Information Systems Research, 16(2), 186-208. Retrieved from http://people.stern.nyu.edu/aghose/ISR.pdf
Info Security. (2013, September 03). Citi ordered to pay $55k to Connecticut over 2011 data breach. Info security, Retrieved from http://www.infosecuritymagazine.com/view/34328/citi-ordered-to-pay-55k-to-connecticut-over-2011-databreach/
Kim, G., & Kim, S. (2014). OTAKUS: Parameter-Tampering Prevention Techniques using Clean URL. Journal of Internet Computing and Services , 15 (6), 55–64. https://doi.org/10.7472/jksii.2014.15.6.55
Liu, X., Shahidehpour, M., Li, Z., Liu, X., Cao, Y., & Li, Z. (2017). Power System Risk Assessment in Cyber Attacks Considering the Role of Protection Systems. IEEE Transactions on Smart Grid , 8 (2), 572–580. https://doi.org/10.1109/TSG.2016.2545683
McEachern, A., & Hofmann, R. (2017, April 11). US9621569 B1 . Retrieved from http://www.google.com/patents/US9621569
Page, J., Kaur, M., & Waters, E. (2017). Directors’ liability survey: Cyberattacks and data loss — a growing concern. Journal of Data Protection & Privacy , 1 (2), 173–182.
Shuchih Ernest Chang, & Chin‐Shien Lin. (2007). Exploring organisational culture for information security management. Industrial Management & Data Systems , 107 (3), 438–458. https://doi.org/10.1108/0263557071073431