Citibank Breach: 6 Tips to Bank Online Safely

June 9, 2011 — -- Citibank acknowledged that a data security breach has exposed information on about 210,000 of its bankcard customers. While these data breaches seem to be growing more commonplace, experts offer tips to make online banking more secure.

Citi's incident, one of the first known hacking cases at a bank, compromised data including credit card account numbers, names and contact information like email addresses. There have been several other public hacking announcements this year from Sony, Lockheed Martin and Michael's Stores, leaving consumers feeling overwhelmed by security concerns.

Adam Levin, co-founder of Credit.com and former director of the New Jersey Division of Consumer Affairs, said it is best for consumers to carry the mindset that there will be more data breaches in the future.

"The level of sophistication of hacking has grown exponentially," Levin said. "And the bad guys are ahead of the good guys."

Citi told the Financial Times that the incident occurred in early May at Citi Account Online. With over 21 million customers in North America, according to its annual report, the breach may have exposed about one percent of its accountholders. While the bank said information like social security numbers, card security codes and birth dates were not exposed, customers may wonder if secure online banking really exists.

Avivah Litan, security analyst with technology research and advisory firm Gartner, said that for both online banking and online credit card management, consumers have "very good protection" under a rule set forth by the Federal Reserve called Regulation E that limits consumer liability for unauthorized card usage. Though consumers may experience an inconvenience, they will almost always recover financially, she said.

Large businesses usually can afford security protection for their banking.

But Litan said online banking for small businesses is "very risky" because Regulation E does not apply to businesses.

"Businesses are only protected through the fine print with their bank," she said.

To limit the exposure of you or your business in online banking, here are some tips from some security experts:

1. Never accept incoming communications purporting to be from financial institutions you do business with, whether by email or phone call.

"Call them back using only the phone numbers published on your cards or statements," Richard Wang, manager of SophosLabs US, said.

2. Update your security software on your computer.

"Make sure it's malware protection and have the most sophisticated firewalls and anti-intrusion software," Levin said. "Those start screaming at you anytime you're even near something that has a worm on it."

3. Check the security of your mobile device and your mobile banking apps.

Mobile banking and payments are becoming more common, which means hackers may pay more attention in that marketplace also.

Andrew Hoog, chief investigative officer of viaForensics, a digital forensics and security company, found three unencrypted (i.e., less secure) passwords in apps for Foursquare, LinkedIn and Netflix on the Android in a recent round of app security testing. Citibank received a "pass" rating for its app.

4. When logging in to perform online transactions, always enter the website address directly in your browser.

Never click links that claim to take you to banking sites.

"Citi's breach is significant. It's easy enough for a criminal with your credit card number, name and address to make fraudulent charges," Wang said. "Adding in your email address allows them to attack you directly with very convincing phishing emails to try to get even more information from you."