ANZ and Westpac are to replace the “SecurID” electronic keys of customers after a string of cyber attacks on companies.
Citigroup has became the latest company and first bank to disclose a major breach, saying that hackers had accessed data of about 200,000 bank card holders in North America.
While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major US financial institution, and said it could prompt an overhaul of the banking industry’s data security measures.
“Most other banks will be taking note because if it can happen to Citi, it can probably happen to them,” said Arun Chandrasekaran, research director of Frost and Sullivan’s Asia-Pacific ICT practice.
“Citi is one of the largest spenders on security which makes the whole situation scary - if this can happen to Citi then imagine possible the plight of other banks which spend significantly less.”
Australia’s No.3 lender Westpac Banking, and Australia and New Zealand Banking Group (ANZ) said they were replacing the electronic keys although their systems have not been compromised. The keys issued by EMC’s Ltd RSA Security division are primarily used by institutional and corporate clients.
ANZ said it has 50,000 such keys with 4,000 used internally. EMC has offered to replace millions of the electronic keys after hackers used data stolen from its RSA division to break into Lockheed Martin's network.
In Singapore, Southeast Asia’s largest lender DBS said they were waiting to hear more details on the causes of Citi’s breach but do have a process in place to regularly review their security controls.
“While we have a robust framework in place, technology is changing rapidly with new threats appearing on the scene, which may require different approaches,” said a spokeswoman for the bank.
Citigroup has not disclosed how the hackers accessed customer information including names, account numbers and contact information. Internet security at other top companies has come under threat after successful raids on other firms such as Sony’s PlayStation Network and Google embolden hackers.
The recent breaches have prompted calls for tougher security measures and better disclosures in cases where sensitive customer data has been compromised.
“The banks have to be cognisant of the fact that the hackers are getting really, really smart,” said Frost and Sullivan’s Chandrasekaran. “Security is always a moving target, banks have to be at the forefront of guarding themselves against breaches like this.”
Spokesmen at Westpac and ANZ said the replacement was pre-emptive action and scrutiny of their systems has not revealed any breach.
“Although we do not believe that our customers are at risk, we have initiated a token replacement to alleviate any residual concern that our customers may have,” said Westpac’s general manager for online and customer service, Harry Wendt.
A spokeswoman for top lender National Australia Bank said the bank was not immediately planning to replace any electronic keys but will monitor its systems closely. An HSBC spokeswoman in Hong Kong said the bank did not use any RSA products.
The widely used electronic keys use a two-pronged approach to identify a person trying to access a computer system and are designed to thwart hackers who might use key-logging viruses by constantly generating new passwords.
The SecurID generates new strings of digits on a minute-by-minute basis that the user must enter along with a secret PIN before they can access the network.