There are 47 pages of regulations for Department of Defense personnel using Citigroup credit cards while traveling.
Pentagon confirms hack attempt against Defense Department credit card holders
- The Pentagon on Thursday confirmed that there was a hacking attempt against an online financial services portal that Citigroup manages for the Defense Department.
- Citigroup had told CNBC that a “malicious actor” attempted to gain access to several Citi credit card accounts tied to the Department of Defense.
- The attack, which included 1.3 million attempts, occurred over this past weekend.
The Pentagon on Thursday confirmed that there was a hacking attempt this past weekend against an online financial services portal that Citigroup manages for Defense Department credit card holders.
The confirmation comes a day after Citigroup told CNBC that a “malicious actor” attempted to gain access to information for Pentagon-linked credit card accounts.
The bank had responded to CNBC’s inquiry regarding an attempted hack this past weekend. The Pentagon, citing information from Citigroup, confirmed to CNBC on Thursday that there was an attack over the weekend of March 10.
The bank told the Defense Department that the attack came from a computer system that was randomly guessing cardholder account usernames and passwords.
The program hit Citigroup’s Pentagon online account application more than 1.3 million times. The hackers did successfully guess 318 Pentagon cardholders’ usernames and passwords, but they did not get past a secondary layer of account authentication.
“No data compromise occurred,” Citi told the Pentagon.
Citi provides financial services for the Government Travel Charge Card, or GTCC, which is used by Department of Defense personnel to pay for authorized expenses when on official travel.
CitiManager is the online portal used by the Defense Department to view statements online, make payments and confirm account balances.
The Pentagon’s Defense Travel Management Office oversees the processing of the GTCC.
*** Back in 2016, there was a hacker contest held by the Pentagon under Secretary Ash Carter….guess they missed that payment portal vulnerability possibility.
According to Defense Secretary Ash Carter, more than 250 participants out of the 1,400 submitted at least one vulnerability report, with 138 of those vulnerabilities determined to be “legitimate, unique and eligible for a bounty,” he said. The bounties ranged per person from $100 to around $15,000 if someone submitted multiple bugs.
The pilot program, which ran from April 18 to May 12, cost about $150,000, with around half of that going to participants. The results were released on Friday, according to the Department of Defense’s website.
“Hack the Pentagon” was deemed a cost-effective way to scour five of the US defense departments’ websites (defense.gov, dodlive.mil, dvidshub.net, myafn.net and dimoc.mil, according to a DoD spokesman) for security bugs. Instead of going to outside security firms, which would’ve cost upwards of $1 million, the government instead recruited amateur hackers to do it for much less, some who were only in high school.
In addition to reporting on the number of bugs, Carter also said that the government has worked with HackerOne, a bug bounty platform, to fix the vulnerabilities and that the department has “built stronger bridges to innovative citizens who want to make a difference to our defense mission.” Carter wants the “bug bounty” program to extend to other areas of the government and wants to ensure that hackers and researchers can report bugs without a dedicated program.
“When it comes to information and technology, the defense establishment usually relies on closed systems,” he said. “But the more friendly eyes we have on some of our systems and websites, the more gaps we can find, the more vulnerabilities we can fix, and the greater security we can provide to our warfighters.”
Many websites already have bug bounty programs in place, but it was the first time the federal government had come up with such a program. It’s good experience for young hackers and security fiends who want to try and hack a government agency, although that’s a small amount of money for their time.
Want more BFT? Leave us a voicemail on our page or follow us on Twitter @BFT_Podcast and Facebook @BluntForceTruthPodcast. We want to hear from you! There’s no better place to get the #BluntForceTruth.