By Ross Kerber and Jim Finkle
BOSTON (Reuters) - The cyber attack on Citigroup Inc may force U.S. banks to adopt tougher security measures that they have put off for years because of the cost and fears that tighter security would inconvenience customers.
Most U.S. banks currently allow customers to easily access their accounts online or on mobile devices without jumping through too many security hurdles to confirm their identities.
But with the news on Wednesday that hackers had managed to break into Citigroup's network and get data on about 200,000 credit-card holders in North America, pressure will likely mount on banks to get tougher on security.
The Citigroup breach is the largest direct attack on a major U.S. bank to date, security experts said. It has already prompted banking regulator Sheila Bair to call on banks to "strengthen their authentication when a customer logs onto online accounts."
Gartner Research analyst Avivah Litan said banks should adopt more stringent security measures, such as issuing security tokens to customers or requiring them to use more robust browser software to log in to banking websites.
Security tokens generate strings of numbers on a minute-to-minute basis that users must enter along with a personal identification number to verify their identity. A token can cost $5 apiece, so that could top $100 million for Citigroup's 21 million North American customers.
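The token scheme described above, as an added illustration that is not part of the Reuters article: it assumes the tokens work like the standard HOTP/TOTP algorithms (RFC 4226 and RFC 6238), with a 60-second step to match the "minute-to-minute" codes, and shows the bank-side check of PIN plus token code, including tolerance for a token's clock drift and rejection of a replayed code. The seed, salt and PIN are constructed demo values.

```python
import hashlib
import hmac
import struct
import time

# Constructed demo credentials (not from the article): the seed shared with the
# token, and the customer's PIN stored as a salted hash rather than in the clear.
DEMO_SEED = b"12345678901234567890"
DEMO_PIN_SALT = b"demo-salt"
DEMO_PIN_HASH = hashlib.sha256(DEMO_PIN_SALT + b"4821").hexdigest()


def hotp(seed: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(seed: bytes, at: int, step: int = 60, digits: int = 6) -> str:
    """Time-based code: the counter is the number of whole steps since the epoch."""
    return hotp(seed, at // step, digits)


class TokenVerifier:
    """Bank-side check of PIN + token code. Accepts codes within +/- `window`
    steps (clock drift) and each counter value at most once (no replay)."""

    def __init__(self, seed: bytes, pin_hash: str, step: int = 60, window: int = 1):
        self.seed, self.pin_hash = seed, pin_hash
        self.step, self.window = step, window
        self.last_counter = -1  # highest counter already used for a successful login

    def verify(self, pin: str, code: str, now=None) -> bool:
        now = int(time.time()) if now is None else now
        submitted = hashlib.sha256(DEMO_PIN_SALT + pin.encode()).hexdigest()
        pin_ok = hmac.compare_digest(self.pin_hash, submitted)
        counter = now // self.step
        matched = None
        # Check the whole window so timing does not reveal which step matched.
        for c in range(counter - self.window, counter + self.window + 1):
            if c > self.last_counter and hmac.compare_digest(hotp(self.seed, c), code):
                matched = c
        if pin_ok and matched is not None:
            self.last_counter = matched  # burn the counter so the code cannot be replayed
            return True
        return False
```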
"Up until now the banking industry has really been untouched in terms of attacks, from what we know," Litan said.
Beefing up security would be cumbersome, she added, but unavoidable given the need to secure payment systems. The Citi breach, coupled with other recent incidents, "adds up to a really bad picture," Litan said.
Banks so far have had a better record than retailers and other companies at protecting data from hackers.
Financial industry security experts said that balance may shift as hackers work their way up the security food chain. The attack on Citi follows ones on Lockheed Martin Inc, Sony Corp and Google Inc.
Banks and credit card companies have tolerated a certain amount of fraud in their systems because the potential savings would not justify the cost of additional security, according to David Robertson, publisher of The Nilson Report, which follows the payment industry.
He said typical payment-card fraud can average $1,000 to $1,500 per incident -- relatively low amounts because criminals do not want to raise red flags.
But hackers with direct access to bank accounts would pose a much bigger threat as they can seek out much bigger one-time heists. "The potential for fraud in an online banking environment is monumentally different than with payment cards," he said.
Robertson said he expects banks to move to security tokens and ultimately to biometric identification such as fingerprints to validate customers. These might only be worth it for clients with the largest accounts or transactions, however.
BANK BREACHES RARE
Payment card numbers are commonly hacked through attacks on retailers that tend to spend less on security than banks. Such attacks have become almost commonplace -- Michaels Stores Inc last month for instance reported a large attack engineered by hackers who compromised PIN pads at its stores.
In contrast, reports of breaches at banks and other financial institutions are far less frequent. When they do occur they have led to major consequences. Notable was the case of Heartland Payment Systems, which in 2010 agreed to pay up to $60 million to fund a program to settle claims against banks whose customers' cards were compromised by an intrusion into Heartland's systems.
"Banks like Citi put a lot of money into building robust security -- that's the scary thing about this," said Allan Trosclair, a payment card consultant in Richmond, Virginia.
If banks fail to step up their game when it comes to security, there may be more breaches.
Attacks on prominent companies are becoming more frequent because potential targets are not moving quickly enough to protect themselves against increasingly sophisticated hackers, said Anup Ghosh, chief executive of security software maker Invincea and a scientist who formerly helped develop cyber weapons for the U.S. military.
"With the security industry we are seeing a failure on a massive scale," he said. "It is getting worse. The adversaries are figuring out just how easy it is to get into the network."
(Reporting by Ross Kerber and Jim Finkle, editing by Tiffany Wu; Editing by Gary Hill)