How Citigroup Hackers Easily Gained Access
Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."
They were asking for it (now watch them store the account number in an unencrypted cookie). GL with the future JavaScript injection.
There is no facepalm big enough to express my feeling at that hack. I'm sure they paid good money to "security professionals" to set that up too.
I read the internet for the articles.
Heads need to roll for this one... Amazing. Words escape me.
If you want news from today, you have to come back tomorrow.
I did that at a bank I was working with. It was actually a hidden form variable with the institution's username/password, but grabbing that page before it auto-submitted allowed me to pull anyone's statement. I showed it to my manager, and eventually got a promotion out of it. :-)
When writing our REST services the first thing we considered was how to prevent users from accessing other users' data. I don't understand how this could happen to a bank with credit card data. It's ridiculous.
Dealing with credit card information, I know for a fact that security implementation is 100% illegal if the allegations are true. Citibank will be fined hundreds of millions of dollars if they follow the law ($100,000 per incident). I mean, base level security for this would be to only allow that user access to that specific account. If they were able to simply change URL numbers to see other account holders' info... wow... just wow.
Seems like the website required one to have *some* authenticated session. Even though they probably used some stolen credentials (at least one would hope), they must have used their own when they *discovered* it. So the way to find them is to look at the logs and find people who accessed different account URLs under the same auth token prior to this massive theft. I bet there are not going to be that many of them.
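The log check this comment proposes, as an added example that is not part of the thread: group requests by session token, count the distinct account numbers each token touched, and flag tokens that walked through far more accounts than one customer owns. The log lines, field layout, regex and threshold are all constructed for this example.

```python
"""Added example (not from the thread): find sessions that read many
different accounts, the pattern the comment above suggests hunting for.
The log format below is constructed; adapt LINE_RE to the real one."""
import re
from collections import defaultdict

# Constructed access-log lines: client IP, session token, method, path.
# tok-a1 walks through four consecutive account numbers; the others
# look like ordinary customers reading their own one or two accounts.
SAMPLE_LOG = """\
10.0.0.5 sess=tok-a1 GET /cards/statement?account=1001
10.0.0.5 sess=tok-a1 GET /cards/statement?account=1002
10.0.0.5 sess=tok-a1 GET /cards/statement?account=1003
10.0.0.5 sess=tok-a1 GET /cards/statement?account=1004
10.0.0.9 sess=tok-b7 GET /cards/statement?account=2200
10.0.0.9 sess=tok-b7 GET /cards/statement?account=2201
10.0.0.12 sess=tok-c3 GET /cards/statement?account=3100
"""

# Assumed layout: "<ip> sess=<token> <method> <path-with-account-param>".
LINE_RE = re.compile(
    r"^(?P<ip>\S+) sess=(?P<sess>\S+) \S+ \S*[?&]account=(?P<acct>\d+)"
)


def accounts_per_session(log_text):
    """Map each session token to the set of account numbers it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m["sess"]].add(m["acct"])
    return seen


def is_sequential(accts):
    """True when the account numbers form one unbroken ascending run,
    the signature of a script simply incrementing the URL parameter."""
    nums = sorted(int(a) for a in accts)
    return len(nums) > 1 and all(b - a == 1 for a, b in zip(nums, nums[1:]))


def flag_enumerating_sessions(log_text, max_accounts=2):
    """Return (token, distinct_accounts, sequential) for every session that
    touched more distinct accounts than max_accounts. The threshold is an
    assumption for this example; set it from the real accounts-per-customer
    distribution so legitimate multi-account customers are not flagged."""
    flagged = []
    for sess, accts in accounts_per_session(log_text).items():
        if len(accts) > max_accounts:
            flagged.append((sess, len(accts), is_sequential(accts)))
    return sorted(flagged)


if __name__ == "__main__":
    for sess, count, seq in flag_enumerating_sessions(SAMPLE_LOG):
        print(f"{sess}: {count} distinct accounts, sequential={seq}")
```

The sequential flag separates a scripted walk through account numbers from a customer who genuinely holds several accounts, which a bare count cannot do.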
Mind numbingly so.
Really makes me wonder WTF is up with some banks and their incompetence. I registered for online banking with my bank some time ago, and they only allow [a-z][A-z][0-9] for passwords. No ~!@#$%^&*(. In the 21st century. Shame.
Sent from my PDP-11
This is web security 101. I can respect it being SQL injection, or even a clever cross-site scripting attack to phish users. But changing the account number in the URL bar; words escape me.
If you don't understand how a secure negotiation protocol (and the protocol for the session after the fact) works, admit it and either ask someone or read several books until you recognize that you should still go ask someone. I've read more than my fair share of crypto books and papers, but, being an application developer who does only trivial personal server-side development, you can be damned sure that I'd ask for help when working on a username/password system. This goes double if it involves banking.
That any session allows them to go digging around willy nilly is so unbelievably stupid, I can't even find the words.
My favorite quote:
Yes, it would have been hard. For example, one would have had to take a security course, where this type of attack would have been discussed in the first 10 minutes.</sarcasm>
Good fucking god. This can't be true.
I could be misunderstanding something, but shouldn't something as simple as an ISAPI filter have prevented this?
From TFA:
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'
/epic facepalm
First, this is NOT a hard vulnerability to prepare for. If the only method of user authentication you are doing is based off a string of characters received from the URL, you're not even qualified to build an ecommerce site for some mom-and-pop 2-sales-a-week company, let alone a bank.
Second, why is this a surprise to this security "expert"? Anyone who has done development for a website with dynamic content would be familiar with passing information through the URL. This is like web design 101. If I logged into my credit card account and saw my CC number in the URL bar the FIRST thing I would think of would be: "What would happen if I typed in another number in there?" Security expert my ass; no wonder some companies have this happen to them. Look at the people they hire to test and investigate their systems!
/rant
If what I just said sounded like a troll, it was probably just a failed attempt at humor.
<NICE>
This is what you get when important functions are written by people who do not have the slightest inkling of what network security is about. You can put loads of $$$ into planning and design into specifying authentication, and it all falls down because the grunt who actually does the work doesn't have a clue.
</NICE>
<REALISTIC>
Probably the grunt without a clue is the smartest guy over there.
I know, redundant. But fuck. you've got to be kidding me! I think you are kidding. Nice lulz. This is a joke. Right?
From TFA:
If this kind of "expertise" is used for the investigation, no wonder they are not getting it. First, the vulnerability was on the server side, not the client side. Secondly, comparing requests for information against the authorization level of the current user is SOP. It's axiomatic that you need to "prepare" for such checks.
Just need to check something...
It's a good thing our foresightful federal government nobly resisted the public in '08-'09 and wisely chose to bail out and backstop this vital financial institution, on whom we are so ever reliant for their irreplaceable expertise!
*jerk off gesture*
Information theory is life. The rest is just the KL divergence.
So... which is it? Simple or sophisticated? Or simple?
Is it really that much trouble to add a secure hash of the id to the URL or check against the session if the user has access to that record? Come on, that is BASIC security.
WTF!!!
This is a failure in programming (I'll stop short of calling the coders idiots, since I don't know what pressures and time constraints they were under) and testing (this should be caught within 10 minutes with a half-hearted Selenium script). The mistake they made: if user is authenticated, they belong, and everything gets happily processed. Pretty typical, especially for beginning programmers. They failed to check individual resources against what was being param'ed in.
The best thing about a boolean is even if you are wrong, you are only off by a bit.
Since when did requesting a different page from server-side script become a 'sophisticated hacking technique' that would be hard to prepare for? This is unreal.
It's the security solution for Citigroup!
What? I mean, WHAT? Teenie-bopper web developers, tired of having their Star Wars fansites hacked, stopped putting account info in GET strings back in the nineties! What kind of crap programmers... the mind boggles... What BANK would pay for such crap code, and what enterprise-class design team would make such a horrible mistake? This is not a cute little hack, it's a fundamental coding... no, design... no, sorry, CONCEPTUAL flaw.
Everyone involved with this project: design, management, QA, and most especially whoever at Citigroup signed off on the project, should be immediately fired and never work again in this field.
Oliver's law of assumed responsibility: If you're seen fixing it, you will be blamed for breaking it.
Citigroup is VERY dysfunctional, according to recent books and articles. But Citigroup makes billions because the U.S. government is even more corrupt.
The CEO should be fired, in my opinion. Instead he will be paid $23.2 million.
IF the article is correct about the nature of the vulnerability, this quote is the single stupidest and most frightening thing I have ever read on the internet.
Either I totally misunderstand what I just read, or it's the stupidest thing I ever heard of. This week anyhow.
because this is epic fail.
Never let a lack of data get in the way of a good rant.
Has anybody done some sort of audit of various banks' online security procedures to find which, if any, have a decent setup?
Another big gigantic bank based here in the US of A, who has received hundreds of billions of dollars in "aid" from the Government, off-shores much of their development overseas - I'm not sure if it's a captive company or if it's an independent firm.
Friend interviewed as a BA and was told that the dev staff were all in India - at least for the department in that particular division for BOA.
... for which they'll immediately pass the cost to their customers. Do you REALLY think it costs them two bucks to let you use other institutions' ATM? Do you really think it costs them fifty bucks to stop payment on a check? Until we're talking about serious jail time in the pound-me-in-the-ass prison for officers of the corporation, nothing will change. But knowing how congress critters in Washington are all already bought and paid for, I think we have a better chance getting a snow storm in hell.
ELOI, ELOI, LAMA SABACHTHANI!?
This is because, according to a report by Verizon and the Secret Service, the demand for data is on the rise. In 2008 the underground market for data was flooded with more than 360 million stolen personal records, compared to just 3.8 million in 2010.
How is that a rise?
Dailymail and Citi bank apparently use the same QA department.
I was just reading this post where the blogger rants about how dumb and simple these attacks are getting:
http://penguinpetes.com/b2evo/index.php?title=does_the_recent_rash_of_cyber_attacks_on&more=1&c=1&tb=1&pb=1
And then today, they post a STUPIDER one!
Yes, the car is locked, but all the cars use the same key. It would have been hard to prepare for this type of vulnerability.
"One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: 'It would have been hard to prepare for this type of vulnerability.'"
Really? They were passing a credit card account number in the clear through a GET parameter, without validating it against which session the page load was authenticated on, and that was "hard to prepare for"? Really?
I could have done it better than that. So I guess that makes me an expert, right? (Hint: No. It makes the "expert" a flaming idiot.)
What about substituting account numbers is bold and without shame?
This kind of negligence should be criminal.
....to breach security by focusing on the vulnerability in the browser. I see what you did here! It is not a vulnerability in the browser. It is a vulnerability in the code and the whole system behind it. You cannot escape your liability with this nonsense.
If you're a baseball fan you'll get the connection here (um, get the name of the stadium): this is so Mets-like an event and an outcome. I recall Casey Stengel's immortal words from when he had the helm in Flushing: "can't anyone play this here game?"
Development is programmable; Discovery is not programmable. (Fuller)
http://slashdot.org/~CmdrTaco
Dear God....
Please remember this story next time your boss thinks it's okay to hire or use just anyone to do QA. PMs and Customer Service agents are not testers! Nor can you do effective testing with only kids straight out of school.
Imagine if buildings got built with no architects, no engineers, just construction workers. Or no construction workers, just engineers. Would you feel safe on the top floor?
It doesn't matter WHAT time or money constraints they were under. This is simply not something that would be acceptable out of somebody that codes for money. To call this a "beginners mistake" is an insult to Web Development 101 students everywhere. If you have to be TOLD that maintaining authentication to a secure website based on the contents of the URL bar is a bad idea, then you do not deserve to be coding for anybody. I haven't EVER coded a website (I haven't written anything longer than a ten-line shell script in 13 years) and I could have told you this was a mind-bogglingly stupid mistake. This is not 20/20 hindsight at work here... it really is that stupid.
Heads should roll, including the programmer(s) responsible for this travesty, and two levels of management above him/her. And the remaining employees in the department should all have to apply for their jobs again (by the new management team), as their suitability as programmers could not have been properly evaluated before if the original moron managed to keep his job longer than a week.
I'm actually willing to cut the testers some mild slack... maybe they chose not to test for the developer having the IQ of a turnip. (Just a little slack... a tester should NEVER assume the developer has the least clue what they are doing when figuring out what needs testing.)
That made me laugh, codepigeon.
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'
Are you *really* trying to label this as a browser vulnerability issue?
You're either *really* incompetent or paid very well to say shit like that.
sysadmins and parents of newborns get the same amount of sleep.
Should CERT issue an advisory on outsourcing as a hot new attack vector?
"In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid-1980s was to worry about criminals being clever; we should rather have worried about our customers - the banks' system designers, implementers, and testers - being stupid."
Ross Anderson, "Security Engineering"
This is super basic stuff in the web world. What they did in this debacle is let you into the bank (citigroup.com), talk to you one-on-one at the teller station (SSL), have you swipe your card and enter your pin (login/password), then let you fill out a withdrawal form for anyone's account and give you the money!!
"Uh... yeah, I'd like to get the money from my account number +1... oh, that one's closed, how about my account number +2, nope, well then +3? Ah, yes, that one please... all the money, yes."
I don't bank with citigroup, and I certainly never will knowing how little effort they put into their security practices.
You could have gotten retirement out of it...
This would be the Data Breach Investigations Report.
How is that a rise?
Basic economics would dictate that with supply being significantly lower in 2010 than in 2008 (less data available on the black market), the demand for said data has gone up.
I believe it was Herman Finkers who was joking about telephone service coming to his village. Only a few people had it, so they had single-digit telephone numbers.
It went something like this: the mayor, since he was the mayor, had telephone number 1. The notary had number 2, the priest had number 3, the owner of the factory had telephone number 4, the constable number 5, and the librarian number 7. The Johnsons also had a telephone but they had an unlisted number.
ANY website that uses www.anysite.com/info.pgp?type=info&account=012345 that allows you to change account= and then displays the information for that account holder should be held liable.
I disagree. There's got to be a cutoff point below which it ceases to be fail and emerges into some sort of parallel universe.
It's a small world and it smells funny; I'd buy another if it wasn't for the money; Take back what I paid (SoM)
Actually, if you just read the sentence after that it says:
As the credit cards, whose numbers were stolen in 2008, expire, there is a rush to find new accounts.
So it is (or should be) on the rise now.
This kind of attack is what they teach in the first term of their ethical hacking and countermeasures course.
What kind of morons don't programme against something that's so basic?
They can't pass the cost to their customers. Or rather, they have already ensured that their price is the maximum their customers can give.
If you have a bank account with Citi, you are probably earning 0.05% interest, and paying for all activities you perform through the bank.
Time to let Citi crash and burn, and move their customers' assets to a bank that isn't completely corrupted by profiteering and shitty service.
It's cheaper for Citigroup to spin its way out of this mess than for it to pay for real security. Because real security requires people with some sense throughout the chain with access to the organization. And that kind of person is a threat to the entire way of doing business that banks like Citigroup do it.
Remember that Citigroup is exactly the bank for which Senator Phil Gramm (R-TX) wrote the 1998 bank deregulation bill that left the global economy exposed to exactly the kind of collapse the 1934 regulations had protected us from since the last time the banks gave unregulated credit until they collapsed. They have learned from the 2008 Crash that they will be given only more money when they fail, so they don't work hard to avoid the risk. The kind of "moral hazard" that banks use to excuse paying their insurance obligations, but which define their own businesses now.
--
make install -not war
Anyone remember? You could gain access to anyone else's mailbox by replacing your own address with theirs in the URL bar...10 years later, a bank still can't figure that out? These are the jackasses we "trust" with all of our money and assets, too.
who immediately went and checked their own bank website for the same vulnerability?
It's getting to the point we should just give up on the web. If a bank can't understand the notion of security then we're pretty much hosed.
Don't worry though; they're probably insured against their own stupidity.
"One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser."
Anybody know what company this investigations team is? I'd like to submit a resume... I'm even willing to move presuming wherever it is pays at least 55K + differences in rent in a decent neighborhood.
Kinda feel like a job I can sit around jacking off for 4 hours a day, look at a problem for thirty seconds, write up a better report than this guy, and then go home while building my own security credentials up to 'expert'
Hell, I'll even attend cons and training seminars, and bring in a few kids from IRC that are brighter than the aforementioned schmuck...
Seriously, Who was it this time?
but it was cheap!
The webmonkeys should be beaten
When I was 12 I used that method to hack into people's Hotmail accounts (non-Microsoft Hotmail back then). Too funny.
to a bank that isn't completely corrupted by profiteering and shitty service.
Huh? Is there such a thing nowadays?
Questions raise, answers kill. Raise questions to stay alive.
This doesn't even qualify as a hack. It's more like a tactic a curious script kiddie would try just to see how something worked, and suddenly being pleasantly surprised when some other user's data was handed to them on a silver platter as a reward for bothering.
Sadly, I'm willing to bet this kind of "exploit" is probably far more common than anyone is willing to admit. Like those of us who have ever "left the water running" and only coming to realize it 50 miles down the road.
It's something so stupid, most developers wouldn't bother checking their own work for such a "rookie mistake", simply because they're just that good.
8==8 Bones 8==8
Things like this are an inevitable consequence of commoditizing development and outsourcing it to India & China or onshoring it via H1B holders whose certifications and degrees are printed on tissue paper. As an IT manager for years the quality of candidates I have seen coming from those sources is laughable--they code by flowchart. But those are exactly the kind of 'programmers' banks love to hire, because they work cheap and never complain when you work them to death because you can fire them and they get sent back to the old country. Do they do crap work? Yes, absolutely. But that's not the MBA-holding, PHB manager's problem, because they get to claim cost savings and a promotion for it and push like hell to get as far away from the inevitable consequences as they can before it blows up.
If you are an IT manager, please do yourself a favor and hire experienced natives who really know what they're doing. They will cost you a couple 10G's more, but the difference in the product will save you millions it would cost to fix crappy code and the tens of millions more in liability when your customers learn the hard way how lightly you treated the confidentiality and security of their data.
Do what you can, with what you have, where you are.
All this time I've just been using that trick to get free porn.
Dear Slashdot: next time you want to mess with the site, add a rich-text editor for comments.
I disagree. There's got to be a cutoff point below which it ceases to be fail and emerges into some sort of parallel universe.
Problem is, it's pretty much the same universe as ours, but they have cool hats.
Jesus was all right but his disciples were thick and ordinary. -John Lennon
Seriously, all Americans, regardless of what bank they use, should write their Congressmen about this and urge the banking committee to subpoena executives from all the major banks for a hearing. Citigroup breached its fiduciary responsibility on a massive scale and with breathtaking stupidity, and this on the heels of a bailout needed because of stupidity and a lack of responsibility. This is especially important after the recent US court ruling on what kind of password protection satisfies the legal requirements for safeguarding accounts: Congress may well need to step in and impose on the banks a sense of responsibility towards depositors. There's no reason that a WoW account should have more security than a bank account, and the failure of American banks to increase security as part of market-driven competition only makes manifest a nearly collusive sense of inertia and collective disdain for depositors' wishes and wellbeing.
That is probably the most stupid comment I have ever seen. Supply was lower in 2010 compared to 2008. So that explains an increase in demand? That is not how "basic economics" works. Demands lead Supplies.
He said: 'It would have been hard to prepare for this type of vulnerability.'
Well, yes, actually. It's not saying "it would have been hard to prevent this type of vulnerability", it's saying it would be hard to prepare for hundreds of thousands of customers' information getting stolen. That does sound hard to prepare for.
One expert [...] told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
Maybe he's just being horribly misquoted here. The vulnerability can apparently be triggered using a browser in a very standard way, which to a journalist might sound an awful lot like a "vulnerability in the browser". Still, if it's just shoving different numbers in a query string (which the article really, really makes it sound like it is), there's nothing to wonder at.
Yet again, faced with a news article on a topic I'm somewhat familiar with, shoddy reporting shines through. Disgusting.
I'm sorry, I just don't believe this. Either the reporting of this article is incompetent in describing the technical aspects, or the so called quoted expert and every dev on the project are utter morons. I call BS.
It seems inconceivable to me that the account number was in the clear in the address bar, much less that simply changing an account number in the URL would pull up someone else's account. If you were a dev on that project, that is something the most basic newbie knows is a no no.
For the quoted expert to say "It would have been hard to prepare for this type of vulnerability" is just absurd. A 3 yr old could "hack" the vulnerability described.
Something doesn't add up.
At the very least, maybe actual hackers used rainbow tables to figure out simple unsalted hashed account numbers. But to not re-validate on the server with each request on a bank level system is unimaginable.
Whiskey. Tango. Foxtrot.
I can just imagine the guys trying it out laughing their asses off when it actually worked.
I understand that on the web, stateful transactions require either cookies or sessions, and if security is an issue, use sessions. It allows stateful transactions (so you need a valid ID/password combination in order to get to the credit information page), and of course with salted transmission of data, eavesdropping becomes a pain. So where was all of this? This hack isn't just trivial, it's obscenely trivial. A first-time code monkey could spot this disaster looming. Banks have lots of money. Surely they could have hired someone competent instead of the cheapest idiot they could find. I'm shaking my head now. Lulzsec is seen as this big bad haxor group, where in fact, all they have to do is trip over some really stupid code, and with barely any work, take advantage of really stupid people (with lots of other people's money). I keep shaking my head. How could they be this careless and stupid? Do they want people to sue them for all the money they have?
This is the same technique I used to find my actual girlfriend on a dating site (and I don't consider that as "hacking" at all).
Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem.
The URL was not the problem (URLs should be readable and uniquely identify a resource; they are not really related to security) - the access control (non-existent) was the problem. Relying on hashes alone would just be security through obscurity. Although they are public information, it might have been advisable not to use bank account nos in the URL, even on a secured connection, but hashed URLs do not provide proper access control (which is what they should have had, to check that yes, user A really can not look at user B's account, or 1000 others).
They had authentication but not authorization, that's the problem
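The defect the thread keeps circling (a logged-in session is treated as authorized for any account named in the query string, see "They failed to check individual resources against what was being param'ed in" and "authentication but not authorization" above) shown in code, as an added example that is not from the thread or from any bank's software. The session store, account table, URLs and function names are all constructed for illustration; the request parsing stands in for whatever framework the real site used.

```python
"""Added example (not from the thread): the missing authorization check.
handle_statement_vulnerable reproduces the pattern the article describes;
handle_statement_fixed binds the requested record to the session's owner.
SESSIONS, ACCOUNTS and both handlers are constructed for this example."""
from urllib.parse import parse_qs, urlsplit

# Constructed data: session token -> authenticated customer id,
# and account number -> (owning customer id, statement text).
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}
ACCOUNTS = {
    "1001": ("alice", "alice statement"),
    "1002": ("bob", "bob statement"),
}


def _session_and_account(url, token):
    """Resolve the session to a customer and pull ?account= from the URL.
    This is authentication only: it says who is asking, not what they may see."""
    customer = SESSIONS.get(token)
    if customer is None:
        raise PermissionError("not authenticated")
    query = parse_qs(urlsplit(url).query)
    account = query.get("account", [None])[0]
    return customer, account


def handle_statement_vulnerable(url, token):
    """Authenticated == authorized. The account owner is looked up but never
    compared with the session's customer, so any valid session can read any
    account simply by editing the number in the address bar."""
    _customer, account = _session_and_account(url, token)
    _owner, statement = ACCOUNTS[account]
    return statement


def handle_statement_fixed(url, token):
    """Hardened: the record must belong to the customer behind the session.
    A missing account and a foreign account produce the same error, so the
    response does not confirm whether a guessed number exists."""
    customer, account = _session_and_account(url, token)
    record = ACCOUNTS.get(account)
    if record is None or record[0] != customer:
        raise PermissionError("account not accessible to this session")
    return record[1]


def handle_statement_scoped(index, token):
    """Alternative the thread touches on: keep account numbers out of the URL
    entirely. The URL carries only an index into the session's own account
    list, so there is no foreign identifier to substitute."""
    customer, _ = _session_and_account("https://example.test/", token)
    own = sorted(a for a, (owner, _s) in ACCOUNTS.items() if owner == customer)
    if not 0 <= index < len(own):
        raise PermissionError("no such account for this session")
    return ACCOUNTS[own[index]][1]
```

The fixed handler still accepts the account number in the URL; the scoped variant shows that even then the check is ownership, not secrecy of the identifier, which is why hashing the number alone would not have helped.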
I don't bank with citigroup, and I certainly never will knowing how little effort they put into their security practices.
What makes you think that other banks are any better?
People used to think that RSA and SecurID were secure a couple of months ago...
Personally I'd rather see hackers publish information like this where the company is forced to admit to the hack, rather than serious organised criminals systematically stealing money and keeping it under the radar so the bank can continue denying the hack.
http://spamdecoy.net - free throwaway anonymous email - avoid spam!
Apparently there is no security whatsoever on the internet. It's a wonder how the bad guys manage to crawl all the way to the bank while rolling on the floor laughing.
Queue Super-Spy music for this amazing hack...
Doesn't surprise me, I found a website where you can spam a Telco's entire userbase if you set up a nice script to simply advance mobile numbers. We often over-estimate the quality of people they have developing, and I doubt there is very much in the way of security testing/auditing going on in a lot of cases.
For the past 3 years, I've been getting emails from another Citibank customer of the same name as me on my gmail account. First it started with "offers" but has escalated to PDF account statements.
Despite all attempts to stop this "spam", they are unable to fix the issue because "I'm not the owner of the account".
So, they happily let customers set email addresses without verification. And continue the sending of personal information despite being told otherwise.
Time to close my account. This was the final straw.
From the article: "One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'" Someone who says this is not an expert.
Never ever trust the browser!
Epic fail, but of course we would not expect any less from Citibank.
A quote from the troll gmhowell says it all:
"I do whatever amuses me at the moment. Sometimes that is trolling. As far as AC? I only do that to avoid undoing moderations." - by gmhowell (26755) on Wednesday April 20, @12:49AM (#35877174) Homepage
Your own words prove to us that you're online trash gmhowell, you scumbag troll.
This IS why nobody here takes you seriously, or pays you any heed: You're a troll!
The above not enough? Well, here's more from you:
http://slashdot.org/comments.pl?sid=1907528&cid=34543612
And here also:
http://slashdot.org/comments.pl?sid=2087330&cid=35846218
("3 strikes, & you're out" - And, there's NO DENYING you are a troll, gmhowell. (Especially when you admitted it there in the links above, literally, in your own words!))
Just like in the Sub-Prime pyramid scandal, the wicked and lazy in Citibank shall be punished too!!
.
.
.
/crickets
The difference is that with the RSA hack, while badly handled, nothing was completely compromised. They only got a free pass on the extra security, but most if not all of these systems also have good password policy enforcement, which is why the threat was identified and stopped. It is pretty pointless to count on just the SecurID for security, as it can be physically stolen; it is just an extra layer of protection like properly implemented biometric checks.
Get a web developer
Other stupidities the Citibank online banking site that I have seen, that long ago left me without confidence in its implementation:
And probably more; those are just what come immediately to mind.
The Citibank online banking site is simply an incompetent piece of work. If the characterisation of its "security" implementation is correct in the FA, then this clearly has crossed the line into criminal incompetence. The contractor should be blacklisted. Those at Citibank who hired the contractor should be fired, disciplined and demoted.
It seems very plausible that kickbacks were involved; there's almost no doubt that a large chunk of it found its way back into the pockets of the people who selected the contractor. These schemes are absolutely rampant.
That isn't a hack that's shoddy programming... Just wow, how could you not see that being exploited??!!
This is the kind of problem you have when you totally code with entry level or outsourced programmers. ANY programmer with a few years of experience would see that one coming.
"In theory, theory and practice are the same. In practice, they are not." - Albert Einstein
Banks make all their money through debt now anyway, why should they give a flying fsck about personal banking security? Heck, they should have less security, so that "hackers" (I use that word liberally) can take out fake loans and money in other people's names, and then Citibank can sell those debts to another bank for big profits. What could possibly go wrong?
Should CERT issue an advisory on outsourcing as a hot new attack vector?
where's the 'like' button when you need one!
Once you are logged in to a Citibank credit card account you can generate a virtual account number, complete with expiration date and cvv. That would have been an easy way to exploit the compromised accounts, without knowing the password, expiration date or cvv.
I sent the link to a friend who unfortunately didn't have popups disabled in the browser.
His laptop was immediately infected with malware; and McAfee didn't catch it......
THAT is interesting!
There was, but Ally Bank is letting its interest rates decay (3% a year ago, 0.5-1.0% today). Fee hikes come next, then they get a Close notice from me.
Ever heard of a credit union? It's curious how much service changes when you remove shareholders from the equation...
Note: I was 13 when I wrote most of this. Take with several grains of salt.