How Citigroup Hackers Easily Gained Access
Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."
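The flaw the summary describes is an insecure direct object reference: the server trusted an account identifier carried in the URL and never checked that the logged-in customer owned it. The following is an added example, not code from the thread, the article, or Citigroup: a toy statement endpoint in its vulnerable form beside the ownership check that closes the hole, plus a small detector that flags a session touching more distinct account identifiers than one customer plausibly owns. The account table, the `acct` query parameter, and all names are constructed for illustration.

```python
# Added example: IDOR in a card-statement endpoint, the fix, and a detector.
# Names, URLs and the account table below are constructed, not real data.
from collections import defaultdict
from dataclasses import dataclass
from urllib.parse import parse_qs, urlparse

# Constructed sample data: which customer owns which card account.
ACCOUNTS = {
    "4000-0001": {"owner": "alice", "balance": 120.50},
    "4000-0002": {"owner": "bob",   "balance": 87.00},
    "4000-0003": {"owner": "carol", "balance": 3010.25},
}


@dataclass
class Session:
    """The authenticated identity the server already knows from login."""
    user: str


class Forbidden(Exception):
    pass


def account_from_url(url):
    """Pull the account identifier out of a URL such as
    https://bank.example/cards/statement?acct=4000-0001 (hypothetical route)."""
    return parse_qs(urlparse(url).query).get("acct", [None])[0]


def statement_vulnerable(session, account_no):
    """Vulnerable: the identifier from the address bar is trusted as-is, so any
    logged-in user can read any account simply by editing the URL."""
    return ACCOUNTS[account_no]


def statement_fixed(session, account_no):
    """Hardened: authorize against the session, not the URL. The identifier is
    only a lookup key; ownership decides whether the caller may see the record."""
    acct = ACCOUNTS.get(account_no)
    if acct is None or acct["owner"] != session.user:
        # One indistinguishable response for "no such account" and "not yours",
        # so probing the identifier space does not reveal which numbers exist.
        raise Forbidden("account not available")
    return acct


class EnumerationDetector:
    """Counts distinct account identifiers requested per session; a legitimate
    customer touches a handful, an enumeration script touches thousands."""

    def __init__(self, threshold=3):
        self.threshold = threshold
        self.seen = defaultdict(set)

    def observe(self, session, account_no):
        """Record one request; return True once the session looks like a sweep."""
        self.seen[session.user].add(account_no)
        return len(self.seen[session.user]) > self.threshold


def demo():
    """Run the three pieces on constructed traffic and return the outcomes."""
    alice = Session("alice")
    url = "https://bank.example/cards/statement?acct=4000-0002"  # bob's account
    acct = account_from_url(url)

    leaked_owner = statement_vulnerable(alice, acct)["owner"]
    try:
        statement_fixed(alice, acct)
        blocked = False
    except Forbidden:
        blocked = True

    det = EnumerationDetector(threshold=2)
    sweep = Session("mallory")
    flags = [det.observe(sweep, n) for n in ("4000-0001", "4000-0002", "4000-0003")]
    return {"leaked_owner": leaked_owner, "blocked": blocked, "flags": flags}


if __name__ == "__main__":
    print(demo())
```

The detector is a coarse control and does not replace the authorization check; it is the server-side signal that would have shown tens of thousands of identifier substitutions from a single session long before the sweep finished.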
Makes Sony's security setup look like Fort Knox. And that's saying something.
The part of the story aardwolf64's not explaining: The reason he got the promotion was not because of the obvious security problem but because of the payment to whipsandhandcuffs.com he found on his manager's statement.
I am officially gone from
<NICE>
This is what you get when important functions are written by people who do not have the slightest inkling of what network security is about. You can put loads of $$$ into planning and design into specifying authentication, and it all falls down because the grunt who actually does the work doesn't have a clue.
</NICE>
<REALISTIC>
Probably the grunt without a clue is the smartest guy over there.
I can make the same argument for my luggage.
0 = 1 + e^(Alt something)
It's the security solution for Citigroup!
Think of the great employment opportunities now that you know that anyone can be a "security professional!"
Well, I did stay at a Holiday Inn last night....
Don't tell me to get a life. I'm a gamer; I have LOTS of lives!
That's the stupidest combination I've ever heard!
And yet FTFA:
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: 'It would have been hard to prepare for this type of vulnerability.'
Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).
See, this is the real reason Firefox wants to get rid of the URL bar. Only hackers would directly enter a URL. Legitimate consumers will just follow the link to their account from their Facebook page.
You mean Google. Firefox just wants to do it because Google is doing it.
The lowest bidder.