Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Citigroup Hackers Easily Gained Access

Posted by CmdrTaco on from the all-kinds-of-fail dept.

Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."

16 of 371 comments (clear)

  1. Seriously, what the fuck! by jandrese · · Score: 5, Insightful

    There is no facepalm big enough to express my feeling at that hack. I'm sure they paid good money to "security professionals" to set that up too.

    --

    I read the internet for the articles.
    1. Re:Seriously, what the fuck! by HeckRuler · · Score: 4, Insightful
      Agreed. And this:

      'broke in through the front door'

      It was an unlatched SCREEN DOOR with a missing hinge!
      I wouldn't consider it hacking even by the media's definition. It's akin to asking the teller for someone else's information, and coming back 200,000 times to do it again.

      Whiskey
      Tango
      Foxtrot

    2. Re:Seriously, what the fuck! by Anonymous Coward · · Score: 5, Insightful

      And yet FTFA:

              One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

              He said: 'It would have been hard to prepare for this type of vulnerability.'

      Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).

    3. Re:Seriously, what the fuck! by CharlyFoxtrot · · Score: 4, Insightful

      There's a reason that "expert" is anonymous: it's a PR flunky that has to feed ass-covering statements to the press. Something for the masses who don't know any better to swallow.

      --
      If all else fails, immortality can always be assured by spectacular error.
    4. Re:Seriously, what the fuck! by blair1q · · Score: 4, Insightful

      Account numbers don't need to be secret. In fact, you hand them out when you write checks.

      It's the access using the account number that has to be protected by more than "is the rest of the URI formatted correctly and does the browser have a cookie we issued to it?"

      Hashing the account number (and other info) into an identifier in that cookie, then using that as the session ID, and only allowing access to that one account from that port until another session was authenticated on it, would be more proper.

      It's not just the URI that is screwy, it's the whole lifecycle design of the session, and a failure to partition the data in any meaningful way.

  2. Seriously... by Frosty+Piss · · Score: 4, Insightful

    Heads need to roll for this one... Amazing. Words escape me.

    --
    If you want news from today, you have to come back tomorrow.
  3. Re:I did something similar by Volante3192 · · Score: 4, Insightful

    Be thankful your manager wasn't a complete idiot; playing the odds, that would normally get you fired, arrested and pilloried...

  4. If you don't know, ask. by chaboud · · Score: 3, Insightful

    If you don't understand how a secure negotiation protocol (and the protocol for the session after the fact) works, admit it and either ask someone or read several books until you recognize that you should still go ask someone. I've read more than my fair share of crypto books and papers, but, being an application developer who does only trivial personal server-side development, you can be damned sure that I'd ask for help when working on a username/password system. This goes double if it involves banking.

    That any session allows them to go digging around willy nilly is so unbelievably stupid, I can't even find the words.

  5. WTF by itchythebear · · Score: 5, Insightful

    From TFA:

    One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'

    /epic facepalm

    First, this is NOT a hard vulnerability to prepare for. If the only method of user authentication you are doing is based off a string of characters received from the URL your not even qualified to build an ecommerce site for some mom-and-pop 2-sales-a-week company, let alone a bank.

    Second, why is this a surprise to this security "expert"? Anyone who has done development for a website with dynamic content would be familiar with passing information through the url. This is like web design 101. If I logged into my credit card account and saw my CC number in the URL bar the FIRST thing I would think of would be: "what would happen if I typed in another number in there." Security expert my ass, no wonder why some companies have this happen to them, look at the people they hire to test and investigate their systems!

    /rant

    --
    If what I just said sounded like a troll, it was probably just a failed attempt at humor.
  6. The "Expert" by overunderunderdone · · Score: 4, Insightful

    One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

    He said: 'It would have been hard to prepare for this type of vulnerability.

    IF the article is correct about the nature of the vulnerability this quote is the single stupidest and most frightening things I have ever read on the internet.

  7. I won't stop short... the coders were idiots by sirwired · · Score: 3, Insightful

    It doesn't matter WHAT time or money constraints they were under. This is simply not something that would be acceptable out of somebody that codes for money. To call this a "beginners mistake" is an insult to Web Development 101 students everywhere. If you have to be TOLD that maintaining authentication to a secure website based on the contents of the URL bar is a bad idea, then you do not deserve to be coding for anybody. I haven't EVER coded a website (I haven't written anything longer than a ten-line shell script in 13 years) and I could have told you this was a mind-bogglingly stupid mistake. This is not 20/20 hindsight at work here... it really is that stupid.

    Heads should roll, including the programmer(s) responsible for this travesty, and two levels of management above him/her. And the remaining employees in the department should all have to apply for their jobs again (by the new management team), as their suitability as programmers could not have been properly evaluated before if the original moron managed to keep his job longer than a week.

    I'm actually willing to cut the testers some mild slack... maybe they chose not to test for the developer having the IQ of a turnip. (Just a little slack... a tester should NEVER assume the developer has the least clue what they are doing when figuring out what needs testing.)

  8. Seriously, who are these "security experts"? by cultiv8 · · Score: 5, Insightful

    One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'

    Are you *really* trying to label this as a browser vulnerability issue?

    You're either *really* incompetent or paid very well to say shit like that.

    --
    sysadmins and parents of newborns get the same amount of sleep.
  9. OMFG by Checkered+Daemon · · Score: 4, Insightful

    "In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid-1980s was to worry about criminals being clever; we should rather have worried about our customers - the banks' system designers, implementers, and testers - being stupid."
                    Ross Anderson, "Security Engineering"

  10. Re:you have got to be kidding me by sortadan · · Score: 4, Insightful

    This is super basic stuff in the web world. What they did in this debacle is let you into the bank (citigroup.com), talk to you one-on-one at the teller station (SSL), have you swipe your card and enter your pin (login/password), then let you fill out a withdrawal form for anyone's account and give you the money!!

    "Uh... yeah, I'd like to get the money from my account number +1... oh, that one's closed, how about my account number +2, nope, well then +3? Ah, yes, that one please... all the money, yes."

    I don't bank with citigroup, and I certainly never will knowing how little effort they put into their security practices.

  11. Same vulnerability as Hotmail 10 years ago by inject_hotmail.com · · Score: 3, Insightful

    Anyone remember? You could gain access to anyone else's mailbox by replacing your own address with theirs in the URL bar...10 years later, a bank still can't figure that out? These are the jackasses we "trust" with all of our money and assets, too.

  12. Re:you have got to be kiddinbg me by turbidostato · · Score: 3, Insightful

    But "the lowest bidder" is the spirit of corporate America!

    Obvisouly it is not that Citibank were criminal morons with absolut disregard about their customers, but that the attackers were sophisticate terrorists (and paedophyles, now that we are talking about it).