Slashdot Mirror

← Back to Stories (view on slashdot.org)

How Citigroup Hackers Easily Gained Access

Posted by CmdrTaco on from the all-kinds-of-fail dept.

Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."

4 of 371 comments (clear)

  1. Seriously, what the fuck! by jandrese · · Score: 5, Insightful

    There is no facepalm big enough to express my feeling at that hack. I'm sure they paid good money to "security professionals" to set that up too.

    --

    I read the internet for the articles.
    1. Re:Seriously, what the fuck! by Anonymous Coward · · Score: 5, Insightful

      And yet FTFA:

              One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

              He said: 'It would have been hard to prepare for this type of vulnerability.'

      Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).

  2. WTF by itchythebear · · Score: 5, Insightful

    From TFA:

    One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'

    /epic facepalm

    First, this is NOT a hard vulnerability to prepare for. If the only method of user authentication you are doing is based off a string of characters received from the URL your not even qualified to build an ecommerce site for some mom-and-pop 2-sales-a-week company, let alone a bank.

    Second, why is this a surprise to this security "expert"? Anyone who has done development for a website with dynamic content would be familiar with passing information through the url. This is like web design 101. If I logged into my credit card account and saw my CC number in the URL bar the FIRST thing I would think of would be: "what would happen if I typed in another number in there." Security expert my ass, no wonder why some companies have this happen to them, look at the people they hire to test and investigate their systems!

    /rant

    --
    If what I just said sounded like a troll, it was probably just a failed attempt at humor.
  3. Seriously, who are these "security experts"? by cultiv8 · · Score: 5, Insightful

    One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'

    Are you *really* trying to label this as a browser vulnerability issue?

    You're either *really* incompetent or paid very well to say shit like that.

    --
    sysadmins and parents of newborns get the same amount of sleep.