How Citigroup Hackers Easily Gained Access
Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."
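As an added example, not code from the story or from any Citigroup system: a minimal Python model of the flaw described above (an insecure direct object reference, where the account number in the address bar is trusted as-is), the ownership check that closes it, and a simple log check for sessions that walk the account-number space the way the automated program did. Account numbers, customer ids, session ids and log lines are all constructed.

```python
from collections import defaultdict

# Constructed account store: account number -> owner customer id and balance
ACCOUNTS = {
    "4000-0001": {"owner": "cust-A", "balance": 120.50},
    "4000-0002": {"owner": "cust-B", "balance": 9800.00},
    "4000-0003": {"owner": "cust-C", "balance": 33.10},
}

def get_account_vulnerable(session, account_number):
    """Insecure direct object reference: the account number taken from
    the URL is looked up directly. Any logged-in customer can read any
    account simply by editing the number; the session is never consulted."""
    return ACCOUNTS.get(account_number)  # no ownership check

def get_account(session, account_number):
    """Hardened lookup: the record is returned only if it belongs to the
    authenticated customer. Unknown and foreign accounts both yield None,
    so the response does not reveal which account numbers exist."""
    record = ACCOUNTS.get(account_number)
    if record is None or record["owner"] != session["customer_id"]:
        return None
    return record

def find_enumerating_sessions(log_lines, threshold=3):
    """Detection: the attack repeated the trick thousands of times, so a
    single session touching many distinct account numbers stands out.
    Constructed log format: '<session_id> <http_status> <account_number>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session_id, _status, account_number = line.split()
        seen[session_id].add(account_number)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)

# Constructed sample: s1 is an ordinary customer, s2 walks the ID space.
SAMPLE_LOG = [
    "s1 200 4000-0001",
    "s1 200 4000-0001",
    "s2 200 4000-0001",
    "s2 200 4000-0002",
    "s2 200 4000-0003",
]

if __name__ == "__main__":
    alice = {"customer_id": "cust-A"}
    print(get_account_vulnerable(alice, "4000-0002"))  # leaks cust-B's record
    print(get_account(alice, "4000-0002"))             # None
    print(find_enumerating_sessions(SAMPLE_LOG))       # ['s2']
```

In a real deployment the ownership check belongs in the data-access layer so every handler inherits it, and the enumeration check would run over the web server's access log keyed on session cookie rather than on a constructed list.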
I can make the same argument for my luggage.
Wait - is the combination 1, 2, 3, 4, 5?
Take off every 'sig' for great justice.
It's hard to even get management to acknowledge the problem, even when you spot them.
1) Spot an ID that's obscure, but know that the ID means something to the framework that you're using.
2) Report it to the project manager, and in this case it's the Technical Director of the company (!)
3) Get told in no uncertain terms that you're spouting rubbish, as a 'tiger team' employed by the customer has done a security audit.
4) Repeat that, given a reasonably short amount of time, I could manipulate the framework to drop into an administrative mode with full control.
5) Get told by my PM/TD that I am not to waste my time on such nonsense, and get on with whatever it was I was doing at the time.
6) Mention a methodology to my colleagues that I might try, if I had been given time (hint hint)
7) Take a few days off sick leave, after discussing things further with an interested peer.
8) While I'm away, my peer follows up on my ideas, and demonstrates it on the live app, with a manager who has an account at said institution.
9) Shit hits fan.
10) Find out that I'm sacked when I return
11) Profit, sued for unfair dismissal. (Yes it's more complicated than the above summary)
Summary: people are stupid, PMs want the job done as quickly as possible and Directors want profit as soon as possible; as a result, corners are cut. News at 11.