How Citigroup Hackers Easily Gained Access

← Back to Stories (view on slashdot.org)

How Citigroup Hackers Easily Gained Access

Posted by CmdrTaco on Tuesday June 14, 2011 @09:54AM from the all-kinds-of-fail dept.

Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."

20 of 371 comments (clear)

Min score:

Reason:

Sort:

Seriously, what the fuck! by jandrese · 2011-06-14 09:58 · Score: 5, Insightful

There is no facepalm big enough to express my feeling at that hack. I'm sure they paid good money to "security professionals" to set that up too.

--

I read the internet for the articles.
1. Re:Seriously, what the fuck! by MozeeToby · 2011-06-14 10:00 · Score: 5, Funny
  
  Makes Sony's security setup look like Fort Knox. And that's saying something.
2. Re:Seriously, what the fuck! by HeckRuler · 2011-06-14 10:13 · Score: 4, Insightful
  
  Agreed. And this:
  
  'broke in through the front door'
  It was an unlatched SCREEN DOOR with a missing hinge!
  I wouldn't consider it hacking even by the media's definition. It's akin to asking the teller for someone else's information, and coming back 200,000 times to do it again.
  
  Whiskey
  Tango
  Foxtrot
3. Re:Seriously, what the fuck! by swanzilla · 2011-06-14 10:17 · Score: 4, Funny
  
  I can make the same argument for my luggage.
  
  --
  0 = 1 + e^(Alt something)
4. Re:Seriously, what the fuck! by Anonymous Coward · 2011-06-14 10:19 · Score: 5, Insightful
  
  And yet FTFA:
  One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
  He said: 'It would have been hard to prepare for this type of vulnerability.'
  Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).
5. Re:Seriously, what the fuck! by demonbug · 2011-06-14 10:32 · Score: 4, Funny
  
  And yet FTFA:
  One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
  He said: 'It would have been hard to prepare for this type of vulnerability.'
  Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).
  See, this is the real reason Firefox wants to get rid of the URL bar. Only hackers would directly enter a URL. Legitimate consumers will just follow the link to their account from their Facebook page.
6. Re:Seriously, what the fuck! by CharlyFoxtrot · 2011-06-14 10:48 · Score: 4, Insightful
  
  There's a reason that "expert" is anonymous: it's a PR flunky that has to feed ass-covering statements to the press. Something for the masses who don't know any better to swallow.
  
  --
  If all else fails, immortality can always be assured by spectacular error.
7. Re:Seriously, what the fuck! by blair1q · 2011-06-14 11:31 · Score: 4, Insightful
  
  Account numbers don't need to be secret. In fact, you hand them out when you write checks.
  It's the access using the account number that has to be protected by more than "is the rest of the URI formatted correctly and does the browser have a cookie we issued to it?"
  Hashing the account number (and other info) into an identifier in that cookie, then using that as the session ID, and only allowing access to that one account from that port until another session was authenticated on it, would be more proper.
  It's not just the URI that is screwy, it's the whole lifecycle design of the session, and a failure to partition the data in any meaningful way.
8. Re:Seriously, what the fuck! by EdIII · 2011-06-14 12:31 · Score: 5, Interesting
  
  Yeah...... this was not hacking. That word has been expanded entirely way too much in much the same way Schizophrenia was used a dump bucket for psychological disorders we just did not understand yet.
  Hacking, even in this context, implies there was security to begin with.
  This was not a SQL injection attack. If they were posting stuff in the URL bar then that means that Citigroup's website was programmed to take the $_GET (or whatever non-PHP equivalent) and just return the data.
  No validation, or even a comparison against the user profile held in the session data? Seriously?
  Everything we do is AJAX with JQuery. We authenticate a user and from that point on their user profile information is stored in the session. Every API call from that point forward passes their unique ID along with the action request (even just informational requests) that get validated by our own security processes at the API level, especially before a database call is made in the first place to return data from the appropriate database for that customer/process/application. We validate who you are, what you are accessing, and what rights have been assigned to you, before you get an XML/JSON response document back from us.
  Anything else, is just unwise and unprofessional. By no means, am I or the people I work with superstars. This is just the basics of anybody that approaches a project with security first, application second mentality.
  According to this article, Citigroup was just wide wide WIDE the $*$%(# open. It's not hacking when asking the "question" of the web server does not initiate authentication. Citigroup literally allowed anonymous requests for information by design .
  I would not even prosecute the group. Seriously.... for what? Walking into a bakery where a mentally challenged person was just freely giving away cherry pies? Was it unethical to take advantage of the poor idiot and take the cherry pie when you know that normally it cost $5? Probably. Was it stealing? I don't think so.
  If anything, there should be class action suit against Citigroup by all of the members for gross negligence. How ironic is it that huge groups like this, with tons of money (some of it stolen through mortgage fraud) pay hundreds of thousands or millions of dollars and get less value than a small time development group that charges 15k-20k for a small site ?
  It's deliciously stupid that the biggest groups are programmed by morons, and that the smaller websites are actually programmed to be more secure.
  I'd like to say I can't believe it, but I know too many stories where half million dollar websites are running on $50k worth of hardware, with IT budgets that allow judicious use of hookers and blow, and yet they can't program themselves out of a wet cardboard box, let alone prevent SQL injection attacks.
  The wonderful stupidity....
Seriously... by Frosty+Piss · 2011-06-14 09:58 · Score: 4, Insightful

Heads need to roll for this one... Amazing. Words escape me.

--
If you want news from today, you have to come back tomorrow.
I did something similar by aardwolf64 · 2011-06-14 09:59 · Score: 4, Interesting

I did that at a bank I was working with. It was actually a hidden form variable with the institutions username/password, but grabbing that page before it auto-submitted allowed me to pull anyone's statement. I showed it to my manager, and eventually got a promotion out of it. :-)
1. Re:I did something similar by Volante3192 · 2011-06-14 10:05 · Score: 4, Insightful
  
  Be thankful your manager wasn't a complete idiot; playing the odds, that would normally get you fired, arrested and pilloried...
2. Re:I did something similar by dkleinsc · 2011-06-14 10:05 · Score: 5, Funny
  
  The part of the story aardwolf64's not explaining: The reason he got the promotion was not because of the obvious security problem but because of the payment to whipsandhandcuffs.com he found on his manager's statement.
  
  --
  I am officially gone from /. Long live http://www.soylentnews.com/
WTF by itchythebear · 2011-06-14 10:08 · Score: 5, Insightful

From TFA:

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'
/epic facepalm
First, this is NOT a hard vulnerability to prepare for. If the only method of user authentication you are doing is based off a string of characters received from the URL your not even qualified to build an ecommerce site for some mom-and-pop 2-sales-a-week company, let alone a bank.
Second, why is this a surprise to this security "expert"? Anyone who has done development for a website with dynamic content would be familiar with passing information through the url. This is like web design 101. If I logged into my credit card account and saw my CC number in the URL bar the FIRST thing I would think of would be: "what would happen if I typed in another number in there." Security expert my ass, no wonder why some companies have this happen to them, look at the people they hire to test and investigate their systems!
/rant

--
If what I just said sounded like a troll, it was probably just a failed attempt at humor.
The "Expert" by overunderunderdone · 2011-06-14 10:26 · Score: 4, Insightful

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

He said: 'It would have been hard to prepare for this type of vulnerability.
IF the article is correct about the nature of the vulnerability this quote is the single stupidest and most frightening things I have ever read on the internet.
Re:you have got to be kiddinbg me by icebike · 2011-06-14 10:43 · Score: 4, Informative

Sending the account number out in a URL over SSL should not be that big of a hole.
(Ok, not smart, but the risk lies mostly in the person looking over the user's sholder).
The problem was allowing the change in the URL without going thru re-validation of credentials.
Apparently they set a session flag indicating that validation had been passed, and never bothered
to match that with the change in the account number.

--
Sig Battery depleted. Reverting to safe mode.
Seriously, who are these "security experts"? by cultiv8 · 2011-06-14 11:00 · Score: 5, Insightful

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'
Are you *really* trying to label this as a browser vulnerability issue?

You're either *really* incompetent or paid very well to say shit like that.

--
sysadmins and parents of newborns get the same amount of sleep.
Re:you have got to be kiddinbg me by uberjack · 2011-06-14 11:01 · Score: 4, Informative

Sending the account number out in a URL over SSL should not be that big of a hole
Exposing an internal ID in such fashion is not only foolish, but very much a beginner error. I would expect this from some half-assed forum software - not a bank. That said, I've worked for the government before, and seen the same stupid mistake repeated time and time again. A salted hash would have been a lot less idiotic. The fact that there was no authorization performed makes compounds the issue, however, and one wonder who these people hired to write their infrastructure.
OMFG by Checkered+Daemon · 2011-06-14 11:06 · Score: 4, Insightful

"In conclusion, the main thing we did wrong when designing ATM security systems in the early to mid-1980s was to worry about criminals being clever; we should rather have worried about our customers - the banks' system designers, implementers, and testers - being stupid."
Ross Anderson, "Security Engineering"
Re:you have got to be kidding me by sortadan · 2011-06-14 11:08 · Score: 4, Insightful

This is super basic stuff in the web world. What they did in this debacle is let you into the bank (citigroup.com), talk to you one-on-one at the teller station (SSL), have you swipe your card and enter your pin (login/password), then let you fill out a withdrawal form for anyone's account and give you the money!!

"Uh... yeah, I'd like to get the money from my account number +1... oh, that one's closed, how about my account number +2, nope, well then +3? Ah, yes, that one please... all the money, yes."

I don't bank with citigroup, and I certainly never will knowing how little effort they put into their security practices.