How Citigroup Hackers Easily Gained Access
Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."
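The flaw described in the summary is an insecure direct object reference: the server authenticates the session but then trusts whatever account number appears in the URL. Below is an added, constructed example (not Citigroup's code, and not from the article) showing a handler with that defect beside one that checks ownership server-side, plus a log check that flags a session cycling through many distinct account numbers; session ids, account numbers and the log format are all made up for the example.

```python
"""Constructed example: URL-trusting account lookup vs. ownership-checked
lookup, plus detection of a session enumerating account numbers."""
from collections import defaultdict

# Constructed sample data: which customer each session belongs to, and who owns each account.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}
ACCOUNTS = {
    "4000001": {"owner": "alice", "balance": 120.50},
    "4000002": {"owner": "bob", "balance": 88.00},
}


class Forbidden(Exception):
    """Raised when a request is refused."""


def vulnerable_lookup(session_id, account_number):
    # Authenticates the session, then trusts the identifier taken from the address bar.
    if session_id not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_number]  # any logged-in customer can read any account


def secure_lookup(session_id, account_number):
    # Same authentication, but the object reference is checked against the
    # authenticated principal before anything is returned.
    customer = SESSIONS.get(session_id)
    if customer is None:
        raise Forbidden("not logged in")
    record = ACCOUNTS.get(account_number)
    if record is None or record["owner"] != customer:
        # Identical response for "missing" and "not yours" so the endpoint
        # does not reveal which account numbers exist.
        raise Forbidden("account not available to this session")
    return record


def is_denied(lookup, session_id, account_number):
    # Small helper for checks: True when the handler refuses the request.
    try:
        lookup(session_id, account_number)
        return False
    except Forbidden:
        return True


def sessions_enumerating(log_lines, threshold=3):
    # Detection: a real customer touches a handful of accounts; a script substituting
    # numbers touches many. Constructed log format: "<session> GET /account/<number>".
    seen = defaultdict(set)
    for line in log_lines:
        session_id, _method, path = line.split()
        seen[session_id].add(path.rsplit("/", 1)[-1])
    return sorted(s for s, nums in seen.items() if len(nums) >= threshold)
```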
Re:Seriously, what the fuck! (Score:5, Funny)
Makes Sony's security setup look like Fort Knox. And that's saying something.
Re:I did something similar (Score:5, Funny)
The part of the story aardwolf64's not explaining: The reason he got the promotion was not because of the obvious security problem but because of the payment to whipsandhandcuffs.com he found on his manager's statement.
Lowest bidder? (Score:2, Funny)
This is what you get when important functions are written by people who do not have the slightest inkling of what network security is about. You can put loads of $$$ into planning and design into specifying authentication, and it all falls down because the grunt who actually does the work doesn't have a clue.
</NICE>
<REALISTIC>
Probably the grunt without a clue is the smartest guy over there.
Why Chrome is dropping the address bar.... (Score:3, Funny)
Re:Seriously, what the fuck! (Score:4, Funny)
Think of the great employment opportunities now that you know that anyone can be a "security professional!"
Well, I did stay at a Holiday Inn last night....
Re:Seriously, what the fuck! (Score:5, Funny)
And yet FTFA:
One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.
He said: 'It would have been hard to prepare for this type of vulnerability.'
Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).
See, this is the real reason Firefox wants to get rid of the URL bar. Only hackers would directly enter a URL. Legitimate consumers will just follow the link to their account from their Facebook page.
Re:Seriously, what the fuck! (Score:3, Funny)
You mean Google. Firefox just wants to do it because Google is doing it.
Re:you have got to be kidding me (Score:3, Funny)