Security

How Citigroup Hackers Easily Gained Access

Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."


  • by Anonymous Coward on Tuesday June 14, 2011 @06:02PM (#36442774)

    Dealing with credit card information, I know for a fact that security implementation is 100% illegal if the allegations are true. Citibank will be fined hundreds of millions of dollars if they follow the law ($100,000 per incident). I mean, base level security for this would be to only allow that user access to that specific account. If they were able to simply change URL numbers to see other account holders' info... wow... just wow.

  • by icebike ( 68054 ) on Tuesday June 14, 2011 @06:43PM (#36443424)

    Sending the account number out in a URL over SSL should not be that big of a hole.
    (Ok, not smart, but the risk lies mostly in the person looking over the user's shoulder).

    The problem was allowing the change in the URL without going through re-validation of credentials.
    Apparently they set a session flag indicating that validation had been passed, and never bothered
    to match that with the change in the account number.

  • by uberjack ( 1311219 ) on Tuesday June 14, 2011 @07:01PM (#36443654)

    Sending the account number out in a URL over SSL should not be that big of a hole

    Exposing an internal ID in such fashion is not only foolish, but very much a beginner error. I would expect this from some half-assed forum software - not a bank. That said, I've worked for the government before, and seen the same stupid mistake repeated time and time again. A salted hash would have been a lot less idiotic. The fact that there was no authorization performed compounds the issue, however, and one wonders who these people hired to write their infrastructure.
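
The gap icebike and uberjack describe, as an added example that is not Citigroup's code (names, accounts and log lines are constructed): a handler that trusts the account number in the URL after checking only a session "logged in" flag, beside one that re-checks that the account belongs to the session's user, plus a log check that flags a session walking through many account ids.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample data (not real customers): account id -> owner and balance.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00},
    "1002": {"owner": "bob", "balance": 9800.00},
}

@dataclass
class Session:
    user: str
    authenticated: bool = True  # the "validation passed" flag icebike describes

def view_account_vulnerable(session: Session, account_id: str):
    """Checks only that *someone* is logged in, then trusts the id from the URL."""
    if not session.authenticated:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None:
        return 404, None
    return 200, account  # any authenticated user can read any account

def view_account_fixed(session: Session, account_id: str):
    """Re-checks that the requested account belongs to the session's own user."""
    if not session.authenticated:
        return 401, None
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != session.user:
        # Same response for missing and foreign ids so the id space can't be probed.
        return 404, None
    return 200, account

# Constructed access-log sample: (session user, requested account id, HTTP status).
SAMPLE_LOG = [
    ("alice", "1001", 200), ("bob", "1002", 200),
    ("mallory", "1001", 200), ("mallory", "1002", 200), ("mallory", "1003", 404),
]

def sessions_walking_accounts(log, max_accounts: int = 1):
    """Flags sessions that requested more distinct account ids than one user should own."""
    seen = defaultdict(set)
    for user, account_id, _status in log:
        seen[user].add(account_id)
    return sorted(u for u, ids in seen.items() if len(ids) > max_accounts)
```

The vulnerable handler hands alice bob's account; the fixed one answers 404 for both foreign and non-existent ids, and the log check singles out the session that touched three ids.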

