Thieves Found Citigroup Site an Easy Entry. "In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data."
The title of the article is correct, but the body makes it sound like a sophisticated attack. It looks like Citibank put the account number in the URL and only validated it on the first request of the session. That's rather stupid of them. It would have been stupid to do this at any time in the last ten years. For a bank to structure a system this way should have been criminal. There's no excuse.
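The flaw described above is an insecure direct object reference: an account identifier in the URL that is authorized only at login. As an added example, not code from the article or from Citi's systems, here is a handler with that flaw beside one that re-checks ownership on every request, plus a log check that flags a session naming many distinct account numbers; all account numbers, session ids and log lines are constructed.

```python
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed sample data (not real accounts): account number -> owner, balance.
ACCOUNTS = {
    "4111000011": {"owner": "alice", "balance": 120.50},
    "4111000022": {"owner": "bob", "balance": 98.00},
    "4111000033": {"owner": "carol", "balance": 5000.00},
}
SESSIONS = {"sess-1": "alice"}  # session id -> authenticated customer

def acct_from_url(url):
    """Pull the acct query parameter out of a request URL (None if absent)."""
    return parse_qs(urlparse(url).query).get("acct", [None])[0]

def vulnerable_view(session_id, url):
    """Flawed pattern from the post: checks only that the session is logged in,
    then trusts the account number in the URL, so any customer reads any account."""
    if session_id not in SESSIONS:
        return None
    acct = ACCOUNTS.get(acct_from_url(url))
    return acct["balance"] if acct else None

def hardened_view(session_id, url):
    """Fix: on every request, require that the requested account belongs to the
    session's customer; authorization is bound to the object, not to the login."""
    user = SESSIONS.get(session_id)
    acct = ACCOUNTS.get(acct_from_url(url))
    if user is None or acct is None or acct["owner"] != user:
        return None
    return acct["balance"]

def sessions_touching_many_accounts(log_lines, threshold=3):
    """Detection: flag sessions whose requests name >= threshold distinct account
    numbers. A real customer touches a handful; enumeration touches thousands."""
    seen = defaultdict(set)
    for line in log_lines:
        session_id, url = line.split()[1:3]
        acct = acct_from_url(url)
        if acct:
            seen[session_id].add(acct)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)

# Constructed access-log lines: "<time> <session id> <url>".
SAMPLE_LOG = [
    "10:00:01 sess-1 /account?acct=4111000011",
    "10:00:02 sess-9 /account?acct=4111000011",
    "10:00:02 sess-9 /account?acct=4111000022",
    "10:00:03 sess-9 /account?acct=4111000033",
]
```

The per-request ownership check is the fix; the log check is the compensating detection that would have caught tens of thousands of repetitions from one session.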