How stupid could Citi be?
In what is an embarrassing oversight for Citigroup, the attackers who got away with information on over 200,000 credit card holders only needed to change part of the URL string itself. This means that as long as you had the account number, you would be able to access all personal data associated with that particular account.
Citigroup should consider itself lucky that more customers did not have their accounts compromised. How the hackers got the credit card numbers themselves is not clear yet, but the vulnerability allowed them to jump among accounts automatically by just being logged in and running a script.
Essentially the process went like this: first, the hackers logged into the accountholder website. From there, they used some type of script that let them automatically jump from account to account and harvest any identifiable information merely by changing a portion of the URL. It's not exactly known how the hackers knew to exploit this vulnerability.
A browser and the ability to change the URL string was all that was needed to open hundreds of thousands of accounts to attackers. Oh wonderful.
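The flaw described above is what application-security people call an insecure direct object reference: the server treats an identifier in the URL as proof that the requester may see that record. The Python below is an added illustration, not Citigroup's code (which was never published); the account table, session table, URL shape (`/account?acct=...`) and log lines are all constructed. It shows the flawed handler beside a fixed one that checks ownership against the logged-in session, and a simple log heuristic that flags one session walking through many account numbers, which is the pattern a defender would look for.

```python
"""Added example (not Citigroup's code, which is not public): a minimal model of
the account-page flaw the article describes, the fix, and a detection heuristic.
All accounts, sessions, URLs and log lines are constructed for illustration."""
from collections import defaultdict
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Constructed sample data: account number -> personal data, with the owner.
ACCOUNTS = {
    "1001": {"owner": "alice", "name": "Alice A.", "address": "1 Main St"},
    "1002": {"owner": "bob", "name": "Bob B.", "address": "2 Oak Ave"},
    "1003": {"owner": "carol", "name": "Carol C.", "address": "3 Elm Rd"},
}
# Constructed session table: session token -> logged-in user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def account_id_from_url(url: str) -> Optional[str]:
    """Pull the account identifier out of a URL like /account?acct=1001."""
    vals = parse_qs(urlsplit(url).query).get("acct")
    return vals[0] if vals else None


def view_account_vulnerable(session_token: str, url: str) -> Optional[dict]:
    """The flawed pattern: being logged in is the only check, so whatever
    account number sits in the URL is served (insecure direct object reference)."""
    if session_token not in SESSIONS:
        return None  # not logged in
    return ACCOUNTS.get(account_id_from_url(url))


def view_account_fixed(session_token: str, url: str) -> Optional[dict]:
    """Hardened version: the URL value is only a lookup key.  Authorization
    comes from comparing the record's owner with the session's user."""
    user = SESSIONS.get(session_token)
    if user is None:
        return None
    record = ACCOUNTS.get(account_id_from_url(url))
    if record is None or record["owner"] != user:
        return None  # same response for missing and foreign accounts
    return record


# --- Detection: one session stepping through many account numbers ----------

# Constructed web-server log lines in the form "<session> <url> <status>".
SAMPLE_LOG = """\
sess-alice /account?acct=1001 200
sess-bob /account?acct=1002 200
sess-bob /account?acct=1003 200
sess-bob /account?acct=1004 200
sess-bob /account?acct=1005 200
sess-alice /account?acct=1001 200
"""


def flag_enumerating_sessions(log_text: str, threshold: int = 3) -> dict:
    """Return {session: distinct_account_count} for sessions that touched at
    least `threshold` distinct account numbers.  A real customer normally views
    one account; a script editing the URL touches many in one session."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        session, url, _status = parts
        acct = account_id_from_url(url)
        if acct:
            seen[session].add(acct)
    return {s: len(a) for s, a in seen.items() if len(a) >= threshold}


if __name__ == "__main__":
    # Bob, logged in, requests Alice's account by editing the URL.
    print(view_account_vulnerable("sess-bob", "/account?acct=1001"))  # leaks Alice's record
    print(view_account_fixed("sess-bob", "/account?acct=1001"))       # None
    print(flag_enumerating_sessions(SAMPLE_LOG))                      # {'sess-bob': 4}
```

The fix does not remove the account number from the URL; it stops trusting it. Returning the same empty response for a nonexistent account and for someone else's account also keeps the page from confirming which account numbers are valid.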
Obviously banking hacks constitute the most dangerous of all, since they deal with a person's financial life. Getting your Facebook hacked is one thing -- the damage is more to your pride -- but having your financial life opened to the world is potentially catastrophic.
For that reason, we deserve to have an expectation of rock-solid security when it comes to banks. It's for this reason that Citigroup's misstep is even more maddening: any coder knows these days not to put any identifiable information in the URL itself. It's one of the easiest ways for a hacker to waltz in and take whatever they want.
Simply put, how could Citigroup be that stupid?
Banks had better get ready, too: according to a story in the New York Times, a significant amount of stolen credit card information first obtained in 2008 is about to expire. Once it does, the value of such information is likely to skyrocket, giving hackers impetus to attempt new hacks.
Add to this the fact that hackers seem to be working overtime right now -- the torrent of news reports on LulzSec's and Anonymous' work being just the tip of the iceberg -- and it seems like it's only a matter of time before another major bank hack occurs.
The only thing going for those affected by the Citi hack may be the fact that the attackers do not have expiration dates or security numbers found on the back of the card. This may protect those attacked from serious identity theft, although a lot of other personal information has been disclosed.
Hopefully, the IT departments of banks take the lessons from the Citigroup hack and learn from them, so that others do not become victims due to mistakes like this. Banks carry a bigger burden in protecting our online identities, and their IT workers need to step up to the plate accordingly.