Tuesday, June 21, 2011

Citigroup Breached by Altering URL, Over 360k Accounts Hacked


Citigroup (NYSE: C) officials have revised the number of hacked credit card accounts from the original 210,000 to 360,083. The revised tally was revealed in a letter to customers sent out after Citigroup came under criticism for not revealing enough information about the security breach it discovered last month. As reported by eWeek, the attackers "stole account information including names, account numbers and contact information, such as email addresses," though other sensitive information such as Social Security numbers, dates of birth and card expiration dates was not accessed.

What proved mind-boggling was the revelation that the attackers pulled off the hack simply by substituting other customers' account numbers into the URL of the company's web portal for Citi credit card customers. This was done after logging in with a legitimate account, and it is understood that a script allowed the perpetrators to iterate quickly through many thousands of records in order to steal data.
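The flaw described above is a missing authorization check: the portal looked up whichever account number appeared in the URL without confirming that the logged-in customer owned it. The following is an added illustration, not Citi's code, using hypothetical account records and a constructed access log; it shows the vulnerable lookup beside the corrected one, plus a simple detection for the scripted enumeration the article mentions.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner: str    # customer login that holds this account
    email: str


# Constructed sample records (hypothetical, not real account data).
ACCOUNTS = {
    "4000001": Account("4000001", "alice", "alice@example.com"),
    "4000002": Account("4000002", "bob", "bob@example.com"),
    "4000003": Account("4000003", "carol", "carol@example.com"),
}


def view_account_vulnerable(session_user, account_number):
    """Trusts the identifier taken from the URL: once logged in, a user can
    read any record simply by substituting another account number."""
    acct = ACCOUNTS.get(account_number)
    return None if acct is None else {"number": acct.number, "email": acct.email}


def view_account_fixed(session_user, account_number):
    """Authorizes against the session, not the URL: the record is returned only
    when it belongs to the logged-in customer. A non-owned number and a
    nonexistent number get the same answer, so the response does not confirm
    which account numbers exist."""
    acct = ACCOUNTS.get(account_number)
    if acct is None or acct.owner != session_user:
        return None
    return {"number": acct.number, "email": acct.email}


def enumeration_suspects(requests, threshold=3):
    """Detection: flag sessions that requested more distinct account numbers
    than one customer plausibly owns (tune `threshold` to real account
    holdings). `requests` is a list of (session_user, account_number) pairs
    taken from the access log."""
    seen = defaultdict(set)
    for user, number in requests:
        seen[user].add(number)
    return sorted(u for u, nums in seen.items() if len(nums) > threshold)


# Constructed access-log excerpt: 'mallory' walks sequential account numbers.
SAMPLE_LOG = [("alice", "4000001"), ("bob", "4000002")] + [
    ("mallory", str(4000000 + i)) for i in range(1, 6)
]
```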

Having done a few Internet programming projects in the past, I can say that the portal was poorly written and made serious elementary mistakes that a proper peer review should have caught. It seems unbelievable that a bank like Citi did not have better checks and balances in place here.
