
How Citigroup Hackers Easily Gained Access

CmdrTaco posted more than 3 years ago | from the all-kinds-of-fail dept.

Security 371

Endoflow2010 writes "Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique. It has been called 'one of the most brazen bank hacking attacks' in recent years. And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories. They simply logged on to the part of the group's site reserved for credit card customers and substituted their account numbers — which appeared in the browser's address bar — with other numbers. It allowed them to leapfrog into the accounts of other customers, with an automatic computer program letting them repeat the trick tens of thousands of times."


371 comments


you have got to be kidding me (0)

Anonymous Coward | more than 3 years ago | (#36442658)

they were asking for it ( now watch them store the account number in an unencrypted cookie ) gl with the future javascript injection

Re:you have got to be kidding me (4, Informative)

icebike (68054) | more than 3 years ago | (#36443424)

Sending the account number out in a URL over SSL should not be that big of a hole. (Ok, not smart, but the risk lies mostly in the person looking over the user's shoulder).

The problem was allowing the change in the URL without going through re-validation of credentials. Apparently they set a session flag indicating that validation had been passed, and never bothered to match that with the change in the account number.
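The two handler shapes icebike contrasts, written out as an added illustration (not code from the thread or from any bank): the flawed version only asks "is this session logged in?", the fixed version also asks "does this session own the account id taken from the URL?". The account records and session helper are constructed sample data.

```python
# Added illustration, not from the thread: authentication vs. authorization
# on a per-account resource. ACCOUNTS and sessions_for() are constructed.
from dataclasses import dataclass, field


@dataclass
class Session:
    user_id: str
    authenticated: bool = False
    account_ids: frozenset = field(default_factory=frozenset)


# Constructed sample data: which customer owns which account number.
ACCOUNTS = {
    "4111-0001": {"owner": "alice", "balance": 120.50},
    "4111-0002": {"owner": "bob", "balance": 9001.00},
}


class Forbidden(Exception):
    """Raised when a request fails an auth check."""


def sessions_for(user_id):
    """Build a logged-in session that records, at login time, which
    accounts this user may see. Ownership is looked up server-side,
    never taken from the client."""
    owned = frozenset(a for a, rec in ACCOUNTS.items() if rec["owner"] == user_id)
    return Session(user_id=user_id, authenticated=True, account_ids=owned)


def view_account_vulnerable(session, account_id):
    """The flawed pattern: the only check is the session's 'authenticated'
    flag. Any logged-in user can read any account by editing the id in
    the URL, which is the failure the article describes."""
    if not session.authenticated:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def view_account_fixed(session, account_id):
    """Authentication answers 'who are you'; authorization must answer
    'may *you* see *this* record'. The ownership check runs on every
    request, so changing the id in the URL buys nothing."""
    if not session.authenticated:
        raise Forbidden("login required")
    if account_id not in session.account_ids:
        # Refuse without confirming whether the id exists at all.
        raise Forbidden("no such account for this user")
    return ACCOUNTS[account_id]


def demo():
    """Alice asks for Bob's account through both handlers.
    Returns (owner leaked by the vulnerable handler, whether the fixed
    handler refused)."""
    alice = sessions_for("alice")
    leaked = view_account_vulnerable(alice, "4111-0002")  # Bob's record
    try:
        view_account_fixed(alice, "4111-0002")
        blocked = False
    except Forbidden:
        blocked = True
    return leaked["owner"], blocked


if __name__ == "__main__":
    print(demo())  # ('bob', True)
```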

I'm not gay (-1)

Anonymous Coward | more than 3 years ago | (#36442670)

I'M NOT GAY!
I don't use MAC!
My anus doesn't look like wadded up bologna!

Re:I'm not gay (-1)

Anonymous Coward | more than 3 years ago | (#36443146)

I'M NOT GAY!

You're not very original, either.

I don't use MAC!

Good for you! Too many people use cosmetics these days.

My anus doesn't look like wadded up bologna!

No, but I'll bet your mom does...

Seriously, what the fuck! (5, Insightful)

jandrese (485) | more than 3 years ago | (#36442680)

There is no facepalm big enough to express my feeling at that hack. I'm sure they paid good money to "security professionals" to set that up too.

Re:Seriously, what the fuck! (5, Funny)

MozeeToby (1163751) | more than 3 years ago | (#36442738)

Makes Sony's security setup look like Fort Knox. And that's saying something.

Re:Seriously, what the fuck! (4, Funny)

swanzilla (1458281) | more than 3 years ago | (#36443062)

I can make the same argument for my luggage.

Re:Seriously, what the fuck! (1, Redundant)

t33jster (1239616) | more than 3 years ago | (#36443100)

I can make the same argument for my luggage.

Wait - is the combination 1, 2, 3, 4, 5?

Re:Seriously, what the fuck! (2, Funny)

WhoseSideAreWeOn (1916768) | more than 3 years ago | (#36443204)

That's the stupidest combination I've ever heard!

Re:Seriously, what the fuck! (2)

MozeeToby (1163751) | more than 3 years ago | (#36443282)

That's the stupidest combination I've ever heard!

It sounds like something an idiot would put on his planetary air shield. Wait... I think we got this joke backwards somehow.

Re:Seriously, what the fuck! (2)

Sulphur (1548251) | more than 3 years ago | (#36443350)

That's the stupidest combination I've ever heard!

It sounds like something an idiot would put on his planetary air shield. Wait... I think we got this joke backwards somehow.

It worked great for his luggage.

Re:Seriously, what the fuck! (1)

pixelpusher220 (529617) | more than 3 years ago | (#36443372)

Well it used too, before the TSA just busted that lock...

Re:Seriously, what the fuck! (0)

Anonymous Coward | more than 3 years ago | (#36443472)

Sony's problems were down to exploits in open source packages, which they failed to patch. I.e. they were using an out of date distro. Blame buggy open source developers and lazy admins (or the beancounters that wouldn't let them upgrade) for Sony's mess. This, however, shows the people that put this together were typical web-weenies, completely ignoring the decades of previous knowledge on how to handle sessions.

Re:Seriously, what the fuck! (2)

Squiddie (1942230) | more than 3 years ago | (#36442780)

Think of the great employment opportunities now that you know that anyone can be a "security professional!"

Re:Seriously, what the fuck! (2)

NoNonAlphaCharsHere (2201864) | more than 3 years ago | (#36443012)

Yup. Every bit as valuable as being an "HTML programmer" in 2000. And, obviously, about the same skill levels.

Re:Seriously, what the fuck! (3, Funny)

UncleTogie (1004853) | more than 3 years ago | (#36443156)

Think of the great employment opportunities now that you know that anyone can be a "security professional!"

Well, I did stay at a Holiday Inn last night....

Re:Seriously, what the fuck! (1)

danlip (737336) | more than 3 years ago | (#36442946)

I wonder if the management actually understands how big a screw up this is. I'm sure they understand that "stolen data = bad" but not what a ridiculously easy exploit this was. If they did understand it probably wouldn't have happened.

Re:Seriously, what the fuck! (2)

maxwell demon (590494) | more than 3 years ago | (#36443190)

In a radio broadcast in Germany not long ago, the online security of banks was described to be the equivalent of putting the money in a carton box on the street (if you understand German: Here's a transcript [web.ard.de] as PDF).

After reading this story, I think the carton box would actually provide more safety.

Re:Seriously, what the fuck! (1)

Sulphur (1548251) | more than 3 years ago | (#36443446)

In a radio broadcast in Germany not long ago, the online security of banks was described to be the equivalent of putting the money in a carton box on the street (if you understand German: Here's a transcript [web.ard.de] as PDF).

After reading this story, I think the carton box would actually provide more safety.

It would. If you allow plastic bags, then the box could contain coffee grounds. This would be especially true if one has a few trial runs to convince the crooks that the box is worthless.

Citigroup is VERY dysfunctional. (0)

Anonymous Coward | more than 3 years ago | (#36443202)

Citigroup is VERY dysfunctional, according to recent books and articles. But Citigroup makes billions because the U.S. government is even more corrupt.

The CEO should be fired, in my opinion. Instead he will be paid $23.2 million. [wikipedia.org]

Re:Seriously, what the fuck! (4, Insightful)

HeckRuler (1369601) | more than 3 years ago | (#36442990)

Agreed. And this:

'broke in through the front door'

It was an unlatched SCREEN DOOR with a missing hinge!
I wouldn't consider it hacking even by the media's definition. It's akin to asking the teller for someone else's information, and coming back 200,000 times to do it again.

Whiskey
Tango
Foxtrot

Re:Seriously, what the fuck! (5, Insightful)

Anonymous Coward | more than 3 years ago | (#36443084)

And yet FTFA:

        One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

        He said: 'It would have been hard to prepare for this type of vulnerability.'

Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).

Re:Seriously, what the fuck! (2)

Yvan256 (722131) | more than 3 years ago | (#36443266)

That so-called expert should be fired immediately for these two incredibly starter-level errors:
1. that was not a "vulnerability in the browser" at all.
2. any idiot worth his lines of code would have seen this type of vulnerability coming from a lightyear away.

Re:Seriously, what the fuck! (1)

Yvan256 (722131) | more than 3 years ago | (#36443300)

... my comment is only valid if TFS is right about simply changing a parameter in the URL to access other accounts. No I didn't RTFA.

Re:Seriously, what the fuck! (4, Funny)

demonbug (309515) | more than 3 years ago | (#36443284)

And yet FTFA:

        One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

        He said: 'It would have been hard to prepare for this type of vulnerability.'

Wow. Yes, I can see how making accounts accessible via an unhashed URL is really something no one would have guessed would be a problem. Especially when the same technique is referenced explicitly in a recent blockbuster (The Social Network).

See, this is the real reason Firefox wants to get rid of the URL bar. Only hackers would directly enter a URL. Legitimate consumers will just follow the link to their account from their Facebook page.

Re:Seriously, what the fuck! (1)

GameboyRMH (1153867) | more than 3 years ago | (#36443322)

They call idiot an expert!? Holy shit.

Also Zuckerberg's high-speed-technobabble in The Social Network was meant only to show most viewers that he's supposed to be a computer genius. They have little or no idea what he's talking about. Someone with as little knowledge as this "expert" wouldn't have understood it.

Re:Seriously, what the fuck! (4, Insightful)

CharlyFoxtrot (1607527) | more than 3 years ago | (#36443484)

There's a reason that "expert" is anonymous: it's a PR flunky that has to feed ass-covering statements to the press. Something for the masses who don't know any better to swallow.

Re:Seriously, what the fuck! (1)

GameboyRMH (1153867) | more than 3 years ago | (#36443142)

Whoever made this should be forbidden from working with computers ever again. Is there any legal process that can do this?

Not surprising. (0)

Anonymous Coward | more than 3 years ago | (#36443314)

Another big gigantic bank based here in the US of A who has received hundreds of billions of dollars in "aid" from the Government, off-shores much of their development overseas - I'm not sure if it's a captive company or if it's an independent firm.

Friend interviewed as a BA and was told that the dev staff were all in India - least for the department in that particular division for BOA.

Re:Seriously, what the fuck! (1)

religious freak (1005821) | more than 3 years ago | (#36443488)

Correct me if I'm wrong UK based folks, but isn't the Daily Mail famous for BS... or am I thinking of a different British mag? Anyone else have any other sources which corroborate this story? On a quick search, I cannot find any.

This is literally unbelievable to me.

First Hack: +4, Useful (-1)

Anonymous Coward | more than 3 years ago | (#36442684)

My first guess is "SQL injection" [microsoft.com].

Yours In Samarqand,
Kilgore T.

Seriously... (4, Insightful)

Frosty Piss (770223) | more than 3 years ago | (#36442692)

Heads need to roll for this one... Amazing. Words escape me.

Re:Seriously... (0)

Anonymous Coward | more than 3 years ago | (#36443128)

roll> surely it's criminal negligence at the least?

Re:Seriously... (1)

sarysa (1089739) | more than 3 years ago | (#36443220)

I tend to agree. I'm not a fan of the ten degrees of litigation that have somewhat wrecked U.S. society, but whoever coded that site needs to not be protected from said litigation. Webmasters of sites hosting animated GIFs of dancing deities and lolcats know better than that, and said idiot(s) is(are) responsible for safeguarding the finances of millions worldwide?!

I did something similar (4, Interesting)

aardwolf64 (160070) | more than 3 years ago | (#36442718)

I did that at a bank I was working with. It was actually a hidden form variable with the institutions username/password, but grabbing that page before it auto-submitted allowed me to pull anyone's statement. I showed it to my manager, and eventually got a promotion out of it. :-)

Re:I did something similar (4, Insightful)

Volante3192 (953645) | more than 3 years ago | (#36442820)

Be thankful your manager wasn't a complete idiot; playing the odds, that would normally get you fired, arrested and pilloried...

Re:I did something similar (5, Funny)

dkleinsc (563838) | more than 3 years ago | (#36442828)

The part of the story aardwolf64's not explaining: The reason he got the promotion was not because of the obvious security problem but because of the payment to whipsandhandcuffs.com he found on his manager's statement.

Re:I did something similar (1)

phobos512 (766371) | more than 3 years ago | (#36442880)

"The part of the story aardwolf64's not explaining: The reason he got the promotion was so that he wouldn't blow the whistle and they could go on with the status quo..." FTFY.

Re:I did something similar (2)

jcoy42 (412359) | more than 3 years ago | (#36443170)

Who else was disappointed when whipsandhandcuffs.com didn't resolve?

So stupid (2)

locallyunscene (1000523) | more than 3 years ago | (#36442768)

When writing our rest services the first thing we considered was how to prevent users from accessing other users data. I don't understand how this could happen to a bank with credit card data. It's ridiculous.

Re:So stupid (1)

Dunbal (464142) | more than 3 years ago | (#36442934)

I don't understand how this could happen to a bank with credit card data.

Didn't you read the summary? It's Citigroup. The guys who keep calling me to offer me a credit card despite me having repeatedly told them not to call me anymore and to remove me from their call list. Somehow they think calling me again will make me change my mind and give them business. I guess it's easy to do what you want when the federal government is willing to bail you out.

Re:So stupid (0)

Red Flayer (890720) | more than 3 years ago | (#36443316)

Blah blah blah blah big banks blah blah anti-government rant that has nothing to do with the subject at hand other than a tangential connection because the subject of the article happens to be a bank. You do know that Citi isn't actually the company calling you, right?

As for them calling you... telling them to take you off their list is not enough.

You need to ask them what company is calling on behalf of Citigroup. Then you need to ask to be taken off both their list and Citi's list. Finally, make sure you get the ID# or name of the person calling. Take detailed notes.

If they call again, fill out a complaint form with the FCC, the form is available at their website and extremely easy to file. I suggest grabbing the form first so you know what specific information to note when they call. This course of action may be unpalatable to someone who hates the idea of big government, so I'll understand if instead you just want to waste energy griping about it.

Wow, that's negligence on their part (2, Informative)

Anonymous Coward | more than 3 years ago | (#36442774)

Dealing with credit card information I know for a fact that security implementation is 100% illegal if the allegations are true. Citibank will be fined hundreds of millions of dollars if they follow the law ($100,000 per incident). I mean base level security for this would be only allow that user access to that specific account. If they were able to simply change URL numbers to see other account holders info... wow... just wow.

Re:Wow, that's negligence on their part (1)

Verdatum (1257828) | more than 3 years ago | (#36442976)

That's my understanding. In order to be allowed to handle credit card transactions, you enter into an agreement with Visa/Mastercard/etc promising that you won't do things like send account numbers via URLs. Every infraction is a specific, and very large, fine. Multiple infractions result in losing your license with that credit entity. At least, that's on the Point Of Sale level. I can't imagine how it works on the bank level.

Re:Wow, that's negligence on their part (1)

NoNonAlphaCharsHere (2201864) | more than 3 years ago | (#36443072)

Luckily for all of us who will eventually end up paying the fines for them, Citibank is Too Big To Fail.

you think citibank gives a flying fuck because..? (1)

Lead Butthead (321013) | more than 3 years ago | (#36443318)

Citibank will be fined hundreds of millions of dollars if they follow the law ($100,000 per incident).

... for which they'll immediately pass the cost to their customers. Do you REALLY think it costs them two bucks to let you use other institutions' ATM? Do you really think it costs them fifty bucks to stop payment on a check? Until we're talking about serious jail time in the pound-me-in-the-ass prison for officers of the corporation, nothing will change. But knowing how congress critters in Washington are all already bought and paid for, I think we have a better chance getting a snow storm in hell.

Should be easy to find them (2)

bezpredel6 (1796620) | more than 3 years ago | (#36442798)

Seems like the website was required to have *some* authenticated sessions. Even though they probably used some stolen credentials (at least one would hope), they must have used their own when they *discovered* it. So the way to find them is to look at the logs and find people who accessed diff acct urls under the same auth token prior to this massive theft. I bet there are not going to be that many of them.
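The log query bezpredel6 proposes, as an added example (not from the thread and not any bank's tooling): group account-page requests by session token and flag tokens that touched more distinct account ids than one customer's session should. The log lines and the URL format are constructed; the threshold is an assumption, since joint or multiple accounts make a small number of distinct ids legitimate.

```python
# Added illustration, not from the thread: find sessions that read many
# different account ids. Log format, tokens and threshold are constructed.
import re
from collections import defaultdict

# Constructed sample access log: timestamp, session token, request path.
SAMPLE_LOG = """\
2011-06-01T10:00:01 sess=aaa GET /cards/account/100001
2011-06-01T10:00:05 sess=aaa GET /cards/account/100001
2011-06-01T10:01:00 sess=bbb GET /cards/account/200002
2011-06-01T10:01:02 sess=bbb GET /cards/account/200003
2011-06-01T10:01:03 sess=bbb GET /cards/account/200004
2011-06-01T10:01:04 sess=bbb GET /cards/account/200005
2011-06-01T10:02:00 sess=ccc GET /cards/account/300001
2011-06-01T10:02:09 sess=ccc GET /cards/account/300002
"""

# Matches only the account-page requests; other lines are ignored.
LINE_RE = re.compile(r"^(\S+) sess=(\S+) GET /cards/account/(\d+)$")


def accounts_per_session(log_text):
    """Map each session token to the set of distinct account ids it requested."""
    seen = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # not an account-page request (or a malformed line)
        _ts, sess, acct = m.groups()
        seen[sess].add(acct)
    return seen


def flag_sessions(log_text, max_accounts=1):
    """Return session tokens that touched more than max_accounts distinct
    account ids, sorted. max_accounts is an assumed tuning knob: raise it to
    the largest number of accounts a single customer can legitimately hold."""
    per = accounts_per_session(log_text)
    return sorted(s for s, accts in per.items() if len(accts) > max_accounts)


if __name__ == "__main__":
    print(flag_sessions(SAMPLE_LOG))                  # ['bbb', 'ccc']
    print(flag_sessions(SAMPLE_LOG, max_accounts=2))  # ['bbb']
```

The same grouping, keyed by authenticated user rather than session token, also gives the post-fix audit trail: once the server checks ownership, any request for a non-owned id should appear in the logs as a refusal, not a success.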

Re:Should be easy to find them (0)

Anonymous Coward | more than 3 years ago | (#36443298)

i'm assuming any system dumb enough to be susceptible to this attack doesn't have logs like that

Pathetic (1)

mirix (1649853) | more than 3 years ago | (#36442808)

Mind numbingly so.

Really makes me wonder wtf is up with some banks and their incompetence. I registered for online banking with my bank some time ago, and they only allow [a-z][A-z][0-9] for passwords. no ~!@#$%^&*(. In the 21st century. Shame.

Re:Pathetic (1)

Dunbal (464142) | more than 3 years ago | (#36442988)

Really makes me wonder wtf is up with some banks and their incompetence.

Too. Big. To Fail. There simply are no consequences anymore. Fines? OK we'll jack the fees. Losing money? Borrow it at 0% interest from the fed. Going bankrupt? Doesn't matter, the shareholders get wiped out and Uncle Sam will bail us out. Yeah we'll get fired, but we already have our multi-million dollar bonuses. We'll just work for another bank...

Re:Pathetic (0)

Anonymous Coward | more than 3 years ago | (#36443114)

Yeah, American Express *requires* you to have less than eight characters in your password. Whose great idea was that?

Re:Pathetic (1)

sabt-pestnu (967671) | more than 3 years ago | (#36443458)

One thing puzzles me...

Password security is rated on difficulty, sure. But once you eliminate the dictionary search, you're down to brute force testing each key in turn.

[a-z][A-Z][0-9] = 62 values
[a-z][A-Z][0-9][~!#$%^&*(] = 71 values

So which of these increase the keyspace better...

pow(62, n) to pow(71, n)
or pow(62, n) to pow(62, n+1)

I suspect the answer is "n to n+1". To which the only limit is password size.

If you're arguing about "these keys are not common in passwords" as security, aren't you arguing "security by obscurity" ... and if you succeed in convincing folks to use non-alphanumerics, aren't you eroding that very obscurity?

You might as well say "they don't let me type in Unicode values that aren't in the standard alphabet". Anyone got stats for cracking the unicode character space? Is there any particular reason it would be more or less secure than using just alphanumerics, for any given key size?
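Working the comparison out (added here, not part of sabt-pestnu's post; it assumes uniformly random characters, so the keyspace is the number of equally likely passwords):

$$\frac{62^{\,n+1}}{71^{\,n}} = 62\left(\frac{62}{71}\right)^{n} > 1 \iff n < \frac{\ln 62}{\ln(71/62)} \approx 30.4$$

So for every length up to 30 characters, one extra position beats the nine extra symbols. Even with all 95 printable ASCII characters in place of 71 the crossover is $n < \ln 62 / \ln(95/62) \approx 9.7$, still longer than the under-eight-character limit mentioned above.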

Wow, just wow (0)

Anonymous Coward | more than 3 years ago | (#36442832)

This is web security 101. I can respect it being SQL injection, or even a clever cross site scripting attack to fish users. But changing the account number in the url bar; words escape me.

If you don't know, ask. (3, Insightful)

chaboud (231590) | more than 3 years ago | (#36442860)

If you don't understand how a secure negotiation protocol (and the protocol for the session after the fact) works, admit it and either ask someone or read several books until you recognize that you should still go ask someone. I've read more than my fair share of crypto books and papers, but, being an application developer who does only trivial personal server-side development, you can be damned sure that I'd ask for help when working on a username/password system. This goes double if it involves banking.

That any session allows them to go digging around willy nilly is so unbelievably stupid, I can't even find the words.

Hard to prepare for? (0)

Anonymous Coward | more than 3 years ago | (#36442870)

My favorite quote:

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

He said: 'It would have been hard to prepare for this type of vulnerability.'

Yes, it would have been hard. For example, one would have had to take a security course, where this type of attack would have been discussed in the first 10 minutes.</sarcasm>

Re:Hard to prepare for? (1)

Iron Chef Unix (582472) | more than 3 years ago | (#36442982)

This was exactly my thought... "Hmm, we would have never thought of changing the account number. That must be some dark haX0rs voodoo magic."

Re:Hard to prepare for? (1)

Ruke (857276) | more than 3 years ago | (#36443090)

Saying one would have to take a security course might be pushing it a little. Honestly, it seems like, in order to pull off this attack, one simply needs to notice that your own account ID is in the location bar. This is "hacking" that a twelve-year-old could figure out. In fact I'm pretty sure that I did try this sort of thing trying to "hack" a Pokemon BBS when I was 12 or 13. (It didn't work.)

Can't be real (0)

Anonymous Coward | more than 3 years ago | (#36442872)

Good fucking god. This can't be true.

Won't an ISAPI filter prevent this? (0)

Anonymous Coward | more than 3 years ago | (#36442886)

I could be misunderstanding something, but shouldn't something as simple as an ISAPI filter have prevented this?

Re:Won't an ISAPI filter prevent this? (1)

GameboyRMH (1153867) | more than 3 years ago | (#36443462)

Something as simple as common fucking sense could have prevented this, no filters of any kind needed. He obviously allowed all users to log in with the same credentials at a lower level, and made it dead simple to switch users with a URL hack.

WTF (5, Insightful)

itchythebear (2198688) | more than 3 years ago | (#36442894)

From TFA:

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'

/epic facepalm

First, this is NOT a hard vulnerability to prepare for. If the only method of user authentication you are doing is based off a string of characters received from the URL, you're not even qualified to build an ecommerce site for some mom-and-pop 2-sales-a-week company, let alone a bank.

Second, why is this a surprise to this security "expert"? Anyone who has done development for a website with dynamic content would be familiar with passing information through the url. This is like web design 101. If I logged into my credit card account and saw my CC number in the URL bar the FIRST thing I would think of would be: "what would happen if I typed in another number in there." Security expert my ass, no wonder why some companies have this happen to them, look at the people they hire to test and investigate their systems!

/rant

Re:WTF (1)

itchythebear (2198688) | more than 3 years ago | (#36443030)

erm, when i say CC number, I mean account number. I was temporarily blinded by the text quoted in my above post...

Re:WTF (1)

Lifyre (960576) | more than 3 years ago | (#36443110)

It isn't like this is a new type of attack either. Just look at people sharing pictures. If they post a bunch of pictures with default names you can very often just change the numbers to find more pictures, frequently ones they didn't intend to share for various often entertaining reasons.

Hell the first year of college I was able to do something like this. The class registration method was primitive and putting the wrong numbers in when registering would often register someone else for that class. They fixed it for the next registration period but it did make things very interesting for the start of the winter session.

Some day people will actually learn from history instead of just reading it. This was in no way a sophisticated attack, it was a simple script kiddie method that shouldn't have been open on any system to begin with much less a banking system...

Re:WTF (1)

GameboyRMH (1153867) | more than 3 years ago | (#36443496)

It isn't like this is a new type of attack either. Just look at people sharing pictures. If they post a bunch of pictures with default names you can very often just change the numbers to find more pictures, frequently ones they didn't intend to share for various often entertaining reasons.

I assume this is on Facebook?

Re:WTF (1)

LastDawnOfMan (1851550) | more than 3 years ago | (#36443178)

"Security expert" is probably about the same level of expertise as Jen of The IT Crowd. It seems to me that anyone with any technical expertise has been run out of every corporation and government position. That's how it was in the company that laid me off, anyway. By the end, you couldn't even say the word "network" or "computer" in a management meeting without peoples' eyes glazing over, because the only people left after the massive layoffs were all incompetent butt-kissers who were so technically challenged they thought those were Hard Words to Understand. Thus the talk about a "sophisticated attack" which is only sophisticated if you're completely ignorant of anything technology-related. And, of course, there's this scramble to make the attack sound really unfair and It's Not Citibank's Fault At All That Such Clever Bad Guys Attacked Them.

Re:WTF (3)

DeadCatX2 (950953) | more than 3 years ago | (#36443514)

If I saw my CC or Account number in the URL bar...the first thing I would do is cancel my account and look for another service.

Lowest bidder? (1, Funny)

Lorens (597774) | more than 3 years ago | (#36442918)

<NICE>
This is what you get when important functions are written by people who do not have the slightest inkling of what network security is about. You can put loads of $$$ into planning and design into specifying authentication, and it all falls down because the grunt who actually does the work doesn't have a clue.
</NICE>
<REALISTIC>
Probably the grunt without a clue is the smartest guy over there.

Re:Lowest bidder? (1)

Lifyre (960576) | more than 3 years ago | (#36443132)

+1 Insightful for both comments.

You have GOT to be shitting me (2)

Slutticus (1237534) | more than 3 years ago | (#36442920)

I know, redundant. But fuck. you've got to be kidding me! I think you are kidding. Nice lulz. This is a joke. Right?

BTW, i'm logging into my WF account now (1)

Slutticus (1237534) | more than 3 years ago | (#36442970)

Just need to check something...

They still don't get it (0)

l2718 (514756) | more than 3 years ago | (#36442930)

From TFA:

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. He said: 'It would have been hard to prepare for this type of vulnerability.'

If this kind of "expertise" is used for the investigation, no wonder they are not getting it. First, the vulnerability was on the server side, not the client side. Secondly, comparing requests for information against the authorization level of the current user is SOP. It's axiomatic that you need to "prepare" for such checks.

And they were deemed vital because... (1)

DriedClexler (814907) | more than 3 years ago | (#36443016)

It's a good thing our foresightful federal government nobly resisted the public in '08-'09 and wisely chose to bail out and backstop this vital financial institution, on whom we are so ever reliant for their irreplaceable expertise!

*jerk off gesture*

Daily Fail (1)

adamofgreyskull (640712) | more than 3 years ago | (#36443018)

Hackers who stole the personal details of more than 200,000 Citigroup customers 'broke in through the front door' using an extremely simple technique.

And for the first time it has been revealed how the sophisticated cyber criminals made off with the staggering bounty of names, account numbers, email addresses and transaction histories

They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account numbers which appeared in the browser's address bar with other numbers.

So..which is it? Simple or sophisticated? Or simple?

Re:Daily Fail (0)

Anonymous Coward | more than 3 years ago | (#36443122)

Simple.

Re:Daily Fail (1)

maxwell demon (590494) | more than 3 years ago | (#36443254)

The cyber criminals were sophisticated, but they couldn't use their sophistication because the bank made it depressingly simple for them.

Secure hash? (1)

thebra (707939) | more than 3 years ago | (#36443038)

Is it really that much trouble to add a secure hash of the id to the URL or check against the session if the user has access to that record? Come on, that is BASIC security.

And I'm out of a job? (0)

Anonymous Coward | more than 3 years ago | (#36443058)

WTF!!!

Basic Security = Authentication + Authorization (1)

devleopard (317515) | more than 3 years ago | (#36443064)

This is a failure in programming (I'll stop short of calling the coders idiots, since I don't know what pressures and time constraints they were under) and testing (this should be caught within 10 minutes with a half-hearted Selenium script). The mistake they made: if user is authenticated, they belong, and everything gets happily processed. Pretty typical, especially for beginning programmers. They failed to check individual resources against what was being param'ed in.

Do they know what a URL is? (0)

Anonymous Coward | more than 3 years ago | (#36443112)

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

He said: 'It would have been hard to prepare for this type of vulnerability.'

Law enforcement officials said the expertise behind the attack was a 'sign of what is likely to be a wave of more and more sophisticated breaches' by high-tech thieves.

Since when did requesting a different page from server-side script become a 'sophisticated hacking technique' that would be hard to prepare for? This is unreal.

Why Chrome is dropping the address bar.... (3, Funny)

unil_1005 (1790334) | more than 3 years ago | (#36443124)

It's the security solution for Citigroup!

You have got to be kidding me... (1)

roc97007 (608802) | more than 3 years ago | (#36443168)

What? I mean, WHAT? Teenie-bopper web developers, tired of having their Star Wars fansites hacked, stopped putting account info in GET strings back in the nineties! What kind of crap programmers... the mind boggles... What BANK would pay for such crap code, and what enterprise-class design team would make such a horrible mistake? This is not a cute little hack, it's a fundamental coding... no, design... no, sorry, CONCEPTUAL flaw.

Everyone involved with this project; design, management, QA, and most especially whoever at Citigroup signed off on the project, should be immediately fired and never work again in this field.

Re:You have got to be kidding me... (0)

Anonymous Coward | more than 3 years ago | (#36443426)

Who do you think does the coding for Citi?

Surely you're aware that most of their coders never touched a computer outside of their "college" until they entered the workforce, some barely even touched them then.

The "Expert" (4, Insightful)

overunderunderdone (521462) | more than 3 years ago | (#36443206)

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

He said: 'It would have been hard to prepare for this type of vulnerability.'

IF the article is correct about the nature of the vulnerability this quote is the single stupidest and most frightening thing I have ever read on the internet.

Re:The "Expert" (0)

Anonymous Coward | more than 3 years ago | (#36443326)

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

He said: 'It would have been hard to prepare for this type of vulnerability.'

IF the article is correct about the nature of the vulnerability this quote is the single stupidest and most frightening thing I have ever read on the internet.

Assuming it is a correct quote, I completely agree. That anyone credits him as an expert in anything even vaguely tech related is truly baffling.

Re:The "Expert" (0)

Anonymous Coward | more than 3 years ago | (#36443494)

I can see why this "Expert" would like to remain anonymous.

Huh? (0)

Anonymous Coward | more than 3 years ago | (#36443210)

Either I totally misunderstand what I just read, or it's the stupidest thing I ever heard of. This week anyhow.

Apparently Citi isn't Too Big To Fail after all... (2)

Radical Moderate (563286) | more than 3 years ago | (#36443248)

because this is epic fail.

Good banks? (1)

djirk (763517) | more than 3 years ago | (#36443294)

Has anybody done some sort of audit of various banks' online security procedures to find which, if any, have a decent setup?

Re:Good banks? (0)

Anonymous Coward | more than 3 years ago | (#36443410)

Has anybody done some sort of audit of various banks' online security procedures to find which, if any, have a decent setup?

Yes, various criminal organizations have done audits of banks' online security procedures. Unfortunately, they're too busy making millions of dollars from the stolen data they acquire to write a report about how bad the security is, so they have to rely on "experts" like the one in this article.

Article subjected to same testing as citi (1)

codepigeon (1202896) | more than 3 years ago | (#36443338)

From the article:

This is because, according to a report by Verizon and the Secret Service, the demand for data is on the rise. In 2008 the underground market for data was flooded with more than 360 million stolen personal records, compared to just 3.8 million in 2010.

How is that a rise?
Dailymail and Citi bank apparently use the same QA department.

Man, This guy was dead on! (0)

Anonymous Coward | more than 3 years ago | (#36443354)

I was just reading this post where the blogger rants about how dumb and simple these attacks are getting:

http://penguinpetes.com/b2evo/index.php?title=does_the_recent_rash_of_cyber_attacks_on&more=1&c=1&tb=1&pb=1

And then today, they post a STUPIDER one!

car analogy (1)

Khashishi (775369) | more than 3 years ago | (#36443358)

Yes, the car is locked, but all the cars use the same key. It would have been hard to prepare for this type of vulnerability.

"Hard to prepare for" a simple GET injection?! (2)

n5vb (587569) | more than 3 years ago | (#36443390)

"One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

He said: 'It would have been hard to prepare for this type of vulnerability.'"

Really? They were passing a credit card account number in the clear through a GET parameter, without validating it against which session the page load was authenticated on, and that was "hard to prepare for"? Really?

I could have done it better than that. So I guess that makes me an expert, right? (Hint: No. It makes the "expert" a flaming idiot.)

But how is it "brazen"? (0)

Anonymous Coward | more than 3 years ago | (#36443404)

What about substituting account numbers is bold and without shame?

anyone with a citigroup account should be suing (1)

Khashishi (775369) | more than 3 years ago | (#36443418)

This kind of negligence should be criminal.

to breach security (1)

prikkebeen (980529) | more than 3 years ago | (#36443434)

....to breach security by focusing on the vulnerability in the browser. I see what you did here! It is not a vulnerability in the browser. It is a vulnerability in the code and the whole system behind it. You cannot escape your liability with this nonsense.

Casey Stengel's Prophetic Words (1)

nightcats (1114677) | more than 3 years ago | (#36443448)

If you're a baseball fan you'll get the connection here (um, get the name of the stadium): this is so Mets-like an event and an outcome. I recall Casey Stengel's immortal words from when he had the helm in Flushing: "can't anyone play this here game?"

Haha, who would ever leave such a vulnerability? (1)

makubesu (1910402) | more than 3 years ago | (#36443470)

http://slashdot.org/~CmdrTaco [slashdot.org]
Dear God....