
Citibank hacked using a technique that would leave a 5 year old unimpressed


posted on Jun, 14 2011 @ 08:57 PM
So in May it was noticed during a routine review that the personal details of 200,000 Citibank customers had been stolen by means of, it was assumed, some amazingly sophisticated hacking technique.

Well, the news is out on how this was achieved, and here it is:


They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account numbers which appeared in the browser's address bar with other numbers.


They even have the nerve to call this a browser vulnerability, instead of a complete lack of security on their web site.


One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.


So is this level of security common among internet banking sites? I just can't believe that it's a one-off.
Can internet banking ever be trusted after this?

Link to article


edit on 14-6-2011 by davespanners because: (no reason given)




posted on Jun, 14 2011 @ 09:11 PM
I could've done that! Jesus, lord knows if I had to have used a virus! That would be a no-no!

So sorry for the people that had their privacy disrespected.



posted on Jun, 14 2011 @ 09:13 PM
Creepy, already this is scary. To think that such a simple hacking skill was used to do this is sad. I figured some form of complex code breaking, firewall trojan horse was used. But simple coding? Wow.

Security is getting worse, you are right. I will never trust these accounts now.



posted on Jun, 14 2011 @ 09:16 PM
Not a browser vulnerability at all. Sounds like some sort of simple PHP injection where they passed their code through the URL like a bunch of morons. This is the kind of stuff that script kiddies are capable of. My grandma could have initiated this attack for all I know. Glad I don't have any accounts with these imbeciles. More people should be cognizant of this sort of security breach and protest by shutting down their accounts at any banks that prove to be lacking. These banks bring in truckloads of cash from money that they lend that only has to be backed up with real money at a 1:10 ratio and yet they still seem to be failing and unwilling to spend money on proper security. And by "proper" I mean ACTUAL security. Not something that a 7th grader would write for an introductory CIS class to pass the phrase "Hello World" from a form on one page to a variable that would display as text on the second page. I mean honestly?



posted on Jun, 14 2011 @ 09:31 PM
reply to post by davespanners
 

Omg, Citibank, that's some badass security!! Are you serious? A browser vulnerability.. I loled hard. Can this even really be called a hack?



posted on Jun, 14 2011 @ 09:50 PM
Wow, pretty sad. Possible lawsuits to come! If other companies are that cheap and lax on real security, sure, other 'hackings' will happen all over, since the simple secret is out now.
edit on 14-6-2011 by dreamingawake because: fixed



posted on Jun, 14 2011 @ 10:14 PM
So Citibank is claiming that their best security was overcome by a vulnerability in--what?--an unpatched browser? Damn, people--what's the matter with you dummies? If you'd keep your browser security up-to-date Citibank would never have had such a serious breach! It's everybody else's fault but theirs....



posted on Jun, 14 2011 @ 10:34 PM
The stupidity of this security fail by CitiBank reminds me of the two guys that hacked a bunch of Cisco switches at various telecom companies and ran a business netting over a million dollars. They bought GO style phones, used the hacked routers to set up service plans and sold them to people.
How? The network admins forgot to change the Cisco default login & password before deploying the routers.

This is what is known as an extreme I-D-10-T error on their part.

How could CitiBank's cyber security not catch this? The account numbers in the URL? Really? Not encoded or encrypted, just openly and plainly right there. Even Google encrypts your email account information in the URL.

I just logged into my online bank account to see if my bank does this. Whew! Thankfully, two brain cells were rubbed together that sparked an actual thought and they do not do this.



posted on Jun, 14 2011 @ 10:41 PM
It's not even "hacking", it is exactly the same as going to a social site, and deleting your name from the address bar, and replacing it with someone else's.

Example:

www.abovetopsecret.com/bank/account/SyphonX
>
www.abovetopsecret.com/bank/account/...........
>
www.abovetopsecret.com/bank/account/davespanners
>
Press Enter
>

Access granted to davespanners $$

That is all. It is not 'hacking', it is a staggeringly ignorant absence of competence on behalf of Citi.
edit on 14-6-2011 by SyphonX because: (no reason given)



posted on Jun, 14 2011 @ 10:46 PM
Yes they are just stupid. I don't like to throw that word around but I think it fits this situation.

But I have a fool-proof way to ensure my account is not drained by hackers..........I'm broke!



posted on Jun, 14 2011 @ 11:32 PM
I am somewhat on the fence as to this really even being a crime. I guess since the intent was theft, it is. But in the end, this is more about Citibank not protecting their property. If you can get in trouble for typing words into your address bar, then most of ATS is screwed. That is a tried and true practice of "soft hacking" that we all have used at one time or another (even if it was just removing the last word/phrase to get to a root folder or something).

This is akin to the RIAA attempts to use legal means as a substitute for creating a model/process that protects their property. I know that if an unbranded horse of mine is wandering the countryside for a few weeks, someone can lay claim to it as theirs. As well as the victim of a car theft getting a citation when they leave their keys in the ignition. People should be expected to enact reasonable measures to protect property before legal measures of reclamation can be attempted. And those should require civil victory before criminal proceedings can begin.

Otherwise, Citibank should share in the criminal liability with the "hackers".



posted on Jun, 14 2011 @ 11:34 PM
reply to post by SyphonX
 


Exactly. It's absolutely amazing that a banking site should work like this; a cat walking across your keyboard could achieve the same "hack".
I notice that they didn't even say if they have fixed the issue or not.



posted on Jun, 15 2011 @ 12:15 AM
I work with security for applications and the most common rationale for NOT securing access is: "Nobody would think to do that."

Yeah, good strategy.




posted on Jun, 15 2011 @ 05:21 AM
Oh wow, unencrypted URLs made of people's account numbers. Who on earth wrote the code for that thing? I would love to give him a pair of foresight goggles.



posted on Jun, 15 2011 @ 12:12 PM

Originally posted by CommunistCapitalist
Creepy, already this is scary. To think that such a simple hacking skill was used to do this is sad. I figured some form of complex code breaking, firewall trojan horse was used. But simple coding? Wow.

Security is getting worse, you are right. I will never trust these accounts now.


This was NOT a hack. Hack implies skill.
This was like an Easter egg. A bad one. Many people try to change their GET/POST information to trick the system; it's common, and any developer with ANY skill knows this and mitigates it.

This was NOT a hack. It was a serious oversight. They probably got a designer to program the site, it happens all the time and they always screw it up.



posted on Jun, 15 2011 @ 12:15 PM

Originally posted by wheresthetruth
The stupidity of this security fail by CitiBank reminds me of the two guys that hacked a bunch of Cisco switches at various telecom companies and ran a business netting over a million dollars. They bought GO style phones, used the hacked routers to set up service plans and sold them to people.
How? The network admins forgot to change the Cisco default login & password before deploying the routers.

This is what is known as an extreme I-D-10-T error on their part.

How could CitiBank's cyber security not catch this? The account numbers in the URL? Really? Not encoded or encrypted, just openly and plainly right there. Even Google encrypts your email account information in the URL.

I just logged into my online bank account to see if my bank does this. Whew! Thankfully, two brain cells were rubbed together that sparked an actual thought and they do not do this.


Maybe it is not in the browser's address bar, perhaps it's in a session cookie, maybe a localized cookie, or in some variable data that's easily retrieved...the only way to find out is to have white-hat hackers have a go at her...which I bet Citibank never did. They should be fined for having such a lapse in reasoning when dealing with users' information.



posted on Jun, 15 2011 @ 12:42 PM
My my my... I guess Citibank's programmers haven't heard of the use of HTML forms to encapsulate sensitive data and make it to where it can be encrypted and is only accessible by the business logic that requires it... Well, even that isn't 100% secure and can be hacked, but c'mon, you can't even call replacing numbers in the address bar a hack!!!

I agree with the OP: how in the world was this a "browser vulnerability?" The browser was just doing its job by displaying the URL and parameters in the address bar... It's the job of the application developer to secure such parameters. Why would you even display unencrypted account numbers in the URL in the first place; better yet, why even put the account number in the URL at all?

If this is true, then Citibank should be fined for such carelessness. If they allow simple goofs like this, imagine the damage that could be done via SQL injection. Oh let me not give anyone ideas!

edit on 15-6-2011 by majesticgent because: (no reason given)
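The fix the last few posts are asking for, as an added example that is not from the thread or from Citi: a toy "account details" handler that serves whatever account number is in the URL (the flaw described above), beside a hardened version that only serves accounts owned by the logged-in session, plus a small log-side check for the same pattern. The in-memory accounts, sessions and function names are all constructed for this example.

```python
# Added example (not code from the thread or from Citi): a toy "account details"
# handler that trusts an account number taken from the URL, the flaw the thread
# describes, beside a hardened version that serves only accounts the logged-in
# session owns. Accounts, sessions and function names are constructed here.

# constructed: account number -> (owner user id, record served to the browser)
ACCOUNTS = {
    "10001": ("alice", {"owner": "alice", "balance": 120.50}),
    "10002": ("bob",   {"owner": "bob",   "balance": 98.00}),
}
# constructed: session cookie value -> authenticated user id
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}


def vulnerable_account_view(session_id, url_account):
    """Flawed handler: checks that *some* session is logged in, then serves
    whatever account number appears in the URL, so any customer can read
    any other customer's record just by editing the address bar."""
    if session_id not in SESSIONS:
        return 401, None
    entry = ACCOUNTS.get(url_account)
    return (200, entry[1]) if entry else (404, None)


def hardened_account_view(session_id, url_account):
    """Fixed handler: the URL value is only a selector; authorization comes
    from the server-side mapping session -> user -> owned accounts."""
    user = SESSIONS.get(session_id)
    if user is None:
        return 401, None
    entry = ACCOUNTS.get(url_account)
    # Same 404 for "no such account" and "not your account", so the response
    # does not confirm which account numbers exist.
    if entry is None or entry[0] != user:
        return 404, None
    return 200, entry[1]


def is_idor_attempt(session_id, url_account):
    """Detection helper for access logs: true when a valid session requested
    an existing account it does not own, the pattern worth alerting on."""
    user = SESSIONS.get(session_id)
    entry = ACCOUNTS.get(url_account)
    return user is not None and entry is not None and entry[0] != user


if __name__ == "__main__":
    print(vulnerable_account_view("sess-a", "10002"))  # (200, bob's record): the leak
    print(hardened_account_view("sess-a", "10002"))    # (404, None)
    print(is_idor_attempt("sess-a", "10002"))          # True
```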



posted on Jun, 15 2011 @ 12:45 PM
reply to post by EspyderMan
 




Originally posted by davespanners


They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account numbers which appeared in the browser's address bar with other numbers.



Yes, as hard as it is to believe, the account numbers were in the address bar according to the OP. I have a hard time wrapping my mind around it too.

edit on 15-6-2011 by majesticgent because: (no reason given)



posted on Jun, 15 2011 @ 12:54 PM


Man, if I'd known that it was that easy to hack I'd have started years ago!



posted on Jun, 15 2011 @ 12:56 PM
What are they hoping to achieve by hacking a bank's website? I mean what's the point? All they are doing is legitimizing locking down the internet or completely restricting use of it.

They really think acts of violence stop corporate acts of violence. No, it doesn't. These guys need to wake up.

I bet these "hackers" are an NWO shill created to legitimize more authoritarian policies.


