Citibank hacked using a technique that would leave a 5 year old unimpressed

So in May it was noticed during a routine review that the personal details of 200000 citibank customers had been stolen by means of, it was assumed some amazingly sophisticated hacking technique,

Well the news is out on how this was achieved and here it is

They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account numbers which appeared in the browser's address bar with other numbers.

They even have the nerve to call this a browser vulnerability, instead a complete lack of security on their web site.

One expert, who is part of the investigation and wants to remain anonymous because the inquiry is at an early stage, told The New York Times he wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.

So is this level of security common among internet banking sites? I just can't that it's is a one off.
Can internet banking ever be trusted after this?

Link to article

I could've done that! Jesus, lord knows if I had to have used a virus! That would be a no-no!
So sorry for the people that had their privacy disrespected.

Creepy, already this is scary. To think that such a simple hacking skill was used to do this is sad. I figured some form of complex code breaking, firewall trojan horse was used. But simple coding? Wow.

Security is getting worse, you are right. I will never trust these accounts now.

Not a browser vulnerability at all. Sounds like some sort of simple PHP injection where they passed their code through the URL like a bunch of morons. This is the kind of stuff that script kiddies are capable of. My grandma could have initiated this attack for all I know. Glad I don't have any accounts with these imbeciles. More people should be cognizant of this sort of security breach and protest by shutting down their accounts at any banks that prove to be lacking. These banks bring in truckloads of cash from money that they lend that only has to be backed up with real money at a 1:10 ratio and yet they still seem to be failing and unwilling to spend money on proper security. And by "proper" I mean ACTUAL security. Not something that a 7th grader would write for an introductory CIS class to pass the phrase "Hello World" from a form on one page to a variable that would display as text on the second page. I mean honestly?

reply to post by davespanners

Omg citibank that's some badass security!! Are you serious? A browser vulnerability.. I loled hard. Can this even really be called a hack

Wow, pretty sad. Possible law suits to come! If other companies are that cheap and lax on real security. Sure other 'hackings' will happen all over, since the simple secret is out now.

So Citibank is claiming that their best security was overcome by a vulnerability in--what?--an unpatched browser? Damn, people--what's the matter with you dummies? If you'd keep your browser security up-to-date Citibank would never have had such a serious breach! It's everybody else's fault but theirs....

The stupidity of this security fail by CitiBank reminds of the two guys that hacked a bunch of Cisco switches at various telcom companies and ran a business netting over a million dollars. They bought GO style phones, used the hacked routers to set up service plans and sold them to people.
How? The network admins forgot to change the Cisco default login & password before deploying the routers.

This is what is known as an extreme I-D-10-T error on their part.

How could CitiBank's cyber security not catch this? The account numbers in the URL? Really? Not encoded or encrypted, just openly and plainly right there. Even Google encrypts your email account information in the URL.

I just logged into my online bank account to see if my bank does this. Whew! Thankfully, two brain cells were rubbed together that sparked an actual thought and they do not do this.

It's not even "hacking", it is exactly the same as going to a social site, and deleting your name from the address bar, and replacing it with someone else's.

Example:

www.abovetopsecret.com/bank/account/SyphonX
>
www.abovetopsecret.com/bank/account/...........
>
www.abovetopsecret.com/bank/account/davespanners
>
Press Enter
>

Access granted to davespanners $$

That is all. It is not 'hacking', it is a staggeringly ignorant absence of competence on behalf of Citi.

Yes they are just stupid. I don't like to throw that word around but I think it fits this situation.

But I have a fool-proof way to ensure my account is not drained by hackers..........I'm broke!

I am somewhat on the fence as to this really even being a crime. I guess since the intent was theft, it is. But in the end, this is more about Citibank not protecting their property. If you can get in trouble for typing words into your address bar, then most of ATS is screwed. That is a tried and true practice of "soft hacking" that we all have used at one time or another (even if it was just removing the last word/phrase to get to a root folder or something).

This is akin to the RIAA attempts to use legal means as a substitute for creating a model/process that protects their property. I know that if an unbranded horse of mine is wandering the countryside for a few weeks, someone can lay claim to it as theirs. As well as the victim of a car theft getting a citation when they leave their keys in the ignition. People should be expected to enact reasonable measures to protect property before legal measures of reclamation can be attempted. And those should require civil victory before criminal proceedings can begin.

Otherwise, Citibank should share in the criminal liability with the "hackers".

reply to post by SyphonX


Exactly. It's absolutely amazing that a banking site should work like this, a cat walking across your keyboard could achieve the same "hack"
I notice that they didn't even say if they have fixed the issue or not

I work with security for applications and the most common rationale for NOT securing access is: "Nobody would think to do that."

Yea, good strategy.

Oh wow, unencrypted URLs made of people's account numbers. Who on earth wrote the code for that thing? I would love to give him a pair of foresight goggles.

Originally posted by CommunistCapitalist
Creepy, already this is scary. To think that such a simple hacking skill was used to do this is sad. I figured some form of complex code breaking, firewall trojan horse was used. But simple coding? Wow.

Security is getting worse, you are right. I will never trust these accounts now.

This was NOT a hack. Hack implies skill.
This was like an easter egg. A bad one. Many people try to change their GET/POST information to trick the system, it's common and any developer with ANY skill knows this and mitigates it.

This was NOT a hack. It was a serious oversight. They probably got a designer to program the site, it happens all the time and they always screw it up.

Originally posted by wheresthetruth
The stupidity of this security fail by CitiBank reminds of the two guys that hacked a bunch of Cisco switches at various telcom companies and ran a business netting over a million dollars. They bought GO style phones, used the hacked routers to set up service plans and sold them to people.
How? The network admins forgot to change the Cisco default login & password before deploying the routers.

This is what is known as an extreme I-D-10-T error on their part.

How could CitiBank's cyber security not catch this? The account numbers in the URL? Really? Not encoded or encrypted, just openly and plainly right there. Even Google encrypts your email account information in the URL.

I just logged into my online bank account to see if my bank does this. Whew! Thankfully, two brain cells were rubbed together that sparked an actual thought and they do not do this.

Maybe it is not in the browsers address bar, perhaps it's in a session cookie, maybe a localized cookie, or in some Variable Data that's easily retrieved...the only way to find out is to have white-hat hackers have a go at her...which i bet Citibank never did. They should be fined for having such a lapse in reasoning when dealing with users information.

My my my... I guess Citibank's programmers haven't heard the use of HTML forms to encapsulate sensitive data and make to where it can be encrypted and is only accessible by the business logic that requires it... Well even that isn't 100% secure and can be hacked, but c'mon you can't even call replacing numbers in the address bar a hack!!!

I agree with the OP, how in the world was this a "browser vulnerability?" The browser was just doing its job by displaying the URL and parameters in the address bar... Its the job of the application developer to secure such parameters. Why would you even display unencrypted account numbers in the URL in the first place; better yet why even put the account number in the URL at all?

If this is true, then Citibank should be fined for such carelessness. If they allow simple goofs like this, imagine the damage that could be done via SQL injection. Oh let me not give anyone ideas!

reply to post by EspyderMan

Originally posted by davespanners

They simply logged on to the part of the group's site reserved for credit card customers - and substituted their account numbers which appeared in the browser's address bar with other numbers.

Yes, as hard as it is to believe, the account numbers were in the address bar according the OP. I have a hard time wrapping my mind around it too.

man if I'd known that it was that easy to hack I'd have started years ago!

What are they hoping to achieve by hacking a bank's website? I mean what's the point? All they are doing is legitimizing locking down the internet or completely restricting use of it.

They really think acts of violence stop corporate acts of violence. No it doesn't. These guys need to wake up.

I bet these "hackers" are a nwo shill created to legitimize more authoritarian policies.