It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
Citibank hacked using a technique that would leave a 5 year old unimpressed
page: 2share:
Between My banking experience and My web experience I am aghast that such a vulnerability was present at all.
Browser to blame, My butt.
Browser to blame, My butt.
reply to post by bigfatfurrytexan
I agree, I don't know that anyone who actually stole anything in this way should be charged with a crime, but rather the bank itself for allowing it. It's essentially like the banks taking all of your money and putting it on a pile on the sidewalk with a sign saying "don't touch". Of course it's gonna go missing. The bank's responsibility is making a reasonable attempt at keeping that from happening, which was obviously not the case here.
I agree, I don't know that anyone who actually stole anything in this way should be charged with a crime, but rather the bank itself for allowing it. It's essentially like the banks taking all of your money and putting it on a pile on the sidewalk with a sign saying "don't touch". Of course it's gonna go missing. The bank's responsibility is making a reasonable attempt at keeping that from happening, which was obviously not the case here.
Originally posted by trollz
reply to post by bigfatfurrytexan
I agree, I don't know that anyone who actually stole anything in this way should be charged with a crime, but rather the bank itself for allowing it. It's essentially like the banks taking all of your money and putting it on a pile on the sidewalk with a sign saying "don't touch". Of course it's gonna go missing. The bank's responsibility is making a reasonable attempt at keeping that from happening, which was obviously not the case here.
You are right. Some attempt should be made.
Just like the RIAA, and "intellectual property". An attempt should be made to secure your property. It is not the role of LEO/Government to enforce your property rights. It is only their job when you have been made a victim, or when a dispute needs resolution (i.e., civil litigation).
The funny part is, The People are so apathetic that this will barely yield a tick in the Citibank business. Customers will stay with them, and continue to trust in them. Why not? They are too big to fail, afterall.
Originally posted by MaryStillToe
I work with security for applications and the most common rationale for NOT securing access is: "Nobody would think to do that."
Yea, good strategy.
They have a point. How long has Citibank's security been this bad, and it was JUST NOW discovered?
For shame, hackers!
It sounds like the sessions they were using weren't unique to the user. I recently found the exact same flaw at logonerds you can replace your order
ID with an incremented number and it shows the order of the next person, the same for previous. It doesn't give payment details or credit card
details but it shows other information such as name/address etc.
For a bank though, that's a ridiculous flaw and I'm so surprised it wasn't picked up earlier, do they not track where users go once they're logged in?
Madness.
For a bank though, that's a ridiculous flaw and I'm so surprised it wasn't picked up earlier, do they not track where users go once they're logged in?
Madness.
reply to post by mb2591
I would have to say no.
This is about as easy as it could ever get. From what it sounds like, it almost seems as if everyone had the same high level privileges to their customer database, allowing them to see other peoples info, simply by changing numbers found within the URL.
This is one of those mistakes you can't just ignore at the professional level. Wow.
But on the other side, I really hope you people can learn to appreciate IT Security professionals(real ones). Just by looking at the numbers, they face insurmountable odds. A security professional has to be rig 100% of thhe time, whereas a hacker only needs to be right 1% of the time. It's unfortunately is a losing game. Your Beaty bet is to make your security harder to crack than the next guys, so they go after him instead.
I would have to say no.
This is about as easy as it could ever get. From what it sounds like, it almost seems as if everyone had the same high level privileges to their customer database, allowing them to see other peoples info, simply by changing numbers found within the URL.
This is one of those mistakes you can't just ignore at the professional level. Wow.
But on the other side, I really hope you people can learn to appreciate IT Security professionals(real ones). Just by looking at the numbers, they face insurmountable odds. A security professional has to be rig 100% of thhe time, whereas a hacker only needs to be right 1% of the time. It's unfortunately is a losing game. Your Beaty bet is to make your security harder to crack than the next guys, so they go after him instead.
reply to post by Amaterasu
Yes it is certainly not a browser issue. This is a serious flaw in their access/privileges system about what certain users can do and see. The funny part is, this is a huge and glaring responsibility when setting up a network. Setting up proper user privileges.
I would love to see what their IT offices look like, they must be screwing around all day soaking up checks. In all honesty, if I were a hacker, I would try and stay away from such large corporation. With all of their resources, and the information they retain, I would assume they would have top notch security. Which is what im sure their it staff would assume, "who's going to mess with us?"
Yes it is certainly not a browser issue. This is a serious flaw in their access/privileges system about what certain users can do and see. The funny part is, this is a huge and glaring responsibility when setting up a network. Setting up proper user privileges.
I would love to see what their IT offices look like, they must be screwing around all day soaking up checks. In all honesty, if I were a hacker, I would try and stay away from such large corporation. With all of their resources, and the information they retain, I would assume they would have top notch security. Which is what im sure their it staff would assume, "who's going to mess with us?"
No browser shortcoming to speak of
it's piss-poor design. Plain and simple. I'm sure the architect wanted a "stateless" design which would then rely on querystring (the garbage in a URL that comes after a "?") and http:get/posts to flow.
I'd also be willing to bet this was coded at some shop in Bangalore
it's piss-poor design. Plain and simple. I'm sure the architect wanted a "stateless" design which would then rely on querystring (the garbage in a URL that comes after a "?") and http:get/posts to flow.
I'd also be willing to bet this was coded at some shop in Bangalore
Originally posted by monkofmimir
man if I'd known that it was that easy to hack I'd have started years ago!
You couldn't even get into someone's forum account using that method let alone a bank, I think Citibank is a serious one off.
reply to post by Lazyninja
same here, which is why everyones so surprised by this method. any somewhat computer literate person im sure has tried this exact same method in their browser whether they know it or not.
same here, which is why everyones so surprised by this method. any somewhat computer literate person im sure has tried this exact same method in their browser whether they know it or not.
new topics
-
God's Righteousness is Greater than Our Wrath
Religion, Faith, And Theology: 4 hours ago -
Electrical tricks for saving money
Education and Media: 7 hours ago -
VP's Secret Service agent brawls with other agents at Andrews
Mainstream News: 8 hours ago -
Sunak spinning the sickness figures
Other Current Events: 9 hours ago -
Nearly 70% Of Americans Want Talks To End War In Ukraine
Political Issues: 9 hours ago -
Late Night with the Devil - a really good unusual modern horror film.
Movies: 11 hours ago
top topics
-
VP's Secret Service agent brawls with other agents at Andrews
Mainstream News: 8 hours ago, 9 flags -
Cats Used as Live Bait to Train Ferocious Pitbulls in Illegal NYC Dogfighting
Social Issues and Civil Unrest: 12 hours ago, 8 flags -
Electrical tricks for saving money
Education and Media: 7 hours ago, 4 flags -
HORRIBLE !! Russian Soldier Drinking Own Urine To Survive In Battle
World War Three: 16 hours ago, 3 flags -
Nearly 70% Of Americans Want Talks To End War In Ukraine
Political Issues: 9 hours ago, 3 flags -
Sunak spinning the sickness figures
Other Current Events: 9 hours ago, 3 flags -
Late Night with the Devil - a really good unusual modern horror film.
Movies: 11 hours ago, 2 flags -
The Good News According to Jesus - Episode 1
Religion, Faith, And Theology: 14 hours ago, 1 flags -
God's Righteousness is Greater than Our Wrath
Religion, Faith, And Theology: 4 hours ago, 0 flags
active topics
-
SETI chief says US has no evidence for alien technology. 'And we never have'
Aliens and UFOs • 45 • : andy06shake -
Sunak spinning the sickness figures
Other Current Events • 7 • : xWorldxGonexMadx -
HORRIBLE !! Russian Soldier Drinking Own Urine To Survive In Battle
World War Three • 33 • : Degradation33 -
How ageing is" immune deficiency"
Medical Issues & Conspiracies • 34 • : angelchemuel -
Nearly 70% Of Americans Want Talks To End War In Ukraine
Political Issues • 13 • : Freeborn -
Mood Music Part VI
Music • 3101 • : ThatSmellsStrange -
VP's Secret Service agent brawls with other agents at Andrews
Mainstream News • 41 • : ThatSmellsStrange -
New whistleblower Jason Sands speaks on Twitter Spaces last night.
Aliens and UFOs • 55 • : baablacksheep1 -
Cats Used as Live Bait to Train Ferocious Pitbulls in Illegal NYC Dogfighting
Social Issues and Civil Unrest • 20 • : Asher47 -
Electrical tricks for saving money
Education and Media • 4 • : Lumenari