
Citibank hacked using a technique that would leave a 5 year old unimpressed


posted on Jun, 15 2011 @ 01:06 PM
Between My banking experience and My web experience I am aghast that such a vulnerability was present at all.

Browser to blame, My butt.




posted on Jun, 15 2011 @ 01:25 PM
reply to post by bigfatfurrytexan
 


I agree, I don't know that anyone who actually stole anything in this way should be charged with a crime, but rather the bank itself for allowing it. It's essentially like the banks taking all of your money and putting it on a pile on the sidewalk with a sign saying "don't touch". Of course it's gonna go missing. The bank's responsibility is making a reasonable attempt at keeping that from happening, which was obviously not the case here.



posted on Jun, 15 2011 @ 01:49 PM

Originally posted by trollz
reply to post by bigfatfurrytexan
 


I agree, I don't know that anyone who actually stole anything in this way should be charged with a crime, but rather the bank itself for allowing it. It's essentially like the banks taking all of your money and putting it on a pile on the sidewalk with a sign saying "don't touch". Of course it's gonna go missing. The bank's responsibility is making a reasonable attempt at keeping that from happening, which was obviously not the case here.


You are right. Some attempt should be made.

Just like the RIAA, and "intellectual property". An attempt should be made to secure your property. It is not the role of LEO/Government to enforce your property rights. It is only their job when you have been made a victim, or when a dispute needs resolution (i.e., civil litigation).

The funny part is, The People are so apathetic that this will barely yield a tick in the Citibank business. Customers will stay with them, and continue to trust in them. Why not? They are too big to fail, after all.



posted on Jun, 15 2011 @ 02:03 PM

Originally posted by MaryStillToe

I work with security for applications and the most common rationale for NOT securing access is: "Nobody would think to do that."

Yea, good strategy.



They have a point. How long has Citibank's security been this bad, and it was JUST NOW discovered?

For shame, hackers!



posted on Jun, 15 2011 @ 02:29 PM
It sounds like the sessions they were using weren't unique to the user. I recently found the exact same flaw at logonerds: you can replace your order ID with an incremented number and it shows the order of the next person, and the same for the previous one. It doesn't give payment details or credit card details but it shows other information such as name/address etc.

For a bank though, that's a ridiculous flaw and I'm so surprised it wasn't picked up earlier, do they not track where users go once they're logged in?

Madness.



posted on Jun, 15 2011 @ 03:39 PM
reply to post by mb2591
 


I would have to say no.

This is about as easy as it could ever get. From what it sounds like, it almost seems as if everyone had the same high level privileges to their customer database, allowing them to see other peoples info, simply by changing numbers found within the URL.

This is one of those mistakes you can't just ignore at the professional level. Wow.


But on the other side, I really hope you people can learn to appreciate IT Security professionals (real ones). Just by looking at the numbers, they face insurmountable odds. A security professional has to be right 100% of the time, whereas a hacker only needs to be right 1% of the time. It unfortunately is a losing game. Your best bet is to make your security harder to crack than the next guy's, so they go after him instead.
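The flaw the last two posts describe (a logged-in session is trusted to read whatever record id appears in the URL) next to the ownership check that closes it, plus the kind of per-session tracking that would have flagged the enumeration. This is an added example for the thread, not Citibank's code; the session table, account table and threshold are constructed.

```python
"""Vulnerable vs. hardened lookup of a record keyed by a URL parameter,
plus a simple enumeration detector. All names and data are constructed."""
from collections import defaultdict

# Constructed sample data: session token -> customer id; account id -> record
SESSIONS = {"sess-alice": "cust-1", "sess-bob": "cust-2"}
ACCOUNTS = {
    1001: {"owner": "cust-1", "balance": 250.00},
    1002: {"owner": "cust-2", "balance": 9100.50},
    1003: {"owner": "cust-2", "balance": 40.00},
}


def get_account_vulnerable(session_token, account_id):
    """Only checks that *a* session exists, then trusts the id from the URL."""
    if session_token not in SESSIONS:
        return None  # not logged in
    return ACCOUNTS.get(account_id)  # any logged-in user can read any account


def get_account_hardened(session_token, account_id):
    """Resolves the caller from the session, then requires ownership."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        return None  # not logged in
    record = ACCOUNTS.get(account_id)
    # Treat "exists but not yours" exactly like "does not exist", so the
    # response does not reveal which ids are valid.
    if record is None or record["owner"] != customer:
        return None
    return record


class EnumerationDetector:
    """Flags a session once it has requested more distinct account ids than
    the threshold; a real customer stays within their own few accounts."""

    def __init__(self, threshold):
        self.threshold = threshold
        self.seen = defaultdict(set)  # session token -> ids requested

    def observe(self, session_token, account_id):
        """Record one request; return True when the session should be flagged."""
        self.seen[session_token].add(account_id)
        return len(self.seen[session_token]) > self.threshold
```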



posted on Jun, 15 2011 @ 03:44 PM
reply to post by Amaterasu
 


Yes it is certainly not a browser issue. This is a serious flaw in their access/privileges system about what certain users can do and see. The funny part is, this is a huge and glaring responsibility when setting up a network. Setting up proper user privileges.

I would love to see what their IT offices look like, they must be screwing around all day soaking up checks. In all honesty, if I were a hacker, I would try and stay away from such large corporations. With all of their resources, and the information they retain, I would assume they would have top notch security. Which is what I'm sure their IT staff would assume, "who's going to mess with us?"



posted on Jun, 15 2011 @ 04:09 PM
No browser shortcoming to speak of

It's piss-poor design. Plain and simple. I'm sure the architect wanted a "stateless" design which would then rely on the querystring (the garbage in a URL that comes after a "?") and HTTP GET/POSTs to flow.

I'd also be willing to bet this was coded at some shop in Bangalore



posted on Jun, 15 2011 @ 07:38 PM

Originally posted by monkofmimir


man if I'd known that it was that easy to hack I'd have started years ago!


You couldn't even get into someone's forum account using that method, let alone a bank. I think Citibank is a serious one-off.



posted on Jun, 15 2011 @ 08:00 PM
reply to post by Lazyninja
 


Same here, which is why everyone's so surprised by this method. Any somewhat computer literate person, I'm sure, has tried this exact same method in their browser whether they know it or not.


