I don’t mean to beat up on Citigroup. But there’s an important lesson that’s just evidenced itself. I’m also very surprised at what I’ve just learned about the breach.
As we discussed a couple of days ago, the breach resulted in the exposure of the names, account numbers, and e-mail addresses of 200,000+ Citigroup credit card holders. That number has now been revised upward – to over 360,000. That is not the surprising element of the story, however.
Now comes word of how these “sophisticated” hackers did the trick. They simply logged in to the site – that’s all. Then, they noticed that the browser’s address bar contained the credit card number of the account that was logged in, as part of the URL.
A quick test for the hackers in these circumstances is to simply alter the number – one digit or a couple – hit refresh – and presto! You’re in another account. By the way – this is a very old trick for web pages, apps and programs that are dumb enough to use critical content, such as account numbers, Social Security Numbers, Customer IDs, etc., as part of the URL. The idea that a major credit card company was doing this in 2011 is scary.
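What the post describes is the pattern now usually called an insecure direct object reference: the URL carries the real record key, and the server checks only that *someone* is logged in, not that the caller owns the record. The following is an added example, not code from the original post and not Citigroup's code; every account number, user, session and handle in it is constructed. It shows the flawed handler beside a hardened one that uses a per-session opaque handle in place of the account number and re-checks ownership on every lookup.

```python
# Added example (not from the original post or from Citigroup): the insecure direct object
# reference pattern the post describes, beside a hardened handler. All data is constructed.
import secrets

# Constructed "database": the account number is the primary key, and it is exactly this key
# that the flawed site exposed in the browser's address bar.
ACCOUNTS = {
    "4000000000000001": {"owner": "alice", "name": "Alice Example", "email": "alice@example.test"},
    "4000000000000002": {"owner": "bob",   "name": "Bob Example",   "email": "bob@example.test"},
    "4000000000000003": {"owner": "bob",   "name": "Bob Example",   "email": "bob@example.test"},
}

# session_id -> {"user": <user>, "refs": {opaque_handle: account_number}}
SESSIONS = {}


def login(user):
    """Create a session and an indirect-reference map for the accounts this user may see.

    Links rendered into the page carry only the opaque handle, never the account number,
    so there is no meaningful number in the URL for anyone to increment."""
    session_id = "sess-" + secrets.token_urlsafe(16)
    refs = {secrets.token_urlsafe(16): num
            for num, rec in ACCOUNTS.items() if rec["owner"] == user}
    SESSIONS[session_id] = {"user": user, "refs": refs}
    return session_id


def vulnerable_account_page(session_id, account_number):
    """The flawed pattern: verifies that a session exists, then trusts the account number
    taken from the URL. Any authenticated user can read any account."""
    if session_id not in SESSIONS:
        raise PermissionError("not logged in")
    return ACCOUNTS.get(account_number)


def hardened_account_page(session_id, handle):
    """Hardened pattern: the URL parameter is an opaque, per-session handle that resolves
    only inside the caller's own reference map, and ownership is re-checked against the
    record itself (defence in depth). 'Unknown handle' and 'not your account' produce the
    same response, so the endpoint cannot be used as an oracle for which records exist."""
    session = SESSIONS.get(session_id)
    if session is None:
        raise PermissionError("not logged in")
    account_number = session["refs"].get(handle)
    record = ACCOUNTS.get(account_number) if account_number else None
    if record is None or record["owner"] != session["user"]:
        raise PermissionError("no such account")
    return record


def handles_for(session_id):
    """The handles a session may use: what the application would put into its own links."""
    return list(SESSIONS[session_id]["refs"])


if __name__ == "__main__":
    alice = login("alice")
    # Flaw: Alice's session reads Bob's record just by changing the number in the URL.
    print("vulnerable:", vulnerable_account_page(alice, "4000000000000002")["email"])
    # Hardened: Alice can only use handles issued to her session.
    print("hardened:", hardened_account_page(alice, handles_for(alice)[0])["email"])
    try:
        hardened_account_page(alice, "made-up-handle")
    except PermissionError as err:
        print("hardened refused:", err)
```

The ownership check inside `hardened_account_page` is the part that actually closes the hole; the opaque handle is a second layer that also keeps sensitive identifiers out of browser history, proxy logs and referrer headers, which is a separate exposure the post's scenario implies.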
Once the exposure was noted, the hackers merely wrote a simple program to automate the spin of numbers through the URL, with an interim step such that each resulting page could be stripped of the critical information – again, names, account numbers, and e-mail addresses. Upon that strip, a command for a simple refresh with a new number, strip – and repeat…
That is, repeat 360,000 times – before Citigroup happened to catch what was happening through a routine security check. In other words, it wasn’t even a proactive, interactive monitor that watched for suspicious activity and caught what was happening based on unusual activity: it was a routine, cyclical check.
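The access pattern the post describes is easy to see in ordinary web server logs, which is why the reliance on a periodic check rather than live monitoring stands out. The following is an added example, not from the original post, of the kind of detection logic a monitor could have run: it profiles each session by how many distinct account identifiers it requested and how often consecutive requests step to an adjacent identifier. The log format, the session field and the thresholds are assumptions, and the log lines are constructed.

```python
# Added example (not from the original post): flagging account enumeration from access logs.
# Log format, thresholds and all sample lines below are constructed assumptions.
import re
from collections import defaultdict

# Constructed log lines: timestamp, client IP, session id, request line, status.
# sess-a1 spins a counter through eight consecutive account numbers; sess-b2 and sess-c3
# look like ordinary customers viewing a few accounts of their own.
SAMPLE_LOG = """\
2011-05-10T14:03:01Z 203.0.113.5 sess-a1 GET /account?acct=4000000000000001 200
2011-05-10T14:03:02Z 203.0.113.5 sess-a1 GET /account?acct=4000000000000002 200
2011-05-10T14:03:03Z 203.0.113.5 sess-a1 GET /account?acct=4000000000000003 200
2011-05-10T14:03:04Z 203.0.113.5 sess-a1 GET /account?acct=4000000000000004 200
2011-05-10T14:03:05Z 203.0.113.5 sess-a1 GET /account?acct=4000000000000005 200
2011-05-10T14:03:06Z 203.0.113.5 sess-a1 GET /account?acct=4000000000000006 200
2011-05-10T14:03:07Z 203.0.113.5 sess-a1 GET /account?acct=4000000000000007 200
2011-05-10T14:03:08Z 203.0.113.5 sess-a1 GET /account?acct=4000000000000008 200
2011-05-10T14:04:00Z 198.51.100.7 sess-b2 GET /account?acct=4000000000000044 200
2011-05-10T14:04:30Z 198.51.100.7 sess-b2 GET /account?acct=4000000000000044 200
2011-05-10T14:05:00Z 198.51.100.7 sess-b2 GET /account?acct=4000000000000091 200
2011-05-10T14:06:00Z 192.0.2.9    sess-c3 GET /account?acct=4000000000000120 200
2011-05-10T14:06:20Z 192.0.2.9    sess-c3 GET /account?acct=4000000000000350 200
2011-05-10T14:06:40Z 192.0.2.9    sess-c3 GET /account?acct=4000000000000777 200
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+GET /account\?acct=(\d+)\s+(\d{3})$")


def parse(log_text):
    """Parse the constructed log format into dicts; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, ip, session, acct, status = m.groups()
            events.append({"ts": ts, "ip": ip, "session": session,
                           "acct": acct, "status": int(status)})
    return events


def profile_sessions(events):
    """Per session: distinct account identifiers requested, and the fraction of consecutive
    requests that moved to an adjacent identifier (the signature of a counter being spun)."""
    requests = defaultdict(list)
    for e in events:
        requests[e["session"]].append(int(e["acct"]))
    profiles = {}
    for session, accts in requests.items():
        pairs = list(zip(accts, accts[1:]))
        adjacent = sum(1 for a, b in pairs if abs(a - b) == 1)
        profiles[session] = {
            "requests": len(accts),
            "distinct": len(set(accts)),
            "sequential_fraction": adjacent / len(pairs) if pairs else 0.0,
        }
    return profiles


def flag_enumeration(profiles, max_distinct=5, seq_fraction=0.8, min_distinct=3):
    """Flag sessions that touch more accounts than any one customer plausibly owns, or that
    walk through identifiers in order. Thresholds are assumed values for illustration."""
    flagged = {}
    for session, p in profiles.items():
        reasons = []
        if p["distinct"] > max_distinct:
            reasons.append(f"{p['distinct']} distinct accounts in one session")
        if p["distinct"] >= min_distinct and p["sequential_fraction"] >= seq_fraction:
            reasons.append(f"{p['sequential_fraction']:.0%} of requests step to an adjacent account number")
        if reasons:
            flagged[session] = reasons
    return flagged


if __name__ == "__main__":
    for session, reasons in flag_enumeration(profile_sessions(parse(SAMPLE_LOG))).items():
        print(session, "->", "; ".join(reasons))
```

Note that every request in the sample succeeded with a 200, as the pages did in the breach the post describes: an alert keyed on error rates or failed logins would never fire. The signal is the breadth and ordering of identifiers seen per session (or per client IP), which is why the per-session profile rather than the status code is what gets thresholded.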
According to London’s The Daily Mail, an “expert” who is on the investigation team actually speculated as to how hackers would have thought to focus on the vulnerability in the browser. Words almost fail here… hackers are imaginative and adept – and pretty much always catch what’s right in front of their face. But, as stated, URL vulnerabilities have long been known. It sounds like we’re discussing something in 1995.
This unnamed expert, who wishes anonymity, stated, “It would have been hard to prepare for this type of vulnerability in the browser.”
On the contrary: This type of flaw and hack potential has long been known, and NO responsible programmer, web developer, application designer, or provider goes anywhere near making an old-school exposure such as this, whereby a “key” is displayed in a URL, such that simple random substitutions unlock virtually unlimited access to other pages and related entities’ data.
Given that Citigroup had a flaw such as this, what else is lurking as extreme vulnerabilities in their systems? I would say that their overall judgment and security measures are very suspect.
On this day: In 1937, “A Day at the Races” starring The Marx Brothers opened in LA.