I don’t mean to beat up on Citigroup.  But there’s an important lesson that’s just evidenced itself.  I’m also very surprised at what I’ve just learned about the breach.

As we discussed a couple days ago, the breach resulted in the exposure of 200,000+ names, account numbers, and e-mail addresses of Citigroup credit card holders.  That number has now been revised upward – to over 360,000.  That is not the surprising element of the story, however.

Now comes word of how these “sophisticated” hackers did the trick.  They simply logged in to the site – that’s all.  Then, they noticed that the browser’s address bar contained the credit card number of the account that was logged in, as part of the URL.

A quick test for the hackers in these circumstances is to simply alter the number – one digit or a couple – hit refresh – and presto!  You’re in another account.  By the way – this is a very old trick for web pages, apps and programs that are dumb enough to use critical content, such as account numbers, Social Security Numbers, Customer IDs, etc., as part of the URL.  The idea that a major credit card company was doing this in 2011 is scary.

Once the exposure was noted, the hackers merely wrote a simple program to automate the spin of numbers through the URL, with an interim step such that each resulting page could be stripped of the critical information – again, names, account numbers, and e-mail addresses.  Upon that strip, a command for a simple refresh with new number, strip – and repeat…

That is, repeat 360,000 times – before Citigroup happened to catch what was happening through a routine security check.  In other words, it wasn’t even a proactive, interactive, monitor that watched for suspicious activity, and caught what was happening based on unusual activity:  It was a routine, cyclical, check.

According to London’s The Daily Mail, an “expert” who is on the investigation team actually speculated how hackers would have thought to focus on the vulnerability in the browser.  Words almost fail here… hackers are imaginative and adept – and pretty much always catch what’s right in front of their face.  But, as stated, URL vulnerabilities have been long known.  It sounds like we’re discussing something in 1995.

This unnamed expert, who wishes anonymity, stated, “It would have been hard to prepare for this type of vulnerability in the browser.”

On the contrary:  This type of flaw and hack potential has been long-known, and NO responsible programmer, web-developer, applications designer, or provider goes anywhere near making an old-school exposure such as this, whereby a “key” is displayed in a URL, such that simple random substitutions unlock virtually unlimited access to other pages and related entities’ data.

Being that Citigroup had a flaw such as this, what else is lurking as extreme vulnerabilities in their systems?  I would say that their overall judgment and security measures are very suspect.

Consumers:  Beware.

On this day:  In 1937, “A Day at the Races” starring The Marx Brothers opened in LA.

According to eWeek and others, approximately 200,000 card members’ accounts were accessed.  The specific information compromised were names, card numbers, and e-mail addresses – perhaps other contact info depending on what you read.

Fortunately, other critical information, such as birth dates, social security numbers, card security numbers (typically on the back of your card) and card expiration dates were not compromised, as they are stored elsewhere.

It’s heartening to know that there’s a discretionary storage of critical data:  That is, there is a separate repository for one set of data, but another repository (or repositories) for a complimentary set of data necessary for the “whole record” view of any one entity – in this case, person and associated credit data.  This separation of data, into separate “secured” (ahem) areas makes it a little more difficult, at least, to assemble the critical info necessary to make bogus charges or acquisitions of cash at the expense of card holders.

It’s disheartening to know, however, that any measure of breach occurred to any measure of system at Citigroup.  This isn’t to pick on them – for a little perspective, access the Privacy Rights Clearinghouse and their Chronology of Data Breaches.  That list isn’t even comprehensive – there are far more breaches, both reported and unreported, transpiring.

Citi is going to establish “enhanced procedures” according to Sean Kevelighan, spokesman for the North American Consumer Banking Division of Citi, in order to prevent future breaches.  Well, that’s all well and good, but I’m curious to know if these “enhanced procedures” are general industry established and known procedures – and if so, why were they not already instituted?  Also, the word “procedure” is an interesting choice.  It almost makes it sound as if internal human error compounded an insecure situation. 

And, I characterize the human failing of neglect, in keeping systems updated for latest security threats and actions, to be human error:  Whether someone is simply not approving budget for protections, or someone is lax in surveying for risk and matched solutions. 

Security solutions must be extremely aggressive.  They must constantly lead threats – by a wide margin. 

It doesn’t take much for a business to lose the faith of customers.  In fact, it can happen at just about the speed of a button push on a keyboard…

NP:  John Coltrane with the Red Garland Trio, original Prestige vinyl LP… what more needs to be said?