Fraudsters Change Web URLs To Match Account Numbers and Hack Citi Bank

It’s this easy for hackers nowadays, huh? As the Saturday Night Live news anchor would say, “Really?!”

An unnamed security expert told The New York Times that the compromise of thousands of Citi credit card customers’ account information last week came down to hackers changing a few numbers in the web page URL string after logging into a valid account.

Wow. If it’s true, that’s really embarrassing for Citi. Changing a URL is about the lowest level hack there is. That’s hacker elementary school stuff. This could highlight, again if it’s true, how careless or oblivious Citi Bank is when it comes to IT and systems security.

This type of vulnerability is known as “Insecure Direct Object References” and it’s so common that it ranks as the fourth most critical vulnerability on the Open Web Application Security Project’s top ten list of security risks in 2010.

Essentially the process went like this: first, hackers logged into the accountholder website. From there, the attackers used some type of script that allowed them to automatically jump from account to account and harvest any identifiable information merely by changing a portion of the URL. It’s not exactly known how the hackers knew to exploit this vulnerability.
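To make the flaw concrete, here is an added example (not code from the original post, and not Citi’s software) that models the pattern described above in a few lines of Python: a request handler that selects the account record purely from a URL parameter, the same handler with the ownership check that should have been there, and a small log check that flags the account-to-account walk the article mentions. The account store, the `acct` parameter name and the log lines are all constructed for illustration.

```python
"""Added example (not from the original post): a minimal model of the
Insecure Direct Object Reference described above, its fix, and a log check
that flags a session walking through many account ids.
All names, accounts and log lines below are constructed for illustration."""
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed data store: account id -> owner username and some details.
ACCOUNTS = {
    "1001": {"owner": "alice", "card_last4": "4242"},
    "1002": {"owner": "bob", "card_last4": "1881"},
    "1003": {"owner": "carol", "card_last4": "0005"},
}


def account_id_from_url(url):
    """Pull the ?acct= parameter out of a request URL (hypothetical parameter name)."""
    qs = parse_qs(urlparse(url).query)
    values = qs.get("acct")
    return values[0] if values else None


def view_account_vulnerable(session_user, url):
    """IDOR pattern: the URL parameter alone selects the record; the logged-in
    user (session_user) is never compared against the record's owner."""
    acct = account_id_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None:
        return None
    return record  # any authenticated user can read any account


def view_account_fixed(session_user, url):
    """Hardened: same lookup, but the record is returned only when it belongs
    to the authenticated session user. Returning None for both 'missing' and
    'not yours' avoids confirming which ids exist."""
    acct = account_id_from_url(url)
    record = ACCOUNTS.get(acct)
    if record is None or record["owner"] != session_user:
        return None
    return record


# Constructed access log, one request per line: 'session=<id> url=<url>'.
SAMPLE_LOG = [
    "session=s-alice url=https://bank.example/account?acct=1001",
    "session=s-alice url=https://bank.example/account?acct=1001",
    "session=s-mallory url=https://bank.example/account?acct=1001",
    "session=s-mallory url=https://bank.example/account?acct=1002",
    "session=s-mallory url=https://bank.example/account?acct=1003",
    "session=s-mallory url=https://bank.example/account?acct=1004",
]


def detect_enumeration(log_lines, threshold=3):
    """Return sessions that requested more than `threshold` distinct account ids.
    A legitimate user touches their own one or two accounts; a script stepping
    through the id space touches many."""
    seen = defaultdict(set)
    for line in log_lines:
        sess_field, url_field = line.split(" ", 1)
        session = sess_field.split("=", 1)[1]
        url = url_field.split("=", 1)[1]
        acct = account_id_from_url(url)
        if acct is not None:
            seen[session].add(acct)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)


if __name__ == "__main__":
    url = "https://bank.example/account?acct=1002"
    print("vulnerable, as alice:", view_account_vulnerable("alice", url))  # bob's record leaks
    print("fixed, as alice:", view_account_fixed("alice", url))            # None
    print("flagged sessions:", detect_enumeration(SAMPLE_LOG))             # ['s-mallory']
```

The fix is the single comparison against the session owner; the log check is the kind of per-session distinct-id count that would have made a scripted walk across accounts stand out long before thousands of records were read.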

A browser and the ability to change the URL string was all that was needed to open hundreds of thousands of accounts to attackers. Yep, that makes me feel good about signing up for that Citi Credit Card.
