Citigroup hackers broke in through the public Website - NYTimes

The hackers who made off with the personal account data of 200,000 Citigroup customers allegedly broke into the bank via its public Website, focussing on a simple vulnerability in the browser address bar.

  0 Be the first to comment

Citigroup hackers broke in through the public Website - NYTimes

Editorial

This content has been selected, created and edited by the Finextra editorial team based upon its relevance and interest to our community.

One of the investigators working on the breach has told the New York Times that the attack was both simple and ingenious.

The NYTimes source, billed as a "security expert familiar with the investigation", said the attackers logged on to the part of the bank's site reserved for credit card customers - and substituted their own account numbers which appeared in the browser's address bar with other numbers. Using a computer-based random number generator, the hackers created tens of thousands of possible account numbers, which opened the door to the profiles of other customers.

Citi confirmed the breach last week, saying that names, account numbers and e-mail addresses had been compromised but not birth dates, social security numbers and card security codes, which are held elsewhere.

Thieves found Citigroup site an easy entry - New York Times

Finextra verdict: If true - and the NYTimes is careful to mask its source - this a truly embarrassing security failure for Citi. Inserting customer account numbers into the visible display bar on the browser is a basic error. Heads must roll.

Sponsored [On-Demand Webinar] AI in Banking: Building Compliant and Safe Enterprise AI at Scale

Related Company

Comments: (0)

[Webinar] Reaping the benefits of Hyper-Personalisation with AI and Application ModernisationFinextra Promoted[Webinar] Reaping the benefits of Hyper-Personalisation with AI and Application Modernisation