How Hackers Easily Stole User Data from Citigroup

  • Share
  • Read Later

Last week we reported that Citigroup was the latest company to suffer a serious security breach when over 200,000 names, emails and account numbers were compromised by hackers. To add insult to injury, the attack presumably happened sometime in early May, indicating that it took nearly three weeks until news of the attacks was actually made public.

Now, to make matters even worse, the New York Times is reporting that the thieves’ method of entry into the Citigroup website was, well, really simple, calling it the equivalent of having a really “high-tech security system,” but “the front door wasn’t locked tight.”

So how’d they do it? Per the Times:

“In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.”

In the bank’s defense, the fact that the thieves knew how to expose the site’s particular vulnerability through the address bar would qualify that the nature of the attack was–as quoted by an anonymous security expert–“especially ingenious.”

Citigroup was lambasted by critics for “dragging their feet” after news of the compromise began to surface, but, according to various reports, the company defended its position by stating that it was conducting an investigation and issuing replacement cards.

(via NYT)

More on TIME.com:

“Anonymous” Levels Hacking Threat Against Federal Reserve

The 10 Most Popular iPhone Passwords, Starring “1234”

Turkish Authorities Claim Arrest of 34 Hackers