Citigroup Revisited: Breach Due to Almost Unbelievable Lapse

Written by Traci Lester on June 27th, 2011

I’ve seen a lot of security breaches, as well as a lot of potentials for breach (which were happily sewn shut ahead of any bad outcomes).  But even I’m surprised at what I’ve just heard about the recent Citigroup breach.

As we discussed a couple days ago, the breach resulted in the exposure of 200,000+ names, account numbers, and e-mail addresses of Citigroup credit card holders.

Now comes word of how these “sophisticated” hackers did the trick.  They simply logged in to the site – that’s all.  Then, they noticed that the browser’s address bar contained the credit card number of the account that was logged in, as part of the URL.

A quick test for the hackers in these circumstances is to simply alter the number – one digit or a couple – hit refresh – and presto!  You’re in another account.  By the way – this is a very old trick for web pages, apps and programs that are dumb enough to use critical content, such as account numbers, Social Security Numbers, Customer IDs, etc., as part of the URL.  The idea that a major credit card company was doing this in 2011 is scary.

Once the exposure was noted, the hackers merely wrote a simple program to automate the spin of numbers through the URL, with an interim step such that each resulting page could be stripped of the critical information – again, names, account numbers, and e-mail addresses.  Upon that strip, a command for a simple refresh with new number, strip – and repeat…

That is, repeat 200,000 times – before Citigroup happened to catch what was happening through a routine security check.  In other words, it wasn’t even a proactive, interactive monitor that watched for suspicious activity and caught what was happening based on unusual activity: it was a routine, cyclical check.

According to London’s The Daily Mail, an “expert” who is on the investigation team actually speculated how hackers would have thought to focus on the vulnerability in the browser.  Words almost fail here… hackers are imaginative and adept – and pretty much always catch what’s right in front of their face.  But, as stated, URL vulnerabilities have been long known.  It sounds like we’re discussing something in 1995.

This unnamed expert, who wishes anonymity, stated, “It would have been hard to prepare for this type of vulnerability in the browser.”

On the contrary:  This type of flaw and hack potential has been long-known, and NO responsible programmer, web-developer, applications designer, or provider goes anywhere near making an old-school exposure such as this, whereby a “key” is displayed in a URL, such that simple random substitutions unlock virtually unlimited access to other pages and related entities’ data.
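The flaw described above (an account number in the URL accepted as proof of ownership) and the missing proactive monitor, as an added illustration that is not Citigroup's code or a reconstruction of it: a minimal flawed handler beside its corrected form, plus a check that flags one session walking through many account numbers. All accounts, sessions and log lines are constructed.

```python
from collections import defaultdict

# Constructed data: account number -> owning customer; session -> customer.
ACCOUNTS = {
    "1000001": {"owner": "cust-A", "email": "a@example.com"},
    "1000002": {"owner": "cust-B", "email": "b@example.com"},
    "1000003": {"owner": "cust-C", "email": "c@example.com"},
}
SESSIONS = {"sess-A": "cust-A", "sess-B": "cust-B"}


def account_page_vulnerable(session, url_account):
    """Flawed handler: being logged in is the only check, so whatever account
    number sits in the URL is served (the flaw the article describes)."""
    if session not in SESSIONS:
        return None
    return ACCOUNTS.get(url_account)


def account_page_fixed(session, url_account):
    """Corrected handler: the record is returned only if it belongs to the
    customer bound to the session; the URL value is never proof of ownership."""
    customer = SESSIONS.get(session)
    record = ACCOUNTS.get(url_account)
    if customer is None or record is None or record["owner"] != customer:
        return None  # same answer for "no such account" and "not yours"
    return record


def enumeration_sessions(log_lines, threshold=3):
    """Proactive check: flag sessions that request at least `threshold`
    distinct account numbers. Each constructed log line is '<session> <acct>'."""
    seen = defaultdict(set)
    for line in log_lines:
        session, account = line.split()
        seen[session].add(account)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)


# Constructed access log: sess-A walks through consecutive account numbers.
SAMPLE_LOG = [
    "sess-A 1000001",
    "sess-A 1000002",
    "sess-A 1000003",
    "sess-B 1000002",
]
```

In the corrected handler the 'not found' and 'not yours' cases return the same response, so the URL cannot be used to confirm which account numbers exist.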

Being that Citigroup had a flaw such as this, what else is lurking as extreme vulnerabilities in their systems?  I would say that their overall judgment and security measures are very suspect.

Consumers:  Beware.

By: David Scott.  David Scott is a CIO/Fortune 100 IT professional and author of I.T. Wars: Managing the Business-Technology Weave in the New Millennium, which was selected as an MBA text at the University of Wisconsin.  David is the sole proprietor of BTW Consulting: business writing, policies and plans.  His comments have appeared in InfoWeek, Capitol Weekly (CA), and on the DC television show Communicating Today.  You can connect with David on LinkedIn or on Twitter by following @davidscott999.
