Basically, Citibank is a bunch of morons. Apparently your credit card number appears in your browser's address bar, so they would type in another number and that account's information would come up.
So it sounds like they validated the account number once, then when the hackers changed the account number, it was never revalidated and Citi's system assumed all future page accesses were valid. VERY bad form when dealing with money.
It is not difficult to pass information back and forth through secure sessions. In fact, it's pretty darn fundamental. I don't understand why a megacorp like Citi couldn't properly implement something like that.
http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.htmlhttp://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access