How the Citibank hack worked
Jun. 17th, 2011 09:37 pm![[personal profile]](https://www.dreamwidth.org/img/silk/identity/user.png){kind=small}
thewayneBasically, Citibank is a bunch of morons. Apparently your credit card number appears in your browser's address bar, so they would type in another number and that account's information would come up.
So it sounds like they validated the account number once, then when the hackers changed the account number, it was never revalidated and Citi's system assumed all future page accesses were valid. VERY bad form when dealing with money.
It is not difficult to pass information back and forth through secure sessions. In fact, it's pretty darn fundamental. I don't understand why a megacorp like Citi couldn't properly implement something like that.
http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html
http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access
So it sounds like they validated the account number once, then when the hackers changed the account number, it was never revalidated and Citi's system assumed all future page accesses were valid. VERY bad form when dealing with money.
It is not difficult to pass information back and forth through secure sessions. In fact, it's pretty darn fundamental. I don't understand why a megacorp like Citi couldn't properly implement something like that.
http://www.dailymail.co.uk/news/article-2003393/How-Citigroup-hackers-broke-door-using-banks-website.html
http://it.slashdot.org/story/11/06/14/2046216/How-Citigroup-Hackers-Easily-Gained-Access
![[identity profile]](https://www.dreamwidth.org/img/silk/identity/openid.png){kind=small}
no subject
Date: 2011-06-18 06:30 pm (UTC)no subject
Date: 2011-06-18 10:41 pm (UTC)no subject
Date: 2011-06-18 11:29 pm (UTC)