The Inquirer-Home

Citibank was hacked by altering URLs

World's largest payroll processor reveals a data breach
Thu Jun 16 2011, 11:25

THE HACKING of Citibank that led to the exposure of 360,000 customers' credit card details was made by simply altering the bank's URL.

When users log into the Citi Account Online system the URL changes to include a series of numbers relevant to the user's account. However, it was discovered that someone could access another's account by simply changing those numbers, according to The New York Times.

The hackers used this remarkably simple technique to hop from account to account and they even developed a script to automate the hack for them. It's difficult to even call it a hack, as it's like copying and slightly changing a key and using it on a neighbour's front door.

Details that were stolen included names, account numbers and email addresses, but credit card security codes, social security numbers and birth dates remained safe.

It's one thing having this major flaw on a commercial web site, but for a bank, where online banking is supposed to require enhanced security, this is mind-boggling.

Surely changing the numbers would force users back to a login screen, one would think, but it seems that this was not the case and any average user could have accessed another user's account unwittingly by altering a number here or there just like the hackers, who are believed to be from Eastern Europe.

If that were not enough hacking of monetary services, the world's largest payroll processor, Automatic Data Processing (ADP), has revealed it was the victim of a data breach.

The company, which has over half a million payroll clients, said that it has launched an investigation into the hacking and is taking measures to address the impact of the breach. It did not reveal any specific details about the attack.

It is estimated that half of the employees of major US corporations have their pay processed by ADP, according to Reuters, making this a potentially very devastating and disruptive incident.

It appears that a number of financial services, including the International Monetary Fund, have been targeted by hackers recently in what has become an increasing trend.

These targets were generally off the radar of Anonymous and Lulzsec, who hack for activist and fun reasons respectively, and these attacks might be the work of criminal hackers that are cashing in on the confusion caused by less serious forms of cyber disruption. µ

 

Share this:

blog comments powered by Disqus
Advertisement
Subscribe to INQ newsletters

Sign up for INQbot – a weekly roundup of the best from the INQ

Advertisement
INQ Poll

Masque malware is putting iPad and iPhone user data at risk

Has news of iOS malware made you reconsider getting an iPhone?