THE HACKING of Citibank that led to the exposure of 360,000 customers' credit card details was carried out by simply altering the bank's URL.
When users log into the Citi Account Online system the URL changes to include a series of numbers relevant to the user's account. However, it was discovered that someone could access another's account by simply changing those numbers, according to The New York Times.
The hackers used this remarkably simple technique to hop from account to account and they even developed a script to automate the hack for them. It's difficult to even call it a hack, as it's like copying and slightly changing a key and using it on a neighbour's front door.
Details that were stolen included names, account numbers and email addresses, but credit card security codes, social security numbers and birth dates remained safe.
It's one thing having this major flaw on a commercial web site, but for a bank, where online banking is supposed to require enhanced security, this is mind-boggling.
One would think that changing the numbers would force users back to a login screen, but it seems that this was not the case: any average user could have accessed another user's account unwittingly by altering a number here or there, just like the hackers, who are believed to be from Eastern Europe.
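The flaw described above is an authorisation failure: the server authenticates the session but then trusts whatever account number arrives in the URL. As an added example (not code from the article, from Citi, or from The New York Times), the following Python sketch models that handler, places the hardened version beside it, and runs a simple check over constructed access-log lines that flags any session reading more accounts than a single customer should ever see. All session tokens, account ids, names and log lines are constructed for the example.

```python
# Added example, not code from the article or from Citi: a minimal model of the
# flaw described above (an account id taken from the URL and trusted), the
# hardened handler beside it, and a log check that flags sessions reading more
# accounts than they own. All names, ids and log lines are constructed.
from collections import defaultdict

# Constructed session store: session token -> account id it was issued for.
SESSIONS = {"sess-alice": 100001, "sess-bob": 100002}

# Constructed account records (the kind of data the article says was exposed).
ACCOUNTS = {
    100001: {"name": "Alice Example", "email": "alice@example.invalid"},
    100002: {"name": "Bob Example", "email": "bob@example.invalid"},
    100003: {"name": "Carol Example", "email": "carol@example.invalid"},
}


def vulnerable_account_view(session_token, account_id):
    """Authenticates the session but authorises nothing: the account id from
    the URL is looked up directly, so any logged-in user can read any account."""
    if session_token not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(account_id)
    return (200, record) if record is not None else (404, None)


def hardened_account_view(session_token, account_id):
    """Ties the lookup to the session's owner. The id in the URL is accepted
    only when it matches; a mismatch gets a uniform 403 so the response does
    not reveal whether the other id exists."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return 401, None
    if account_id != owner:
        return 403, None
    return 200, ACCOUNTS[owner]


# Constructed access-log lines in the form "<session token> <method> <path>".
SAMPLE_LOG = [
    "sess-alice GET /account/100001",
    "sess-alice GET /account/100001",
    "sess-bob GET /account/100002",
    "sess-mallory GET /account/100001",
    "sess-mallory GET /account/100002",
    "sess-mallory GET /account/100003",
    "sess-mallory GET /account/100004",
]


def find_enumerating_sessions(log_lines, max_distinct=1):
    """Return the session tokens that touched more distinct account ids than a
    single customer should ever see. With the hardened handler such requests
    are refused; with the vulnerable one, this count is the clearest signal."""
    seen = defaultdict(set)
    for line in log_lines:
        parts = line.split()
        if len(parts) != 3 or not parts[2].startswith("/account/"):
            continue
        token, path = parts[0], parts[2]
        account_part = path.rsplit("/", 1)[1]
        if account_part.isdigit():
            seen[token].add(int(account_part))
    return sorted(t for t, ids in seen.items() if len(ids) > max_distinct)


if __name__ == "__main__":
    print(vulnerable_account_view("sess-alice", 100002))  # (200, Bob's record)
    print(hardened_account_view("sess-alice", 100002))    # (403, None)
    print(find_enumerating_sessions(SAMPLE_LOG))          # ['sess-mallory']
```

The cleanest fix is not to carry the account id in the URL at all and to derive it from the session; the ownership check in the hardened handler is the defence in depth for routes that must keep an id in the path. The log check assumes one account per session, which is the article's own premise; a site where a customer legitimately holds several accounts would raise `max_distinct` accordingly.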
If that were not enough hacking of monetary services, the world's largest payroll processor, Automatic Data Processing (ADP), has revealed it was the victim of a data breach.
The company, which has over half a million payroll clients, said that it has launched an investigation into the hacking and is taking measures to address the impact of the breach. It did not reveal any specific details about the attack.
It is estimated that half of the employees of major US corporations have their pay processed by ADP, according to Reuters, making this a potentially devastating and disruptive incident.
It appears that a number of financial services, including the International Monetary Fund, have been targeted by hackers recently in what has become an increasing trend.
These targets were generally off the radar of Anonymous and LulzSec, who hack for activist and fun reasons respectively, and these attacks might be the work of criminal hackers that are cashing in on the confusion caused by less serious forms of cyber disruption.
You really can't call this a hack. Calling it a hack gives some credibility to Citi's IT dept in this issue but the reality is that if this is true then this is just pure and simple incompetence.
"It's difficult to even call it a hack, as it's like copying and slightly changing a key and using it on a neighbour's front door."
No, it's more like going into an apartment building with the common front door key and then saying, "Oh, wait! If I choose someone else's apartment number and then try the door handle. Oh, their apartment door opens!"