Citigroup hack exploited easy-to-detect web flaw

Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator. The New York Times reported that the technique allowed the hackers to …

COMMENTS

This topic is closed for new posts.

Taking candy from a baby

Maybe they wouldn't have had such a glaring vulnerability if they submitted themselves to the same PCI compliance extortion they inflict on my small vendor clients

2
1
Silver badge
Holmes

@pj3090 you seem confused.

PCI compliance is really a watered-down version of what should be in place.

You can still be PCI compliant and still leak like a sieve.

Not that I disagree with your sentiment.

1
1
FAIL

Reply to post: @pj3090 you seem confused.

Yes, and conversely you can have a secure setup that doesn't meet PCI compliance rules, which I think is what pj3090 was getting at.

There are a number of things that are taken as gospel requirements by PCI vetting people with no real knowledge of why or if they are in fact such a good idea. Such gems as blocking all ICMP packets (ever wonder why PMTUD doesn't work?), NAT=secure (no it doesn't) - the list is endless.

1
1
FAIL

Seriously. One Qualys scan would've detected this...

0
0
Silver badge
Trollface

Just curious...

When a pointy haired management type decides to go for the lowest cost consultant or the off shore resource (uhm, they call it global sourcing these days...), one has to wonder if they calculated the costs and loss of good will when someone doesn't do their job and secure the site?

Just a curious question about expectations of top notch software from sub par developers. Doesn't that mean that the management chain is also sub par?

5
2
Silver badge

Not sure about the analogy...

“Think of it as a mansion with a high-tech security system – that the front door wasn't locked tight,”

Given that a valid login session was required, I think it might be better described as giving a new resident the keys to their house, which happen to fit every other lock in the city if they care to go and try!

However you describe it, it's a pitifully bad way of securing any website, let alone a financial one!

1
1
Big Brother

re: Not sure about the analogy

Dear anonymous mod troll, what was wrong with the above comment?

1
0
(Written by Reg staff)

Re: re: Not sure about the analogy

Above comment?

Mod troll?

0
0
Silver badge

@doperative

I have no idea, I notice even the most innocent comment can attract down votes on here.

I probably upset someone on here and they now have some kind of petty down voting vengeance going on! Oh well, if it keeps them off the streets. :-)

Thanks for coming to my defence though :-)

1
0
Silver badge

@Steve

Welcome to the club.

0
1
FAIL

Testing is not part of the...

developers' contract, obviously - along with competence and project management.

What you get when you buy the cheapest-written-in-elbonia software.

1
1
Anonymous Coward

The cheapest point to fix vulnerabilities

is in dev, before go-live. A few quid on pen testing now saves a million in fines later. Why is it so difficult to convince people of this simple risk mitigation? I have to say a big thanks to Citi as, thanks to this glaring example, it will now be much easier to make the case for testing.

1
1
WTF?

The article is wrong too

The problem here is not that the account numbers were unencrypted - after all, account numbers are public knowledge once you write a cheque or do a bank transfer. The problem is that the account details could be requested by an unauthenticated person. This is gobsmackingly, unbelievably stupid.

0
0
WTF?

@Naich.. Public Knowledge?

I don't think you quite understand what is meant by public knowledge.

Public knowledge refers to something that is available to all of the public or easily obtained information that one could obtain publicly.

When you do a transfer or transaction only the parties involved in the transaction know your account numbers. Unencrypted account numbers *is* a problem.

You are correct that the ability of anyone to query the back end database about any other information is also a major problem.

Either problem is a critical flaw, and neither would be a violation of the PCI spec.

0
0
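The flaw the thread keeps circling back to (the "keys fit every other lock" comment above, and this post's point that account details could be fetched by anyone) in a constructed Python sketch, added here and not code from the article or from any poster: an account lookup that only checks for a session beside one that also checks ownership, plus a small detection count. All names, sample data and the AccessDenied type are assumptions.

```python
# Added example (not from the article or any poster): an account-details
# lookup with the authorization gap the thread describes, beside a hardened
# version. All data, names and the AccessDenied type are constructed.
from dataclasses import dataclass
from typing import Optional

class AccessDenied(Exception):
    """Raised when a request fails authentication or authorization."""

@dataclass(frozen=True)
class Account:
    account_id: int
    owner_id: int
    number: str  # full account number, constructed sample data

# Constructed sample data: two customers, each owning one account.
ACCOUNTS = {
    1001: Account(1001, owner_id=1, number="4111-0000-0000-1111"),
    1002: Account(1002, owner_id=2, number="4111-0000-0000-2222"),
}
# Constructed sessions: session token -> authenticated customer id.
SESSIONS = {"tok-alice": 1, "tok-bob": 2}

def get_account_vulnerable(session_token: Optional[str], account_id: int) -> Account:
    """Checks only that *some* valid session exists, then looks the account
    up by the caller-supplied id. Any logged-in customer can read any account
    by changing account_id: the keys fit every lock in the city."""
    if session_token not in SESSIONS:
        raise AccessDenied("login required")
    return ACCOUNTS[account_id]

def get_account_hardened(session_token: Optional[str], account_id: int) -> Account:
    """Authenticates the session, then authorizes the object: the account must
    be owned by the session's customer. Other customers' accounts and unknown
    ids get the same generic error, so the endpoint does not reveal which
    ids exist."""
    owner_id = SESSIONS.get(session_token)
    if owner_id is None:
        raise AccessDenied("login required")
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner_id != owner_id:
        raise AccessDenied("account not found")
    return account

def count_denied(requests):
    """Detection helper: count authorization failures per session token over
    a list of (token, account_id) requests. Many failures from one session is
    a simple signal that a logged-in user is walking through account ids."""
    denied = {}
    for token, account_id in requests:
        try:
            get_account_hardened(token, account_id)
        except AccessDenied:
            denied[token] = denied.get(token, 0) + 1
    return denied
```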
Anonymous Coward

FT changed their article

The Financial Times article referenced here has been changed to remove any reference to Java or Oracle. Wonder if they were asked to remove it or it was inaccurate. Certainly would help explain how full account numbers were captured if it is true.

2
0
FAIL

Things just don't change

I remember the same basic mistakes being made repeatedly in UART (and their discrete predecessors) drivers, especially in the handling of multiple interrupts on noisy RS232 lines and XON/XOFF handling.

DecSystem10, RSX-11M, Olivetti's S6000 mini, Unix Sys V.....

It was clear that knowledge about this was kicking around, but the people who wrote the next OS were a set of new college grads without this previous experience.

Seems we have the same lack of knowledge transfer to the people who Really Count today. Quelle surprise.

0
1
Facepalm

Ironically...

Citibank is listed on OWASP's list of big name adopters.

Oops!

0
1
Boffin

flaw in the Java framework?

> the Citi hackers also took advantage of a flaw in the Java programming framework to access information stored in an Oracle database maintained by the bank ..

What flaw? (I preemptively mod me down first)

0
0