Citigroup hack exploited easy-to-detect web flaw

Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator. The New York Times reported that the technique allowed the hackers to …

COMMENTS

This topic is closed for new posts.
  1. pj3090

    Taking candy from a baby

    Maybe they wouldn't have had such a glaring vulnerability if they submitted themselves to the same PCI compliance extortion they inflict on my small vendor clients

    1. Ian Michael Gumby
      Holmes

      @pj3090 you seem confused.

      PCI compliance is really a watered-down version of what should be in place.

      You can still be PCI compliant and still leak like a sieve.

      Not that I disagree with your sentiment.

      1. Anonymous Coward
        FAIL

        Reply to post: @pj3090 you seem confused.

        Yes, and conversely you can have a secure setup that doesn't meet PCI compliance rules, which I think is what pj3090 was getting at.

        There are a number of things that are taken as gospel requirements by PCI vetting people with no real knowledge of why or if they are in fact such a good idea. Such gems as blocking all ICMP packets (ever wonder why PMTUD doesn't work?), NAT=secure (no it doesn't) - the list is endless.

    2. joe.user
      FAIL

      Seriously. One Qualys scan would've detected this...

  2. Ian Michael Gumby
    Trollface

    Just curious...

    When a pointy-haired management type decides to go for the lowest-cost consultant or the off-shore resource (uhm, they call it global sourcing these days...), one has to wonder if they calculated the costs and loss of goodwill when someone doesn't do their job and secure the site?

    Just a curious question about expectations of top notch software from sub par developers. Doesn't that mean that the management chain is also sub par?

  3. Anonymous Coward
    FAIL

    Testing is not part of the...

    developers' contract, obviously - along with competence and project management.

    What you get when you buy the cheapest-written-in-Elbonia software.

  4. Steve Evans

    Not sure about the analogy...

    “Think of it as a mansion with a high-tech security system – that the front door wasn't locked tight,”

    Given that a valid login session was required, I think it might be better described as giving a new resident the keys to their house, which happen to fit every other lock in the city if they care to go and try!

    However you describe it, it's a pitifully bad way of securing any website, let alone a financial one!

    1. doperative
      Big Brother

      re: Not sure about the analogy

      Dear anonymous mod troll, what was wrong with the above comment?

      1. Sarah Bee (Written by Reg staff)

        Re: re: Not sure about the analogy

        Above comment?

        Mod troll?

      2. Steve Evans

        @doperative

        I have no idea, I notice even the most innocent comment can attract down votes on here.

        I probably upset someone on here and they now have some kind of petty down voting vengeance going on! Oh well, if it keeps them off the streets. :-)

        Thanks for coming to my defence though :-)

        1. Ian Michael Gumby

          @Steve

          Welcome to the club.

  5. Anonymous Coward
    Anonymous Coward

    The cheapest point to fix vulnerabilities

    is in dev, before go-live. A few quid on pen testing now saves a million in fines later. Why is it so difficult to convince people of this simple risk mitigation? I have to say a big thanks to Citi as, thanks to this glaring example, it will now be much easier to make the case for testing.

  6. Naich
    WTF?

    The article is wrong too

    The problem here is not that the account numbers were unencrypted - after all, account numbers are public knowledge once you write a cheque or do a bank transfer. The problem is that the account details could be requested by an unauthenticated person. This is gobsmackingly, unbelievably stupid.

    1. Anonymous Coward
      WTF?

      @Naich.. Public Knowledge?

      I don't think you quite understand what is meant by public knowledge.

      Public knowledge refers to something that is available to all of the public or easily obtained information that one could obtain publicly.

      When you do a transfer or transaction only the parties involved in the transaction know your account numbers. Unencrypted account numbers *is* a problem.

      You are correct that the ability of anyone to query the back end database about any other information is also a major problem.

      Either problem is a critical flaw, and neither would be a violation of the PCI spec.
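Steve Evans's "keys that fit every other lock" and Naich's point that account details could be requested for arbitrary accounts both describe the same class of bug: the site checks that a caller is logged in, then hands back whatever record the request names without checking that the record belongs to that caller. The following Python model, added here and not code from the article, from Citi, or from any commenter, puts the vulnerable handler beside the fixed one and runs the kind of enumeration the article describes against each. The account data, session tokens, user names and URL format are all constructed for the example; the only thing taken from the article is that a valid login session was required.

```python
"""
Added example (not from the article or any commenter): a minimal model of an
endpoint that authenticates the session but never authorizes the object,
beside the hardened version. All data, names and URLs below are constructed.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: two customers, two account records.
ACCOUNTS = {
    "1001": {"owner": "alice", "number": "4111 1111 1111 1111", "balance": 2500},
    "1002": {"owner": "bob",   "number": "5500 0000 0000 0004", "balance": 900},
}

# Constructed session store: session token -> authenticated user name.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def current_user(session_token):
    """Authentication only: which user does this session belong to?
    Returns None when the token is unknown (not logged in)."""
    return SESSIONS.get(session_token)


def account_id_from_url(url):
    """Pull the hypothetical 'acct' query parameter out of a request URL."""
    qs = parse_qs(urlparse(url).query)
    return qs.get("acct", [None])[0]


def vulnerable_handler(session_token, url):
    """Checks that the caller is logged in, then returns whatever account the
    URL names. That is the flaw: authentication without authorization."""
    user = current_user(session_token)
    if user is None:
        return 401, None
    acct = ACCOUNTS.get(account_id_from_url(url))
    if acct is None:
        return 404, None
    return 200, acct


def hardened_handler(session_token, url):
    """Same lookup, but the record is only returned if it belongs to the
    session's user. A non-owned id gets the same 404 as a nonexistent one,
    so the endpoint cannot even be used to confirm which ids exist."""
    user = current_user(session_token)
    if user is None:
        return 401, None
    acct = ACCOUNTS.get(account_id_from_url(url))
    if acct is None or acct["owner"] != user:
        return 404, None
    return 200, acct


def enumerate_accounts(handler, session_token, id_range):
    """Walk a range of account ids from one valid session and collect every
    card number the handler hands back. Against the vulnerable handler this
    returns everyone's records; against the hardened one, only your own."""
    found = {}
    for n in id_range:
        status, acct = handler(session_token, f"https://bank.example/acct?acct={n}")
        if status == 200:
            found[str(n)] = acct["number"]
    return found


if __name__ == "__main__":
    # Bob, logged in as himself, walks ids 1000..1009 against both handlers.
    print("vulnerable:", enumerate_accounts(vulnerable_handler, "sess-bob", range(1000, 1010)))
    print("hardened:  ", enumerate_accounts(hardened_handler, "sess-bob", range(1000, 1010)))
```

The design point is in `hardened_handler`: the ownership check lives in the same place as the lookup, and its failure is indistinguishable from a missing record. A scanner that iterates ids is what joe.user's comment is alluding to, and the vulnerable handler is exactly what such a scan lights up.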

  7. Anonymous Coward
    Anonymous Coward

    FT changed their article

    The Financial Times article referenced here has been changed to remove any reference to Java or Oracle. Wonder if they were asked to remove it or it was inaccurate. Certainly would help explain how full account numbers were captured if it is true.

  8. Mike Pellatt
    FAIL

    Things just don't change

    I remember the same basic mistakes being made repeatedly in UART (and their discrete predecessors) drivers, especially in the handling of multiple interrupts on noisy RS232 lines and XON/XOFF handling.

    DecSystem10, RSX-11M, Olivetti's S6000 mini, Unix Sys V.....

    It was clear that knowledge about this was kicking around, but the people who wrote the next OS were a set of new college grads without this previous experience.

    Seems we have the same lack of knowledge transfer to the people who Really Count today. Quelle surprise.

  9. Big Al
    Facepalm

    Ironically...

    Citibank is listed on OWASP's list of big name adopters.

    Oops!

  10. doperative
    Boffin

    flaw in the Java framework?

    > the Citi hackers also took advantage of a flaw in the Java programming framework to access information stored in an Oracle database maintained by the bank ..

    What flaw? (I preemptively mod me down first)

