Feeds

Citigroup hack exploited easy-to-detect web flaw

Brute force attack exposes 200,000 accounts

3 Big data security analytics techniques

Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator.

The New York Times reported that the technique allowed the hackers to leapfrog from account to account on the Citi website by changing the numbers in the URLs that appeared after customers had entered valid usernames and passwords. The hackers wrote a script that automatically repeated the exercise tens of thousands of times, the NYT said in an article published Monday.

“Think of it as a mansion with a high-tech security system – that the front door wasn't locked tight,” reporters Nelson D. Schwartz and Eric Dash wrote.

The underlying vulnerability, known as an insecure direct object reference, is so common that it's included in the Top 10 Risks list compiled by the Open Web Application Security Project. It results when developers expose direct references to confidential account numbers instead of using substitute characters to ensure the account numbers are kept private.

“That's an easy attack to detect, and they just didn't do it,” Jeff Williams, the CEO of Aspect Security and the OWASP chair, told The Reg. “It's a really common flaw.”

In addition to rewriting apps so accounts are never referenced directly, Citi could have detected the hack attack as it was commenced by employing code that automatically reported users who repeatedly fed suspicious characters into website URLs.

A Citigroup spokesman told the NYT the breach was discovered in early May and “rectified immediately.” There was no mention of whether, or how often, the site was subjected to audits by outside security experts.

With the proliferation of high-profile attacks hitting Sony, RSA Security, Lockheed Martin and more than a dozen other companies in the past year, it's worth remembering that many exploited simple flaws that were easy to spot. For example, Albert Gonzalez, the hacker who stole data for hundreds of millions of credit card users, pierced the defenses of some of the world's biggest payment processors by wielding SQL-injection attacks that exploited simple flaws in web applications.

Latvian hackers did much the same thing against US brokerage D.A. Davidson in 2007.

Unfortunately, easy to detect or exploit doesn't necessarily mean inexpensive to fix, so many companies have little incentive to find and correct the bugs until it's too late.

The Citi hackers also took advantage of a flaw in the Java programming framework to access information stored in an Oracle database maintained by the bank, The Financial Times reported Tuesday. An unnamed investigator told the FT the situation was “alarming,” given the wide use of Java and the database software, which are both offered by Oracle.

US authorities are demanding information from Citigroup in the wake of the epic blunder, which exposed the names, account numbers, email addresses and transaction histories of more than 200,000 customers, the FT added. Here's hoping the officials make the Owasp top 10 list required reading for all Citi developers. ®

3 Big data security analytics techniques

More from The Register

next story
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Putin tells Snowden: Russia conducts no US-style mass surveillance
Gov't is too broke for that, Russian prez says
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
Heartbleed exploit, inoculation, both released
File under 'this is going to hurt you more than it hurts me'
Reddit users discover iOS malware threat
'Unflod Baby Panda' looks to snatch Apple IDs
prev story

Whitepapers

Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Top three mobile application threats
Learn about three of the top mobile application security threats facing businesses today and recommendations on how to mitigate the risk.
Combat fraud and increase customer satisfaction
Based on their experience using HP ArcSight Enterprise Security Manager for IT security operations, Finansbank moved to HP ArcSight ESM for fraud management.