Citibank Hacked – Time to Stuff the Mattress

by on 06/09/2011 in Security, Vulnerabilities

Is it time to declare anarchy of sorts by taking our hard-earned money from the bank and stuffing it in our mattresses? Today, more and more banks are being targeted by cyber criminals and there is no end in sight.

You can bet that Citibank is now backpedaling because of the recent attack by a group of hackers that resulted in the loss of personally identifiable information for more than 200,000 customers. They say it only affected 1% of all its customers and that only customers’ names, account numbers, contact details and email addresses were stolen in this breach. I feel better already, NOT! Even one person is too many, but 200,000, come on!

I dislike it when big corporations play down the significance of an attack like this. I also think Citibank is holding back the truth. Citibank is the world’s largest credit card provider (150,000,000 worldwide). This means that at least 1.5 million customer accounts were compromised. Do the math: 1 percent of 150 million. You would think a bank would get the math right.

I wouldn’t feel too secure being a customer at Citibank right now. The security hole was found during routine checking in early May. If that is the case, why did the bank wait so long to inform its customers? A communication should have been sent immediately after the breach was assessed. It looks as though Citibank was covering it up so that the press didn’t get wind of it.

It makes me wonder how safe my information and money are in this day and age. One day, and soon, we all may be stuffing our money in our mattresses.

12 Responses to “Citibank Hacked – Time to Stuff the Mattress”

  1. James

    Jun 10th, 2011

    If the big banks are not adequately protecting consumers’ credit card information, then it makes you wonder how safe your credit card info is at even the larger online stores such as Amazon, eBay or processors like PayPal.

    I just got through dealing with a stolen credit card purchase, hope there is not a round two. Even if they reimburse for the fraudulent payment, they may have dinged your credit as many people do not realize that once a person uses more than half of their credit limit, it negatively impacts their credit score which can then affect a home purchase or other important pending loan application.

    • Frank Jovine

      Jun 10th, 2011

      James,

      It is scary that these banks are not as secure as most people think.

  2. Jhonny

    Jun 11th, 2011

    This shows hackers are smarter than the developers!
    I hope someday the developers make a completely secure system so that hackers get the boot.

  3. Social Media Marketing

    Jun 12th, 2011

    You are right Frank, this is very scary. We are not sure if it is still safe.

    • Frank Jovine

      Jun 13th, 2011

      Douglas,

      Just be careful with what you share on the net.

  4. Jack Nicholson

    Jun 14th, 2011

    It is scary that these banks are not as secure as most people think.

  5. Aşk

    Jun 14th, 2011

    When will hackers end?

    • Frank Jovine

      Jun 14th, 2011

      Ask,

      It will never end or at least not in my life time.

  6. Evadman

    Jun 15th, 2011

    This hack was done with simply the oldest trick in the book. I can’t believe that a programmer could make such a boneheaded move. It was done by changing the GET string to a different account. The GET string is the part of the URL after the question mark. For example, below is the URL to Google to search for ‘techjaws’.

    http://www.google.com/search?q=techjaws

    Changing ‘techjaws’ to something else searches for something else, like this one for ‘tech’:

    http://www.google.com/search?q=tech

    The breach required changing the part of the URL that had your account number to someone else’s account number. I’m too lazy to look up the actual URL string, but here’s an example: changing

    http://citi.com/account.aspx?account=12345

    to

    http://citi.com/account.aspx?account=12346

    would display the next account’s information. Citi wasn’t checking that the logged-in user was actually logged into that specific account, just that the user was logged into ANY account. That means something as simple as an incorrectly entered bookmark by any person would put that person into someone else’s account. It’s mind-bogglingly stupid that this hole would exist, on a major banking site no less.

    So all someone had to do was go through trying numbers in sequence, downloading data all the way. A simple script could download hundreds of thousands of accounts in a few minutes.

    I would bet that Citi noticed when a log showed 1 IP accessing thousands of accounts. Then, when Citi figured it out, they didn’t notify anyone right away because they needed to fix the security hole.

    • Frank Jovine

      Jun 15th, 2011

      Evadman,

      Very nice write-up, and it’s the simplest things that these sites overlook that put us all in harm’s way. Nice write-up and one that could be used as an article follow-up.
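The authorization bug Evadman describes above (any logged-in session can read any account number in the query string) next to the ownership check that closes it, plus the log check for the "one IP, many accounts" pattern he guesses tripped Citi. This is an added illustration, not code from the post or from Citi; the account store, session table, handler names and log format are all constructed for the example.

```python
# Added example (not Citi's code): the missing-ownership-check bug Evadman
# describes, the fix, and a detector for one IP walking many account numbers.
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account number -> (owner, balance).
ACCOUNTS = {12345: ("alice", 1500), 12346: ("bob", 80), 12347: ("carol", 9000)}
SESSIONS = {"sess-a": "alice"}          # session token -> logged-in user

# Constructed access-log sample: "<client ip> <request url>"
SAMPLE_LOG = [
    "10.0.0.5 /account.aspx?account=12345",
    "10.0.0.5 /account.aspx?account=12345",
    "198.51.100.7 /account.aspx?account=12345",
    "198.51.100.7 /account.aspx?account=12346",
    "198.51.100.7 /account.aspx?account=12347",
]

def account_id_from_url(url):
    """Pull ?account=NNN out of a URL like /account.aspx?account=12345."""
    qs = parse_qs(urlparse(url).query)
    return int(qs["account"][0])

def view_account_vulnerable(session, url):
    """Only checks that *some* user is logged in, never who owns the account."""
    if session not in SESSIONS:
        return 401, None
    acct = account_id_from_url(url)
    return 200, ACCOUNTS.get(acct)       # any logged-in user can read any account

def view_account_fixed(session, url):
    """Ownership check: the requested account must belong to the session's user."""
    user = SESSIONS.get(session)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(account_id_from_url(url))
    # Same 404 whether the account is missing or simply not yours, so the
    # response does not reveal which account numbers exist.
    if record is None or record[0] != user:
        return 404, None
    return 200, record

def ips_touching_many_accounts(log_lines, threshold=3):
    """Flag source IPs that requested >= threshold distinct account numbers."""
    seen = defaultdict(set)
    for line in log_lines:
        ip, url = line.split()[:2]       # constructed format: "<ip> <url>"
        seen[ip].add(account_id_from_url(url))
    return {ip for ip, accts in seen.items() if len(accts) >= threshold}
```

The fixed handler answers 404 rather than 403 for a foreign account so that a rejected request does not confirm that the number is a live account.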

  7. John

    Jun 27th, 2011

    I think the banks should be looking at getting the hackers on their payroll!

    • Frank Jovine

      Jun 27th, 2011

      John,

      I have said that before, and I am sure many sophisticated hackers are on the government’s payroll today.