Citibank Hacked – Time to Stuff the Mattress


Is it time to declare anarchy of sorts by taking our hard-earned money from the bank and stuffing it in our mattresses? Today, more and more banks are being targeted by cyber criminals and there is no end in sight.

You can bet that Citibank is now backpedaling because of their recent attack by a group of hackers that resulted in a loss of Personally Identifiable Information for more than 200,000 customers. They say it only affected 1% of all its customers and only customers’ names, account numbers, contact details and email addresses were stolen in this breach. I feel better already, NOT! Even one person is too much, but 200,000, come on!

I dislike it when big corporations play down the significance of this attack. I also think Citibank is holding back the truth. Citibank is the world’s largest credit card provider (150,000,000) worldwide. This means that at least 1.5 million customer accounts were compromised. Do the math – 1 percent of 150 million. You would think a bank would get the math right.

I wouldn’t feel too secure being a customer at Citibank right now. The security hole was found during routine checking in early May. If this is the case, why did the bank wait so long to inform its customers? A communication should have been sent immediately after the assessment of the breach. It looks as though Citibank was covering it up so that the press didn’t get wind of this breach.

It makes me wonder how safe my information and money are in this day and age. One day, and soon, we all may be stuffing our money in our mattresses.


About the author: Frank Jovine







  1. If the big banks are not adequately protecting consumers’ credit card information, then it makes you wonder how safe your credit card info is at even the larger online stores such as Amazon, eBay or processors like PayPal.

    I just got through dealing with a stolen credit card purchase, hope there is not a round two. Even if they reimburse for the fraudulent payment, they may have dinged your credit as many people do not realize that once a person uses more than half of their credit limit, it negatively impacts their credit score which can then affect a home purchase or other important pending loan application.

  2. This shows hackers are smarter than the developers!
    I hope someday the developers make a completely secure system so that hackers get the boot.

  3. You are right Frank, this is very scary. We are not sure if it is still safe.

  4. It is scary that these banks are not as secure as most people think.

  5. When hackers will end

  6. This hack was done by simply the oldest trick in the book. I can’t believe that a programmer could make such a boneheaded move. It was done by changing the GET string to a different account. The GET string is the part of the URL after the question mark. For example, below is the URL to Google to search for ‘techjaws’.


    Changing the ‘techjaws’ to something else, searches for something else. Like this one for ‘tech’


    The breach required changing the part of the URL that had your account number to someone else’s account number. I’m too lazy to look up the actual URL string, but here’s an example: changing




    Would display the next account information. Citi wasn’t checking that the logged in user was actually logged into that specific account, just that the user was logged into ANY account. That means something as simple as an incorrectly entered bookmark by any person would put that person into someone else’s account. It’s mindbogglingly stupid that this hole would exist; on a major banking site no less.

    So all someone had to do was go through trying numbers in sequence, downloading data all the way. A simple script could download hundreds of thousands of accounts in a few minutes.

    I would bet that Citi noticed when a log showed 1 IP accessing thousands of accounts. Then, when Citi figured it out, they didn’t notify anyone right away because they needed to fix the security hole.

    • Evadman,

      Very nice write up and it’s the simplest things that these sites overlook that put us all in harm’s way. Nice write up and one that could be used as an article follow up.

  7. I think the banks should be looking at getting the hackers on their payroll!
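
The check that comment 6 says was missing (the site confirmed a user was logged in, but not that the requested account belonged to that user), shown beside the corrected check and a log review of the kind that comment guesses at. This is an added Python example, not code from the original post or from Citi; the users, account numbers, function names and log format are all constructed for illustration.

```python
from collections import defaultdict

# Constructed data: accounts owned by each logged-in user, and account contents.
OWNED = {"alice": {"1001"}, "bob": {"1002", "1003"}}
ACCOUNTS = {"1001": "alice's card", "1002": "bob's checking", "1003": "bob's savings"}


class Forbidden(Exception):
    """Raised when the request is not allowed for the session user."""


def view_account_flawed(session_user, account_id):
    # Flaw from the comment: only checks that the user is logged into ANY account.
    if session_user not in OWNED:
        raise Forbidden("login required")
    return ACCOUNTS[account_id]


def view_account_checked(session_user, account_id):
    # Fix: the account number taken from the URL must belong to the session user.
    if account_id not in OWNED.get(session_user, set()):
        raise Forbidden("account not owned by session user")
    return ACCOUNTS[account_id]


def flag_enumeration(log_lines, threshold=3):
    """Return IPs that requested at least `threshold` distinct accounts
    not owned by the session user making the request."""
    foreign = defaultdict(set)
    for line in log_lines:
        ip, user, account_id = line.split()
        if account_id not in OWNED.get(user, set()):
            foreign[ip].add(account_id)
    return sorted(ip for ip, accts in foreign.items() if len(accts) >= threshold)


# Constructed access log: "<source ip> <session user> <account id from URL>".
SAMPLE_LOG = [
    "203.0.113.7 bob 1002",
    "203.0.113.7 bob 1003",
    "198.51.100.9 alice 1001",
    "198.51.100.9 alice 1002",
    "198.51.100.9 alice 1003",
    "198.51.100.9 alice 1004",
    "198.51.100.9 alice 1005",
]

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

With the ownership check in place every foreign request is refused, so the same log review becomes a count of denied requests per source rather than a count of leaked records.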