If you’ve ever been exploring the Web and manually altered part of the URL in your browser’s address bar—say, to access a different folder on Flickr, or a different friend’s profile on Facebook—you’ve performed the simple technique, now usually called an insecure direct object reference, that hackers recently used to compromise more than 360,000 Citigroup credit card accounts.
This spring, according to the New York Times, hackers with legitimate Citi credit card accounts logged in to the website and noticed that the URLs displayed data unique to each account. By changing a few digits in the URL, the hackers found themselves inside other people’s accounts without ever having to log in as those people. The site, in other words, checked that a visitor was logged in but not that the account it was asked to show belonged to that visitor. From there, they used custom software to automatically substitute account numbers, enabling them to access many accounts in a short time, the Times reported. (Citigroup declined to comment beyond a statement acknowledging that the hackers obtained names, account numbers, e-mail addresses, and transaction histories.)
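To make the flaw concrete, here is an added example, not code from the article and not Citigroup's: a toy account-lookup handler written the way the Times report implies the real one behaved, beside a hardened version, and an enumeration loop of the kind the attackers automated. The account data, session tokens, URL shape (`?acct=`), and the host `bank.example` are all constructed for illustration.

```python
"""Insecure direct object reference: vulnerable handler vs. hardened handler.

Added example, not from the original article. All data below is constructed.
"""
from urllib.parse import urlparse, parse_qs

# Constructed sample data: which customer owns which account.
ACCOUNTS = {
    "1000001": {"owner": "alice", "name": "Alice Example", "balance": 120.00},
    "1000002": {"owner": "bob",   "name": "Bob Example",   "balance": 3400.00},
    "1000003": {"owner": "carol", "name": "Carol Example", "balance": 15.25},
}

# Constructed sessions: session token -> authenticated customer.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def account_id_from_url(url):
    """Pull the account number out of a URL like .../account?acct=1000001."""
    query = parse_qs(urlparse(url).query)
    return query.get("acct", [None])[0]


def vulnerable_view(url, session_token):
    """The flaw: the handler authenticates but never authorises.

    It confirms that *someone* is logged in, then serves whatever account
    number appears in the URL. Returns (http_status, record_or_None).
    """
    if session_token not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(account_id_from_url(url))
    if record is None:
        return 404, None
    return 200, record          # any logged-in customer reads any account


def hardened_view(url, session_token):
    """The fix: bind the requested object to the authenticated principal.

    Ownership is checked server-side against the session, not against
    anything the client sent. "Does not exist" and "not yours" get the same
    status so the URL cannot be used to discover which numbers are valid.
    """
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(account_id_from_url(url))
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def enumerate_accounts(view, session_token, start, count):
    """Automated substitution of account numbers, as the attackers did.

    Walks a range of sequential account numbers with one valid session and
    collects every account the handler is willing to hand back.
    """
    found = {}
    for number in range(start, start + count):
        url = f"https://bank.example/account?acct={number}"
        status, record = view(url, session_token)
        if status == 200:
            found[str(number)] = record["name"]
    return found


if __name__ == "__main__":
    # Alice's single session against both handlers.
    print("vulnerable:", enumerate_accounts(vulnerable_view, "sess-alice", 1000000, 10))
    print("hardened:  ", enumerate_accounts(hardened_view, "sess-alice", 1000000, 10))
```

Against the vulnerable handler, Alice's session alone recovers every account in the range; against the hardened one she sees only her own. Note what the fix is: an ownership check on the server, not hiding the number from the URL. Replacing sequential numbers with random, opaque identifiers is worth doing as defence in depth against enumeration, but on its own it only makes the guessing slower.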
Bruce Schneier, chief technologist for the telecommunications company BT, says that preventing the URL from displaying account-specific information is “kindergarten security.” Security researcher L. Jean Camp of Indiana University agrees that the hack was remarkably simple. “Can you believe it?” she says.
Which raises a question: How could a sophisticated financial institution—one that has been hacked before—let something like this happen? Essentially, it built a vault of solid steel and used balsa wood for the door.
Balkanization inside Citigroup may have played a part. Large organizations, Camp says, usually have separate groups for customer service and network security. In a typical company, employees know that certain tasks must always go through certain departments—all personnel changes through Human Resources, for instance. But such a “gatekeeping” role does not always exist for security. This means that a customer service group might design a Web page for credit card holders without necessarily running it past security first. Camp has consulted with at least one major company in which the user interface team said, regarding its design, “If we add security, we’ll break it.” Security is usually called in only in response to a threat or breach, Camp notes.