Select your localized edition:

Close ×

More Ways to Connect

Discover one of our 28 local entrepreneurial communities »

Be the first to know as we launch in new countries and markets around the globe.

Interested in bringing MIT Technology Review to your local market?

MIT Technology ReviewMIT Technology Review - logo


Unsupported browser: Your browser does not meet modern web standards. See how it scores »

{ action.text }

If you’ve ever been exploring the Web and manually altered part of the URL in your browser’s address bar—say, to access a different folder on Flickr, or a different friend’s profile on Facebook—you’ve performed the simple technique that hackers recently used to compromise more than 360,000 bank accounts from Citigroup.

This spring, according to the New York Times, hackers with legitimate Citi credit card accounts logged in to the website and noticed that the URLs displayed data unique to each account. By changing a few digits in the URL, the hackers found themselves inside other people’s accounts without ever having to log in as those people. From there, they used custom software to automatically substitute account numbers, enabling them to access many accounts in a short time, the Times reported. (Citigroup declined to comment beyond a statement acknowledging that the hackers obtained names, account numbers, e-mail addresses, and transaction histories.)

Bruce Schneier, chief technologist for the telecommunications company BT, says that preventing the URL from displaying account-specific information is “kindergarten security.” Security researcher L. Jean Camp of Indiana University agrees that the hack was remarkably simple. “Can you believe it?” she says.

Which raises a question: How could a sophisticated financial institution—one that has been hacked before—let something like this happen? Essentially, it built a vault of solid steel and used balsa wood for the door.

Balkanization inside Citigroup may have played a part. Large organizations, Camp says, usually have separate groups for customer service and network security. In a typical company, employees know that certain tasks must always go through certain departments—all personnel changes through Human Resources, for instance. But such a “gatekeeping” role does not always exist for security. This means that a customer service group might design a Web page for credit card holders without necessarily running it past security first. Camp has consulted with at least one major company in which the user interface team said, regarding its design, “If we add security, we’ll break it.” Security is usually called in only in response to a threat or breach, Camp notes.

2 comments. Share your thoughts »

Credit: Technology Review

Tagged: Business, Business Impact, Securing Data

Reprints and Permissions | Send feedback to the editor

From the Archives


Introducing MIT Technology Review Insider.

Already a Magazine subscriber?

You're automatically an Insider. It's easy to activate or upgrade your account.

Activate Your Account

Become an Insider

It's the new way to subscribe. Get even more of the tech news, research, and discoveries you crave.

Sign Up

Learn More

Find out why MIT Technology Review Insider is for you and explore your options.

Show Me