Last week Citi was forced to admit that its online banking system had been hacked, resulting in tens of thousands of accounts being breached. That breach was so huge it accounted for 1% of the bank’s North American customers.
“While Citigroup insisted the breach had been limited, experts called it the largest direct attack on a major U.S. financial institution,” Reuters reported.
And the scary thing is — apparently getting into the system was ridiculously easy for the hackers.
The bank’s security system itself is pretty sophisticated, according to the New York Times, but the thieves went in through the customer website, which makes the hacking akin to this: “Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.”
Here’s how the hackers did it, according to the NYT:
In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar.
The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data. The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said.
Does the above comment make anyone else suspect this might have been an inside job?
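The flaw the NYT describes above is a missing ownership check: the site looked up whatever account number appeared in the address bar without confirming it belonged to the logged-in customer. The following is an added illustration, not code from the article or from Citi, showing that handler beside its hardened form and a simple log check that would flag one session walking through many account numbers; the account table, session names and log format are all constructed.

```python
# Added example (not from the article): the unchecked lookup described above,
# the same lookup with an ownership check, and a detector for sessions that
# request many distinct account ids. All data here is constructed.
from collections import defaultdict

# Constructed ownership table: which customer owns which card account.
ACCOUNTS = {
    "4111-0001": {"owner": "alice", "balance": 120.50},
    "4111-0002": {"owner": "bob", "balance": 9800.00},
    "4111-0003": {"owner": "carol", "balance": 15.00},
}

def view_account_vulnerable(session_user, account_id):
    """Trusts the account id from the URL: any logged-in user can read any account."""
    acct = ACCOUNTS.get(account_id)
    return None if acct is None else acct["balance"]

def view_account_hardened(session_user, account_id):
    """Returns the balance only if the account belongs to the authenticated user."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        # Same response for 'missing' and 'not yours', so the id space is not mapped.
        return None
    return acct["balance"]

def flag_enumeration(log_lines, threshold=3):
    """Return sessions that requested more than `threshold` distinct account ids.

    Constructed log line format: '<session> GET /cards/account?id=<account_id>'.
    A customer views a handful of their own accounts; a script that walks
    the id space touches far more in one session.
    """
    seen = defaultdict(set)
    for line in log_lines:
        session, _, path = line.split(" ", 2)
        if "id=" in path:
            seen[session].add(path.split("id=", 1)[1])
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)

# Constructed access log: one normal session, one stepping through ids.
SAMPLE_LOG = [
    "sess-A GET /cards/account?id=4111-0001",
    "sess-A GET /cards/account?id=4111-0001",
    "sess-B GET /cards/account?id=4111-0001",
    "sess-B GET /cards/account?id=4111-0002",
    "sess-B GET /cards/account?id=4111-0003",
    "sess-B GET /cards/account?id=4111-0004",
]

if __name__ == "__main__":
    print(view_account_vulnerable("alice", "4111-0002"))  # 9800.0, another customer's balance
    print(view_account_hardened("alice", "4111-0002"))    # None
    print(flag_enumeration(SAMPLE_LOG))                   # ['sess-B']
```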
Anyway, the Independent’s Stephen Foley cautioned people against freaking out about the hacking. While the breach was large in terms of quantity, the qualitative consequence was less so:
For all the security breaches, few have resulted in actual fraud on people’s accounts. In the Citigroup case, those three-digit security codes on the back of its customers’ cards were stored separately. So were their social security numbers, and the expiry dates of their cards. The likelihood of discovering a fraudulent transaction on a Citigroup card is low.
Now there are calls in Washington for a total reassessment of online bank security. The banks will hate it.
“Banks and credit card companies have tolerated a certain amount of fraud in their systems because the cost of additional security would not justify the potential savings,” according to Reuters.