All one needed to access other users’ information was a Citigroup account and a lot of spare time. After logging into the Citigroup credit card customer area of the site, accessing the information of other customers was simply a matter of replacing the account number in the browser’s URL bar with another number.
In short, potential thieves just needed a few lucky guesses to take other customers’ money.
This explains why the attack wasn’t spotted until May: it was the equivalent of a “no forced entry” break-in, using horribly lax authentication to access parts of the site without circumventing security measures.
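The flaw described above, reduced to a minimal sketch (an added example, not Citigroup's code; the account data, function names and alert threshold are constructed for illustration). The first handler returns whatever account number arrives in the URL; the second checks ownership against the logged-in session and records denied lookups, so repeated guessing shows up in monitoring.

```python
from dataclasses import dataclass

# Constructed sample data: account number -> owner and details.
ACCOUNTS = {
    "4000001": {"owner": "alice", "email": "alice@example.com"},
    "4000002": {"owner": "bob", "email": "bob@example.com"},
}


@dataclass
class Session:
    user: str  # identity established at login


class Forbidden(Exception):
    pass


def view_account_vulnerable(session, account_number):
    """The flaw: being logged in is the only check performed."""
    if session is None:
        raise Forbidden("login required")
    # The account number comes straight from the URL and is trusted as-is.
    return ACCOUNTS[account_number]


def view_account_hardened(session, account_number, audit_log):
    """Authorize the requested account against the session's user."""
    if session is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_number)
    # Same error for "does not exist" and "not yours", so responses
    # do not confirm which account numbers are valid.
    if record is None or record["owner"] != session.user:
        audit_log.append((session.user, account_number))
        raise Forbidden("no such account")
    return record


def flag_enumeration(audit_log, threshold=3):
    """Return users with at least `threshold` denied account lookups."""
    counts = {}
    for user, _number in audit_log:
        counts[user] = counts.get(user, 0) + 1
    return sorted(u for u, n in counts.items() if n >= threshold)
```
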
If this is what online banks deem to be a secure system, I think I’ll put my cash under my mattress and sleep with a shotgun. Even with my non-existent aiming abilities, it’ll be safer.