The hackers who recently attacked Citigroup and made of with the details of 200,000 customers used an extremely rudimentary attack that anyone could’ve pulled off, the Daily Mail reports.
All one needed to access other users’ information was a Citigroup account and a lot of spare time. After logging into the Citigroup credit card customer area of the site, accessing the information of other customers was simply a matter of replacing the account number in the browser’s URL bar with another number.
In short, potential thieves just needed a few lucky guesses to take other customer’s money.
This explains why the attack wasn’t spotted until May: it was the equivalent of a “no forced entry” break-in, using horribly lax authentication to access parts of the site without circumventing security measures.
If this is what online banks deem to be a secure system, I think I’ll put my cash under my mattress and sleep with a shotgun. Even with my non-existent aiming abilities, it’ll be safer.
Get the TNW newsletter
Get the most important tech news in your inbox each week.