This article was published on June 15, 2011


    Citigroup ‘hack’ turns out to be simple enough for your grandmother to exploit

    Story by Joel Falconer

    Joel Falconer is the Features Editor at TNW. He lives on the Gold Coast, Australia with his wife and three kids and can sometimes be found gaming or consulting.

    The hackers who recently attacked Citigroup and made off with the details of 200,000 customers used an extremely rudimentary attack that anyone could’ve pulled off, the Daily Mail reports.

    All one needed to access other users’ information was a Citigroup account and a lot of spare time. After logging into the Citigroup credit card customer area of the site, accessing the information of other customers was simply a matter of replacing the account number in the browser’s URL bar with another number.

    In short, potential thieves just needed a few lucky guesses to take other customers’ money.

    This explains why the attack wasn’t spotted until May: it was the equivalent of a “no forced entry” break-in, using horribly lax authentication to access parts of the site without circumventing security measures.
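The flaw described above, as an added example that is not Citigroup's code or part of the original article: a lookup that requires a login but trusts the account number from the URL, beside a version that checks ownership, plus a log review that flags sessions requesting accounts they do not own. All function names, account numbers and log entries are constructed for illustration.

```python
# Added illustration: every name and value below is constructed for the example.
from collections import defaultdict

# Constructed data: account number -> owning user and stored details.
ACCOUNTS = {
    "4000001": {"owner": "alice", "email": "alice@example.com"},
    "4000002": {"owner": "bob", "email": "bob@example.com"},
}
# Constructed request log: (logged-in user, account number taken from the URL).
SAMPLE_LOG = [("alice", "4000001"), ("bob", "4000002"),
              ("bob", "4000001"), ("bob", "4000003")]


class Forbidden(Exception):
    """Raised when the request must be refused."""


def view_account_unchecked(session_user, account_no):
    """The flaw as reported: a login is required, but the account number
    from the URL is trusted without comparing it to the session."""
    if session_user is None:
        raise Forbidden("login required")
    return ACCOUNTS[account_no]


def view_account_checked(session_user, account_no):
    """Corrected form: the record must belong to the logged-in user."""
    if session_user is None:
        raise Forbidden("login required")
    record = ACCOUNTS.get(account_no)
    # Same refusal for "no such account" and "not yours", so the reply
    # does not confirm which account numbers exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden("not authorised for this account")
    return record


def users_outside_own_accounts(access_log, threshold=1):
    """Review (session_user, account_no) requests and return the users who
    asked for at least `threshold` account numbers they do not own."""
    foreign = defaultdict(set)
    for user, account_no in access_log:
        record = ACCOUNTS.get(account_no)
        if record is None or record["owner"] != user:
            foreign[user].add(account_no)
    return sorted(u for u, seen in foreign.items() if len(seen) >= threshold)
```

With the ownership check in place the request fails at the server, and the log review gives operations a signal even where an unchecked endpoint is still deployed.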

    If this is what online banks deem to be a secure system, I think I’ll put my cash under my mattress and sleep with a shotgun. Even with my non-existent aiming abilities, it’ll be safer.