The theft of approximately 200,000 Citibank customer accounts may have been achieved by means of a simple manipulation of the Citibank URL. Security experts told The New York Times that the hackers were able to impersonate actual account holders by using a simple trick.
After a user logs into a valid account, the URL of the Citi Account Online system contains a string of numbers which represents the customer's account. By changing this string, the criminals were able to easily switch between multiple accounts and obtain private customer information. Using a script to automate this process allowed them to do so hundreds of thousands of times.
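
The flaw described above is a missing per-request ownership check: the site confirmed that someone was logged in, but not that the account number in the URL belonged to them. The Python sketch below is an added example, not Citibank's code or anything from the original article; the session table, account records, function names and review threshold are all constructed for illustration. It puts the unchecked lookup beside one that verifies ownership and records refusals so repeated attempts can be flagged.

```python
from collections import Counter

# Constructed sample data (not real accounts): session -> customer, account -> record.
SESSIONS = {"sess-a": "alice", "sess-b": "bob"}
ACCOUNTS = {
    "1000001": {"owner": "alice", "name": "Alice Example", "email": "alice@example.com"},
    "1000002": {"owner": "bob", "name": "Bob Example", "email": "bob@example.com"},
}


class Forbidden(Exception):
    """Raised when a request must not be served."""


def view_account_unchecked(session_token, account_id):
    """Flawed pattern: a valid login is required, but the account number
    taken from the URL is trusted without checking who owns it."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS[account_id]


def view_account_checked(session_token, account_id, denied):
    """Corrected pattern: serve the record only to its owner."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise Forbidden("not logged in")
    record = ACCOUNTS.get(account_id)
    # Same refusal for unknown and foreign accounts, so the response
    # does not reveal which account numbers exist.
    if record is None or record["owner"] != customer:
        denied.append(session_token)  # audit trail for monitoring
        raise Forbidden("account not available")
    return record


def sessions_to_review(denied, threshold=3):
    """Sessions with at least `threshold` refused lookups (threshold is an assumed value)."""
    return sorted(s for s, n in Counter(denied).items() if n >= threshold)
```
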
The attackers are said to have gained access to around one per cent of the bank's approximately 21 million credit card customers in North America. Details obtained in the attack included customer names, account numbers and email addresses. The hackers did not, however, gain access to the security codes for the credit cards or to the holders' Social Security numbers and birth dates.
Citibank says that it first discovered the break-in at the beginning of May during a routine check. The company has since reported it to criminal investigators and says it has stepped up its security. Citibank has not yet announced who it believes is responsible for the attack, but the security expert, who talked to The New York Times on condition of anonymity, says that he presumes they are from Eastern Europe.