There are two very worrying aspects to this report of a hack on a Citigroup website. The first is the ease with which customers’ financial information was obtained. The hackers “leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar.”
If one of the largest banks in the world can leave themselves open to that old trick, what hope is there for thousands of other online services dealing in personal and financial data? If the report is accurate, there is a defence against this so obvious it would make any novice web programmer blush to have missed it: if you match the given account number against the logged-in user, you can check whether they should have access, defeating any attempt to “leapfrog” to another account.
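The check described above, as an added example that is not from the post or from Citi’s code: a minimal account view that trusts the number in the address bar, beside a version that matches it against the logged-in user. The `acct` parameter name and the sample accounts are constructed for the illustration.

```python
# Added example: account lookup without and with an ownership check.
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account number -> owning user and balance.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500.00},
    "1002": {"owner": "bob", "balance": 120.50},
    "1003": {"owner": "alice", "balance": 9000.00},
}

class Forbidden(Exception):
    """Raised when the logged-in user does not own the requested account."""

def account_from_url(url: str) -> str:
    """Read the account number from the 'acct' query parameter (constructed URL format)."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    if len(values) != 1:
        raise ValueError("exactly one acct parameter expected")
    return values[0]

def view_account_vulnerable(session_user: str, url: str) -> dict:
    """Trusts the number in the address bar: any logged-in user can read any account."""
    return ACCOUNTS[account_from_url(url)]

def view_account_fixed(session_user: str, url: str) -> dict:
    """Checks that the requested account belongs to the logged-in user before returning it."""
    acct = account_from_url(url)
    record = ACCOUNTS.get(acct)
    # One error for both "no such account" and "not your account", so the
    # response does not tell a caller which account numbers exist.
    if record is None or record["owner"] != session_user:
        raise Forbidden(f"user {session_user!r} may not view account {acct!r}")
    return record

def can_view(session_user: str, url: str) -> bool:
    """True if the fixed handler lets session_user see the account named in url."""
    try:
        view_account_fixed(session_user, url)
        return True
    except Forbidden:
        return False

if __name__ == "__main__":
    url = "https://bank.example/account?acct=1002"
    print(view_account_vulnerable("alice", url)["balance"])  # bob's balance leaks
    print(can_view("alice", url))  # False once the check is in place
```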
But hey, don’t we all make mistakes? Yes we do – so where are the layers of specialised QA that a corporation with assets of $337 billion should have in place for a website storing a “vast reservoir of personal financial data”?
Secondly, the New York Times quotes an expert who tells us it is “hard to prepare for this type of vulnerability” and that the attackers are “especially ingenious.” Who is this anonymous expert, and where can I get a cushy job like this telling big companies it’s not their fault? Possibly the reason “the thieves knew to focus on this particular vulnerability” is because hackers know standards are so low that it’s worth their time targeting the obvious potential holes.
Basic errors, lack of testing, expert and media ignorance. Where does this leave us when our whole lives are stored online?