Tuesday, June 14, 2011
More than 200,000 Citi credit card customers had their accounts hacked earlier this month. The thieves got their names, account numbers, e-mail addresses and transaction histories. The fascinating part of the story is that the criminal element came in through what was essentially an unlocked front door: the main customer service website.
This site is publicly open and available to all of Citi's customers. The hackers exploited a flaw in the number strings of the site's URLs. When the site redirects its customers internally, it uses their credit card number as part of the page's identifier. The credit card thieves were able to exploit this vulnerability by writing code that inserted potential credit card numbers into these long URL strings, over and over, until they hit actual account numbers. When they did, the customer's private credit card data was all theirs.
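To make the flaw concrete, here is an added example (not code from the article or from Citi) modelling the two ways a customer page can resolve "which account": trusting the identifier in the URL, as described above, versus resolving the account only from the authenticated session. Account numbers, session tokens and the access log are constructed sample data, and the function names are hypothetical.

```python
import secrets

# Constructed sample data: account number -> customer record
ACCOUNTS = {
    "4000000000000001": {"name": "Alice", "history": ["coffee 3.50"]},
    "4000000000000002": {"name": "Bob", "history": ["books 42.00"]},
}
# Constructed sessions: opaque login token -> account the user logged in as
SESSIONS = {"tok-alice": "4000000000000001", "tok-bob": "4000000000000002"}


def vulnerable_account_view(session_token, url_account_number):
    """Returns whatever account the URL names. Being logged in is checked,
    but ownership is not, so any session can read any account number."""
    if session_token not in SESSIONS:
        return None  # not logged in at all
    return ACCOUNTS.get(url_account_number)  # BUG: no ownership check


def hardened_account_view(session_token, url_account_number=None):
    """Resolves the account from the session, never from the client.
    A URL identifier, if still present, must match the session owner."""
    owner = SESSIONS.get(session_token)
    if owner is None:
        return None
    # Constant-time compare so a mismatch does not leak via timing.
    if url_account_number is not None and not secrets.compare_digest(
        owner, url_account_number
    ):
        return None
    return ACCOUNTS[owner]


def enumeration_suspects(access_log, threshold=5):
    """Defender's check over (session_token, url_account_number) log rows:
    flags sessions that asked for more distinct account identifiers than
    one customer plausibly owns, the signature of the probing described above."""
    seen = {}
    for token, acct in access_log:
        seen.setdefault(token, set()).add(acct)
    return sorted(t for t, accts in seen.items() if len(accts) >= threshold)
```

The hardened view makes the URL number redundant; the access-log check is what would have shown one session walking through thousands of identifiers.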
The only good news? Citi reports that the attackers were unable to obtain expiration dates or the three-digit security code on the back of the cards, making the stolen data more difficult to use.
Read more here in the New York Times.