Thousands of Citigroup's credit card customers saw their account information compromised last week, and all it took was a browser and changing a few numbers in the URL string after logging into a valid account. That's according to an unnamed security expert talking to The New York Times, but if true, it's an embarrassing oversight from Citi that highlights how careless or oblivious the company was when it came to securing its systems.
According to the report, attackers were able to penetrate the bank's defenses by first logging on to the site reserved for its credit card customers using a valid username and password. Once inside, since the website apparently failed to hide actual account numbers in the URL string, attackers simply used a script to change these numbers and automatically jump from account to account while harvesting any identifiable information.
This type of vulnerability is known as "Insecure Direct Object References" and it's so common that it ranks as the fourth most critical vulnerability on the Open Web Application Security Project's top ten list of security risks in 2010.
How they missed such a flaw and failed to notice a spike in web requests with bogus combinations of numbers is anyone's guess, but with hackers actively probing networks for weaknesses, other companies had better get ready.
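The flaw described above, as an added illustration that is not Citi's code or anything from the report: a minimal account-lookup handler with the insecure direct object reference, the ownership check and per-user indirect reference that close it, and a simple log heuristic for the enumeration pattern the article says went unnoticed. All account numbers, users and log lines are constructed sample data.

```python
# Added example (not from the article): an insecure direct object reference in an
# account-lookup handler, two ways to fix it, and a detection heuristic over
# constructed access-log lines. Framework-free so it runs stand-alone.
from collections import defaultdict

# Constructed sample data: account number -> (owner user id, card record).
ACCOUNTS = {
    "4000111": ("alice", "card ending 1111"),
    "4000112": ("bob",   "card ending 2222"),
    "4000113": ("carol", "card ending 3333"),
}

def lookup_vulnerable(session_user, account_in_url):
    """IDOR: the account number comes straight from the URL and is never
    checked against the logged-in user, so any customer can read any account."""
    return ACCOUNTS.get(account_in_url)

def lookup_fixed(session_user, account_in_url):
    """Fix 1: authorize every object reference against the session's user."""
    record = ACCOUNTS.get(account_in_url)
    if record is None or record[0] != session_user:
        return None          # deny; a 404 here also avoids leaking existence
    return record

def resolve_indirect(session_user, index):
    """Fix 2 (OWASP-style indirect reference): the URL carries a position in
    the user's own account list, never a real account number."""
    owned = [a for a, (owner, _) in ACCOUNTS.items() if owner == session_user]
    return ACCOUNTS[owned[index]] if 0 <= index < len(owned) else None

# Constructed access-log lines: session user, requested account, HTTP status.
LOG = """alice 4000111 200
bob 4000112 200
alice 4000112 200
alice 4000113 200
alice 4000114 404
alice 4000115 404"""

def enumeration_suspects(log_text, threshold=3):
    """Flag sessions touching more distinct account ids than a genuine customer
    would; the spike of sequential and bogus numbers is the signal to alert on."""
    seen = defaultdict(set)
    for line in log_text.strip().splitlines():
        user, account, _status = line.split()
        seen[user].add(account)
    return sorted(u for u, accts in seen.items() if len(accts) >= threshold)
```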
Citigroup says that it first discovered the break-in at the beginning of May during a routine check. After internally analyzing the full extent of the breach the company began notifying customers and replacing credit cards in June. More than 360,000 customers were affected by the breach and credit cards have been reissued to 217,657 accounts.