Citi Hack Unsophisticated?

According to the New York Times, a recent breach that exposed the private data “of more than 200,000 Citi customers” was a relatively simple attack.

“In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.”

If the above is true (seems like there may be some details missing) then Citi’s developers clearly failed to do a minimum level of application code review, which should have included testing for common vulnerabilities outlined in the OWASP Top 10. More specifically, it appears Citi’s failure was in authentication and/or session management, which OWASP clearly defines as a high risk. Year after year, the Verizon Data Breach Investigations Report consistently recommends companies “Test and review web applications” and this year is no different. On p. 66 of the 2011 DBIR, Verizon states,

“SQL injection attacks, cross-site scripting, authentication bypass, and exploitation of session variables contributed to nearly half of breaches attributed to hacking or network intrusion. As with everything else, put out the fires first: even lightweight web application scanning and testing would have found many of the problems that led to major breaches in the past year.”

Until more details are released, I’m going to assume that Citi didn’t bother to do a quick automated scan and, given the potential value of Citi’s assets, that is unacceptable.
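To make the failure the Times describes concrete, here is an added example (my own illustration, not Citi’s code): a handler that trusts an account number taken from the URL, the hardened version that checks the logged-in session actually owns that account, and a simple log check that flags one session walking through many different account numbers. The account data, user names and log lines are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: account number -> (owner user id, record).
ACCOUNTS = {
    "4000-0001": ("alice", {"owner": "alice", "balance": 120.50}),
    "4000-0002": ("bob",   {"owner": "bob",   "balance": 9800.00}),
    "4000-0003": ("carol", {"owner": "carol", "balance": 42.00}),
}

def vulnerable_view(session_user, account_no):
    """The flaw: the user is authenticated, but the account number comes
    straight from the address bar and is never tied to the session, so any
    logged-in user can read any account."""
    entry = ACCOUNTS.get(account_no)
    return None if entry is None else entry[1]

def hardened_view(session_user, account_no):
    """Authorize against the session: return data only for accounts the
    logged-in user owns. Unknown and foreign accounts look identical, so an
    enumerator cannot even learn which numbers exist."""
    entry = ACCOUNTS.get(account_no)
    if entry is None or entry[0] != session_user:
        return None
    return entry[1]

# Constructed access-log lines: "<session id> <account number requested>".
SAMPLE_LOG = [
    "s1 4000-0001", "s1 4000-0002", "s1 4000-0003", "s1 4000-0004",
    "s1 4000-0005",
    "s2 4000-0001", "s2 4000-0001",
]

def enumeration_sessions(log_lines, threshold=3):
    """Detection: sessions that requested more distinct account numbers than
    a legitimate customer plausibly holds. The threshold is an assumption to
    tune per site; the point is that one session touching many accounts is
    the signal the Times' description implies."""
    seen = defaultdict(set)
    for line in log_lines:
        session, account_no = line.split()
        seen[session].add(account_no)
    return sorted(s for s, accts in seen.items() if len(accts) > threshold)
```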

References:
http://www.nytimes.com/2011/06/14/technology/14security.html
https://www.owasp.org/index.php/Top_10_2010
https://www.owasp.org/index.php/Top_10_2010-A3
http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2011_en_xg.pdf
