We all know how hacks work. First, you gleam the cube. That’s step one. Once you’ve gleamed as hard as you can, you kickflip off that rail and into a payphone booth. From there, you can access the “web” anonymously with your state of the art portable computing machine. Once you’re in the web, it’s a simple smash and grab… in a city made of data. Antiviral programs try to stop your Virtual Avatar Virus by shooting it with ‘bullets’ made of purified code. If you can make it past them, though, it’s smooth sailing. You just need to make sure your download counts down before the meatspace cops are alerted by the corporate white-hat tools.
What’s surprising is that actually, many hackers forgo that whole rigamarole and just look for really, really dumb security holes that massive corporations manage to leave because they’ve got the same understanding of computers my grandmother does.
Citigroup, a massive multinational banking concern, was recently hacked. 200,000 accounts had information stolen. How, you ask, did this massive theft occur?
Well, see the address bar in your browser? It should say either “troublethinking.wordpress.com” or “troublethinking.wordpress.com/2011/06/15/citigroup-hacked-in-seriously-embarrassing-manner”
Okay, take that and replace it with “troublethinking.wordpress.com/2011/05/09/spacechem-is-half-off-on-steam/”
Oh my! Oh my word, you moved to another page! It gets so lonely when you’re away.
So Citigroup had pages which displayed your account number in the URL. Someone thought “Hunh. Wonder what happens if I change the number?”
Turns out, it brought you to a new page. As though you’d logged in to another account.
One automated script that ran through a ton of likely account numbers and plugged each one into the address bar later, and yeah, lots and lots of personal information was stolen. Because Citigroup apparently stopped paying attention halfway through the intro to web design seminar.
They’re pretending it was unforeseeable because they know that most people are willing to assume “hacking” is something difficult to understand or pull off. This wasn’t difficult or intricate or devious, it was just people poking at a door and finding out it wasn’t just unlocked, it was opened. With milk and cookies on the other side, and a friendly note.
I mean, the New York Times article says
The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
No. No, that isn’t a mark of an ingenious attack. It’s the mark of someone looking at the URL, which is, you know, a very common, completely known method of gaining access to things you’re not supposed to. In fact, it’s listed on the Top Ten Risks by the Open Web Application Security Project. It’s number 4: “Insecure Direct Object References”.
Wow, that seems to be considered not at all fucking ingenious. Hey though, it’s not like they use this exact situation as an example or anyt- oh wait
The application uses unverified data in a SQL call that is accessing account information:
// The query is parameterised, so this is not SQL injection...
String query = "SELECT * FROM accts WHERE account = ?";
PreparedStatement pstmt = connection.prepareStatement(query , … );
// ...but 'acct' comes straight from the request, with no check that it belongs to the logged-in user
pstmt.setString( 1, request.getParameter("acct"));
ResultSet results = pstmt.executeQuery();
The attacker simply modifies the ‘acct’ parameter in their browser to send whatever account number they want. If not verified, the attacker can access any user’s account, instead of only the intended customer’s account.
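To make the hole concrete, here is an added example (mine, not Citigroup’s code and not the OWASP snippet above) of both the “change the number in the URL” trick described earlier and the OWASP pattern just quoted, in Python with an in-memory SQLite table instead of Java and a real bank database. The table, the account numbers, the customer names and the function names are all made up for the illustration. Note that the vulnerable version already uses a parameterised query, so this was never a SQL injection problem: the query is fine, the missing piece is the line that ties the requested account to whoever is actually logged in.

```python
import sqlite3

# Constructed sample data: four accounts belonging to three customers.
# Hypothetical numbers and names, not real data.
SAMPLE_ACCOUNTS = [
    ("40000001", "alice", 1200.50),
    ("40000002", "bob", 87.00),
    ("40000003", "carol", 99999.99),
    ("40000004", "alice", 15.25),
]


def make_db():
    """Build an in-memory SQLite database holding the constructed accounts."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE accts (account TEXT PRIMARY KEY, owner TEXT, balance REAL)"
    )
    conn.executemany("INSERT INTO accts VALUES (?, ?, ?)", SAMPLE_ACCOUNTS)
    return conn


def vulnerable_lookup(conn, session_user, acct_param):
    """The insecure direct object reference: the query is parameterised, so
    there is no SQL injection, but session_user is never consulted. Whoever
    is logged in gets whatever row matches the 'acct' value they typed."""
    row = conn.execute(
        "SELECT account, owner, balance FROM accts WHERE account = ?",
        (acct_param,),
    ).fetchone()
    return row


def hardened_lookup(conn, session_user, acct_param):
    """Same query, but the row must also belong to the authenticated user.
    Putting the ownership check in the query itself means there is no
    fetch-then-authorise window in which the wrong row can slip out."""
    row = conn.execute(
        "SELECT account, owner, balance FROM accts "
        "WHERE account = ? AND owner = ?",
        (acct_param, session_user),
    ).fetchone()
    return row


def enumerate_accounts(conn, lookup, session_user, start, count):
    """Play the attacker: walk a range of likely account numbers through the
    given lookup, the way the post describes, and collect whatever comes back.
    Returns the list of (account, owner, balance) rows the handler exposed."""
    leaked = []
    for n in range(start, start + count):
        row = lookup(conn, session_user, str(n))
        if row is not None:
            leaked.append(row)
    return leaked


def demo():
    """Bob is logged in and legitimately owns only 40000002. Run the same
    enumeration against both handlers and return what each one gave up."""
    conn = make_db()
    vuln = enumerate_accounts(conn, vulnerable_lookup, "bob", 40000000, 10)
    safe = enumerate_accounts(conn, hardened_lookup, "bob", 40000000, 10)
    return {"vulnerable": vuln, "hardened": safe}


if __name__ == "__main__":
    result = demo()
    print("vulnerable handler leaked", len(result["vulnerable"]), "accounts")
    print("hardened handler leaked", len(result["hardened"]), "accounts")
```

Against the vulnerable handler a ten-number sweep hands Bob all four accounts, including Alice’s and Carol’s; against the hardened one he gets exactly his own row and nothing else, because the extra `AND owner = ?` clause makes every other account number look like it doesn’t exist. That one clause is the whole difference between “seemingly simple” and “actually secure”.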
But I mean it must have been amazingly unlikely and ingenious or else you might start demanding Citigroup figure out how to actually secure your data instead of just taking your money and leaving you to twist in the wind.
What I’m saying I guess is if you’re banking with Citigroup, feel free to demand an explanation. And maybe cancel some things with them, because so far they’ve only revealed that “about 1%” of customers had information stolen. They may not have bothered to contact you, much in the same way Sony decided you shouldn’t worry your pretty little head about your credit card getting stolen.