Citi site easy to crack: hackers

Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.

Using the Citigroup customer website as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May.

That allowed them to capture the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers, security experts said, revealing for the first time details of one of the most brazen bank hacking attacks in recent years.

The case illustrates the threat posed by the rising demand for private financial information from the world of foreign hackers.

In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems repeated this exercise tens of thousands of times — allowing them to capture private data.

The method seems simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said. The security expert insisted on anonymity because the inquiry was at an early stage.

The financial damage to Citigroup and its customers is not yet clear. Sean Kevelighan, a bank spokesman, declined to comment on the details of the breach, citing the ongoing criminal investigation. In a statement, he said that Citigroup discovered the breach in early May and the problem was “rectified immediately.”

The expertise behind the attack, according to law enforcement officials and security experts, is a sign of what is likely to be a wave of more and more sophisticated breaches by high-tech thieves hungry for credit card numbers and other confidential information.

That is because demand for the data is on the rise. In 2008, the underground market for the data was flooded with more than 360 million stolen personal records, most of them credit and debit files. That compared with 3.8 million records stolen in 2010, according to a report by Verizon and the Secret Service, which investigates credit card fraud along with other law enforcement agencies like the Federal Bureau of Investigation.

©2011 The New York 
Times News Service