Details have emerged about the recent Citigroup hack in which over 200,000 accounts were compromised. Basically, after the hackers log in as a credit card customer, they changed a number in the address bar URL that identified each customer’s account (ie, citigroup.com/user/1234). From there, they ran an automated script thousands of times that allowed them to infiltrate and collect the private information of customers.
Using this simple technique, hackers were able to collect customers’ names, account numbers, email adresses, and entire transaction histories. According to the New York Times, not every breach results in a crime. Despite that, identity theft remains the number one complaint to the Federal Trade Commission for the past 11 years, with 1.34 million cases in 2010.
Citigroup spokesman Sean Kevelighan released a statement explaining that an ongoing investigation is still under way. He reports that the breach was discovered in early May and that the problem has been “rectified immediately.” Since then, the bank has initiated internal fraud alerts and is increasing its attention monitoring the security of user’s accounts.
Thieves Found Citigroup Site an Easy Entry[The New York Times]