Citigroup has so far come off looking good in how it has fought off its website breach — 99% of its cardholders were unaffected, and a recent New York Times story portrayed Citi as the victim of "a team of sophisticated thieves" — but the approach of Citi's foes wasn't all that sophisticated.
The attack, according to the Times, involved replacing some text in the website's address bar to gain access to other users' accounts. In security terms this is an insecure direct object reference: the server accepted an account identifier from the URL and served the matching account without checking that the logged-in user actually owned it. The technique has been well-publicized for years.
In 2002, for example, Barnes & Noble's website had a flaw that allowed users to access one another's accounts by replacing some text in the address bar. Barnes & Noble fixed the flaw in August 2002 and, under a 2004 agreement with then-New York Attorney General Eliot Spitzer, agreed to pay $60,000 in penalties over it.
According to reports at the time, the Barnes & Noble exposure stemmed from its decision to avoid using cookie files to store user data, instead putting this information in the address bar in plain text. Putting the identifier in the URL made it visible and trivially editable, but the root cause was the server trusting that value at all; moving the same identifier into a cookie would not by itself have fixed anything, since a cookie can be edited just as easily. The fix is to tie the account lookup to the authenticated session on the server side.
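To make the flaw concrete, here is an added example (not code from the article, from Citi, or from Barnes & Noble) of an account page that trusts an `acct` parameter in the URL, next to the same page with the ownership check the articles describe as missing. The account numbers, user names, session cookies and the `acct` parameter name are all assumptions chosen for illustration; `enumerate_accounts` does what editing the address bar amounts to, walking account ids from one logged-in session.

```python
"""Insecure direct object reference: an account id taken from the URL and trusted.

Added example; all data below is constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed sample data: two cardholders with hypothetical account numbers.
ACCOUNTS: Dict[int, dict] = {
    1001: {"owner": "alice", "card_last4": "4242", "balance": 120.50},
    1002: {"owner": "bob", "card_last4": "9876", "balance": 3400.00},
}
# Constructed session store: session cookie value -> authenticated user.
SESSIONS: Dict[str, str] = {"sess-alice": "alice", "sess-bob": "bob"}


@dataclass
class Request:
    url: str             # what the user sees and can edit in the address bar
    session_cookie: str  # opaque session cookie sent by the browser


def account_id_from_url(url: str) -> Optional[int]:
    """Pull the `acct` query parameter out of the URL; None if absent or non-numeric."""
    raw = parse_qs(urlsplit(url).query).get("acct", [None])[0]
    return int(raw) if raw is not None and raw.isdigit() else None


def vulnerable_view(req: Request) -> Tuple[int, dict]:
    """Authenticates the session, then serves whatever account the URL names."""
    user = SESSIONS.get(req.session_cookie)
    if user is None:
        return 401, {"error": "login required"}
    acct = ACCOUNTS.get(account_id_from_url(req.url))
    if acct is None:
        return 404, {"error": "no such account"}
    return 200, acct  # BUG: never checks that `user` owns `acct`


def hardened_view(req: Request) -> Tuple[int, dict]:
    """Same endpoint with an ownership check tied to the authenticated session."""
    user = SESSIONS.get(req.session_cookie)
    if user is None:
        return 401, {"error": "login required"}
    acct_id = account_id_from_url(req.url)
    if acct_id is None:
        return 400, {"error": "bad account id"}
    acct = ACCOUNTS.get(acct_id)
    # One response for "does not exist" and "not yours", so the status code
    # does not confirm which account numbers are valid.
    if acct is None or acct["owner"] != user:
        return 404, {"error": "no such account"}
    return 200, acct


def enumerate_accounts(view, session_cookie: str, id_range: range) -> List[str]:
    """What address-bar editing amounts to: walk account ids from one session
    and record the owner of every account the view hands back."""
    leaked = []
    for acct_id in id_range:
        status, body = view(Request(f"/account?acct={acct_id}", session_cookie))
        if status == 200:
            leaked.append(body["owner"])
    return leaked


if __name__ == "__main__":
    print("vulnerable:", enumerate_accounts(vulnerable_view, "sess-alice", range(1000, 1010)))
    print("hardened:  ", enumerate_accounts(hardened_view, "sess-alice", range(1000, 1010)))
```

Two practical notes on the hardened version: the ownership check belongs in the data-access layer so that every endpoint that takes an account id (statements, transfers, card replacement) inherits it rather than each view remembering to add it, and making account ids unguessable is defense in depth only, not a substitute for the check.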
In a separate incident at AT&T, customers registering new iPhones last year found themselves in each other's accounts by accident.
A Citi spokeswoman declined to provide comment on the specifics of the hack when I emailed her this morning.
TowerGroup's George Tubin said, "a lot of times companies don't test for that [website flaw], and they need to test for that to a pretty deep level … it's kind of a surprise that a company like Citi would have that vulnerability."
Gartner Inc.'s Avivah Litan agrees that the attack on Citi "just doesn't sound that complicated."
Citi likely used a system to detect unusual account activity and stop it, explaining why only 1% of accounts were affected by a flaw that could have reached many more, she said. The only reason hackers got away with the data they did is that their technology moved faster.
"The problem with these [intrusion detection] systems is: they listen in real time, but they don't block in real time," she said.
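As an added illustration of the detect-versus-block distinction Litan draws (this is not code from the article or from Citi, and nothing is known about what Citi's monitoring actually looked for), the example below runs one rule, "a single session touching more than a handful of distinct account ids within a short window", over constructed web access log lines. `enumeration_alerts` is the after-the-fact form that raises an alert per session; `blocked_requests` enforces the same rule in line and returns which requests would have been refused. The log format, session names, account numbers and the threshold and window values are all assumptions.

```python
"""Account-enumeration detection over web access logs: alerting vs. in-line blocking.

Added example; the log lines and thresholds are constructed for illustration.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone
from typing import Deque, Dict, List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed log lines: timestamp, session cookie, method, path, status.
# sess-alice views her own account, then walks neighbouring account ids;
# sess-bob only ever touches his own account.
LOG_LINES = """\
2011-06-10T09:00:00Z sess-alice GET /account?acct=1001 200
2011-06-10T09:00:05Z sess-alice GET /statements?acct=1001 200
2011-06-10T09:00:12Z sess-alice GET /account?acct=1002 200
2011-06-10T09:00:13Z sess-alice GET /account?acct=1003 200
2011-06-10T09:00:14Z sess-alice GET /account?acct=1004 200
2011-06-10T09:00:15Z sess-alice GET /account?acct=1005 200
2011-06-10T09:00:16Z sess-alice GET /account?acct=1006 404
2011-06-10T09:00:17Z sess-alice GET /account?acct=1007 200
2011-06-10T09:30:00Z sess-bob   GET /account?acct=2002 200
2011-06-10T09:31:00Z sess-bob   GET /statements?acct=2002 200
""".splitlines()

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)\s+(\d{3})$")


def parse_line(line: str) -> Optional[Tuple[datetime, str, Optional[str], int]]:
    """Return (timestamp, session, acct-or-None, status), or None for an unparseable line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, sess, _method, path, status = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    acct = parse_qs(urlsplit(path).query).get("acct", [None])[0]
    return when, sess, acct, int(status)


class EnumerationGuard:
    """Sliding-window count of distinct account ids per session.

    Requests are counted regardless of status: a run of 404s is probing too.
    """

    def __init__(self, window_s: int = 60) -> None:
        self.window_s = window_s
        self.seen: Dict[str, Deque[Tuple[datetime, str]]] = defaultdict(deque)

    def observe(self, when: datetime, sess: str, acct: str) -> int:
        """Record one request and return how many distinct accounts this
        session has touched inside the window ending at `when`."""
        q = self.seen[sess]
        q.append((when, acct))
        while (when - q[0][0]).total_seconds() > self.window_s:
            q.popleft()
        return len({a for _, a in q})


def enumeration_alerts(lines: List[str], max_distinct: int = 3, window_s: int = 60) -> Dict[str, int]:
    """After-the-fact detection: session -> peak distinct-account count, for
    sessions that exceeded max_distinct inside one window."""
    guard = EnumerationGuard(window_s)
    alerts: Dict[str, int] = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[2] is None:
            continue
        when, sess, acct, _status = rec
        n = guard.observe(when, sess, acct)
        if n > max_distinct:
            alerts[sess] = max(alerts.get(sess, 0), n)
    return alerts


def blocked_requests(lines: List[str], max_distinct: int = 3, window_s: int = 60) -> List[int]:
    """The same rule applied in line: 0-based indexes of the requests that
    would have been refused had the check run before the account was served."""
    guard = EnumerationGuard(window_s)
    blocked: List[int] = []
    for i, line in enumerate(lines):
        rec = parse_line(line)
        if rec is None or rec[2] is None:
            continue
        when, sess, acct, _status = rec
        if guard.observe(when, sess, acct) > max_distinct:
            blocked.append(i)
    return blocked


if __name__ == "__main__":
    print("alerts:", enumeration_alerts(LOG_LINES))
    print("would block request indexes:", blocked_requests(LOG_LINES))
```

Run over the constructed lines, the alerting form reports sess-alice only after the whole run has been logged, while the in-line form would have refused the fourth distinct account and everything after it; the first four accounts are served either way, which is the gap between listening and blocking that the quote is about. In production the threshold has to allow for legitimate multi-account customers, and the in-line check is a complement to, not a replacement for, the per-request ownership check that removes the flaw itself.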