Citigroup has so far come off looking good in how it has fought off its website breach — 99% of its cardholders were unaffected, and a recent
The attack, according to the Times, involved replacing some text in the website's address bar to gain access to other users' accounts — a technique that has been well-publicized for years.
In 2002, for example, Barnes & Noble's
According to reports at the time, the Barnes & Noble exposure stemmed from its decision to avoid using cookie files to store user data, instead putting this information in the address bar in plain text.
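The flaw class described in both incidents above, an account identifier read from the address bar and trusted without checking who is asking, is shown here as an added example next to the server-side ownership check that closes it. This is not code from Citi or Barnes & Noble; the handler names, session tokens and account records are constructed assumptions.

```python
# Added illustration: constructed data and hypothetical names throughout.
ACCOUNTS = {  # account id (as it would appear in the URL) -> record
    "1001": {"owner": "alice", "name": "Alice A.", "email": "alice@example.com"},
    "1002": {"owner": "bob", "name": "Bob B.", "email": "bob@example.com"},
    "1003": {"owner": "carol", "name": "Carol C.", "email": "carol@example.com"},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}  # session token -> logged-in user


def view_account_vulnerable(session_token, url_account_id):
    """Trusts the id from the address bar: any logged-in user can read any account."""
    if session_token not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(url_account_id)
    return (200, record) if record else (404, None)


def view_account_hardened(session_token, url_account_id):
    """Checks server-side that the session's user owns the requested account."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    record = ACCOUNTS.get(url_account_id)
    # Same response for "missing" and "not yours", so valid ids are not revealed.
    if record is None or record["owner"] != user:
        return 404, None
    return 200, record


def cross_account_exposures(handler, session_token):
    """Regression check for a test suite: ids this session can read but does not own."""
    user = SESSIONS[session_token]
    exposed = []
    for account_id, record in ACCOUNTS.items():
        status, body = handler(session_token, account_id)
        if status == 200 and body is not None and record["owner"] != user:
            exposed.append(account_id)
    return exposed


if __name__ == "__main__":
    print("vulnerable:", cross_account_exposures(view_account_vulnerable, "sess-alice"))
    print("hardened:  ", cross_account_exposures(view_account_hardened, "sess-alice"))
```

Run against a staging copy of a real handler, a check like `cross_account_exposures` should return an empty list for every session.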
In a separate incident at AT&T, customers registering new iPhones last year
A Citi spokeswoman declined to provide comment on the specifics of the hack when I emailed her this morning.
TowerGroup's George Tubin said, "a lot of times companies don't test for that [website flaw], and they need to test for that to a pretty deep level … it's kind of a surprise that a company like Citi would have that vulnerability."
Gartner Inc.'s Avivah Litan agrees that the attack on Citi "just doesn't sound that complicated."
Citi likely used a system to detect unusual account activity and stop it, explaining why only 1% of accounts were affected by a flaw that could have reached many more, she said. The only reason hackers got away with the data they did is that their technology moved faster.
"The problem with these [intrusion detection] systems is: they listen in real time, but they don't block in real time," she said.