Jun 15, 2011 16:41 GMT

Experts familiar with the investigation into the recent Citigroup security breach claim that hackers used URL manipulation to extract customer data.

According to a New York Times report, hackers stole information about 200,000 Citi credit card holders by exploiting a simple flaw in the company's Citi Account Online system.

Apparently, the URL of the customer information page carried the account number as a parameter, and the site never verified that the requested account belonged to the logged-in user. Simply changing the value in the URL returned details about other account holders.

The hackers wrote a script that iterated through possible account numbers and saved the data returned for those that actually existed.
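The flaw described above, as an added example in Python (it is not Citi's code and nothing here comes from the reports cited): a toy account-lookup handler in the vulnerable form, where the URL parameter alone selects the record, next to a hardened version that ties the lookup to the authenticated session and answers "missing" and "not yours" identically so the response cannot confirm which account numbers exist; the attacker's enumeration loop; and a simple check over constructed access-log lines that would flag such a run. The account numbers, names, the `/account?acct=` URL shape, the session IDs and the threshold are all assumptions made for this example.

```python
import re
from collections import defaultdict

# Constructed sample data standing in for a bank back end (made up for this example).
ACCOUNTS = {
    "40001": {"owner": "alice", "name": "Alice Example", "phone": "555-0100"},
    "40002": {"owner": "bob",   "name": "Bob Example",   "phone": "555-0101"},
    "40005": {"owner": "carol", "name": "Carol Example", "phone": "555-0102"},
}


class NotFound(Exception):
    pass


class Forbidden(Exception):
    pass


def vulnerable_account_view(session_user, account_number):
    """The flaw: the record is selected by the URL parameter alone.
    session_user is never consulted, so any logged-in user can read any account."""
    record = ACCOUNTS.get(account_number)
    if record is None:
        raise NotFound(account_number)
    return record


def hardened_account_view(session_user, account_number):
    """Looks the record up, then checks it belongs to the authenticated user.
    A missing account and someone else's account raise the same error, so the
    response does not reveal which account numbers are valid."""
    record = ACCOUNTS.get(account_number)
    if record is None or record["owner"] != session_user:
        raise Forbidden("no such account for this user")
    return record


def enumerate_accounts(view, session_user, start, stop):
    """The attacker's loop: try every number in a range, keep whatever comes back."""
    found = {}
    for n in range(start, stop):
        try:
            found[str(n)] = view(session_user, str(n))
        except (NotFound, Forbidden):
            continue
    return found


# Constructed access-log lines (assumed format: "<session> GET <path> <status>").
SAMPLE_LOG = (
    ["sess-a GET /account?acct=40001 200"]  # a customer viewing their own account
    + ["sess-b GET /account?acct=%d %s" % (n, "200" if str(n) in ACCOUNTS else "404")
       for n in range(40000, 40010)]  # an enumeration run against the vulnerable endpoint
)

LOG_RE = re.compile(r"^(?P<sess>\S+) GET /account\?acct=(?P<acct>\d+) (?P<status>\d{3})$")


def flag_enumeration(log_lines, max_distinct=5):
    """Flags sessions that request more distinct account numbers than a real
    customer plausibly holds. The threshold is an assumption for this example;
    a 404-heavy session is an even stronger signal, but this check catches the
    run even when the attacker only logs successful hits."""
    seen = defaultdict(set)
    for line in log_lines:
        m = LOG_RE.match(line)
        if m:
            seen[m["sess"]].add(m["acct"])
    return sorted(s for s, accts in seen.items() if len(accts) > max_distinct)


if __name__ == "__main__":
    print("vulnerable:", sorted(enumerate_accounts(vulnerable_account_view, "alice", 40000, 40010)))
    print("hardened:  ", sorted(enumerate_accounts(hardened_account_view, "alice", 40000, 40010)))
    print("flagged:   ", flag_enumeration(SAMPLE_LOG))
```

Against the vulnerable handler the loop harvests every existing account; against the hardened one it gets back only the caller's own. The ownership check is the fix; the identical error for missing and foreign accounts, plus the log check, are the extra layers that make an enumeration run slower and noisier rather than silent.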

Using this method they extracted the names, account numbers and contact information of about 1% of Citigroup's North American customers before the company discovered the attack during a routine check.

Citigroup defended the three-week delay in alerting customers by citing a 10-to-12-day internal investigation. In light of this new revelation, it is not clear why an attack of such low sophistication would have required such a long probe.

The same type of URL manipulation flaw was exploited in 2010 on AT&T's website to extract the email addresses and other details of iPad owners. Two hackers are currently facing criminal charges over that attack.

Given the plethora of security breaches and data leaks this year, some security experts have dubbed 2011 "the year of hacking." Tens of millions of consumers around the world have been affected so far by attacks against Sony and other companies, some of them carried out just for fun.

U.S. lawmakers have started working on legislation that would require companies to report any breaches in a timely manner. They would also be expected to maintain a minimum data security standard.