Yet Another Hack - This Time on Citigroup

SenseiSteve · Post #1 (**permalink**) 06-09-2011, 03:03 PM

Yet another hack - this is getting ridiculous how high profile companies are being hacked and holding back on notifying their clients. See this story on CNN Money.

Artashes · Post #2 (**permalink**) 06-09-2011, 03:31 PM

Quote:

The latest known hack, which occurred more than a month ago, was announced this morning: Citigroup (C) said information for about 210,000 customers, or 1% of its credit-card holders in North America, was stolen.

And they let people know over a month later??? Are they kidding me? Unacceptable.

HostLeet · Post #3 (**permalink**) 06-10-2011, 08:37 PM

How can a company that big be so irresponsible and wait that long?

I don't understand..

Over 200K customer credit card numbers stolen, and they let their customers know a month later??!!.. Makes me wonder if they actually hacked themselves...

PaulJ · Post #4 (**permalink**) 06-14-2011, 04:44 PM

Its Bad that a reputable organization like citigroup dont have their servers hardened ed and Secured .

Paul0130 · Post #5 (**permalink**) 06-14-2011, 09:30 PM

Shocking, I wonder how the clients feel.

handsonhosting · Post #6 (**permalink**) 06-16-2011, 12:47 PM

So I take it these companies that are hacked are not following proper PCI Compliance guidelines and limiting the access to databases as required

It always blows my mind to see these large companies getting hacked and thousands of users affected as a result.

Not good to not send out a notice of the hack - that's bad business on their part. They require their clients to report if their card is stolen, so shouldn't the bank be required to do the same!

handsonhosting · Post #7 (**permalink**) 06-16-2011, 12:49 PM

Quote:

THE HACKING of Citibank that led to the exposure of 360,000 customers' credit card details was made by simply altering the bank's URL.
When users log into the Citi Account Online system the URL changes to include a series of numbers relevant to the user's account. However, it was discovered that someone could access another's account by simply changing those numbers, according to The New York Times.
The hackers used this remarkably simple technique to hop from account to account and they even developed a script to automate the hack for them. It's difficult to even call it a hack, as it's like copying and slightly changing a key and using it on a neighbour's front door.

SERIOUSLY? It couldn't have been that easy now could it?

Read more: http://www.theinquirer.net/inquirer/...-altering-urls

csn-uk · Post #8 (**permalink**) 06-17-2011, 11:51 AM

Quote:

Originally Posted by handsonhosting

SERIOUSLY? It couldn't have been that easy now could it?

Read more: http://www.theinquirer.net/inquirer/...-altering-urls

Almost Fell of my chair after reading the first line of the article, can't be possible that a "BANK" is passing session and account data within the URL to begin with let alone not verifying accounts VS active sessions.

What next, are they going to print peoples pin number on the back of the cards as well

?

SenseiSteve · Post #9 (**permalink**) 06-20-2011, 08:57 AM

Quote:

Originally Posted by csn-uk

Almost Fell of my chair after reading the first line of the article, can't be possible that a "BANK" is passing session and account data within the URL to begin with let alone not verifying accounts VS active sessions.

What next, are they going to print peoples pin number on the back of the cards as well

?

It is crazy, isn't it? It really is amazing how so many businesses lack adequate security. I can't tell you how many times I've done a security audit for small mom and pops to find unsecured wireless networks.

ServerSea · Post #10 (**permalink**) 06-21-2011, 08:03 PM

I guess, companies suffer such issues just because of over confidence other wise carelessness towards security is just ridiculous.