The New York Times reported that Citigroup’s customer Web site was hacked – this hack enabled the thieves to access personal financial information of over 200,000 Citi customers. How did they do it? They manipulated the web site address of Citi’s web site for credit card customers and got the information.
The process the thieves used was not complicated, but the amazing part is that they knew of the vulnerability in Citi’s defenses and leveraged that security hole to their advantage.
The NY Times writes:
In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.
Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.
The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
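The flaw the article describes is what application-security people call an insecure direct object reference: the site checked that the visitor was logged in, then trusted whatever account number appeared in the address bar. The following is an added example, not code from Citi or from the article, showing that pattern beside the fixed version that checks the account belongs to the logged-in user. The account table, session tokens, user names and balances are all constructed sample data.

```python
"""Added example (not from the article): an insecure direct object reference
(IDOR) in an account-lookup handler, beside a hardened version that checks
ownership. Accounts, sessions and balances are constructed sample data."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    number: str
    owner: str     # user id of the customer who owns this account
    balance: int   # cents; constructed value


# Constructed stand-in for the bank's account database.
ACCOUNTS = {
    "4000001": Account("4000001", "alice", 12_500),
    "4000002": Account("4000002", "bob", 9_000),
    "4000003": Account("4000003", "carol", 30_100),
}

# Constructed session table: session token -> authenticated user id.
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class AuthError(Exception):
    pass


def vulnerable_view(session_token: str, account_number: str) -> Account:
    """The pattern the article describes: the handler confirms the caller is
    logged in, then trusts the account number taken from the URL. Any
    authenticated customer can read any account by editing that parameter."""
    if session_token not in SESSIONS:
        raise AuthError("login required")
    try:
        return ACCOUNTS[account_number]
    except KeyError:
        raise AuthError("no such account") from None


def hardened_view(session_token: str, account_number: str) -> Account:
    """Same handler with an authorization check: the account must belong to
    the authenticated user. Unknown and foreign accounts produce the same
    error so the response does not reveal which account numbers exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise AuthError("login required")
    account = ACCOUNTS.get(account_number)
    if account is None or account.owner != user:
        raise AuthError("not found")
    return account


def demo() -> dict:
    """Bob reads Alice's account through the vulnerable handler, is refused
    by the hardened one, and can still read his own account."""
    results = {"vulnerable_leak": vulnerable_view("tok-bob", "4000001").owner}
    try:
        hardened_view("tok-bob", "4000001")
        results["hardened_leak"] = True
    except AuthError:
        results["hardened_leak"] = False
    results["hardened_own"] = hardened_view("tok-bob", "4000002").owner
    return results


if __name__ == "__main__":
    print(demo())
```

The essential change is a single line: the lookup is keyed on both the requested account and the authenticated user, so an edited URL parameter returns nothing the caller is not entitled to. Returning the same "not found" for foreign and nonexistent accounts also stops the response from confirming which numbers are real.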
What can you do?
- Ensure you hire a security expert to carefully review your custom-built online applications – this security expert should work closely with your programmer.
- For hosted applications from a vendor, ask the vendor how secure their product is and if all known security holes are plugged.
- Monitor your web site logs for any unusual activity. You might not be able to do this yourself, but you can work with a company that can help, such as Verisign.
- Do regular vulnerability scans of your web sites and online applications. Your IT consultant can help you with this or you can look online for a reputable vendor who can help – here.
- Consider using a company such as ProPay who has tools and services to help secure credit card and other information on THEIR services so you don’t have to.
These are just a few things you can do.
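The log-monitoring advice above becomes concrete once you know what the Citi-style activity looks like in a web server log: one client pulling a large number of different account numbers in a very short time. The following is an added example, not part of the article, that parses constructed access-log lines and flags any client that requests more than a threshold of distinct account numbers within a one-minute window. The log format, the `/cards/account?acct=` path, the IP addresses and the threshold are all assumptions made for the example.

```python
"""Added example (not from the article): flag the enumeration pattern the
article describes by scanning web access logs. Log lines, path and
threshold are constructed assumptions."""

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in a common access-log shape:
# client_ip - - [timestamp] "METHOD path HTTP/1.1" status bytes
SAMPLE_LOG = """\
10.0.0.5 - - [11/Jun/2011:10:00:01 +0000] "GET /cards/account?acct=4000001 HTTP/1.1" 200 812
10.0.0.5 - - [11/Jun/2011:10:00:02 +0000] "GET /cards/account?acct=4000002 HTTP/1.1" 200 798
10.0.0.5 - - [11/Jun/2011:10:00:02 +0000] "GET /cards/account?acct=4000003 HTTP/1.1" 200 805
10.0.0.5 - - [11/Jun/2011:10:00:03 +0000] "GET /cards/account?acct=4000004 HTTP/1.1" 200 811
10.0.0.5 - - [11/Jun/2011:10:00:03 +0000] "GET /cards/account?acct=4000005 HTTP/1.1" 200 790
10.0.0.5 - - [11/Jun/2011:10:00:04 +0000] "GET /cards/account?acct=4000006 HTTP/1.1" 200 801
10.0.0.5 - - [11/Jun/2011:10:00:04 +0000] "GET /static/logo.png HTTP/1.1" 200 5120
192.0.2.9 - - [11/Jun/2011:10:00:05 +0000] "GET /cards/account?acct=4000042 HTTP/1.1" 200 799
192.0.2.9 - - [11/Jun/2011:10:05:10 +0000] "GET /cards/account?acct=4000042 HTTP/1.1" 200 799
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \d+'
)
ACCT_RE = re.compile(r"[?&]acct=(\d+)")   # assumed query parameter name
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, account_number) for an account lookup, or None
    for lines that are not account lookups (static files, malformed lines)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    acct = ACCT_RE.search(m.group("path"))
    if not acct:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts, acct.group(1)


def find_enumerators(log_text, window=timedelta(minutes=1), threshold=5):
    """Flag clients that request more than `threshold` distinct account
    numbers inside any `window`. Returns {ip: distinct_count_in_worst_window}.
    A customer viewing their own one or two accounts never trips this;
    a script walking account numbers does within seconds."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed:
            ip, ts, acct = parsed
            events[ip].append((ts, acct))

    flagged = {}
    for ip, hits in events.items():
        hits.sort()
        worst = 0
        # Slide a window starting at each request; count distinct accounts.
        for i, (start, _) in enumerate(hits):
            seen = {acct for ts, acct in hits[i:] if ts - start <= window}
            worst = max(worst, len(seen))
        if worst > threshold:
            flagged[ip] = worst
    return flagged


if __name__ == "__main__":
    for ip, count in find_enumerators(SAMPLE_LOG).items():
        print(f"ALERT {ip}: {count} distinct accounts within one minute")
```

Keying the count on distinct account numbers rather than raw request volume is what separates enumeration from a busy but legitimate customer refreshing one page. In practice the client key would be the session or login name rather than the IP, since many customers share addresses behind corporate and carrier NAT, and the alert would feed whatever SIEM or monitoring service the site already uses.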