Jun 22 in Uncategorized Written by: 2K Networking
>Back in 1998 & 1999, while working at MindSpring, myself and a large number of co-workers were testing a new web-email product called “SpringMail”. A group of very observant co-workers paid attention to the browser URL address-bar and noticed that their email address was there. If they made a change to the URL to contain someone else’s email address, then they could easily gain access to that mailbox without being asked for a password. We alerted the developers and they tried fixing it. The next time this group of co-workers tested it, there was a unique ID in the URL field instead of the email address. If you changed that unique ID number up or down, you could again gain access to someone else’s mailbox without being asked for a password. This problem took months for the developers to solve and caused product delays, but the developers did not release the product to the public until the security issues were resolved.
I’m relaying this story to help you understand that some very high paid CitiBank software developers in charge of creating the credit card management and authentication system created and why it was so easy for the hackers to compromise CitiBank’s credit card databases in 2011.
There are links below that provide more details into the CitiBank story, but the beginning of it started with the CREDIT CARD ACCOUNT NUMBER being displayed as the “unique identifier” in the website URL field. All someone needed to do was notice this and they could then start changing numbers to see if they could gain access to someone else’s account. While there were other flaws in the website database system that allowed the hackers to gain deeper access into the CitiBank servers, the basic fact remains that one of the simplest software development oversights caused all these problems. Yes Citibank is providing new credit cards to the 300,000+ accounts they feel were compromised, but do you really know WHO was grabbing your browser sessions when you logged into your credit card account BEFORE this problem was fixed? If I were a CitiBank credit card holder (of any type credit card) – I would be asking for a new card immediately.