Apparently the hackers who stole all kinds of personal information from Citigroup’s website did so by URL hacking.
This is just unconscionable. Even before you get to cyber-security 101, SOMEONE should have figured out that putting the account number in plain text in the URL was a terrible idea.
I don’t care who you are, the first thing you need to know about dealing with a website is that your server cannot trust a user’s input. This can be for any number of, even very innocent, reasons – but primarily as a way to ward against potential problems. It just sickens me that their website had what amounts to zero security. URL hacking isn’t even really hacking at all, it’s just a matter of tweaking URL address inputs. It’s essentially the equivalent of dialing a company’s phone number and changing the extension by one digit just to see if you can escape phone-tree-voice-mail-hell.
I mean, would you, as a bank, put deposit or balance information into the URL? NO. Otherwise in 5 seconds everyone would alter their links to include “&currentbalance=100000000000”. Why, then, would you ever include plain text bank account numbers in the URL and not actually verify that information on the server side?! I mean, this is the kind of security you get with WordPress for free just by installing it.
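To make the missing server-side check concrete, here is an added example (not code from Citigroup's site or from this post) that puts the flawed pattern next to a handler that ties the account number in the URL to the logged-in session. The URL layout, the `account` parameter, the function names and the sample data are all assumptions made up for illustration.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data: account number -> record, session token -> customer.
ACCOUNTS = {
    "1001": {"owner": "alice", "name": "Alice Example"},
    "1002": {"owner": "bob", "name": "Bob Example"},
}
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}


class Forbidden(Exception):
    """Raised when the request is not authorised for the account."""


def account_from_url(url):
    """Pull the account number out of the query string (untrusted input)."""
    values = parse_qs(urlparse(url).query).get("account", [])
    if len(values) != 1 or not values[0].isdigit():
        raise Forbidden("malformed account parameter")
    return values[0]


def view_account_unchecked(url, session_token):
    """The flawed pattern: being logged in is enough, the URL picks the data."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS.get(account_from_url(url))


def view_account_checked(url, session_token):
    """Server-side check: the account must belong to the session's customer."""
    customer = SESSIONS.get(session_token)
    if customer is None:
        raise Forbidden("not logged in")
    record = ACCOUNTS.get(account_from_url(url))
    # Same error for "missing" and "not yours" so responses reveal nothing.
    if record is None or record["owner"] != customer:
        raise Forbidden("account not available")
    return record
```

The checked handler never treats the URL as proof of ownership; the only identity it trusts is the one the server itself attached to the session.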
The Citigroup website is very Web2.0, rounded corners, social-media and blogging links. It looks great. Did they just have their web designer handle security? How the hell did this happen?!
Okay, Sony, Facebook, Twitter – these things get hacked because of lame or re-used passwords. Those guys got hacked because their attackers were smart. Citigroup got hacked because they are too stupid to handle a basic website, let alone someone’s money.