Apparently the hackers who stole all kinds of personal information to Citigroup’s website did so by URL hacking.

This is just unconscionable.  Even before you get to cyber-security 101, SOMEONE should have figured out that putting the account number in plain text in the URL was a terrible idea.

I don’t care who you are, the first thing you need to know about dealing with a website is that your server cannot trust a user’s input.  This can be for any number of, even very innocent, reasons – but primarily as a way to be ward against potential problems.  It just sickens me that their website had what amounts to zero security.  URL hacking isn’t even really hacking at all, it’s just a matter of tweaking URL address inputs.  It’s essentially the equivalent of dialing a company’s phone number and changing the extension by one digit just to see if you can escape phone-tree-voice-mail-hell. 1 2

I mean, would you, as a bank, put deposit or balance information into the URL?  NO.  Otherwise in 5 seconds everyone would alter their links to include “&currentbalance=100000000000”. 3  Why, then, would you ever include plain text bank account numbers in the URL and not actually verify that information on the server side?!  I mean, this is the kind of security you get with WordPress for free just by installing it.

The Citigroup website is very Web2.0, rounded corners, social-media and blogging links.  It looks great.  Did they just have their web designer handle security?  How the hell did this happen?!

Okay, Sony, Facebook, Twitter – these things get hacked because of lame or re-used passwords.  Those guys got hacked because their attackers were smart.  Citigroup got hacked because they are too stupid to handle a basic website, let alone someone’s money.

1. Or purgatory? [↩]
2. Definitely purgatory [↩]
3. Or, better yet, “&currentbalance=pony” [↩]