News:

    PD.com forums: a disorganized echo-chamber full of concordian, Greyfaced radical left-wing nutjobs who honestly believe they can take down imaginary Nazis by distributing flyers. They are highly-suspicious of all newcomers and hostile to almost everyone, including themselves. The only thing they don't take seriously is Discordianism.

Main Menu

Holy fucking security fail

Started by Cain, June 15, 2011, 08:42:46 PM

Previous topic - Next topic

Cain

I...there are no words for this

http://consumerist.com/2011/06/how-hackers-stole-200000-citi-accounts-by-exploiting-basic-browser-vulnerability.html

QuoteDetails have emerged has to how hackers were able to steal over 200,000 Citi customer accounts, including names, credit card numbers, mailing addresses and email addresses. It turns out quite easily, in fact. All they had to do was log in as a customer and change around a few numbers into the browser's URL bar, NYT reports. Facepalm.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

So if the URL was something like citibank.com/user/12345, all you had to do was change it to citibank.com/user/123456 and you had access to all of their account information.

The hackers then used a simple script that automatically scraped all the account information, saved it, and then changed the numbers in the URL and repeated the process. Hundreds of thousands of times.

:x

The Good Reverend Roger

Well, a real security system might have cost money.
" It's just that Depeche Mode were a bunch of optimistic loveburgers."
- TGRR, shaming himself forever, 7/8/2017

"Billy, when I say that ethics is our number one priority and safety is also our number one priority, you should take that to mean exactly what I said. Also quality. That's our number one priority as well. Don't look at me that way, you're in the corporate world now and this is how it works."
- TGRR, raising the bar at work.

Precious Moments Zalgo

I will answer ANY prayer for $39.95.*

*Unfortunately, I cannot give refunds in the event that the answer is no.

Elder Iptuous

wwwwwow.
can you imagine the glee when the thieves figured this out?
they must have set up the scripts while soiling themselves with laughter and then head off down to the pub to raise a glass to citi's stupidity.

Mesozoic Mister Nigel

"I'm guessing it was January 2007, a meeting in Bethesda, we got a bag of bees and just started smashing them on the desk," Charles Wick said. "It was very complicated."


Triple Zero

Quote from: Iptuous on June 15, 2011, 09:04:51 PM
wwwwwow.
can you imagine the glee when the thieves figured this out?
they must have set up the scripts while soiling themselves with laughter and then head off down to the pub to raise a glass to citi's stupidity.

:lulz:


but yeah, that's a pretty dumb mistake. Usually you would give users one-time hashed tokens (not a technical term), like you wouldn't give them 00001-99999 or whatever, but rather an unpredictable semi-random string like kf7f47dhaKHd84d4hu48.

Ex-Soviet Bloc Sexual Attack Swede of Tomorrow™
e-prime disclaimer: let it seem fairly unclear I understand the apparent subjectivity of the above statements. maybe.

INFORMATION SO POWERFUL, YOU ACTUALLY NEED LESS.

Disco Pickle

"Events in the past may be roughly divided into those which probably never happened and those which do not matter." --William Ralph Inge

"sometimes someone confesses a sin in order to take credit for it." -- John Von Neumann

Cain

The sad downside to this story is (IIRC) Citi are claiming no responsibility for the stolen money.  It's up to you to protect your money, once it's in the bank.

(if it is not them, then some bank argued this very recently - and the court agreed).

Disco Pickle

Quote from: Cain on June 16, 2011, 01:12:36 PM
The sad downside to this story is (IIRC) Citi are claiming no responsibility for the stolen money.  It's up to you to protect your money, once it's in the bank.

(if it is not them, then some bank argued this very recently - and the court agreed).

I was under the impression that it was the information that was stolen, not the money.  I know I've read several times that this happens pretty regularly and the banks just don't make it public.  They are approached by the hackers with the information they've stolen and demand a ransom and the bank just pays it quietly rather than have the fallout from a public announcement.

I'm pretty sure any actual stolen money (under $250,000) would fall under the FDIC guarantee.  I don't see how any bank could or would want to get around that.
"Events in the past may be roughly divided into those which probably never happened and those which do not matter." --William Ralph Inge

"sometimes someone confesses a sin in order to take credit for it." -- John Von Neumann

Faust

Quote from: Cain on June 16, 2011, 01:12:36 PM
The sad downside to this story is (IIRC) Citi are claiming no responsibility for the stolen money.  It's up to you to protect your money, once it's in the bank.

(if it is not them, then some bank argued this very recently - and the court agreed).

Its not our fault the money that we leave laying in a wheel barrow outside the bank was stolen its yours.
Sleepless nights at the chateau

Elder Iptuous

Quote from: Cain on June 16, 2011, 01:12:36 PM
The sad downside to this story is (IIRC) Citi are claiming no responsibility for the stolen money.  It's up to you to protect your money, once it's in the bank.

(if it is not them, then some bank argued this very recently - and the court agreed).

The court agreed with that? wtf?!
when i read the OP, i immediately assumed there would be a class action suit that would be open and shut...

Cain

It was another bank, sorry.  I was mistaken.

http://www.wired.com/threatlevel/2011/06/bank-ach-theft/

QuoteA judge in Maine has ruled that a bank that allowed hackers to steal more than $300,000 from a customer's online account isn't responsible for the lost money, saying the customer should have done more to protect the account credentials.

Magistrate Judge John Rich sided with Ocean Bank in recommending that the U.S. District Court in Maine grant the bank's motions for a summary dismissal of a complaint filed by Patco Construction Company. The ruling was reported Monday by BankInfoSecurity.

The case raises questions about how much security banks and other financial institutions may be reasonably required to provide commercial customers. It could set a precedent for liability in circumstances where customer systems are hacked and banking credentials are stolen. Small and medium-sized businesses around the United States have lost hundreds of millions of dollars in recent years to such activity, known as fraudulent ACH (Automated Clearing House) transfers.

Patco Construction Company, a family-owned business in Sanford Maine, sued Ocean Bank, which is owned by People's United Bank, after discovering in May 2009 that hackers were siphoning about $100,000 per day from its online bank account. The hackers had sent a malicious e-mail to employees that allowed them to surreptitiously install the Zeus password-stealing trojan on an employee computer.

After obtaining Patco's banking credentials and waiting for its account to fill up with money, the hackers used the credentials to initiate a series of electronic money transfers. Nearly $600,000 worth of transfers were made out of the account before Patco realized it had been hacked.

Ocean Bank, after being notified of the fraud, was able to block about $240,000 in transfers. But Patco was unable to retrieve the rest.

Patco sued the bank for failing to notice the fraudulent activity and stop it. According to Patco, the out-of-character transactions triggered alarms inside the bank, but the bank didn't notice them and let the transfers go through. Patco also accused the bank of failing to implement "best" security practices of requiring customers to use multifactor authentication.

Ocean maintained that it had done its due diligence in verifying that the ID and password used were authentic.

Judge Rich agreed that Ocean Bank could have done more to authenticate that the person initiating the transfers was indeed an authorized party.

"It is apparent, in the light of hindsight, that the Bank's security procedures in May 2009 were not optimal," he wrote in his ruling. "The Bank would have more effectively harnessed the power of its risk-profiling system, if it had conducted manual reviews in response to red flag information instead of merely causing the system to trigger challenge questions."

But he nonetheless concluded that the law does not require the bank to implement the "best" security measures available, and that the bank is clear to customers when they sign up about the level of security it provides and the amount of liability it will assume if money is stolen from a customer account. The judge also noted that Ocean's level of security was comparable to that offered by other banks. Ultimately, he determined that Patco was responsible for the loss, because it had not better secured its account credentials.

ñͤͣ̄ͦ̌̑͗͊͛͂͗ ̸̨̨̣̺̼̣̜͙͈͕̮̊̈́̈͂͛̽͊ͭ̓͆ͅé ̰̓̓́ͯ́́͞

Quote
[...] the customer should have done more to protect the account credentials.

:lulz: :lulz: :lulz: :lulz: :lulz:
P E R   A S P E R A   A D   A S T R A

PresidentLincPwln

This wouldn't happen if people didn't trust their bank info with unscrupulous corporations like, ya know, their banks.
A house divided is a condo.

-Abraham Lincoln

Doktor Howl

Quote from: PresidentLincPwln on June 18, 2011, 05:37:28 AM
This wouldn't happen if people didn't trust their bank info with unscrupulous corporations like, ya know, their banks.

I find your lack of faith in our glorious civilization...disturbing, citizen.
Molon Lube