How to Steal 200,000 Bank Accounts With Your Web Browser
You know what should be one of the hardest things in the world to do? Break into a bank and make off with tens of thousands of bank accounts. But hackers waltzed into Citigroup's website and did just that without breaking a sweat.
Citi discovered last May that hackers had stolen over 200,000 of their credit card customers' financial information. (That's about 1% of the bank's customers.) And this New York Times article about the hack makes it clear that stealing a dozen Kit Kat bars is more taxing than pilfering tens of thousands of folks' financial data:
In the Citi breach, the data thieves were able to penetrate the bank's defenses by first logging on to the site reserved for its credit card customers.
Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser's address bar. The hackers' code systems automatically repeated this exercise tens of thousands of times - allowing them to capture the confidential private data.
Theoretically anyone who knew about this vulnerability could have gone in and done this using a regular old browser.
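The flaw described above comes down to the site trusting the account number in the address bar without checking that it belongs to the logged-in customer. As an added example (not Citi's code and not part of the original article; every name, account number and log line is constructed), this Python puts the unchecked lookup beside one that ties the account number to the session, and adds a log check for a single session touching many accounts.

```python
from collections import defaultdict

# Constructed sample data: which login owns which card account.
ACCOUNT_OWNER = {"4000001": "alice", "4000002": "bob", "4000003": "carol"}
STATEMENTS = {acct: f"statement for {user}" for acct, user in ACCOUNT_OWNER.items()}


class Forbidden(Exception):
    """Raised when the session may not read the requested account."""


def get_statement_vulnerable(session_user, account_id):
    # Weak form: being logged in is treated as permission to read ANY account.
    # The account number from the URL is used as-is.
    return STATEMENTS[account_id]


def get_statement_checked(session_user, account_id):
    # Hardened form: the account must belong to the user bound to the session.
    # Unknown accounts and other people's accounts get the same refusal, so
    # the response does not reveal which account numbers exist.
    if session_user is None or ACCOUNT_OWNER.get(account_id) != session_user:
        raise Forbidden("account not available for this session")
    return STATEMENTS[account_id]


def flag_enumeration(access_log, max_accounts=2):
    """Return session ids that requested more distinct account numbers than
    one customer plausibly holds (threshold is an assumption to tune)."""
    seen = defaultdict(set)
    for session_id, account_id in access_log:
        seen[session_id].add(account_id)
    return sorted(s for s, accts in seen.items() if len(accts) > max_accounts)


# Constructed access log: (session id, account number taken from the URL).
SAMPLE_LOG = [
    ("sess-1", "4000001"), ("sess-1", "4000001"),
    ("sess-9", "4000001"), ("sess-9", "4000002"),
    ("sess-9", "4000003"), ("sess-9", "4000004"),
]

if __name__ == "__main__":
    print(get_statement_vulnerable("bob", "4000001"))  # bob reads alice's data
    try:
        get_statement_checked("bob", "4000001")
    except Forbidden as exc:
        print("refused:", exc)
    print(flag_enumeration(SAMPLE_LOG))
```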
Yikes! We'd recommend you withdraw your money from the bank and store your savings in your mattress, but then hackers would probably just break into Bed Bath & Beyond's computer system and steal your credit card information from the time you bought the mattress. So, you should probably just spend all your money on useless crap immediately after you earn it. Oh, you already do? Good. Way to beat the hackers.