Thieves Found Citigroup Site an Easy Entry

Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.

Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May.

That allowed them to capture the names, account numbers, e-mail addresses and transaction histories of more than 200,000 Citi customers, security experts said, revealing for the first time details of one of the most brazen bank hacking attacks in recent years.

The case illustrates the threat posed by the rising demand for private financial information from the world of foreign hackers.

In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said. The security expert insisted on anonymity because the inquiry was at an early stage.

The financial damage to Citigroup and its customers is not yet clear. Sean Kevelighan, a bank spokesman, declined to comment on the details of the breach, citing the ongoing criminal investigation. In a statement, he said that Citigroup discovered the breach in early May and the problem was “rectified immediately.” He added that the bank had initiated internal fraud alerts and stepped up its account monitoring.

The expertise behind the attack, according to law enforcement officials and security experts, is a sign of what is likely to be a wave of more and more sophisticated breaches by high-tech thieves hungry for credit card numbers and other confidential information.

That is because demand for the data is on the rise. In 2008, the underground market for the data was flooded with more than 360 million stolen personal records, most of them credit and debit files. That compared with 3.8 million records stolen in 2010, according to a report by Verizon and the Secret Service, which investigates credit card fraud along with other law enforcement agencies like the Federal Bureau of Investigation.

Now, as credit cards that were compromised in the vast 2008 thefts expire, thieves are stepping up efforts to find new accounts.

As a result, prices for basic credit card information could rise to several dollars from their current level of only pennies.

“If you think financially motivated breaches are huge now, just wait another year,” said Bryan Sartin, who conducts forensic investigations for Verizon’s consulting arm.

The kind of information the thieves are able to glean is shared in online forums that are a veritable marketplace for criminals. Networks that three years ago numbered several thousand users have expanded to include tens of thousands of hackers.

“These are online bazaars,” said Pablo Martinez, deputy special agent in charge of the Secret Service’s criminal investigation division. “They are growing exponentially and we have seen the entire process become more professional.”

For example, some hackers specialize in prying out customer names, account numbers and other confidential information, Mr. Martinez said. Brokers then sell that information in the Internet bazaars. Criminals use it to impersonate customers and buy merchandise. Finally, “money mules” wire home the profits through outlets like Western Union or MoneyGram.

“It’s like ‘Mission Impossible’ when they select the teams,” said Mark Rasch, a former prosecutor who is now with CSC, an information technology services firm. “And they don’t know each other, except by hacker handle and reputation.”

In the Citi attack, the hackers did not obtain expiration dates or the three-digit security code on the back of the card, which will make it harder for thieves to use the information to commit fraud.

Not every breach results in a crime. But identity theft has ranked first among complaints to the Federal Trade Commission for 11 consecutive years, with 1.34 million in 2010, twice as many as the next category, which is debt collection.

Many of these attacks have their origins in Eastern Europe, including Russia, Belarus, Ukraine and Romania. In fact, the security expert familiar with the Citi breach said it originated in the region, though he would not specify the country.

In Russia,, is one of the larger forums for Eastern European hackers today, with nearly 13,300 registered members, according to Cyveillance. is larger, and has more than 58,000 members. In addition, attacks by Romanian hackers have grown noticeably more advanced recently, according to security experts.

On HackZone, one seller who called himself “zoloto” promised “all cards valid 100%” and that they would be sold only one time.

Underscoring the multinational nature of these rings, American law-enforcement agencies have also been putting more investigators overseas.

“The only way to address a global issue is to address it globally with your partners,” said Gordon M. Snow, assistant director of the F.B.I.’s Cyber Division.

The Secret Service established a presence in Tallinn, Estonia, last month, and has embedded agents with Ukrainian authorities since the beginning of the year. The F.B.I. has embedded agents in the Netherlands, Estonia, Ukraine and Romania, and works closely with its counterparts in Australia, Germany and Britain.

But even officials at these agencies acknowledge that as fast as they move, the hackers’ strategies are evolving at Silicon Valley speed.

“With every takedown, they regroup,” said J. Keith Mularski, a supervisory special agent with the F.B.I.

Riva Richmond contributed reporting.

This story originally appeared in The New York Times

Citibank was hacked by altering URLs

THE HACKING of Citibank that led to the exposure of 360,000 customers’ credit card details was made by simply altering the bank’s URL.

When users log into the Citi Account Online system the URL changes to include a series of numbers relevant to the user's account. However, it was discovered that someone could access another's account by simply changing those numbers, according to The New York Times.

The hackers used this remarkably simple technique to hop from account to account and they even developed a script to automate the hack for them. It’s difficult to even call it a hack, as it’s like copying and slightly changing a key and using it on a neighbour’s front door.
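A scripted walk through account numbers, as described above, leaves a recognisable trace: one logged-in session requesting many different accounts in a short time. The following detection sketch is an added example, not taken from the article or from Citi; the log format, session names and thresholds are assumptions made for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format: "<ISO time> <session id> GET /account/<number>"
LINE = re.compile(r"^(\S+) (\S+) GET /account/(\d+)$")

def find_enumeration(lines, max_distinct=3, window=timedelta(minutes=5)):
    """Return {session: distinct account count} for sessions that touch more
    than max_distinct different account numbers inside any sliding window."""
    events = defaultdict(list)
    for line in lines:
        m = LINE.match(line.strip())
        if m:
            ts, session, account = m.groups()
            events[session].append((datetime.fromisoformat(ts), account))
    flagged = {}
    for session, hits in events.items():
        hits.sort()
        start = 0
        counts = defaultdict(int)  # account -> requests inside the current window
        worst = 0
        for ts, account in hits:
            counts[account] += 1
            # Drop requests that have fallen out of the time window.
            while ts - hits[start][0] > window:
                old = hits[start][1]
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                start += 1
            worst = max(worst, len(counts))
        if worst > max_distinct:
            flagged[session] = worst
    return flagged

def sample_log():
    """Constructed sample: s1 is a normal customer, s2 walks sequential numbers."""
    base = datetime(2011, 5, 1, 12, 0, 0)
    lines = [f"{(base + timedelta(seconds=40 * i)).isoformat()} s1 GET /account/5550001"
             for i in range(6)]
    lines += [f"{(base + timedelta(seconds=i)).isoformat()} s2 GET /account/{7770000 + i}"
              for i in range(20)]
    return lines
```
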

Details that were stolen included names, account numbers and email addresses, but credit card security codes, social security numbers and birth dates remained safe.

It’s one thing having this major flaw on a commercial web site, but for a bank, where online banking is supposed to require enhanced security, this is mind-boggling.

Surely changing the numbers would force users back to a login screen, one would think, but it seems that this was not the case and any average user could have accessed another user’s account unwittingly by altering a number here or there just like the hackers, who are believed to be from Eastern Europe.
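The missing control described above is a server-side check that the account named in the URL belongs to the logged-in user. The following is an added example, not Citi's code or anything from the article: it puts the flawed lookup beside two corrected forms, and all account numbers, user names and function names are constructed for illustration.

```python
import secrets

# Constructed sample data: account number -> record (all values invented).
ACCOUNTS = {
    "1000001": {"owner": "alice", "name": "Alice Example", "email": "alice@example.test"},
    "1000002": {"owner": "bob", "name": "Bob Example", "email": "bob@example.test"},
}
SESSIONS = {}  # session token -> {"user": ..., "refs": {opaque ref -> account number}}

def login(user):
    """Create a session with opaque, per-session references to the user's own accounts."""
    token = secrets.token_urlsafe(16)
    refs = {secrets.token_urlsafe(8): num
            for num, rec in ACCOUNTS.items() if rec["owner"] == user}
    SESSIONS[token] = {"user": user, "refs": refs}
    return token

def view_account_vulnerable(token, account_number):
    """Flawed pattern: any logged-in session may read whatever number the URL carries."""
    if token not in SESSIONS:
        return 401, None
    record = ACCOUNTS.get(account_number)
    return (200, record) if record else (404, None)

def view_account_checked(token, account_number):
    """Same lookup, but the record must belong to the session's user."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    record = ACCOUNTS.get(account_number)
    # Same reply for "missing" and "not yours", so the response does not
    # confirm which account numbers exist.
    if record is None or record["owner"] != session["user"]:
        return 404, None
    return 200, record

def view_account_by_ref(token, ref):
    """Stricter variant: the URL carries only a per-session reference, never the number."""
    session = SESSIONS.get(token)
    if session is None:
        return 401, None
    account_number = session["refs"].get(ref)
    if account_number is None:
        return 404, None
    return 200, ACCOUNTS[account_number]
```
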

If that were not enough hacking of monetary services, the world’s largest payroll processor, Automatic Data Processing (ADP), has revealed it was the victim of a data breach.

The company, which has over half a million payroll clients, said that it has launched an investigation into the hacking and is taking measures to address the impact of the breach. It did not reveal any specific details about the attack.

It is estimated that half of the employees of major US corporations have their pay processed by ADP, according to Reuters, making this a potentially very devastating and disruptive incident.

It appears that a number of financial services, including the International Monetary Fund, have been targeted by hackers recently in what has become an increasing trend.

These targets were generally off the radar of Anonymous and Lulzsec, who hack for activist and fun reasons respectively, and these attacks might be the work of criminal hackers that are cashing in on the confusion caused by less serious forms of cyber disruption.

By Dean Wilson

Citi hackers made $2.7 million. About 3,400 of the 360,000 compromised credit card accounts were hit with fraud

Citigroup suffered about US$2.7 million in losses after hackers found a way to steal credit card numbers from its website and post fraudulent charges.

Citi acknowledged the breach earlier this month, saying hackers had accessed more than 360,000 Citi credit card accounts of U.S. customers. The hackers didn’t get into Citi’s main credit card processing system, but were reportedly able to obtain the numbers, along with the customers’ names and contact information, by logging into the Citi Account Online website and guessing account numbers.

Until now, it wasn’t clear how much – if any – fraud had occurred as a result of the theft. But Citi confirmed Friday that there were losses of $2.7 million from about 3,400 accounts.

The bank has said its customers will not be liable for the losses.

Citi learned about the hack on May 10 and began notifying customers on June 3. The bank said other sensitive data, such as Social Security numbers, birthdates and the cards’ CVV (Card Verification Value) security codes used for online transactions, were not taken.

In addition to the fraud losses, Citigroup will have to pay the cost of notifying customers and reissuing credit card numbers for the 360,000 affected clients. The Ponemon Institute has estimated the average cost of a data breach at $214 per compromised record. By that yardstick, the breach would cost the bank $77 million.

By Robert McMillan (IDG News Service) 25 June, 2011, Computerworld.