Recently Citigroup announced that hackers had breached its systems in May and accessed personal data from 200,000 accounts — about 1% of its customers. The hackers managed to steal customer email addresses, contact information and account numbers.
However, what is alarming is not that Citigroup was hacked, it was the ease in which the hackers penetrated Citi’s security mechanisms by simply altering the bank’s URL.
When users log into the Citi Account Online system the URL changes to include a series of numbers relevant to the user’s account. However, it was discovered that someone could access another’s account by simply changing those numbers, according to The New York Times.
The cyber criminals used this very simple technique to jump from account to account. They also developed a script to automate the attack. What is astounding is that at such a large financial institution there was no security review or risk assessment to catch this obvious flaw in their consumer security systems.
No technical knowledge would have been required for any average Joe to simply change numbers in the URL and access someone else’s account. There wasn’t even a trip mechanism that forced the user to log-in again.
The Federal Deposit Insurance Corp, the nation’s primary regulator, is preparing new measures on data security. Its chairman Sheila Bair said she may ask “some banks to strengthen their authentication when a customer logs onto online accounts.”
Whoa! Sounds like a decent recommendation. But why do we need a calamity before, at a very basic minimum, instituting fundamental reviews of security systems? Now that your bank has been hacked, what should a consumer do? Here are some recommended steps from Identity Theft 911’s Ondrej Krehel:
No. 1: Look at your financial statements. Check your account online and see if your credit card has been used without your authorization
No. 2: Reset passwords. Citigroup may have already reset passwords for those who have been affected, he said, but as a precaution you should change your passwords for online accounts.
No. 3: Be wary. In the wake of a breach be suspicious of correspondence with financial companies.
No. 4: Consider unique passwords. Don’t use the same passwords for all of your accounts
No. 5: Change your security questions
No. 6: Update your security programs. Make sure all of your antivirus protection software is up-to-date