Citibank Unable to Afford Secure Web Design

Really Citibank?
Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade apparently large (and rich) companies can somehow manage to forget the basics.

Source

Tags: , , , ,

Hijack A Facebook Account in One Click

Ok so maybe not ONE click. But someone has put together a simple tool that you can use to take over the active sessions of anyone within wireless range of you. Hang out at the Starbucks free wi-fi and you'll be able to control the Facebook or other accounts of people nearby. It's an attack that was always simple to do for those who know how, but now any idiot can do it with a simple new interface.

Hopefully with their newest black eye (it never ends for Facebook does it?) they'll patch up this glaring hole.

By the way, they mention a few protections from this at the bottom of the article, but here's one more.

Tags: , ,
IDENTITY THEFT
How to Steal Identities - Why It's So Easy
Credit Freeze
Data Defense
Credit Monitoring
Id Theft Insurance
The Identity Theft Victim's Mini-Guide to Recovery
PRIVACY
The Geek Privacy Principle
Nothing to Hide
Data Abuse
RFID - Radio Frequency IDentification
Privacy Alias/Persona
Data Defense
INTERNET SAFETY
Online Addiction
The Consequences of Posting Online
Photo Safety
Tricks and Scams
Account Hijacking
Trusting Companies
PASSWORDS
Bad Passwords
Password Tips and Tricks
Password Protection
Password Mugging
Computer Security
E-mail Safety
Kids and Computers
Shopping Online
Retailers
All About Warranties