Citibank Unable to Afford Secure Web Design

Really Citibank?
Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade apparently large (and rich) companies can somehow manage to forget the basics.

Source

Tags: , , , ,

Wikileaks Prepares; Bank of America Panics

I'm fairly ambivalent about the whole Wikileaks issue. I've long been a supporter of whistleblowing in general as companies and the governement should be held accountable for abuses and wrong-doing and often it's only fully public scandals that allow that to happen (though sometimes not even then).

Anyway, as to whether Wikileaks has done anything wrong, one must first ask if there was anything posted that caused significantly more harm than good (which so far has been a "no" it seems).

But to the point, Wikileaks is expected to release a lot of data about Bank of America very soon. There's a lot of speculation, but more interestingly, there are reports that Bank of America is preparing focused teams to respond to whatever drops when it drops.

I look forward to seeing how slime covered that rock is when it's lifted.

Tags: , , , ,

Have Fun With Secret Questions

Sometimes when you set up an account with a company, they'll let you set a question and the answer. Then when you call in, the operator will read the question YOU WROTE and you get to provide the response. This has the potential to be highly amusing if done right:

Q: What the hell is your f***ing problem, sir?
A: This is completely inappropriate and I'd like to speak to your supervisor.

Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.
A: It's a good thing they're recording this call, because I'm going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

Check out a ton more here.

Tags: ,

Control Your Online Banking With Twitter. Seriously!?

With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It’s all available on Twitter, 24/7! And, the best part is, our tweetMyMoney service is free!

(Emphasis mine)

Hello Twitter banking, goodbye money.
Hello Twitter banking, goodbye money.

Why anyone thought this was a good idea, I don't know. Granted, you can't transfer money to OTHER accounts, only "within you account", but someone who breaks into your twitter account can still get a lot of information about you and move your money around causing you serious overdraft fees.

The issue at heart here is that getting information about your account and moving money around only requires the security of your Twitter account (which isn't to say much). How many people put strong passwords on their Twitter like they do the bank? How much effort does Twitter put into their security?

I think the idea of alerts to your phone is kind of cool, but maybe the bank should have set up its own Twitter-like messaging service instead of using a public one that's a big fat target of bad guys already.

Tags: ,
IDENTITY THEFT
How to Steal Identities - Why It's So Easy
Credit Freeze
Data Defense
Credit Monitoring
Id Theft Insurance
The Identity Theft Victim's Mini-Guide to Recovery
PRIVACY
The Geek Privacy Principle
Nothing to Hide
Data Abuse
RFID - Radio Frequency IDentification
Privacy Alias/Persona
Data Defense
INTERNET SAFETY
Online Addiction
The Consequences of Posting Online
Photo Safety
Tricks and Scams
Account Hijacking
Trusting Companies
PASSWORDS
Bad Passwords
Password Tips and Tricks
Password Protection
Password Mugging
Computer Security
E-mail Safety
Kids and Computers
Shopping Online
Retailers
All About Warranties