Yes, it's THAT book!

Drop your email here to stay informed of the status of my "tell most" book about the National Security Agency:

--OR--

Read a little about the book here:

Employees are allies, not the adversary

--OR--

Check out the Kickstarter here (click)
How can I help you?
Contact Jeremy
Recommendations

Here's something that

I, Jeremy Duffy, actually recommend and think is worth checking out.
No web-bugs, no bs, just a legit recommmendation that I have personally evaluated before allowing it to be listed here:

Think something's here that shouldn't be? contact me!

Citibank Unable to Afford Secure Web Design

Sunday, February 21st, 2016 (No comments yet)
Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade apparently large (and rich) companies can somehow manage to forget the basics.

Source

Tags: , , , ,

Share This

Have a Comment or Question?

Loading...

If you want to learn more about my professional background, click here to learn more.

Check out one of my guides/tutorials:

goodbye identity theft Tutorial
|INDEX|next: Credit Freeze

Too Late!

If you've already become a victim, here is a list of things you should do.

Solving ID Theft

Lock your credit reports with a Credit Freeze to prevent credit-based ID theft (90% of ID theft risk).
Learn to protect your information to prevent not only ID theft, but many other kinds of problems (the rest of ID theft risk).

Save Time and Money

cancel credit-monitoring services.
Cancel id-theft-insurance

Who is Responsible?

Sometimes you just have to wonder why it's so easy to steal identities in the first place.

... or check out any of my other guides and tutorials by clicking here!

The Identity Theft Victim's Mini-Guide to Recovery

If you've already experienced ID theft, here are some tips of what to do next.

[Click for full description]

Credit Freeze

Setting a credit report freeze is the fastest and most effective way to actually block and reduce your risk of ID Theft. And it's free.

[Click for full description]

Out and About Defense

The best defense against non-credit ID Theft and a variety of other risks is to adopt a mindset of protection: Data Defense. Learn how to protect your information with simple and sometimes free countermeasures all based on a simple philosophy that the less people who have your information, the safer you are.

[Click for full description]