Welcome!
If you have an account, please:
Log in
Stay Informed
Recommendations

Here's something that


I, Jeremy Duffy, actually recommend and think is worth checking out.
No web-bugs, no bs, just a legit recommmendation that I have personally evaluated before allowing it to be listed here:

Think something's here that shouldn't be? contact me!

How can I help you?
Contact Jeremy

Citibank Unable to Afford Secure Web Design

Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade apparently large (and rich) companies can somehow manage to forget the basics.

Source

Tags: , , , ,

Share This

Have a Comment or Question?

If you want to learn more about my professional background, click here to learn more. Otherwise, let’s get started - how can I help?

Online learning
On-site learning
Read my blog