Really Citibank?

When I teach, I explain how most of the breaches and problems you hear in the world aren't about clever hackers or sophisticated attackers, but instead about weak security. This has just become my new go-to example.

Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else's account.

What that means is that if you were to look at the address in your bar at the top of the browser, it contains the name of the website you're on and (as is typical) a whole lot of other junk like this:

http://www.citibank.com/account.asp?were=dumbbell&we=shouldhaveknownbetter

One of the values in the "lots of other junk" area told Citibank who's account to show. If you just entered any random number, the website would think you were the user with that ID and show you their page. Given that this kind of issue is one that security professionals have known about and handled for more than a decade apparently large (and rich) companies can somehow manage to forget the basics.

Source

I'm fairly ambivalent about the whole Wikileaks issue. I've long been a supporter of whistleblowing in general as companies and the governement should be held accountable for abuses and wrong-doing and often it's only fully public scandals that allow that to happen (though sometimes not even then).

Anyway, as to whether Wikileaks has done anything wrong, one must first ask if there was anything posted that caused significantly more harm than good (which so far has been a "no" it seems).

But to the point, Wikileaks is expected to release a lot of data about Bank of America very soon. There's a lot of speculation, but more interestingly, there are reports that Bank of America is preparing focused teams to respond to whatever drops when it drops.

I look forward to seeing how slime covered that rock is when it's lifted.

That's not my dog...

(Image used under: Creative Commons 2.0 [SRC])

Sometimes when you set up an account with a company, they'll let you set a question and the answer. Then when you call in, the operator will read the question YOU WROTE and you get to provide the response. This has the potential to be highly amusing if done right:

Q: What the hell is your f***ing problem, sir?
A: This is completely inappropriate and I'd like to speak to your supervisor.

Q: I've been embezzling hundreds of thousands of dollars from my employer, and I don't care who knows it.
A: It's a good thing they're recording this call, because I'm going to have to report you.

Q: Are you really who you say you are?
A: No, I am a Russian identity thief.

Check out a ton more here.

This is a great idea!

(Image source is unknown)

With tweetMyMoney, you can monitor your account balance, deposits, withdrawals, holds and cleared checks with simple commands. And, you can even transfer funds within your account. It’s all available on Twitter, 24/7! And, the best part is, our tweetMyMoney service is free!

(Emphasis mine)

Hello Twitter banking, goodbye money.

Why anyone thought this was a good idea, I don't know. Granted, you can't transfer money to OTHER accounts, only "within you account", but someone who breaks into your twitter account can still get a lot of information about you and move your money around causing you serious overdraft fees.

The issue at heart here is that getting information about your account and moving money around only requires the security of your Twitter account (which isn't to say much). How many people put strong passwords on their Twitter like they do the bank? How much effort does Twitter put into their security?

I think the idea of alerts to your phone is kind of cool, but maybe the bank should have set up its own Twitter-like messaging service instead of using a public one that's a big fat target of bad guys already.

(Image is used under the Pixabay license)

At least one person was able to challenge a foreclosure because the bank that tried to foreclose didn't actually have the legal right to do so.

(Image is used under the Pixabay license)

Originally, the bankruptcy laws were a catch-all for handling aggressive and dishonest lending allowing people to completely remove their debts once every 7 years. That way, even if someone made mistakes or was suckered in by bad credit deals, they could escape them under some circumstances and start over.

Lenders weren't happy with this and wanted it to be much harder for people to get out of the credit programs they carefully lured you into. They scored victory in 2005 by managing to secure a new law that made it much tougher for people to file bankruptcy, but didn't do anything to help curb the massive lending abuses by credit grantors. Now it seems the one-sided bill may have hurt lenders as much as it's helped them.