Hackers breached Citibank security using simple URL manipulation - Update
The theft of approximately 200,000 Citibank customer accounts may have been achieved by means of a simple manipulation of the Citibank URL. Security experts told The New York Times that the hackers were able to impersonate actual account holders by using a simple trick.
After logging into a valid account, the URL to the Citi Account Online system contains a string of numbers which represents the customer's account. By changing this string, the criminals were able to easily switch between multiple accounts and obtain private customer information. Using a script to automate this process allowed them to do so hundreds of thousands of times.
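The flaw described above is a missing ownership check on an account identifier taken straight from the URL. As an added example (not code from the article, Citibank or the investigators), the vulnerable lookup is shown beside a hardened one that ties the record to the authenticated session, followed by a log check that flags sessions reading many distinct accounts; all account numbers, session tokens and log lines are constructed.

```python
from collections import defaultdict

# Constructed sample data: account number -> owner and record fields
ACCOUNTS = {
    "4000001": {"owner": "alice", "name": "Alice A.", "email": "alice@example.com"},
    "4000002": {"owner": "bob",   "name": "Bob B.",   "email": "bob@example.com"},
}
# Constructed sessions: session token -> authenticated user id
SESSIONS = {"tok-alice": "alice", "tok-bob": "bob"}

class Forbidden(Exception):
    pass

def lookup_insecure(session_token, account_no):
    """Vulnerable pattern: the caller is authenticated, but the account number
    from the URL is used as-is, so any logged-in user can read any account."""
    if session_token not in SESSIONS:
        raise Forbidden("not logged in")
    return ACCOUNTS.get(account_no)

def lookup_secure(session_token, account_no):
    """Hardened pattern: return the record only if the authenticated user owns
    it. Unknown and foreign accounts get the same response, so the endpoint
    does not confirm which account numbers exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        raise Forbidden("not logged in")
    record = ACCOUNTS.get(account_no)
    if record is None or record["owner"] != user:
        raise Forbidden("account not available to this session")
    return record

def can_view(session_token, account_no):
    """Boolean form of the ownership check for callers that prefer no exceptions."""
    try:
        lookup_secure(session_token, account_no)
        return True
    except Forbidden:
        return False

def flag_enumerating_sessions(log_lines, threshold=3):
    """Detection: count distinct account numbers per session in constructed
    access-log lines of the form 'session account status'. A genuine customer
    session touches one or a few accounts, not hundreds."""
    seen = defaultdict(set)
    for line in log_lines:
        session, account, _status = line.split()
        seen[session].add(account)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)

# Constructed log: tok-x walks through consecutive account numbers
LOG = ["tok-alice 4000001 200", "tok-bob 4000002 200",
       "tok-x 4000001 200", "tok-x 4000002 200", "tok-x 4000003 404"]
```

Running `flag_enumerating_sessions(LOG)` returns `['tok-x']`, the one session that requested three different account numbers.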
The attackers are said to have gained access to around one per cent of the bank's approximately 21 million credit card customers in North America. Details obtained in the attack included customer names, account numbers and email addresses. The hackers did not, however, gain access to the security codes for the credit cards or to the holders' Social Security numbers and birth dates.
Citibank says that it first discovered the break-in at the beginning of May during a routine check. The company has since reported it to criminal investigators and says it has stepped up its security. Citibank has not yet announced who it believes is responsible for the attack, but the security expert who talked to The New York Times on condition of anonymity says that he presumes they are from Eastern Europe.
Update - Citigroup has now told the Reuters news agency that the number of affected customers was nearly double its original estimate, with 360,000 customers' credit card accounts, rather than 200,000, affected by the breach. The company has reissued credit cards to 217,657 accounts.