
Amazing Citibank Security Breach
Big Mac
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 15, 2011, 07:32 AM
 
I'm amazed. Stunned even. I mean, I know of corporate incompetence - big corporations may not be any more competent than big governments - but I'm awestruck by this news:

Originally Posted by The Register
Hackers who stole bank account details for 200,000 Citigroup customers infiltrated the company's system by exploiting a garden-variety security hole in the company's website for credit card users, according to a report citing an unnamed security investigator.

The New York Times reported that the technique allowed the hackers to leapfrog from account to account on the Citi website by changing the numbers in the URLs that appeared after customers had entered valid usernames and passwords. The hackers wrote a script that automatically repeated the exercise tens of thousands of times, the NYT said in an article published Monday.
I have experience running some high-profile sites and doing light to moderate web coding, but I'm not a programmer (at least not based on my definition of the term) or a web security expert. Yet this is one of the first things I would have thought of if I were in charge of security of a financial institution. In fact, I've dealt with private URL access/security issues; I made sure to audit how restricted login URLs were treated by non-logged in browsers before a new version of a site I was managing went online. I never really thought it was possible that a major corporation with such tremendous resources could overlook something that to me is so basic, and to me it's a profound betrayal for a financial institution to be so reckless when it comes to security.

I'm telling any family and friends who are Citibank customers to march into their local branches with a copy of this article and demand to know why they shouldn't close out their accounts right now over such an appallingly easy, gaping security hole. This kind of abysmal security failure is an open invitation to ignorant Congress Critters to ram through some ridiculous cyber-security legislation.
( Last edited by Big Mac; Jun 15, 2011 at 07:50 AM. )

"The natural progress of things is for liberty to yield and government to gain ground." TJ
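The defect the article describes, where the account number in the URL is trusted after login, is an insecure direct object reference. The following is an added example, not code from the thread or from Citi: a minimal account-lookup handler with that defect, the hardened form that checks the session actually owns the requested record, and a log check for the mass-enumeration pattern the article mentions. All account data, session names and log lines are constructed for the example.

```python
# Added example (not from the thread): an insecure direct object
# reference in an account lookup, its hardened form, and a simple
# detection for one session walking through many account ids.
from collections import defaultdict

# Constructed sample data: which customer owns which account number.
ACCOUNTS = {
    1001: {"owner": "alice", "balance": 250.0},
    1002: {"owner": "bob", "balance": 7900.0},
    1003: {"owner": "carol", "balance": 12.5},
}

def lookup_vulnerable(session_user, account_id):
    """Trusts the account number from the URL. The session is
    authenticated but never consulted, so any logged-in user can read
    any account simply by changing the number."""
    return ACCOUNTS.get(account_id)

def lookup_hardened(session_user, account_id):
    """Authorises the object itself: the record is returned only if
    the authenticated session owns it. Unknown and foreign ids give
    the same answer, so the response does not reveal which ids exist."""
    record = ACCOUNTS.get(account_id)
    if record is None or record["owner"] != session_user:
        return None
    return record

def enumeration_suspects(log_lines, threshold=3):
    """Return sessions that requested more than `threshold` distinct
    account ids. Each constructed log line is 'session account_id status';
    a legitimate customer touches only their own few accounts."""
    seen = defaultdict(set)
    for line in log_lines:
        session, account_id, _status = line.split()
        seen[session].add(account_id)
    return sorted(s for s, ids in seen.items() if len(ids) > threshold)

# Constructed access-log sample: sess-A steps through consecutive ids.
SAMPLE_LOG = [
    "sess-A 1001 200",
    "sess-A 1002 200",
    "sess-A 1003 200",
    "sess-A 1004 404",
    "sess-B 1002 200",
]
```

With real logs the threshold would be tuned to normal customer behaviour, and the ownership check belongs in every handler that takes an object id, not only the one shown.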
     
Wiskedjak
Posting Junkie
Join Date: Jun 2002
Location: Calgary
Jun 15, 2011, 08:30 AM
 
Originally Posted by Big Mac
I'm amazed. Stunned even. I mean, I know of corporate incompetence - big corporations may not be any more competent than big governments - but I'm awestruck
Sadly, I'm not at all shocked. How many times in just the last year has a major corporation been hacked now and had customer information stolen?

Originally Posted by Big Mac
I'm telling any family and friends who are Citibank customers to march into their local branches with a copy of this article and demand to know why they shouldn't close out their accounts right now over such an appallingly easy, gaping security hole. This kind of abysmal security failure is an open invitation to ignorant Congress Critters to ram through some ridiculous cyber-security legislation.
It's unfortunate that some of the major corporations aren't able to be responsible on their own to spend the money on proper security. Unfortunately, without government regulation, the only motivation they have to do so is the prospect of losing customers. Also unfortunately, given the sheep-like nature of consumers these days and the fact that there's no guarantee that the competition is any better, the number of customers they lose will probably be minimal.
     
Big Mac  (op)
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 15, 2011, 08:42 AM
 
Originally Posted by Wiskedjak
Sadly, I'm not at all shocked. How many times in just the last year has a major corporation been hacked now and had customer information stolen?
Yeah, but how many of the other exploits were anywhere this blatant and this simple?
It's unfortunate that some of the major corporations aren't able to be responsible on their own to spend the money on proper security. Unfortunately, without government regulation, the only motivation they have to do so is the prospect of losing customers. Also unfortunately, given the sheep-like nature of consumers these days and the fact that there's no guarantee that the competition is any better, the number of customers they lose will probably be minimal.
I'm concerned that if Congress smells blood we'll end up with $1,000 fines on corporations large and small for any security breaches and the monetization of faux-white hat hacking. The whole Internet shouldn't be punished by punitive regulations because of the gross incompetence of some firms like Citibank. Instead, I'd like to see major financial and ecommerce sites create a self-enforcement committee to oversee/audit security measures.
( Last edited by Big Mac; Jun 15, 2011 at 08:49 AM. )

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
lpkmckenna
Addicted to MacNN
Join Date: Jul 2004
Location: Toronto
Jun 15, 2011, 09:08 AM
 
I'm switching sides to the scumbag hackers. Someone has to show up these useless and lazy businesses. Of course, they won't change their ways, just pay off both parties and ask the FBI to come in.
     
Wiskedjak
Posting Junkie
Join Date: Jun 2002
Location: Calgary
Jun 15, 2011, 09:16 AM
 
Originally Posted by Big Mac
I'm concerned that if Congress smells blood we'll end up with $1,000 fines on corporations large and small for any security breaches ...
Shouldn't there be some sort of consequence for negligent security? It seems unlikely that they'd choose to self-regulate.
     
Big Mac  (op)
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 15, 2011, 09:26 AM
 
There should be some consequence for truly negligent security lapses like this one, but I'm not at all optimistic that Congress or an executive bureau could possibly get legislation right in this area. They perpetrate much worse security lapses than even this one by Citibank. And I do think the industry could self-regulate if sufficient pressure were brought to bear (i.e. Congress threatening to fark things up even worse with deficient legislation).

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
The Final Dakar
Games Meister
Join Date: Aug 2009
Location: Eternity
Jun 15, 2011, 09:29 AM
 
It appears this year is going to be an uncomfortable wake-up call for the internet.
     
Eug
Clinically Insane
Join Date: Dec 2000
Location: Caught in a web of deceit.
Jun 15, 2011, 10:57 AM
 
That happened about 8-10 years ago with the account registration system for I believe Air Canada Aeroplan. Personal info available for all to see, just by changing URLs, after you logged in once with a valid account. No credit card info though.

However, that was nearly a decade ago. You'd think something as basic as this shouldn't happen again to a big company in 2011.

Some programmers/designers just shouldn't be writing secure sites.
     
mattyb
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Jun 15, 2011, 11:13 AM
 
Originally Posted by Eug
Some programmers/designers just shouldn't be writing secure sites.
Some programmers are forced into certain design decisions by financial and project management types. Security costs.
     
Big Mac  (op)
Clinically Insane
Join Date: Oct 2000
Location: Los Angeles
Jun 15, 2011, 11:34 AM
 
Originally Posted by mattyb
Some programmers are forced into certain design decisions by financial and project management types. Security costs.
You should be hired by Citibank as a PR person!

This was a case of computer programming malpractice. No project management decision can possibly take the blame for this fundamentally broken security.

"The natural progress of things is for liberty to yield and government to gain ground." TJ
     
Wiskedjak
Posting Junkie
Join Date: Jun 2002
Location: Calgary
Jun 15, 2011, 11:56 AM
 
Originally Posted by Big Mac
You should be hired by Citibank as a PR person!

This was a case of computer programming malpractice. No project management decision can possibly take the blame for this fundamentally broken security.
Hiring of incompetent developers.
Not bothering to implement processes to properly test the site to ID security holes.

There are plenty of Project Management decisions that could be responsible.
     
Eug
Clinically Insane
Join Date: Dec 2000
Location: Caught in a web of deceit.
Jun 15, 2011, 02:55 PM
 
Yeah, I don't necessarily blame the individual programmers, but the team, and that includes the decision makers.

It's one thing to make a clunky ugly website, but it's another to create one that violates even the most basic practices in site security.

That said, nobody's perfect, and sh!t happens.
     
mattyb
Addicted to MacNN
Join Date: Feb 2008
Location: Standing on the shoulders of giants
Jun 15, 2011, 06:16 PM
 
Originally Posted by Big Mac
You should be hired by Citibank as a PR person!

This was a case of computer programming malpractice. No project management decision can possibly take the blame for this fundamentally broken security.
Features, Schedule, Budget. Pick any two and the third is determined for you. As with all projects, it's all about trade-offs.
     
LegendaryPinkOx
Senior User
Join Date: Dec 2002
Location: petting the refrigerator.
Jun 16, 2011, 10:55 AM
 
I think we should totally foreclose on them.
are you lightfooted?
     