Earlier yesterday I came across this article in the New York Times: Thieves Found Citigroup Site an Easy Entry. At first I thought, “Man, another big site had their customer data compromised”, but as I continued reading it became clear this incident is a little bit different; especially the nature of the attack described in the article. The marketing and PR departments for these brands – and in this case Citigroup – need to be a little more careful about the kind of technical information that gets released when shit hits the fan.
Think of it as a mansion with a high-tech security system — but the front door wasn’t locked tight.
After reading through the article and the retarded nature of the attack, you can’t think of it as a mansion with a high-tech security system; not even close. Some context on this attack:
In the Citi breach, the data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data. The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
So all these thieves needed to do was log in with their own (or even someone else’s) Citigroup account and, lo and behold, the account number was sitting in the address bar after login. Changing it gave them access to someone else’s account. A little script repeated this for thousands of accounts and scraped the details.
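To make the flaw concrete, here is an added example (not code from Citi or from the article): a request handler that trusts the account number in the URL, the same handler with an ownership check, and a small log check for the one-session-many-accounts pattern. The account data, log format and threshold are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample data for the example: two customers, one account each.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 120.50},
    "1002": {"owner": "bob", "balance": 80.00},
}

class Forbidden(Exception):
    """Raised when a session asks for an object it does not own."""

def get_account_vulnerable(session_user, account_id):
    """Mirrors the flaw described in the article: the account number comes
    straight from the URL and is looked up without checking that it belongs
    to the logged-in user, so any customer can read any other account."""
    return ACCOUNTS[account_id]

def get_account_hardened(session_user, account_id):
    """Fix: the id in the URL is only a reference; the server decides access
    by comparing the object's owner with the authenticated session. Missing
    and foreign accounts get the same answer so ids cannot be probed."""
    acct = ACCOUNTS.get(account_id)
    if acct is None or acct["owner"] != session_user:
        raise Forbidden("account not accessible to this session")
    return acct

# Constructed access-log lines in a hypothetical format; the attack pattern
# is a single session walking through many different account ids.
LOG = """\
sess=s1 user=alice GET /account?id=1001
sess=s1 user=alice GET /account?id=1001
sess=s2 user=mallory GET /account?id=1001
sess=s2 user=mallory GET /account?id=1002
sess=s2 user=mallory GET /account?id=1003
sess=s2 user=mallory GET /account?id=1004
"""
LINE = re.compile(r"sess=(\S+) user=(\S+) GET /account\?id=(\d+)")

def flag_enumeration(log_text, max_distinct_ids=2):
    """Return the sessions that requested more distinct account ids than a
    genuine customer plausibly owns (the threshold is an assumption)."""
    seen = defaultdict(set)
    for m in LINE.finditer(log_text):
        sess, _user, acct_id = m.groups()
        seen[sess].add(acct_id)
    return sorted(s for s, ids in seen.items() if len(ids) > max_distinct_ids)
```

The ownership check is the fix; the log check only tells you after the fact that someone walked the id space.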
This process was described by “security experts” as “especially ingenious”. Really?!? This is the oldest trick in the book: mess around with the URL until you get somewhere. These “security experts” should get fired if this kind of attack was surprising to them.
The “what can we do, we got hacked” wagon has become extremely popular in recent years, especially this year, but this Citigroup incident is different. There is no excuse for being on the “we are retards, we got hacked” wagon. When your “high-tech security system” amounts to changing account numbers in URLs, what else can someone find if they look harder?
How does one get to this position? I think at the root of the problem is the thinking that people working in technology are interchangeable cogs in a giant machine. When you are building the pyramids, yes, you can get 40,000 slaves and have them drag giant slabs of rock into place and stack them with virtually no way for an error to occur. And yes, you can get another 40,000 slaves to replace the first 40,000 and they will still drag and stack the rocks as well as the previous 40,000 did. That mentality works when the tasks at hand are fairly simple and mechanical, such as building the pyramids or the production line at Ford. It is absolutely not valid in technology, yet there are many executives, project managers, and software architects today who think it’s possible.
The other part of the problem has to do with measuring expertise. The above assumption that developers, architects, designers, etc. are interchangeable also leads to the flawed assumption that a developer with 10 years of experience can replace any other developer with 10 years of experience. It is easy to arrive at that assumption when you think of these tasks as mechanical, such as building the pyramids or putting the wheels on a car. 10 years of development experience doesn’t carry the same weight it did 30 years ago. Most developers today got into it while they were teenagers, and hence by the time they graduate from university they already have 10 years of experience developing stuff. Also, there are more technologies available today for the average developer to experiment with and try out than there were 30 years ago. That is why building technology systems, and development in general, is a combination of science and art. The Sistine Chapel would have looked different if Leonardo da Vinci had painted it instead, even if he got the same directions from the Pope. The Pyramids would have looked the same regardless of where the 40,000 slaves came from.
So an online application that deals with people’s credit card accounts failing at this level doesn’t give me the warm fuzzy feeling I should be getting when I read “Citi has implemented enhanced procedures to prevent a recurrence of this type of event.” – if I were a customer.
Where else did you not do the due diligence you owe your customers? What other skeletons are in the closet? The New York Times article should have started out like this:
Think of it as a tent with a zipper — but the zipper wasn’t closed.