Citi Accounts Were Hacked via URL
The Consumerist (via Matt Gemmell):
Basically after you logged into your account as a Citi customer, the URL contained a code identifying your account. All you had to do was change around the numbers and boom, you were in someone else’s account.
The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said.
If this is what it sounds like, it’s absurd to call it a vulnerability in the browser, and neither ingenious nor hard to prepare for.
Apparently being smarter than a turnip now also makes you smarter than an anonymous security specialist who is credible enough to be quoted in a major newspaper.