The Ingenious Infiltration of Citigroup


An IT expert speaking with The New York Times called it a Mission Impossible-like operation. Last month, a team of unidentified hackers accessed information on 200,000 Citigroup bank accounts by simply waltzing through the "front door" of Citigroup's customer website. The bank came under fire last week for waiting nearly a month before notifying customers that their account information had been compromised (the stolen information includes names, account numbers and e-mail addresses). But it may face further scrutiny as news spreads of how simple, yet clever, the hacking mission was. The Times has the details:

Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate actual credit card holders, a team of sophisticated thieves cracked into the bank’s vast reservoir of personal financial data, until they were detected in a routine check in early May...

The data thieves were able to penetrate the bank’s defenses by first logging on to the site reserved for its credit card customers. Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data.

The method is seemingly simple, but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious, security experts said.
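The weakness the Times describes is a missing server-side check that the account number in the address bar belongs to the logged-in customer. The sketch below is an added example, not code from Citigroup or the Times: it shows that ownership check and a simple log review that flags a session requesting many accounts it does not own. The URL path, the `acct` parameter, the user names and the log lines are all constructed assumptions.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs

# Constructed ownership table: accounts each logged-in customer may view.
OWNED = {"alice": {"1001"}, "bob": {"1002", "1003"}, "carol": {"1004"}}

# Constructed access log: "<session user> <method> <url>" (hypothetical format).
SAMPLE_LOG = """\
alice GET /card/summary?acct=1001
bob GET /card/summary?acct=1002
bob GET /card/summary?acct=1003
carol GET /card/summary?acct=1004
carol GET /card/summary?acct=1001
carol GET /card/summary?acct=1002
carol GET /card/summary?acct=1003
alice GET /card/summary?acct=1002
"""

def authorize(user, account):
    """Server-side check: the requested account must belong to the session user."""
    return account in OWNED.get(user, set())

def parse_line(line):
    """Return (user, account number from the query string or None)."""
    user, _method, url = line.split()
    accounts = parse_qs(urlsplit(url).query).get("acct", [])
    return user, (accounts[0] if accounts else None)

def flag_enumeration(log_text, threshold=3):
    """Map each user to the foreign accounts requested, if at least `threshold`."""
    foreign = defaultdict(set)
    for line in log_text.splitlines():
        user, account = parse_line(line)
        if account is not None and not authorize(user, account):
            foreign[user].add(account)
    return {u: sorted(a) for u, a in foreign.items() if len(a) >= threshold}

if __name__ == "__main__":
    print(flag_enumeration(SAMPLE_LOG))
```

With the check enforced on every request, a changed account number is refused, and the count of refused requests per session gives the routine check something to alert on.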

A security expert speaking with the Times had no idea how the hackers figured out the vulnerability in the browser. “It would have been hard to prepare for this type of vulnerability,” he said. Meanwhile the article dives into the shadowy world of data theft and how this hacker team was likely assembled. “It’s like ‘Mission Impossible’ when they select the teams,” said Mark Rasch of CSC, an information technology services firm. “And they don’t know each other, except by hacker handle and reputation.” When coordinating these kinds of missions, the hackers separate into specialties, reports the Times.

For example, some hackers specialize in prying out customer names, account numbers and other confidential information... Brokers then sell that information in the Internet bazaars. Criminals use it to impersonate customers and buy merchandise. Finally, “money mules” wire home the profits through outlets like Western Union or MoneyGram.

The Times writes that this shadow economy is growing larger by the year. In 2010, 3.8 million personal records were stolen, much of that credit and debit card information, according to the Secret Service and a firm that investigates credit card fraud. According to Reuters, the attack on Citigroup is finally waking banks up to the fact that they need to beef up their security.

Banks and credit card companies have tolerated a certain amount of fraud in their systems because the cost of additional security would not justify the potential savings, according to David Robertson, publisher of The Nilson Report, which follows the payment industry.

He said typical payment-card fraud can average $1,000 to $1,500 per incident -- relatively low amounts because criminals do not want to raise red flags.

But hackers with direct access to bank accounts would pose a much bigger threat as they can seek out much bigger one-time heists. "The potential for fraud in an online banking environment is monumentally different than with payment cards," he said.

This article is from the archive of our partner The Wire.