After the string of hacks against Sony, many people assumed it was an isolated case: one company that had simply been negligent about security and was not going to change, while everyone else was presumably smarter. Reports circulating over the past few weeks have shown that such security problems are not exclusive to Sony.
The examples are numerous. Just a few days ago the UK's National Health Service (NHS) had administrator passwords obtained by the hacker group LulzSec, and it did not notify its users either. Then the Conservative Party of Canada discovered that its website had been hacked, with a donor list subsequently leaked. Finally, the United States Senate was hacked within a fortnight of the US government declaring that a hack could be treated as an “act of war”. The list goes on: Bethesda, Minecraft, EVE Online servers, The Escapist and League of Legends.
The impression all of this leaves is that hacking these services is easy. LulzSec, the group behind many of the incidents, clearly thinks so too. Just how easy it can be is illustrated by the recently disclosed hack described below.
The Daily Mail has reported that Citigroup, one of the largest banking institutions in the world, was hacked and around 200,000 accounts were compromised. The hack was accomplished simply by changing the numbers in a URL: the site handed back whatever account number appeared in the address bar without checking that the account belonged to the user making the request, so the number in the URL was effectively treated as proof of ownership. Can you imagine that? You don't need a single DOS command or any hacking utility; a browser and an Internet connection are enough, and all you have to do is edit a few digits in the URL to reach many people's banking details. However, the worst part is that the company's investigators claimed such a vulnerability would have been hard to prepare for.
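The weakness described above is what application-security people call an insecure direct object reference: a record identifier in the URL is used to fetch the record, but nobody checks that the caller is allowed to see it. The following is an added example, not code from the article or from Citigroup's systems, that models the weak handler beside its hardened form and runs the attacker's enumeration loop against both. The URL shape (`/account?acct=<number>`), the account records, the session tokens and the `bank.example` host are all constructed assumptions for illustration.

```python
# Added example, not from the article: an insecure direct object reference
# (the URL-tampering weakness in the text) beside the ownership check that
# closes it. All data, URLs and session tokens below are constructed.
from typing import Optional
from urllib.parse import parse_qs, urlparse

# Constructed sample data: account number -> owning user and balance.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 2500.00},
    "1002": {"owner": "bob", "balance": 13.37},
    "1003": {"owner": "carol", "balance": 98000.00},
}

# Constructed sessions: session token -> authenticated user.
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


def account_from_url(url: str) -> Optional[str]:
    """Extract the account number from a URL like /account?acct=1001 (assumed shape)."""
    values = parse_qs(urlparse(url).query).get("acct")
    return values[0] if values else None


def view_account_vulnerable(session_token: str, url: str) -> Optional[dict]:
    """Weak pattern: the session only proves that *someone* is logged in.

    The account number taken from the URL is never compared with who that
    someone is, so any logged-in user can read other customers' records by
    editing the digits in the address bar.
    """
    if session_token not in SESSIONS:
        return None  # not logged in at all
    return ACCOUNTS.get(account_from_url(url))


def view_account_hardened(session_token: str, url: str) -> Optional[dict]:
    """Fix: resolve the caller from the session, then require that the requested
    account belongs to that caller. Unknown and foreign accounts get the same
    answer so the check does not reveal which account numbers exist."""
    user = SESSIONS.get(session_token)
    if user is None:
        return None
    record = ACCOUNTS.get(account_from_url(url))
    if record is None or record["owner"] != user:
        return None
    return record


def enumerate_accounts(view, session_token: str, start: int, stop: int) -> list:
    """Walk a range of account numbers the way the attack in the article does
    and report which ones the given handler returns to this session."""
    leaked = []
    for n in range(start, stop):
        url = f"https://bank.example/account?acct={n}"  # assumed URL shape
        if view(session_token, url) is not None:
            leaked.append(str(n))
    return leaked


if __name__ == "__main__":
    # Bob is logged in with his own session and walks account numbers 1000-1009.
    print("vulnerable:", enumerate_accounts(view_account_vulnerable, "sess-bob", 1000, 1010))
    print("hardened:  ", enumerate_accounts(view_account_hardened, "sess-bob", 1000, 1010))
```

Run stand-alone, the vulnerable handler gives Bob all three accounts while the hardened one gives him only his own. The practical check is exactly the loop above: log in as one user, change the identifier in the URL, and expect a denial for every record that user does not own. Note that the fix is the ownership comparison, not a longer or less guessable account number; an identifier that is hard to guess still leaks once it appears in a screenshot, a log or a referrer header.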
Industry observers found it hard to understand how changing a URL in a browser to steal 200,000 people's personal data could be considered so sophisticated that it could not have been stopped.
This seems to be the point where a security breach stops being merely a malicious attack and becomes negligence on the company's part. The question is why 200,000 bank clients should have to worry about suddenly discovering that they owe thousands of dollars in countries they have never even lived in.