How Hackers Acquired 350K Citi Customer Records | APIsec (2024)

Note: This series simplifies and analyzes breach/exploit reports, which are usually cryptic and legal-led, to help other enterprises avoid the same mistakes.

Hackers were able to acquire the personal data of over 350K customers from Citi’s web application. Citi managed over 21M customers when the breach happened, so this breach exposed just over 1% of the customer base.

What was exposed?

  • Customer names
  • Account numbers
  • Contact information

How was this hack perpetrated?

Through a technique known as parameter tampering, which affects both web applications and APIs.

How does parameter tampering work?

For example, let’s take this simple scenario.

Let’s assume the vulnerable app had these endpoints.

GET: /customers/{account-number} // returns customer info, e.g. name etc.
GET: /customers/{account-number}/accounts // returns customer account info etc.
GET: /customers/{account-number}/contacts // returns customer contact info etc.

Note: The {account-number} param can be a path param like the one above, or it could be a query or body param like the example below. The exploit works the same way across all these scenarios.

GET: /customers?account-number=val // returns customer info, e.g. name etc.

Criteria for a successful attack?

This exploit works when there is a flaw in the app’s business logic. A missing validation or a missing role assignment can allow any user of the app to request information belonging to any other user/customer, just by knowing that customer’s account number.

What made it much worse?

Predictable account numbers, e.g. incremental numbers such as 100034567, 100034568, etc. These allow an attacker to automate the attack and harvest large contiguous ranges of records without having to fish for specific numbers on the web.
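Because the automation described above leaves a distinctive footprint (one principal reading many distinct, consecutive account numbers in a short span), it is also what a defender should alert on. The following detection logic is an added example, not code from the article or from APIsec; the log format and the user names are constructed and hypothetical, and the thresholds are assumptions to tune per application.

```python
import re
from collections import defaultdict

# Constructed sample access log (hypothetical format):
# <timestamp> user=<principal> <method> <path> <status>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z user=alice GET /customers/100034567 200
2024-05-01T10:00:03Z user=alice GET /customers/100034567/contacts 200
2024-05-01T10:01:00Z user=mallory GET /customers/100034567 200
2024-05-01T10:01:01Z user=mallory GET /customers/100034568 200
2024-05-01T10:01:02Z user=mallory GET /customers/100034569 200
2024-05-01T10:01:03Z user=mallory GET /customers/100034570 200
2024-05-01T10:01:04Z user=mallory GET /customers/100034571 200
2024-05-01T10:02:00Z user=bob GET /customers/100034568/accounts 200
"""

# Matches /customers/{account-number} and any sub-resource under it.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) (?P<method>\S+) "
    r"/customers/(?P<acct>\d+)(?:/\S*)? (?P<status>\d{3})$"
)


def parse_log(text):
    """Return (user, account_number, status) tuples for customer-resource requests."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((m["user"], int(m["acct"]), int(m["status"])))
    return events


def longest_sequential_run(numbers):
    """Length of the longest run of consecutive integers among the distinct values."""
    ordered = sorted(set(numbers))
    if not ordered:
        return 0
    best = cur = 1
    for prev, nxt in zip(ordered, ordered[1:]):
        cur = cur + 1 if nxt == prev + 1 else 1
        best = max(best, cur)
    return best


def detect_enumeration(events, min_distinct=3, min_run=3):
    """Flag principals that successfully read many distinct accounts forming a
    sequential run. Only 200s count here: once object-level authorization is
    in place the same scan shows up as a burst of 403/404s, which deserves
    its own rule but is a different signal."""
    per_user = defaultdict(list)
    for user, acct, status in events:
        if status == 200:
            per_user[user].append(acct)
    findings = {}
    for user, accts in per_user.items():
        distinct = len(set(accts))
        run = longest_sequential_run(accts)
        if distinct >= min_distinct and run >= min_run:
            findings[user] = {"distinct_accounts": distinct, "longest_sequential_run": run}
    return findings


if __name__ == "__main__":
    print(detect_enumeration(parse_log(SAMPLE_LOG)))
```

In the constructed log, alice and bob only touch the accounts they own, while mallory walks five consecutive account numbers and is the only principal flagged. In production the same counting would be done per time window (per user, per session or per API key), and a user legitimately entitled to many accounts (a branch employee, a support role) needs an allow-list or a higher threshold so the rule does not page on normal work.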

What won’t work in thwarting these kinds of attacks

It doesn’t matter if these endpoints sit behind authentication. Attackers will usually use stolen credentials to access these paths.

It doesn’t matter if these endpoints were never disclosed in the customer web apps. There are several ways to identify undisclosed endpoints.

Fuzz testing doesn’t detect these exploits.

Web scanners won’t help detect these exploits either; they focus on injection and fuzzing attacks rather than on tailored scenarios like these.

Static code analysis won’t help either. These scenarios require live testing.

How to protect your Apps and APIs against these attacks?

Design best practice: never use incremental IDs to identify records in your database. Instead, use random UIDs. This slows down the attack, since random UIDs are much harder to guess or fish for.

Continuously scan and validate the access-control logic on all endpoints. As the product grows, these vulnerabilities become commonplace.

Use a Type-2 scanner: one that looks beyond injection attacks for business-logic vulnerabilities, including RBAC, ABAC, hijack and sensitive-data-exposure attacks, etc.
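To make the flaw and its fix concrete, here is the /customers/{account-number} handler from the scenario above in two forms, followed by the random-UID lookup the design advice calls for. This is an added example written for this article, not Citi’s code or APIsec’s; the framework is omitted (a handler is just a function returning a status and a body), and the customer records, account numbers and user names are constructed, hypothetical values.

```python
import secrets

# Constructed sample data: internal records keyed by the kind of sequential
# account number the article describes (hypothetical values).
CUSTOMERS = {
    "100034567": {"name": "Alice Example", "contact": "alice@example.test"},
    "100034568": {"name": "Bob Example", "contact": "bob@example.test"},
}

# Which account numbers each authenticated principal owns (constructed).
OWNERSHIP = {
    "alice": {"100034567"},
    "bob": {"100034568"},
}


def get_customer_vulnerable(session_user, account_number):
    """The business-logic flaw described above: the caller is authenticated
    (session_user is known), but the handler never checks that session_user
    owns account_number, so whatever number is in the path is served.
    Shown only as the 'before' half of the comparison."""
    record = CUSTOMERS.get(account_number)
    if record is None:
        return 404, {"error": "not found"}
    return 200, record


def get_customer_hardened(session_user, account_number):
    """Object-level authorization: the record is served only if the
    authenticated user owns the requested account. Answering 404 rather than
    403 avoids confirming to the caller that the account exists at all."""
    if account_number not in OWNERSHIP.get(session_user, set()):
        return 404, {"error": "not found"}
    return 200, CUSTOMERS[account_number]


# Random public identifiers (the article's "random UID" advice). The map from
# opaque token to internal account number lives server-side; the sequential
# internal number never appears in a URL, query string or request body.
PUBLIC_ID_TO_ACCOUNT = {}


def issue_public_id(account_number):
    """Mint an unguessable public identifier for an internal account number."""
    token = secrets.token_urlsafe(16)  # 128 bits of randomness, URL-safe
    PUBLIC_ID_TO_ACCOUNT[token] = account_number
    return token


def get_customer_by_public_id(session_user, public_id):
    """Defense in depth: resolve the opaque token, then still enforce
    ownership. Random IDs slow enumeration down; they do not replace the
    authorization check, which is the actual fix."""
    account_number = PUBLIC_ID_TO_ACCOUNT.get(public_id)
    if account_number is None:
        return 404, {"error": "not found"}
    return get_customer_hardened(session_user, account_number)


if __name__ == "__main__":
    # bob asking for alice's account: served by the flawed handler, refused by the fixed one
    print(get_customer_vulnerable("bob", "100034567"))
    print(get_customer_hardened("bob", "100034567"))
    token = issue_public_id("100034567")
    print(token, get_customer_by_public_id("alice", token))
```

The ownership check is the line that would have stopped the breach; it belongs in every handler that takes a record identifier from the client, including the /accounts and /contacts sub-resources, and a Type-2 scan should exercise each of them with one user’s session and another user’s identifier to confirm it is there.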



Article information

Author: Aracelis Kilback
