Citibank security hole
from the there-is-no-excuse-for-this dept
As a Citibank credit card holder I often check my account statement online. In fact, I don't even get paper statements from them. I recently discovered a security hole in their system. Anyone can view transaction records of any account holder, without any password or username. Don't believe me? Click on this link. That's the monthly membership fee for my account with Citibank. There is absolutely no excuse for this type of security hole from any online site, much less a bank.
Reader Comments
Look closer...
https://www.accountonline.com/CB/amount.jsp?POSTING_DATE=10%2F20%2F00&SALE_DATE=10%2F20%2F00&TRANSACTION_TYPE_TEXT=ANONYMOUS+USAGE&REFERENCE_NUMBER=00000000&PERSON_NAME=&TRANSACTION_AMOUNT=1000.00&FOREIGN_CURRENCY=&MERCHANT_DESCRIPTION=ANONYMOUS+USAGE+OCT+00-SEP+01++++++++++++&SIC_DESCRIPTION=++++++++++++++++++++++++++++++++++++++++&STATEMENT_DATE=10%2F19%2F00
Now this would all change if account number and any reference numbers were part of the URL passed.
Greg
The URL is secure
Otakudo - The Way of the Nerd.