You might have heard that, amid the recent rash of cyber-attacks on high-profile institutions, that Citicorp got hacked. Details of some 200,000 bank accounts got compromised. But the news gets weirder when you consider how it was done, in the most blazingly obvious way.

misc_hackBriefly, credit card customers noticed that their credit card account number showed up in the URL of any given page when they were on the Citigroup website. Well, what happens when we substitute another credit card number? Oops, that shows you the page for that card! Great, let’s write a script to have wget or lynx or something run through all the 16-digit combinations and save whatever pages it finds for later phishing.

Yeah, it was that simple.

The lesson we can all take away: Think of everything! While it may seem blindingly obvious now that not hashing the account number in the user’s visible URL was a bad idea, would you have thought of a similar hole that large on your own site? One expert is quoted in that article that he: “…wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser.”

It just goes to show, anybody can be caught off-guard.