In light of the recent news about CitiBank's security breach, here are my personal/professional thoughts on the matter.
Disclaimer: The content in this post reflects my own opinions and experience, not that of Microsoft, my employer. Microsoft is not responsible for anything written here.
According to this article at the NY Times, as well as other news sources, here's what happened:
"...Once inside, they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browser’s address bar. The hackers’ code systems automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data..."
Really? Really? Seriously? Wow, the NYTimes isn't kidding here, are they?
If this and other news reports are to be believed, and this really is what happened, this is appalling! That's NOT a breach of security and it's NOT a hack!
The type of "hack" isn't hacking at all. Checking and sanitizing input is a fundamental programming technique! The folks at CitiBank didn't perform even this most basic approach to working with input. Forget about security for a second, what they've done is neglect fundamental, basic, novice, programming approaches. I work with both high school and college kids that already know enough to do this basic input checking, despite having no formal experience in the field.
In my personal-professional opinion, this is gross negligence, gross incompetence, or both (probably both).
As stated on Twitter by an actual security expert, Barry Dorrans from Microsoft IT:
...and...
CitiBank, shame on you.
Again, according to the same NY Times article, here's what a security expert had to say:
"One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser."
This is a security expert? The most basic testing of the CitiBank site in question would have exposed this! Additionally, the security expert quoted here is wrong. DEAD WRONG! This is NOT an exploit of any browser, not IE, not Firefox, not Chrome, not Opera. None of them. Sure, browsers have their faults; however, this isn't one of them. This is CitiBank's fault, 100%.
"“It would have been hard to prepare for this type of vulnerability,” he said. The security expert insisted on anonymity because the inquiry was at an early stage."
Wow, it does get worse. I'll say it AGAIN: the most primitive testing of the CitiBank site in question would have exposed this! And where are the IT pros? Where were the security "professionals" that are supposed to be looking at these things? Has CitiBank performed no basic checks and balances at all in the program?
It seems they haven't.
The news outlets also seem to think that this is some sort of sexy, sophisticated, Russian attack from super secret squirrel spies. The cold war is over, news organizations; cut it with the Ruzzian Haxx0rz crap.
"The expertise behind the attack, according to law enforcement officials and security experts, is a sign of what is likely to be a wave of more and more sophisticated breaches by high-tech thieves hungry for credit card numbers and other confidential information."
Expertise behind the attack? Expertise? Because at the rate they're going, this isn't going to be hard for malicious users, or regular users for that matter, to continue to "hack" them.
From ABC News...
"Citi told the Financial Times that the incident occurred in early May at Citi Account Online. With over 21 million customers in North America, according to its annual report, the breach may have exposed about one percent of its accountholders. While the bank said information like social security numbers, card security codes and birth dates were not exposed, customers may wonder if secure online banking really exists."
Considering what's gone on here, I don't believe a word from CitiBank that other data hasn't been exposed. How do they know it wasn't, especially if they missed something so blatantly obvious as input checking? If they can't get the type of basic programming principles down, I just can't believe that they can keep any of the other data safe. Jeff Blankenburg, Developer Evangelist at Microsoft, also raised this same question on his blog.
I'm happy to say I'm not a Citi customer (and now will never be), and had I been, I would have closed my account within a few minutes of reading this. Sadly, my guess is that like many companies that deal with customer accounts, it's only a bit flag that determines whether or not the account is closed. That leaves information still stored where malicious people can get to your data anyway. Sure, they might not get your money, this time, but they can get to lots of sensitive information about you, to use at another bank you might deal with. Or, to open accounts using your information at banks you don't deal with.
Recently, banks and other online sites have taken to playing a game of "20 questions" with customers in the name of security. Generally, you're now asked everything from your mother's maiden name to your first pet to your favorite college team. This means banks have more information about you than ever before, and if CitiBank has done this, which I'm sure they have, then the "hackers" probably have more information than we think.
I'm sad to say that I'm not all that shocked about this, considering how often I run across awful software in the field. Banks, however, along with other types of high profile information holding institutions, should be the bastions of security, not the bastards of it.
An open note to all developers, IT pros, DBAs, and "security experts" out there: Take a lesson from instances like this and go back and do those fundamental things you're supposed to. Then get in a crack team to try to find vulnerabilities in YOUR software, without blaming browsers and others for your mistakes.
10 Comments
Jon Skeet said
"That's NOT a breach of security" - in what way? It shows that the level of security Citi included was *woefully* inadequate, but it still looks like a breach of security to me.
If someone had a dialog box saying, "If you aren't authorised to access this website, please close your browser" and that was the only "security", then going past it would still be breaching the security. It would be the site owner's fault, but that doesn't make it any less of a security breach.
Rachel said
Jon,
I'm meaning that it's not a breach of security, because that should have been taken care of as basic input sanitation. Technically, yes, it was a security breach, but it really boils down to missing something so obvious like query string checking.
That is...
If the news outlets are correct. Which is all I have to go on at this point. (I'll give the benefit of the doubt that news orgs may have missed tech details)
KevDog said
I think the larger point, and this is where I think the eminent Mr. Skeet is mistaken, is that the reporting is inflating the skill of the thieves while giving a pass to the rank stupidity of the implementation.
Seriously, if url twiddling is all that's required to get confidential information, that's F'd up.
This is where professional licensing for software engineering makes sense. A civil engineer who signed off on a bad design is held personally and professionally accountable.
Jon Skeet said
Okay. It sounds like it's just a matter of terminology then. It's definitely not a breach of a sophisticated security system - it's a breach of the *basics* of a security system. And yes, it's amazing and saddening how often obvious things are missed :(
Rachel said
Yes, to parrot KevDog, "is that the reporting is inflating the skill of the thieves while giving a pass to the rank stupidity of the implementation."
That kind of thing gets me all kinds of wound up, as you guys can see!
Aaron Fischer said
What do you mean by input sanitization? I never expected much from these companies after they brought us "wish it was multi factor" logins.
Rachel said
Aaron,
I mean doing any sort of code to check the input to make sure it's valid. No doubt there is code there doing that, but this, if the news reports are correct, is a bit of a beginner mistake that passed through the cracks. :(
Rather than just checking if someone's logged in, make sure only that person/session can look at their own account that's logged in and not someone else's.
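The two points made above, the post's "check and sanitize input" and the comment's "make sure only that person/session can look at their own account", are easy to mix up, so here is an added example that separates them. It is not code from the post, the commenters, or Citi; it is a small Python model of an account-lookup endpoint with constructed accounts, sessions and log lines. The first handler does only what the news reports describe (confirm the caller is logged in, then trust whatever account number came in the query string); the second adds input validation and the ownership check the comment describes. A third function shows the detection side: the "repeated tens of thousands of times" pattern from the reports is a session requesting many distinct account numbers, which a simple count over access logs makes visible even before a fix ships.

```python
from urllib.parse import urlparse, parse_qs

# Constructed sample data (not real accounts): account records keyed by
# account number, and active login sessions mapped to the user they belong to.
ACCOUNTS = {
    "1001": {"owner": "alice", "balance": 250.00},
    "1002": {"owner": "bob", "balance": 9000.00},
    "1003": {"owner": "carol", "balance": 42.00},
}
SESSIONS = {"sess-alice": "alice", "sess-bob": "bob"}


class AccessDenied(Exception):
    """Raised when a request must not be served."""


def account_from_url(url):
    """Pull the 'acct' parameter out of a request URL like /account?acct=1001."""
    values = parse_qs(urlparse(url).query).get("acct", [])
    if len(values) != 1:
        raise ValueError("exactly one acct parameter expected")
    return values[0]


def view_account_vulnerable(session_id, url):
    """The pattern the reports describe: authenticate the session, then trust
    whatever account number arrived in the query string."""
    if session_id not in SESSIONS:
        raise AccessDenied("not logged in")
    return ACCOUNTS[account_from_url(url)]  # no check that this user owns it


def view_account_fixed(session_id, url):
    """Same endpoint with the two missing checks: validate the input, and
    authorize the object (the session may only read accounts it owns)."""
    user = SESSIONS.get(session_id)
    if user is None:
        raise AccessDenied("not logged in")
    acct = account_from_url(url)
    if not acct.isdigit():  # input validation: shape of the value
        raise ValueError("malformed account number")
    record = ACCOUNTS.get(acct)
    # Object-level authorization. Missing and not-owned get the same answer so
    # the endpoint does not reveal which account numbers exist.
    if record is None or record["owner"] != user:
        raise AccessDenied("account not found")
    return record


def can_view(session_id, url):
    """True if the fixed handler would serve the request, False otherwise."""
    try:
        view_account_fixed(session_id, url)
        return True
    except (AccessDenied, ValueError):
        return False


# Constructed access-log lines: "<session> <method> <path>". A legitimate user
# touches one or two accounts; a session walking account numbers touches many.
SAMPLE_LOG = [
    "sess-alice GET /account?acct=1001",
    "sess-bob GET /account?acct=1001",
    "sess-bob GET /account?acct=1002",
    "sess-bob GET /account?acct=1003",
    "sess-bob GET /account?acct=1004",
    "sess-alice GET /account?acct=1001",
]


def sessions_enumerating_accounts(log_lines, threshold=3):
    """Detection: sessions that requested at least `threshold` distinct account
    numbers. Sorted so the result is stable for reporting."""
    distinct = {}
    for line in log_lines:
        session, _method, path = line.split()
        distinct.setdefault(session, set()).add(account_from_url(path))
    return sorted(s for s, accts in distinct.items() if len(accts) >= threshold)


if __name__ == "__main__":
    print("vulnerable, bob asks for alice's account:",
          view_account_vulnerable("sess-bob", "/account?acct=1001"))
    print("fixed, same request served?", can_view("sess-bob", "/account?acct=1001"))
    print("sessions flagged:", sessions_enumerating_accounts(SAMPLE_LOG))
```

Note the order of checks in the fixed handler: "is the value well-formed" is input validation and catches garbage; "does this session own this object" is authorization and is the check that actually stops one customer reading another's account. Input validation alone would have let a well-formed but foreign account number straight through, which is why the fix is the ownership check, not tighter parsing.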
Om said
What?? They got access to account by just changing a/c number in url. I mean do they pass a/c numbers in url? That is 110% stupidity.
First thing I did when I started learning web programming was fiddling with url. Changing querystring parameters and displaying the same on the page. Ahhh that was fun.
-Om
Rick said
How did that get through testing? Let me guess, they handed it off to UAT because they had run out of time for proper testing. £500 of consultancy would have intercepted that.
Rachel said
Rick,
Yep...I agree they probably ran out of time and definitely a quick security consultant review would have exposed it.