As has been widely reported now, Citibank was “hacked” a few weeks ago and the personal account information of 200,000 – no wait, 360,000 – customers was stolen. I use the word “hack” loosely, because when you understand how it occurred, you can’t help but scratch your head and think “Is this really the best security a financial organization can provide?”
As the New York Times and other outlets have reported, the breach occurred by manipulating the URL or address that appears in the browser when you log onto the Citigroup site. In the same articles, they refer to the attackers as “especially ingenious” and “sophisticated cyber criminals”. Really? Let’s break this down with a really simple example:
Let’s say you log onto a web site using your “5551212” account number and the address shown at the top of the browser is:
hxxps://reallysecuresite.com/account/5551212
Hmmm. Your account number is listed right there in the address. Maybe it has a few extra digits or is rearranged a little, but there it is, in plain text for the world to see. Now, you reach into your friend’s wallet and notice he has a credit card with the account “5551313.”
Does it really take a super genius to try editing the address in the browser to now read:
hxxps://reallysecuresite.com/account/5551313
You would think that if you tried this, the “reallysecuresite” would realize you are trying to access a different account and ask you for a different set of login credentials. Apparently not if you are Citigroup. In the case of this recent breach, since the user was already “authenticated” from the first login, they are not asked for any additional credentials. They can happily try thousands of different random numbers and, if they stumble upon a legitimate account, they are now shown the details of that account – as if they had logged onto the site with that account’s credentials.
So that’s what the cyber criminals did. They created a script that generated hundreds of thousands (or millions) of random account numbers and tried entering those numbers into the address string. This takes all of about 2 or 3 lines of script to code. Not rocket science for even the most junior of “hackers.” There was no custom malware involved here, no vulnerability in the browser, no sophistication at all. This was simply an egregious insecurity in the design of the web site. You might as well add a form on your site:
“Please enter the account number you would like to access: [____]”
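The design flaw the post describes, as an added Python example that is not part of the original post or of any Citigroup code: a lookup that trusts the account number taken from the URL, beside a version that checks the requested account against the customer who actually logged in, plus a simple check over constructed log lines that flags a session walking through many different account numbers. The account data, session model and log format are all invented for the example.

```python
"""Insecure direct object reference: trusting an identifier in the URL."""
from dataclasses import dataclass

# Constructed sample data: account number -> owning customer, and statements.
ACCOUNTS = {"5551212": "alice", "5551313": "bob"}
TRANSACTIONS = {"5551212": ["coffee 3.50"], "5551313": ["sneakers 120.00"]}


@dataclass
class Session:
    user: str  # the customer who authenticated at login


class Forbidden(Exception):
    pass


def view_account_vulnerable(session, account_no):
    """Only checks that *someone* is logged in, then trusts the URL value:
    any authenticated customer can read any account that exists."""
    if account_no not in TRANSACTIONS:
        raise KeyError(account_no)  # a different error also reveals which numbers are real
    return TRANSACTIONS[account_no]


def view_account_hardened(session, account_no):
    """Authorizes the requested object against the session before returning it.
    Unknown and foreign accounts raise the same error, so the response does not
    reveal whether a guessed number belongs to a real account."""
    if ACCOUNTS.get(account_no) != session.user:
        raise Forbidden("account not accessible from this session")
    return TRANSACTIONS[account_no]


# Constructed access-log lines: "<session_id> GET /account/<number> <status>".
SAMPLE_LOG = [
    "s1 GET /account/5551212 200",
    "s1 GET /account/5551212 200",
    "s2 GET /account/5551313 200",
    "s2 GET /account/5551314 404",
    "s2 GET /account/5551315 404",
    "s2 GET /account/5551316 404",
]


def enumeration_suspects(log_lines, threshold=3):
    """Return session ids that requested more distinct account numbers than
    threshold; a legitimate customer touches only their own few accounts."""
    seen = {}
    for line in log_lines:
        sid, _, path, _ = line.split()
        seen.setdefault(sid, set()).add(path.rsplit("/", 1)[1])
    return sorted(sid for sid, ids in seen.items() if len(ids) > threshold)
```

The authorization check belongs in the server-side handler, not in the page that builds the link; rewriting or obscuring the number in the URL without that check changes nothing.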
Citigroup boasted that the hackers “weren’t able to gain access to social security numbers, birth dates, card expiration dates or card security codes.” That’s nice. They basically logged into those accounts as if they were the legitimate customers and were able to see everything a customer could see – account numbers, email address, transaction history and more. That information is more than enough to cause serious damage, launch subsequent spear phishing attacks, or even make purchases so long as they don’t need the credit card security code. They didn’t get the mother’s maiden names either. Do you feel safer? It’s like being told by the police “A criminal broke into your house last night, but don’t worry, they didn’t take your car keys.”
I realize this is a bit of a rant, but please stop telling me the attackers were ingenious, or the attack could not have been foreseen, or that this represents some new level of cyber threat sophistication. This was just sloppy and irresponsible design on the part of Citigroup. My 15-year-old son could have done this. Come to think of it, where did he get those new sneakers?