Pick a Number, Win the Lotto – How Citibank was Hacked


In an earlier post, I talked about a major design flaw in secure USB flash drives that were designed by SanDisk and OEMed to several other vendors. The basic problem was that the user's password was validated outside of the FIPS 140-2 security boundary, so the same unlock code worked on every drive no matter what the user's password was. The analogy was prying a numeric keypad off of a wall and touching the two wires together to open the door.

Citibank has a similar problem on its hands, one that allowed hackers to steal information on 360,000 account holders. In the Citibank case, after a user logs into the Citi Account Online system, the URL (the website address at the top of the browser window) changes to include a series of numbers identifying the user's account. So far, no problem.

However, it was discovered that any Citibank customer account could be accessed by simply changing those numbers, according to The New York Times. Not quite as bad as touching two wires together to open the door, but pretty close. One would think that if a new set of numbers was entered from a computer that had not already logged into that account, a login screen would come up to ask for the user name and password. Sadly, this was not the case.

Since the length of the number is fixed, it becomes a simple matter to write a program that generates every possible number of that length and then uses each one to visit the Citibank website, where names, account numbers, and email addresses can be read.
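The flaw described above is what application security people call an insecure direct object reference: a login is required, but the account number in the URL is then trusted as the authorization decision. The following is an added example, not Citibank's code or anything from the Times report, with constructed accounts, sessions and request records. It shows the "before" handler that serves any account number to any logged-in session, the "after" handler that refuses an account the session's user does not own, and a simple detector for a session walking through many account numbers.

```python
# Added illustration (not Citibank's code). Accounts, sessions and the
# request log are constructed sample data for the demo.

ACCOUNTS = {  # constructed: account number -> owner and contact details
    "100001": {"owner": "alice", "email": "alice@example.com"},
    "100002": {"owner": "bob", "email": "bob@example.com"},
    "100003": {"owner": "carol", "email": "carol@example.com"},
}
SESSIONS = {  # constructed: session token -> authenticated username
    "sess-alice": "alice",
    "sess-bob": "bob",
}


def vulnerable_view(session_token, account_number):
    """'Before': a valid login is required, but ANY account number is served."""
    if session_token not in SESSIONS:
        return 401, None
    rec = ACCOUNTS.get(account_number)
    return (200, rec) if rec else (404, None)


def hardened_view(session_token, account_number):
    """'After': the account must belong to the user bound to this session."""
    user = SESSIONS.get(session_token)
    if user is None:
        return 401, None
    rec = ACCOUNTS.get(account_number)
    if rec is None or rec["owner"] != user:
        # Same response for "not yours" and "does not exist", so the status
        # code cannot be used to tell which account numbers are live.
        return 404, None
    return 200, rec


def enumeration_suspects(requests, threshold=3):
    """Detection: sessions that request more distinct account numbers than
    one customer plausibly owns. `requests` is a list of (session, account)."""
    seen = {}
    for sess, acct in requests:
        seen.setdefault(sess, set()).add(acct)
    return sorted(s for s, accts in seen.items() if len(accts) >= threshold)
```

The hardened handler is the check the post says was missing: changing the number in the URL must re-enter the authorization decision, not bypass it.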

The best analogy is that you are outside of a block of houses with automatic doors that can be unlocked by calling a phone number unique to each house. You have a PC connected to your mobile phone that can dial a thousand numbers a second. As you are dialing, you watch the doors. When a door opens, you go inside and make copies of interesting papers, then dial the next number.

I can only assume that the design of this system was never run by security professionals, or if it was, they were overruled. The security boundary was not large enough and while they may have been encrypting customer data to protect it on the disk, they left the front door wide open.

Could this breach have been prevented through the use of one time passwords (like an RSA SecurID) or a smart card? Probably not, because entering the right series of numbers didn’t even invoke the authentication system.

I really hope that the board of directors and perhaps a government agency or two will address the extreme negligence that allowed this hack to take place. If you are a CIO or CSO, you may want to have a talk with your development team to see if your system is implemented in a similar manner.
