NY Times Humiliates Itself on Citi Hack Story

It is really hard to believe that in 2011 two technology reporters for ‘the paper of record’ could humiliate themselves and their paper so completely by botching a simple technology story. I don’t think I’ve ever seen a story as screwed up as this one; literally. — They didn’t get a few facts wrong, they got the whole story wrong.

Ok, the topic is computer security -but before your eyes glaze over- TRUST ME a third grader could follow it. — As long as that third grader was not part of the layers and layers of fact checkers and editors at the New York Times.

And while I’ll explain the technology (in an easy way, honest) you don’t need to know a thing about computers to know the story is bogus simply because it is not internally consistent. They spend half the story telling us how easy the hack was the other half telling us how sophisticated the hack was. Which is it?

And I’m purposely leaving the byline of Nelson Schwartz and Eric Dash in the story because they should forever be tied to this steaming pile of dung. As a formatting convention, I’m underlining the parts of the story that are pure poppycock and I’ll bold the important parts.

Thieves Found Citigroup Site an Easy Entry

Using the Citigroup customer Web site as a gateway to bypass traditional safeguards and impersonate
actual credit card holders, a team of sophisticated thieves cracked into the
bank’s vast reservoir of personal financial data, until they were detected in a
routine check in early May.

That allowed them to capture the names, account numbers, e-mail addresses and
transaction histories of more than 200,000 Citi customers, security experts
said, revealing for the first time details of one of the most brazen bank
hacking attacks
in recent years.

In the Citi breach, the data thieves were able to penetrate the bank’s
defenses by first logging on to the site reserved for its credit card customers.

Once inside, they leapfrogged between the accounts of different Citi
customers by inserting various account numbers into a string of text located in
the browser’s address bar
. The hackers’ code systems automatically repeated this
exercise tens of thousands of times — allowing them to capture the confidential
private data.

The method is seemingly simple, but the fact that the thieves knew to focus
on this particular vulnerability marks the Citigroup attack as especially
ingenious, security experts said.

One security expert familiar with the investigation wondered how the hackers
could have known to breach security by focusing on the vulnerability in the
browser. “It would have been hard to prepare for this type of vulnerability,
  [Complete bullshit -ED]    The security expert insisted on anonymity because the inquiry was at an
early stage.

The expertise behind the attack, according to law enforcement officials and
security experts, is a sign of what is likely to be a wave of more and more
sophisticated breache
s by high-tech thieves hungry for credit card numbers and
other confidential information.

So let’s review what these super elite ubber hackers did that was so impossible to prepare for… They saw their own credit card number in the URL in the address bar and they tried changing it out for another card number and BINGO the system coughed up information.

EEEEEW I hope you were impressed by their mad hacker high school skillz. — This really wasn’t even a hack, it was finding a big fat hairy bug that even no rookie programmer should have left.

Folks, this ain’t rocket science. You don’t put account numbers (or passwords etc) where people can see them. DUH! — You know that and you’re not a NYT expert.

It does not say what language they used on the site but I’ll give you an example in PHP (which is the most widely used programming language on the web) it is a simple as using a POST command instead of a GET command. They do the same thing but a GET puts the information in the address bar and a POST hides it.

And how many programming degrees from Ivy league schools do you need to learn this bit of esoteric computer security? Well if you learn beginning programming at Lynda.com they teach it at hour 3 of a 22 hour course. It’s one of the first things you learn as a programmer.

But maybe with the financial sector on the skids, Citi couldn’t spring for the 25 bucks a month for Lynda.com.. NO PROBLEM. Here’s a free video tutorial explaining it. Mind you this is a 22 minute video and you should watch the other 80 minutes first. So if you use the free site you should get to it about an hour and a half after you start to learn programming.

In other words, any moron who learned programming from youtube should have known this.

And the New York Times “expert’ who says there was no way the bank could have foreseen that? I just wonder which of the two authors asked his 8 year old to be an expert for him. No ‘expert’ in the world would say something so stupid. If I were their editor I WOULD ASK WHO THE EXPERT WAS. They did not interview an expert, they made the quote up themselves or similar.

I know that most people become reporters because they don’t have the skills to do anything else… but geeze you’d think two technology reports and their ‘expert’ would at least come close to getting it right…

But if you think that, you’d be expecting too much… These morons have no clue what they are talking about. QED

]]>< ![CDATA[Note: Other languages than PHP do it differently of course but in EVERY language,  not transmitting sensitive data like card number and passwords in the clear (unencrypted) is something you learn basically on day one.  No 'sophisticated teams' of hackers required.

The Old Girl's New Tricks, Part V
"Wingnut Debt Ceiling Demands"
  • James H

    Spell check your headline.

  • Ken in Camarillo

    Paul, you are completely correct. I you were an inquisitive type and happened to look at the url and see your own data, you would not be able to resist experimenting to see what would happen with other data instead of your own. It seems likely therefore that this was a young person who was curious.

  • Paul

    Thanks James, new keyboard and I had all sorts of typos… naturally I leave the big one. sigh.

  • Paul

    The bigger question Ken is ‘How long was this bug there before someone found it?’

    With the number of users Citi has I wouldn’t expect a bug like that to last more than a day myself.

  • Jim Addison

    Heads should roll at Citi for allowing such a basic breach of security.

    At NYT, not so much. At one time, back when Abe Rosenthal was running the show, if you saw something stated as fact in the NYT you could take it to the bank – even in opinion pieces. But the principal owners, the Sulzberger-Ochs families, were determined to elevate their scion, Pinch, and shoved old Abe aside along with his antiquated notions of accuracy and fact-checking.

    NYT is now all about the narrative. Their motto has changed from “All the news that’s fit to print” to “All the news that fits, we print.” If it fits the narrative, it’s too good to check or correct.

    Apparently Citi is on the “good” list this week.

  • James H

    Paul: I have always found my spelling errors doubly embarrassing when accusing others of stupidity.

  • Cindermutha

    I think we went over that in week 2 of my php class. And that is only because week 1 was going over the syllabus

  • Paul

    Yeah it was a case of “Blogger Humiliates himself by misspelling humiliates.”

    But I’ll take the occasional typo vs this train wreck.

  • WildWillie

    Okay computer wizards. How do I secure my AT&T WIFI? I can’t figure it out. ww

    Paul, great to see you back.

  • Infinitus est Numerus Stultorum

    I wonder which bottom basement offshore code mill built this stuff? Having said that, someone at Citi should have been code-reviewing and raised a red flag. This is incompetence bordering on sabotage!

  • GarandFan

    People still read the NYT’s?

  • James H

    WW: Send me your IP Address, username and password, and your Mastercard number.

  • Paul

    WW I’m not actually here. 😉

    I just had to come out the shadows for Charles Johnson making a Weiner out of himself and this was just so egregiously stupid, I had to blast them…

    But having said that, I spoke to Kevin the other day (after the last Weiner update) and told him “I’ll see you in a year or two when something gets to me.”

    Blogging once or maybe twice a year is fine with me… I’m actually exceeding my ‘sell by’ date rapidly making this many posts. 😉

    Have a good one.


  • Kenny


    Assuming you have the default ATT wireless router:

    Log in to your router (typically

    click on the home network tab.

    click on the wireless settings option.

    Make your changes and save.

  • WildWillie

    Thanks Kenny.

    James H, the information should be coming to you very soon. 😉

    Paul, come on. Join the party. Kick it up a knotch. ww

  • James H

    Actually, spelling and grammar errors drove me away from reading the NYT as much as I used to.

    If a newspaper skimps on checking basic grammar and spelling, I also think the newspaper is skimping on its fact-checkihg.

  • Gmac

    The NYT is guilty of gross stupidity and lack of factual content, but that’s their problem because I don’t read them on or offline.

    BTW, that’s not a hack, its an exploit.