CitiGroup recently admitted a security breach in which hackers obtained details of a large number of credit card customers. The attack itself seems to have been fairly simple. The attacker logged on normally to an account. They then ran a script which iterated through the account number in the browser address bar. According to the New York Times, they "automatically repeated this exercise tens of thousands of times — allowing them to capture the confidential private data." In OWASP Top 10 speak this was an insecure direct object reference vulnerability.
It looks like a fairly simple vulnerability, although the details are unclear. But it should not have happened. Here are three Secure Development Life Cycle (SDLC) activities which, if implemented properly, would probably have prevented this attack*:
- Authorisation checks were not implemented properly to check that the logged on customer had permission to view the details for the requested account number. This is a failure in the analysis/design phase. Whenever a user initiates a request your application should check that the user has permission to execute this particular transaction. There are two basic levels. At a coarse level, check that the user has permission to access this page. At a finer level, even when the user is allowed to access the page, check that the requested account (or resource) actually belongs to this user.
It may be that authorisation checks were designed correctly by CitiGroup, but not implemented by the development team. In this case the assurance/testing phase should have come to the rescue.
- During the assurance phase, this vulnerability should have been picked up. A penetration test which probed for various account numbers would most likely have caught this. Similarly a code review would have indicated that something was wrong. This is what the OWASP Application Security Verification Standard (ASVS) is aimed at.
- Finally, Application Monitoring during operation did not recognise the suspicious behaviour that numerous requests were coming from a single account. If proper monitoring had been in place, Citi may have been alerted much sooner (maybe in real time) to the problem. The OWASP AppSensor project could help here.
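To make the first and third points concrete, here is an added example (not code from the Citi application or any OWASP project) that contrasts a lookup trusting the account number from the URL with one that applies the coarse page-level check, the fine-grained ownership check, and an AppSensor-style counter that flags a user who keeps requesting accounts that are not theirs. The account data, user objects and the denial threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample data: account number -> owner and balance.
ACCOUNTS = {
    "10001": {"owner": "alice", "balance": 120.50},
    "10002": {"owner": "bob", "balance": 980.00},
    "10003": {"owner": "carol", "balance": 15.25},
}

# Assumed monitoring threshold: how many denied account requests one user
# may trigger before the session is flagged for investigation.
DENIED_THRESHOLD = 3
denied_counts = defaultdict(int)


class AccessDenied(Exception):
    pass


def get_account_insecure(account_id):
    """Vulnerable lookup: whatever account number arrives in the URL is
    returned, regardless of who is logged on (the IDOR pattern)."""
    return ACCOUNTS[account_id]


def get_account(user, account_id):
    """Hardened lookup. Coarse check: may this user view account pages at all?
    Fine-grained check: does the requested account belong to this user?
    Every denial is counted so monitoring can spot enumeration attempts."""
    if not user.get("can_view_accounts", False):
        raise AccessDenied("no access to account pages")
    account = ACCOUNTS.get(account_id)
    if account is None or account["owner"] != user["name"]:
        denied_counts[user["name"]] += 1
        # Same response for unknown and foreign accounts, so the caller
        # learns nothing about which account numbers exist.
        raise AccessDenied("account not available")
    return account


def is_flagged(username):
    """Monitoring hook: True once a user has exceeded the denial threshold."""
    return denied_counts[username] >= DENIED_THRESHOLD
```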
Have a look at the SDLC Main Posts page, which lists the main SDLC related posts on this blog and the most important steps in an SDLC.
- SDLC Quick Reference
- OWASP AppSensor Project
- OWASP ASVS
- OWASP Code Review
- OWASP Testing
- New York Times
- The Register
* Of course this is all speculation, since we don't know what really happened.