Hackers used Citigroup website as gateway to info

Using the Citigroup customer website as a gateway to bypass traditional safeguards and impersonate actual credit card holders,a team of sophisticated thieves cracked into the banks vast reservoir of personal financial data,until they were detected in a routine check in early May.

That allowed them to capture the names,account numbers,e-mail addresses and transaction histories of more than 2,00,000 Citi customers,security experts said,revealing for the first time details of one of the most brazen bank hacking attacks in recent years.

In the Citi breach,the data thieves were able to penetrate the banks defences by first logging on to the site reserved for its credit card customers.

Once inside,they leapfrogged between the accounts of different Citi customers by inserting various account numbers into a string of text located in the browsers address bar. The hackers code systems automatically repeated this exercise tens of thousands of times allowing them to capture the confidential private data.

The method is seemingly simple,but the fact that the thieves knew to focus on this particular vulnerability marks the Citigroup attack as especially ingenious,security experts said. One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser. It would have been hard to prepare for this type of vulnerability, he said.

The financial damage to Citigroup and its customers is not yet clear. A bank spokesman said Citigroup discovered the breach in early May and the problem was rectified immediately.

The expertise behind the attack,according to law enforcement officials and security experts,is a sign of what is likely to be a wave of more and more breaches. That is because demand for the data is on the rise.