Citigroup hacked
hooby
06-17-2011, 11:27 AM
"Hackers" obviously managed to get full credit card and personal data of around 360.000 people from Citigroup (a banking group).
The shame about this is:
They didn't actually have to do any hacking. Anyone who owns a web-banking account could take full, unlimited control of other accounts by simply changing one number (the account ID) in the URL of the browser window after logging in.
This is not bypassing security - this is just noticing that there IS NO security.
This compares to a bank storing your money behind a swing-door and then, as the sole "security measure", painting a fake keyhole onto the door. As long as no one tries to open the door without a key, everyone assumes it's safe.
This is gross negligence.
Even more gross than not securing against SQL injections (which were the cause of many later hacks, except for the first big PSN hack), which already is very gross on its own.
So, if someone comes along and "breaks in" through your swing-door that doesn't even have a lock...
Do you really think "Could have happened to anyone. Those guys were simply assholes."
- or do you think: "The bank should have anticipated that something like that would happen sooner or later. It's a sad sign that something like that had to happen to make them consider upgrading their security."
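The flaw the post describes is a missing ownership check on a client-supplied ID. The following is an added example (not Citigroup's code; the account data and function names are constructed) showing the flawed lookup next to the corrected one, which ties the ID to the server-side session.

```python
"""Added example, not Citigroup's code: an account lookup that trusts the
ID from the URL, beside the version that checks ownership first."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Account:
    account_id: int
    owner: str          # username allowed to view this account
    balance: float


# Constructed sample data: two customers, three accounts.
ACCOUNTS = {
    1001: Account(1001, "alice", 250.0),
    1002: Account(1002, "alice", 80.5),
    2001: Account(2001, "bob", 1200.0),
}


def vulnerable_view(session_user: str, account_id: int) -> Optional[Account]:
    """The flawed pattern: being logged in as anyone is the only check.
    The account_id taken from the URL is returned as-is, so changing
    that number hands back another customer's record."""
    return ACCOUNTS.get(account_id)


def secure_view(session_user: str, account_id: int) -> Optional[Account]:
    """The fix: after looking the record up, verify that the logged-in
    user (from the server-side session, not the request) owns it."""
    account = ACCOUNTS.get(account_id)
    if account is None or account.owner != session_user:
        # One answer for "missing" and "not yours", so a caller cannot
        # tell which IDs exist by probing.
        return None
    return account


def own_account_ids(session_user: str) -> list:
    """Better still: derive the selectable IDs from the session, so the
    client never has to supply an account ID that it could alter."""
    return sorted(a.account_id for a in ACCOUNTS.values()
                  if a.owner == session_user)
```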
Well that's certainly "hacking" on a whole new level.
After this discovery, I wouldn't want to be the one who built that system, my guess is he's not very popular atm.
hooby
06-18-2011, 10:22 AM
Well, the guy who made it obviously wasn't experienced in such things, and probably shouldn't have been working on a system like that. Not double-checking IDs is the single most common beginner's error. It happens once to every young programmer.
But the shocking part is:
Nobody thought that a system holding credit card data of 360.000 people would need any security testing.
Not the company that made it, not the bank that ordered it, not even some consumer organization or governmental control organ. No one cared about security at all.
Seems there wasn't even some consumer organization asking the bank why it didn't have any security certificates - or why no testing had been done by an independent security company?
So neither the developers of the software, nor the bank paying for the software, nor the government, nor the consumers/credit card holders ever gave a shit about security. No one ever even thought of it.
Well, that's gonna change. Now that all that data theft is all across the media, people will start thinking about security.
It seems this had to happen to wake people up.
Now that all that data theft is all across the media, people will start thinking about security.
Hopefully, yes.
I'm starting to wonder how many systems/sites actually are "safe and secure". But at the same time, "anything can be hacked", so what is a reasonable level of security?
I guess security certificates serve quite well as goals and achievements for a "good enough" or "great" level of security, but they don't necessarily make it impossible to hack.
Let's say Sony does an amazing job on its security and acquires a just as amazing certificate for it. Two weeks later their database is breached. Was it still a reasonable level of security?
hooby
06-18-2011, 03:12 PM
I believe the amount of security has to fit the type and amount of data stored.
If it's just a forum like this, where your account contains nothing but some username and an encrypted password - no useful data to be stolen - security surely doesn't need to be as high as at a bank.
But the best method is, to not store more data than absolutely required.
Having to re-enter just your security code and expiry date on every purchase you make is only a minor inconvenience. So the companies wouldn't need to store that data too. If someone hacked the company and stole your credit card data, they would still have to overcome those other hurdles.
Security number and credit card data don't need to be shown anywhere - ever. The owner of the card has those numbers printed onto his card. If the card gets lost, he calls the bank to have it locked anyway. There is no need to show those things inside a web-banking account. So even if the account does get hacked - the data can't get stolen.
And the best thing is - one-way encryption. Even message boards like this do this with passwords! You create an account and choose a password. That password gets encrypted in a way that cannot be decoded again. Whenever you log in, you enter your password again, and the board then encrypts the password anew and compares it to the encrypted password stored in the DB. So even if the database got stolen, the thieves would not be able to get usable passwords out of it.
That's the reason why you can only reset your password - in which case you get a new one. The old password cannot be restored.
Well, you actually could try and brute-force it, but to do so, the thief needs to know exactly how it has been encrypted. But even if the thief does know, it'd take months to break all stolen passwords, even with some serious CPU power.
This is where you reach the point where the attacker has to say that stealing some more or less anonymous message board accounts simply isn't worth the effort.
Any system can be hacked, yes. But it makes a huge difference if you can just easily walk away with millions of fully functional credit card numbers, or if it costs tons of effort and months of work to get pure credit card numbers without security code and without expiry date.
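The one-way scheme described above, as an added example that is not the forum software's own code: each account gets a random salt (an assumption; the post does not say how the board does it) and a deliberately slow hash, so a stolen table yields no passwords and cannot be attacked with one precomputed list for all users.

```python
"""Added example, not the forum's code: storing only a one-way, salted
digest of a password, and checking a login by re-deriving the digest."""
import hashlib
import hmac
import os

ALGO = "pbkdf2_sha256"
ITERATIONS = 200_000   # cost factor; raise it as hardware gets faster


def make_record(password: str, salt: bytes = None) -> str:
    """Return the string to store in the DB. The password itself is never
    stored; only a per-account salt and the PBKDF2 digest derived from it."""
    if salt is None:
        salt = os.urandom(16)            # fresh random salt per account
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, ITERATIONS)
    return "$".join([ALGO, str(ITERATIONS), salt.hex(), digest.hex()])


def verify(password: str, record: str) -> bool:
    """Re-derive the digest from the submitted password plus the stored
    salt and iteration count, then compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False                     # malformed record
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def demo() -> dict:
    """Constructed check of the properties the post relies on."""
    rec1 = make_record("correct horse")
    rec2 = make_record("correct horse")  # same password, second account
    return {
        "accepts_right": verify("correct horse", rec1),
        "rejects_wrong": not verify("correct horsE", rec1),
        "records_differ": rec1 != rec2,  # salt defeats shared precomputation
        "password_absent": "correct horse" not in rec1,
    }
```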
Executioneer
06-19-2011, 06:19 AM
Recently various other companies were also hacked, although in Spain they managed to catch the group 'Anonymous'. But a hacking group named LulzSec released statements that they managed to hack various accounts which were as yet untold of. I bet that this bank is just 1 on a long, long list...