A computer security researcher says he has found several flaws in Citibank's online payment service C2it.com. The flaws could potentially expose customer account information and even enable a malicious criminal to move money out of a victim's c2it.com. A Citibank spokesperson said the company is "continuing to take all necessary steps to ensure our c2it site is effectively protected."
Computer security specialist Dave Devitry released details of the security problem on the popular Bugtraq mailing list late Monday. He told MSNBC.com that the flaw — known in security circles as the "cross-site scripting vulnerability" — opened Citibank customers up to a myriad of problems.
"You could automatically transfer cash out of bank accounts and credit cards. You could also access account numbers and bank accounts," Devitry said. Attackers could also get lists of credit card numbers stored on C2it.com servers. The card numbers included a secret 3-digit security code generally printed on the back of the credit card, Devitry said. Generally, merchants are instructed not to store the security codes with the credit card numbers.