One security expert familiar with the investigation wondered how the hackers could have known to breach security by focusing on the vulnerability in the browser
and these people get paid??
does show you how differently peoples brains work though, I would have expected a junior developer to have pointed out the obvious flaw in that system and here's a security expert can't see the problem. Unless citigroup vet all account holders via psychological profiling before giving them an account number of course. Hmm. Consultancy opportuinity.