Apparently, the recent CitiGroup breach was due to an insufficient authorization error. Can you explain a bit about how this error works and how to prevent it?