Home

 
     HOME     ARTICLES     Frank DAIGNAULT     TROPHY RIGS     CONTENTS     FAQs     FLY FISHING     OFF ROAD 4 X 4     STRIPED BASS    SURFCASTING
 
Go Back   StriperSurf Forums > The Frat House > Computers, etc

Computers, etc Computers, Networking, Printers, Electronics, TV's, SAT Radio, iPods and why you too hate Microsoft.

Reply
 
Thread Tools Display Modes
  #1  
Old 07-01-2008, 07:57 PM
Bob D'Amico's Avatar
Bob D'Amico Bob D'Amico is offline
Publisher, StriperSurf
 
Join Date: Sep 1998
Location: Franklin Park, NJ
Posts: 20,493
eek Citibank ATM breach reveals PIN security problems

Citibank ATM breach reveals PIN security problems


Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs ? the numeric passwords that theoretically are among the most closely guarded elements of banking transactions ? by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.

Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption ? which means encoding them to cloak them to outsiders ? some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

"PINs were supposed be sacrosanct ? what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."

It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.

That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others.

A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.

All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.

They could have gained administrative access to the machines ? which means they had carte blanche to grab information ? through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice ? sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.

Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.

Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.

"This was fairly large, but I don't think it's anything out of the ordinary ? these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."

The alleged plot is outlined in court papers supporting the prosecution of three people ? Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.

Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.

Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.

"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.

Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.

"Fiserv," she said, "is confident in the integrity and security of our system."
__________________
Bob D'Amico

Reply With Quote
  #2  
Old 07-01-2008, 09:05 PM
StriperKnight's Avatar
StriperKnight StriperKnight is offline
Moderator
 
Join Date: Nov 2002
Location: Jackson, New Jersey
Posts: 2,313
Default Re: Citibank ATM breach reveals PIN security problems

They had inside help on that one.
Reply With Quote
  #3  
Old 07-01-2008, 09:47 PM
Jess's Avatar
Jess Jess is online now
Administrator
 
Join Date: Nov 2003
Location: Berkeley Township
Posts: 9,534
Default Re: Citibank ATM breach reveals PIN security problems

I'm guessing it pays to change your pin every so often..
__________________
Guns, Guts and God made this Country
Lets not lose any of them!

----------------------------------------------------
Untied we Stand
Divided we will Fall!
Reply With Quote
  #4  
Old 07-01-2008, 10:41 PM
Bob D'Amico's Avatar
Bob D'Amico Bob D'Amico is offline
Publisher, StriperSurf
 
Join Date: Sep 1998
Location: Franklin Park, NJ
Posts: 20,493
Default Re: Citibank ATM breach reveals PIN security problems

Quote:
Originally Posted by StriperKnight View Post
They had inside help on that one.
Inside where, Citibank, Cardtronics or Fiserv?
__________________
Bob D'Amico

Reply With Quote
  #5  
Old 07-02-2008, 10:42 AM
StriperKnight's Avatar
StriperKnight StriperKnight is offline
Moderator
 
Join Date: Nov 2002
Location: Jackson, New Jersey
Posts: 2,313
Default Re: Citibank ATM breach reveals PIN security problems

"All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist."


1. Wherever this server is (does not say what company) an employee probably sold access codes. I have seen cases where disgruntled employees post access codes to things on the 'net.

or
2. They used a really good phishing scam and people willingly gave up their pin codes.
I had scam come in an e-mail from one of my credit cards that looked so good it fooled my wife.
Reply With Quote
Reply


Thread Tools
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

vB code is On
Smilies are On
[IMG] code is On
HTML code is On
Forum Jump


All times are GMT -4. The time now is 09:32 PM.


Powered by vBulletin® Version 3.6.6
Copyright ©2000 - 2019, Jelsoft Enterprises Ltd.
Copyright 1998 - 2016 StriperSurf.com, All Rights Reserved