Crooks Nab Citibank ATM Codes, Steal Millions 282
An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."
Depends on how you use biometrics (Score:5, Informative)
Disclaimer: I just joined the company that has dreamt up this stuff..
For the use of biometrics to be safe you need the following conditions:
1 - it must still be a combination of what you KNOW and what you have. The solution is to name the fingers, i.e. think of a word like "fox" and then give a character to each finger. Only you know which finger you have called "f", "o" and "x".
2 - biometrics are yours. They have no place in a central database where anyone can make a mess by replacing or erasing them, and what isn't stored cannot be abused. Thus: using biometrics to replace PIN code is fine by me, provided it stays local to the device. In other words, the prints are a device/token enabler, not the actual method of authentication and/or authorisation. Oh, and the relevant storage area should not be accessible other than by the token comparator engine - export MUST be made verifiably impossble.
3 - "detached" and fake fingerprints should be rejected. Solution: don't be a cheapskate when you build this stuff and use the best, RF based reader. Even if you make the fake prints conductive it's going to be VERY hard (we've tried).
Biometrics are good because you can't forget them. But they're yours, and yours only.
Re:Time to look into other means of security (Score:3, Informative)
As someone who works for a company that makes banking software, I have to tell you - the entire banking industry isn't worried about security.
Sounds surprising right? That 4 digit little code is just like putting a lock on the front door - it stops casual passer-bys from just walking in and taking things.
What banks are actually worried about is accountability. Accountability is WAY more important than security. When you use your debit card to withdraw 20$, or pay for a meal at a fast food location, your transaction (and balance check, and debit hold, and finalization and 3-4 other behind-the-scenes transactions) are noted by every machine and institution they pass through.
That's how they could know exactly which accounts were compromised.
In fact, most of the security that exists in banking networks is of the most simple type: They keep it physically separate from the 'internet' as a whole.
So, you can slap a device on an outgoing ATM and record cards & pins, but, these still nail you down to physical locations. In the end, that's what they rely on to catch thieves, and they have no problems moving the numbers back to their starting positions in the meanwhile.
Remember: Security is a compromise with usability and accessibility. More of one means less of the other. Would you use an ATM if it took you 5 minutes to pass a security muster?
If you're a Citibank customer (Score:5, Informative)
Re:Thats why... (Score:5, Informative)
You're confusing two issues: An ATM Withdrawal and a Purchase.
Any Debit Card with a Visa or MC logo carries fraud protection. They both require that funds be put back into your account within 5 business days, and many banks do it same-day, mine included. This includes provisions for overdrafts that happened because of the fraudulent deduction.
In fact, on the Visa website, you'll see that the Debit Card page and the CC page both point to the same "Zero Liability" page.
Of course, as I said, you confused 2 issues: Purchases and PIN-Based ATM withdrawals.
If you take a cash advance from your CC at an ATM using your PIN, it won't be so simple as "okay, reversed." It's their policy that its your duty to keep your PIN secure and secret. And that applies equally to both Credit and Debit cards.
Don't get me wrong -- I do the same thing you do. Every online purchase, and many offline, I use my Credit Card and pay it off when the statement comes. But I do it for the added benefits: Points, extra warranty on everything I buy, etc.
And because I don't always check my bank balances every day. My bank has refunded fraudulent debit card purchases for me twice, and the money was back in my account within an hour or so, but I worry about the time that I don't check it for a couple days and the money isn't there when I need it. Sure, the bank will fix it promptly, but that doesn't help if I have a cart full of groceries.
Not to mention, the worst thing that could happen if your CC is fraudmeistered is that you can't charge anything until it's fixed. There's a lot more headache involved if your checking acct was just drained.
But I wouldn't worry about fraud response from banks. Visa and Mastercard are literally making BILLIONS off Americans using the debit cards in place of cash. They don't want to scare you off.
My parents (presumably) got hit by these guys (Score:4, Informative)
Further, Citibank's fraud detection must be absolutely horrible. If this was the same security breach, Citi didn't know about it even in March. Further, one large random charge in a foreign country on a card that hasn't been used in 5 years should raise some warning flags. In stark contrast, about two weeks ago Wells Fargo discovered fraud on my card. Turns out someone had my number and was testing its validity with online purchases. The sad sad sad thing is that the transaction that they found odd was a $1 purchase of a weight lifting dietary supplement. I guess even Wells Fargo knows I'm a geek.
Re:What... no citibank commercial quotes? (Score:2, Informative)
My experience of them is that they will cut as many corners as possible in order to save money & that their internal people are very good at passing the buck to someone else.
It's not "sour grapes" on my part either - I walked away from them in the end because they were a nightmare to work with & have never looked back.
Re:Clever... (Score:3, Informative)