Crooks Nab Citibank ATM Codes, Steal Millions

An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."
  • by cheros ( 223479 ) on Thursday June 26, 2008 @04:52PM (#23956755)

    Disclaimer: I just joined the company that has dreamt up this stuff.

    For the use of biometrics to be safe you need the following conditions:

    1 - it must still be a combination of what you KNOW and what you have. The solution is to name the fingers, i.e. think of a word like "fox" and then give a character to each finger. Only you know which finger you have called "f", "o" and "x".
    2 - biometrics are yours. They have no place in a central database where anyone can make a mess by replacing or erasing them, and what isn't stored cannot be abused. Thus: using biometrics to replace PIN code is fine by me, provided it stays local to the device. In other words, the prints are a device/token enabler, not the actual method of authentication and/or authorisation. Oh, and the relevant storage area should not be accessible other than by the token comparator engine - export MUST be made verifiably impossible.
    3 - "detached" and fake fingerprints should be rejected. Solution: don't be a cheapskate when you build this stuff and use the best, RF based reader. Even if you make the fake prints conductive it's going to be VERY hard (we've tried).

    Biometrics are good because you can't forget them. But they're yours, and yours only.

  • by Anonymous Coward on Thursday June 26, 2008 @04:57PM (#23956903)

    As someone who works for a company that makes banking software, I have to tell you - the entire banking industry isn't worried about security.

    Sounds surprising, right? That 4 digit little code is just like putting a lock on the front door - it stops casual passers-by from just walking in and taking things.

    What banks are actually worried about is accountability. Accountability is WAY more important than security. When you use your debit card to withdraw $20, or pay for a meal at a fast food location, your transaction (and balance check, and debit hold, and finalization and 3-4 other behind-the-scenes transactions) are noted by every machine and institution they pass through.

    That's how they could know exactly which accounts were compromised.

    In fact, most of the security that exists in banking networks is of the most simple type: They keep it physically separate from the 'internet' as a whole.

    So, you can slap a device on an outgoing ATM and record cards & pins, but, these still nail you down to physical locations. In the end, that's what they rely on to catch thieves, and they have no problems moving the numbers back to their starting positions in the meanwhile.

    Remember: Security is a compromise with usability and accessibility. More of one means less of the other. Would you use an ATM if it took you 5 minutes to pass a security muster?

  • by Solandri ( 704621 ) on Thursday June 26, 2008 @05:24PM (#23957435)

    And if you're wondering whether you're affected, the compromised PINs seem to have been used at ATMs in 7-Eleven stores. Reposting here since the summary didn't mention it and it was buried near the end of the article.

    Citibank emphasizes that customers aren't responsible for fraudulent withdrawals. But the bank won't say how many consumers had their information stolen in the attack. Court documents suggest the breach is limited to those who made withdrawals during the period that the server was actively compromised. But the bank won't reveal what that period was.

    Also unclear is who was responsible for the server that was attacked, and why PIN codes, which are supposed to be transmitted only in encrypted form, were vulnerable. An FBI affidavit in the case blames a Citibank-owned server responsible for processing transactions from 7-Eleven convenience stores. But Citibank blames an unnamed "third party" transaction processing firm.

  • Re:That's why... (Score:5, Informative)

    by encoderer ( 1060616 ) on Thursday June 26, 2008 @06:43PM (#23958837)

    You're confusing two issues: An ATM Withdrawal and a Purchase.

    Any Debit Card with a Visa or MC logo carries fraud protection. They both require that funds be put back into your account within 5 business days, and many banks do it same-day, mine included. This includes provisions for overdrafts that happened because of the fraudulent deduction.

    In fact, on the Visa website, you'll see that the Debit Card page and the CC page both point to the same "Zero Liability" page.

    The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa network—online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.

    Of course, as I said, you confused 2 issues: Purchases and PIN-Based ATM withdrawals.

    If you take a cash advance from your CC at an ATM using your PIN, it won't be so simple as "okay, reversed." It's their policy that it's your duty to keep your PIN secure and secret. And that applies equally to both Credit and Debit cards.

    Don't get me wrong -- I do the same thing you do. Every online purchase, and many offline, I use my Credit Card and pay it off when the statement comes. But I do it for the added benefits: Points, extra warranty on everything I buy, etc.

    And because I don't always check my bank balances every day. My bank has refunded fraudulent debit card purchases for me twice, and the money was back in my account within an hour or so, but I worry about the time that I don't check it for a couple days and the money isn't there when I need it. Sure, the bank will fix it promptly, but that doesn't help if I have a cart full of groceries.

    Not to mention, the worst thing that could happen if your CC is fraudmeistered is that you can't charge anything until it's fixed. There's a lot more headache involved if your checking acct was just drained.

    But I wouldn't worry about fraud response from banks. Visa and Mastercard are literally making BILLIONS off Americans using the debit cards in place of cash. They don't want to scare you off.

  • by theophilosophilus ( 606876 ) on Thursday June 26, 2008 @07:07PM (#23959159) Homepage Journal

    My parents took out a Sears card about 5 years ago to get a deal on carpet and then put the card in the filing cabinet and left it. About 2 months ago they got a bill from Citibank stating that they purchased several thousand dollars of something in Paris. Turns out that Sears sold all their accounts off to Citibank. My father immediately called Citibank and they were absolute jerks. They couldn't understand that my Dad didn't even own a Citibank card (and had never been to Paris). Evidently, someone had gotten the number and activated the old Sears (now Citi) account. After several calls to the VERY rude customer support Dad simply drove to Citibank's fraud prevention unit which isn't very far from their home. Fraud prevention is run out of the Midwest and very helpful but the plain customer service people suck.

    Further, Citibank's fraud detection must be absolutely horrible. If this was the same security breach, Citi didn't know about it even in March. Further, one large random charge in a foreign country on a card that hasn't been used in 5 years should raise some warning flags. In stark contrast, about two weeks ago Wells Fargo discovered fraud on my card. Turns out someone had my number and was testing its validity with online purchases. The sad sad sad thing is that the transaction that they found odd was a $1 purchase of a weight lifting dietary supplement. I guess even Wells Fargo knows I'm a geek.
  • by Anonymous Coward on Thursday June 26, 2008 @07:25PM (#23959479)

    I've done consultancy work for Citibank as an external contractor working on security for some of their internal systems.

    My experience of them is that they will cut as many corners as possible in order to save money & that their internal people are very good at passing the buck to someone else.

    It's not "sour grapes" on my part either - I walked away from them in the end because they were a nightmare to work with & have never looked back.

  • Re:Clever... (Score:3, Informative)

    by CastrTroy ( 595695 ) on Thursday June 26, 2008 @09:20PM (#23960945)

    Well, with only 10,000 possible PINs, it wouldn't matter to store the hashes, because either would be trivial to break. Many ATM cards and systems support up to 6 digits, but it's not advisable to use them, because there are still a lot of machines that don't accept 6-digit PINs. Either way, it would be trivially easy to generate the rainbow tables for every 6-digit numeric string.
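To put numbers on the point above, here is an added example (not code from the post, from Citibank, or from any real ATM network): an unkeyed hash of a 4-digit PIN falls to a full enumeration in at most 10,000 hash operations (a 6-digit one in at most a million), whereas a digest keyed with a secret the verifier never exports gives that enumeration nothing to match, leaving only rate-limited online guesses at the terminal. The `PinVerifier` class and its in-process key are a hypothetical model of the keyed-digest-plus-lockout idea, standing in for the HSM-held keys real networks use.

```python
import hashlib
import hmac
import itertools
import secrets

# Constructed example: unkeyed hash of a short numeric PIN versus a keyed
# digest whose key stays with the verifier (hypothetical model, not a real
# ATM PIN verification scheme).

def bare_hash(pin: str) -> str:
    """Plain SHA-256 of the PIN: what 'just store the hashes' means."""
    return hashlib.sha256(pin.encode()).hexdigest()

def keyed_hash(pin: str, key: bytes) -> str:
    """HMAC-SHA256 of the PIN under a secret key the verifier never exports."""
    return hmac.new(key, pin.encode(), hashlib.sha256).hexdigest()

def offline_search(digest: str, digits: int = 4):
    """Model of someone holding a stolen digest but no key: try every numeric
    PIN of the given length against the unkeyed hash.
    Returns (recovered_pin_or_None, number_of_candidates_tried)."""
    tried = 0
    for combo in itertools.product("0123456789", repeat=digits):
        tried += 1
        candidate = "".join(combo)
        if bare_hash(candidate) == digest:
            return candidate, tried
    return None, tried

class PinVerifier:
    """Online verification: keyed digest at rest plus a retry limit, so a
    breach of the stored digest alone does not yield the PIN."""
    def __init__(self, pin: str, max_attempts: int = 3):
        self._key = secrets.token_bytes(32)   # never leaves the verifier
        self._digest = keyed_hash(pin, self._key)
        self.attempts_left = max_attempts

    def stored_digest(self) -> str:
        """What a database breach would expose: the keyed digest only."""
        return self._digest

    def verify(self, guess: str) -> bool:
        """Constant-time compare; every call, right or wrong, costs an attempt."""
        if self.attempts_left <= 0:
            return False                      # locked out after too many tries
        self.attempts_left -= 1
        return hmac.compare_digest(keyed_hash(guess, self._key), self._digest)
```

Running `offline_search` on `bare_hash("4821")` recovers the PIN in under ten thousand hashes, while the same search over `PinVerifier("4821").stored_digest()` comes back empty and the verifier itself only allows a handful of guesses.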
