
Crooks Nab Citibank ATM Codes, Steal Millions

An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."


  • by Anonymous Coward on Thursday June 26, 2008 @04:15PM (#23955853)

    It seems clear that insider fraud is responsible. PIN codes are not afaik transmitted anywhere, they are checked locally by the terminal, not sent to any server. The fact that Citibank are taking responsibility for the fraud is unusual, if PIN codes are stolen they would normally try to blame the customer first. What probably happened is that an insider stole the PIN codes and account information being sent to new card users and provided these to accomplices who used them to create fake cards.

  • by pclminion ( 145572 ) on Thursday June 26, 2008 @04:16PM (#23955873)

    What difference is the PIN going to make when the way they were acquired in the first place was by breaking into a database?

    This problem is already solved. It's called an RSA dongle. "Oh, but it's a pain!" So is having your checking account cleared out.

  • by The Warlock ( 701535 ) on Thursday June 26, 2008 @04:17PM (#23955905)

    Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.

  • by zonky ( 1153039 ) on Thursday June 26, 2008 @04:18PM (#23955937)
    yet only in June do they issue new pins? Nice.
  • Bad Summary (Score:0, Insightful)

    by Anonymous Coward on Thursday June 26, 2008 @04:20PM (#23955973)

    Hacker != Criminal

  • by Gat0r30y ( 957941 ) on Thursday June 26, 2008 @04:20PM (#23955979) Homepage Journal
    That sounds all well and good until Russian hackers break into the fingerprint, retinal scan, and colon map database the bank keeps. The real solution here is security at the server.
  • by The Warlock ( 701535 ) on Thursday June 26, 2008 @04:22PM (#23956047)

    I imagine it's a lot easier to type in a PIN stolen from a database than it is to, um, change your thumbprint or the pattern of the veins in your retina to one stolen from a database.

    Perhaps I'm missing something.

  • Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.

    The trouble with biometrics is that it can't be changed. Additionally, the various ways have bad flaws:

    • Fingerprints are a terrible idea because you leave a copy of your private key on everything you touch.
    • Voice recognition is a terrible idea because everyone within earshot can hear your private key.
    • Retinal scanning would fail if someone was in an accident or had surgery or something.

    As a general rule, I wouldn't use my fingerprint to protect anything that's worth more to a criminal than my finger is to me.
    http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm [bbc.co.uk]

  • by supersat ( 639745 ) on Thursday June 26, 2008 @04:26PM (#23956161)

    PINs are encrypted and sent across the network. These crooks managed to intercept the PINs at one of the servers that processed them.

    If PINs were checked locally, then every ATM would need to be able to determine the correct PIN for every card inserted into it, which means that one of them could be turned into a PIN-producing machine.

  • Citibank (Score:3, Insightful)

    by whisper_jeff ( 680366 ) on Thursday June 26, 2008 @04:31PM (#23956267)
    Ok, I'm Canadian so I could be very wrong, but it certainly seems that Citibank is regularly the target of hackers/phishers/scammers. I often get emails from Citibank asking me to update my account information (obviously, I don't have an account...) but other banks seem to be subject to similar attacks far less often. Were I American, methinks I'd be picking just about any bank other than Citibank...
  • by InlawBiker ( 1124825 ) on Thursday June 26, 2008 @04:32PM (#23956287)

    From the article: "...What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry. Citibank spokesman Robert Julavits says the bank "has complied with all applicable notification requirements."

    But according to the Payment Card Industry's own rules and the disclosure laws of NY, in the event of a breach the company must follow these rules:

    * Notification: Most expedient time possible, without unreasonable delay

    * Civil or criminal penalty for failure to promptly disclose

    So in other words they were more than happy to keep this secret to themselves.

  • by gnick ( 1211984 ) on Thursday June 26, 2008 @04:40PM (#23956475) Homepage

    No - he's spot on. Of course biometric scanners can be deceived. His point is that it's much more difficult to trick a fingerprint scanner than it is to type in four numbers. There's no infallible way to secure the machines - But they could be made much more secure without a major inconvenience to the end user.

    The big problem is the expense of implementation.

  • by j00r0m4nc3r ( 959816 ) on Thursday June 26, 2008 @04:52PM (#23956765)
    Of course biometric scanners can be deceived. His point is that it's much more difficult to trick a fingerprint scanner than it is to type in four numbers.

    When there's $2+ million on the line you can bet the baddies will take the time to work out a solution.
  • Re:Citibank (Score:3, Insightful)

    by Arccot ( 1115809 ) on Thursday June 26, 2008 @05:01PM (#23957003)

    Ok, I'm Canadian so I could be very wrong, but it certainly seems that Citibank is regularly the target of hackers/phishers/scammers. I often get emails from Citibank asking me to update my account information (obviously, I don't have an account...) but other banks seem to be subject to similar attacks far less often. Were I American, methinks I'd be picking just about any bank other than Citibank...
    It's just because they're huge, they get targeted more often. It's the same problem with Chase Bank.

    But yes, using a smaller bank would help, even if it is possibly less convenient.
  • Re:Thats why... (Score:5, Insightful)

    by Beardo the Bearded ( 321478 ) on Thursday June 26, 2008 @05:32PM (#23957585)

    It's why I moved all my purchasing from debit to credit.

    The dispute resolution for M/C is a lot easier:

    "I didn't buy this."

    "Okay, reversed."

    vs. the bank:

    "I didn't make that withdrawal."

    "Well, we'll have to review the security tapes, check your whereabouts, and in 12-16 months, we'll credit your account."

    Also, I get 1% cash back on the M/C. And no, I don't carry a balance.

  • by penguin_dance ( 536599 ) on Thursday June 26, 2008 @05:36PM (#23957683)

    From the article:
    Three months had passed since Citibank notified the FBI that a hacker managed to steal customer-account numbers and PIN codes, in an attack on a server that processes transactions from Citi-branded ATMs at 7-Eleven convenience stores. In late February and early March, the FBI and the U.S. Secret Service arrested two Ukrainian immigrants and two alleged co-conspirators for allegedly using the stolen PINs to steal $2 million in cash from unsuspecting Citibank customers.

    Okay that answers the question on how they got the PINs. They didn't need the physical cards, they just hacked and got the bank account numbers with PINs. I'm going to guess that they let this go on to catch the bad guys, but THREE MONTHS? And obviously they weren't telling customers there had been a breach and that they should change their pin number.

    Maybe that's one solution...at least for those of us who know better. A way to be able to go in and change your pin number on a regular basis. But it doesn't matter if you have 4-digit pin or a 16-digit PIN if the bank is going to keep the Acct. number together with the PIN.

    I believe lawyers felt a shift in the Force.
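The two points made above, that PINs are checked at a host rather than in the ATM (supersat's comment) and that a breach is only fatal if the host keeps the account number together with a usable PIN (penguin_dance's comment), worked through as an added example. This is not code from the thread or from any bank's real system: the ISO 9564-1 format-0 PIN block is real, but the verification value uses an HMAC as a stand-in for the IBM 3624 offset or Visa PVV schemes, the "HSM" is simulated, the transport encryption of the block under a terminal key is left out, and every key, account number and PIN is constructed for the example.

```python
"""
Model of host-side PIN verification (added example; not from the thread
and not any bank's actual system).

The ATM never decides whether a PIN is right: it packs the PIN into an
ISO 9564-1 format-0 PIN block bound to the account number and ships it to
the host.  The host keeps no clear PINs; it stores only a verification value
computed inside a (here simulated) HSM, so a dump of the account table does
not yield PINs.  All keys, account numbers and PINs are constructed.
"""
import hmac
import hashlib

# Constructed stand-in for a key that would live only inside an HSM.
HSM_PIN_VERIFICATION_KEY = b"example-hsm-key-never-leaves-the-hsm"


def _pan_field(pan: str) -> bytes:
    """'0000' + the 12 rightmost PAN digits excluding the check digit."""
    if len(pan) < 13 or not pan.isdigit():
        raise ValueError("PAN must be at least 13 digits")
    return bytes.fromhex("0000" + pan[-13:-1])


def iso0_pin_block(pin: str, pan: str) -> bytes:
    """Build an ISO 9564-1 format-0 PIN block (8 bytes).

    PIN field: '0' + PIN length + PIN digits, right-padded with 'F' to 16 hex chars,
    XORed with the PAN field.  Binding the block to the PAN means a block
    captured for one account does not decode correctly for another.
    """
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4 to 12 digits")
    pin_field = bytes.fromhex(f"0{len(pin):X}{pin}".ljust(16, "F"))
    return bytes(a ^ b for a, b in zip(pin_field, _pan_field(pan)))


def pin_block_to_pin(block: bytes, pan: str) -> str:
    """Recover the PIN from a format-0 block; in practice done only inside the HSM."""
    pin_field = bytes(a ^ b for a, b in zip(block, _pan_field(pan))).hex().upper()
    if pin_field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(pin_field[1], 16)
    pin, padding = pin_field[2:2 + length], pin_field[2 + length:]
    if not (4 <= length <= 12 and pin.isdigit() and set(padding) <= {"F"}):
        raise ValueError("malformed PIN block (wrong PAN or corrupted)")
    return pin


def pin_verification_value(pan: str, pin: str) -> str:
    """The value the host stores instead of the PIN (simulated HSM operation).

    With only four PIN digits, the secrecy of the key is all that stops an
    offline guess, which is why the key must never sit in the same database.
    """
    msg = f"{pan}:{pin}".encode()
    return hmac.new(HSM_PIN_VERIFICATION_KEY, msg, hashlib.sha256).hexdigest()[:16]


def enroll(accounts: dict, pan: str, pin: str) -> None:
    """Store only the PAN and its verification value, never the PIN itself."""
    accounts[pan] = {"pvv": pin_verification_value(pan, pin)}


def host_verify(accounts: dict, pan: str, pin_block: bytes) -> bool:
    """Host-side check: unpack the block in the HSM and compare verification values."""
    record = accounts.get(pan)
    if record is None:
        return False
    try:
        pin = pin_block_to_pin(pin_block, pan)
    except ValueError:
        return False
    return hmac.compare_digest(record["pvv"], pin_verification_value(pan, pin))


def database_contains_pin(accounts: dict, pin: str) -> bool:
    """What a dump of the account table exposes: is the PIN stored in the clear?"""
    return any(pin in record.values() for record in accounts.values())


def demo() -> dict:
    accounts = {}
    pan, pin = "4000001234567899", "7391"          # constructed sample values
    other_pan = "5100009876543210"                  # constructed second account
    enroll(accounts, pan, pin)
    return {
        "correct_pin_accepted": host_verify(accounts, pan, iso0_pin_block(pin, pan)),
        "wrong_pin_rejected": not host_verify(accounts, pan, iso0_pin_block("0000", pan)),
        # a block built for another account fails the format check for this one
        "cross_account_block_rejected": not host_verify(accounts, pan, iso0_pin_block(pin, other_pan)),
        "pin_stored_in_clear": database_contains_pin(accounts, pin),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the design is the last key in `demo()`: even with the whole account table in hand, an attacker still has to get the verification key out of the HSM before the stored values are worth anything. The 7-Eleven processor described in the article was evidently not in that position, which is what made the stolen records directly usable.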

  • by Sechr Nibw ( 1278786 ) on Thursday June 26, 2008 @05:44PM (#23957853)
    That wasn't Citibank notifying you of potential identity theft - that was a potential thief.
  • The Solution (Score:4, Insightful)

    by IMustBeNewHere ( 899319 ) on Thursday June 26, 2008 @06:10PM (#23958271) Journal

    The EMV-card.

    On this type of card, the magnetic strip is replaced by a microcontroller with various cryptographic features (aka smart card) that are supposed to secure transactions and make the card a PITA to clone.

    http://en.wikipedia.org/wiki/EMV [wikipedia.org]

    It is a quite recent innovation. It was only standardized oh ... 9 years ago, and its backers - VISA and Mastercard - are relatively unknown companies.

    This is probably why many banks are wary about issuing EMV cards yet ... or that they are cheapskates. I'm not sure which.
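The "PITA to clone" claim above, worked through as an added example that is not part of the thread and is a simplified model rather than the EMV specification's own algorithms: real EMV derives per-card keys with TDES from an issuer master key and computes a MAC over a defined list of transaction fields, while here HMAC-SHA256 stands in for both, and all keys, account numbers and unpredictable numbers are constructed.

```python
"""
Why a chip card resists cloning where a magstripe does not (added example;
simplified model, not the EMV specification).

A magstripe carries only static data, so a copy is as good as the original.
A chip holds a secret key that never leaves it and produces a cryptogram over
data the terminal picks fresh for each transaction, plus a counter (ATC), so
recorded data cannot simply be replayed.  Constructed values throughout.
"""
import hmac
import hashlib

ISSUER_MASTER_KEY = b"constructed-issuer-master-key"   # stays in the issuer's HSM


def derive_card_key(pan: str) -> bytes:
    """Per-card key, personalised into the chip at issuance (simplified)."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def transaction_data(amount_cents: int, unpredictable_number: int, atc: int) -> bytes:
    """Canonical encoding of the fields the cryptogram covers."""
    return f"{amount_cents}|{unpredictable_number:08X}|{atc:04X}".encode()


def cryptogram(key: bytes, amount_cents: int, unpredictable_number: int, atc: int) -> bytes:
    return hmac.new(key, transaction_data(amount_cents, unpredictable_number, atc),
                    hashlib.sha256).digest()[:8]


class ChipCard:
    """Holds the card key and an application transaction counter (ATC)."""

    def __init__(self, pan: str):
        self.pan = pan
        self._key = derive_card_key(pan)   # never leaves the chip
        self.atc = 0

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: int):
        self.atc += 1
        return self.atc, cryptogram(self._key, amount_cents, unpredictable_number, self.atc)


class MagstripeClone:
    """What a skimmer gets: static data plus whatever it recorded, but no key."""

    def __init__(self, pan: str, recorded: tuple):
        self.pan = pan
        self.recorded = recorded   # (atc, cryptogram) captured from one genuine transaction

    def generate_cryptogram(self, amount_cents: int, unpredictable_number: int):
        return self.recorded       # can only replay


class Issuer:
    """Issuer host: re-derives the card key and checks cryptogram and counter."""

    def __init__(self):
        self.last_atc = {}

    def verify(self, pan: str, amount_cents: int, unpredictable_number: int,
               atc: int, mac: bytes) -> bool:
        if atc <= self.last_atc.get(pan, 0):
            return False   # replayed or out-of-order counter
        expected = cryptogram(derive_card_key(pan), amount_cents, unpredictable_number, atc)
        if not hmac.compare_digest(expected, mac):
            return False
        self.last_atc[pan] = atc
        return True


def demo() -> dict:
    pan = "4000001234567899"           # constructed
    card, issuer = ChipCard(pan), Issuer()

    # Genuine transaction at terminal 1 (unpredictable number chosen by the terminal).
    atc, mac = card.generate_cryptogram(2500, 0x1A2B3C4D)
    genuine_ok = issuer.verify(pan, 2500, 0x1A2B3C4D, atc, mac)

    # A copy of that transaction is presented at terminal 2 with a fresh number.
    clone = MagstripeClone(pan, (atc, mac))
    c_atc, c_mac = clone.generate_cryptogram(2500, 0x5E6F7081)
    replay_ok = issuer.verify(pan, 2500, 0x5E6F7081, c_atc, c_mac)

    # The genuine card keeps working afterwards.
    atc3, mac3 = card.generate_cryptogram(1000, 0x9A8B7C6D)
    genuine_again = issuer.verify(pan, 1000, 0x9A8B7C6D, atc3, mac3)

    return {"genuine_accepted": genuine_ok,
            "clone_replay_rejected": not replay_ok,
            "genuine_second_accepted": genuine_again}


if __name__ == "__main__":
    print(demo())
```

Two independent checks stop the replay in `Issuer.verify`: the counter has already been seen, and the cryptogram does not match the new unpredictable number. The static magstripe has no way to produce either, which is the whole difference the comment is pointing at.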

  • by Braino420 ( 896819 ) on Thursday June 26, 2008 @06:11PM (#23958305)

    In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.
    They could be doing it on purpose. The supermarket and stores aren't nearly safe, from BoA's standpoint, as the ATMs are. The ATMs have cameras and it is easy to cover your PIN. The supermarket has no cameras and people all around.
  • Citibank, PCI-DSS (Score:2, Insightful)

    by DillyP ( 1075379 ) on Thursday June 26, 2008 @07:27PM (#23959521)
    Correct me if I am wrong, but Citibank is not necessarily the company to be blaming for the breach... the article states that the actual source of the breach is unknown. Although, it would be quite ironic if the breach did occur on a Citibank server/database considering that the credit card companies drive the PCI-DSS standards that are supposed to be in place to avoid these breaches. The source of the breach obviously didn't meet the PCI compliancy requirements if the hackers had the PIN numbers (and the rest of the information) which is supposed to be encrypted.
  • Re:Thats why... (Score:3, Insightful)

    by encoderer ( 1060616 ) on Thursday June 26, 2008 @07:27PM (#23959527)

    Yes, that's how I read it, anyway. My understanding is that Visa doesn't make much money from PIN transactions, so they don't guarantee them. Goes back to the "Your PIN is your Responsibility" schtick.

    Of course, I see more and more stores that actually give me an incentive to pay using a PIN-based transaction. The Jewel supermarkets around here give you 1% off your bill. I imagine that's because they're paying more than 1% to Visa when you sign. I can't imagine any other reason that they'd give you that much off!
