Crooks Nab Citibank ATM Codes, Steal Millions
An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."
Time to look into other means of security (Score:5, Interesting)
Maybe it's just me, but a simple 4 digit number doesn't provide all that much security in my mind. How easy is it to simply glance over someone's shoulders and read their pin? Aren't there any means of verifying user identity in a quick secure manner?
I know that some banks will send their users a text message with a confirmation code, but this seems a bit inconvenient (cell battery can die, text can take a long time to arrive, etc.). Anyone on
Re:Server was breached in December.... (Score:3, Interesting)
The best comment I have to that is, "Think back to Fight Club."
The cost of the lawsuits versus the cost of the recall just isn't enough, so a few soccer moms can burn. I do have to say, though, I'm way more comfy with a bank saying, "Ehh, we'll lose the money in customer's accounts," provided the bank is the one that takes the loss.
Mine is more than 4 digits... maybe (Score:5, Interesting)
I have a Bank of America ATM card that has a six-digit PIN. The really interesting thing, though -- which I discovered by accident -- is that on Bank of America ATMs you can simply enter the first four digits and then as many random digits as you want and the code works.
In other words, say my PIN is 443672. I can enter 4436, 44367, or 4436987899979 and it will always work. This seems like a fairly serious security flaw, to me.
I know what you're thinking: "Sounds like you really only have a 4-digit PIN." But no! On other kinds of machines, say at the supermarket, I always have to enter in all 6 digits accurately. It's only Bank of America ATM machines where this is true.
In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.
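The prefix-matching behaviour this comment describes can be modelled in a few lines, which makes the cost of the flaw concrete. The following is an added example, not code from the commenter or from Bank of America: it models a verifier that compares only the first four digits next to one that requires an exact, full-length match, and measures how many digits each one actually enforces. The stored PIN is the comment's own example value, and the four-digit minimum length is an assumption standing in for whatever the network requires; a real ATM back end verifies PIN blocks inside an HSM rather than comparing plaintext strings, so only the matching rule is being illustrated.

```python
import hmac

# Sample value taken from the comment above. Real systems never hold or
# compare plaintext PINs this way; the block only models the matching rule.
STORED_PIN = "443672"
# Assumption: the shortest PIN the network allows, used as the truncation point.
MIN_PIN_LENGTH = 4


def verify_pin_truncating(entered: str, stored: str = STORED_PIN) -> bool:
    """Models the behaviour described in the comment: only the first
    MIN_PIN_LENGTH digits are compared, so any entry sharing that prefix is
    accepted and the remaining digits of a six-digit PIN add no security."""
    if not entered.isdigit() or len(entered) < MIN_PIN_LENGTH:
        return False
    return entered[:MIN_PIN_LENGTH] == stored[:MIN_PIN_LENGTH]


def verify_pin_exact(entered: str, stored: str = STORED_PIN) -> bool:
    """Hardened check: the entry must be all digits, exactly as long as the
    stored PIN, and equal in every position. hmac.compare_digest takes the
    same time regardless of where the first mismatching digit is."""
    if not entered.isdigit() or len(entered) != len(stored):
        return False
    return hmac.compare_digest(entered.encode(), stored.encode())


def effective_pin_digits(verify, stored: str) -> int:
    """Return how many digits of `stored` the verifier really enforces, by
    altering one digit at a time and checking whether the altered entry is
    still accepted. A correct verifier enforces every digit."""
    enforced = 0
    for i, d in enumerate(stored):
        altered = stored[:i] + str((int(d) + 1) % 10) + stored[i + 1:]
        if not verify(altered, stored):
            enforced += 1
    return enforced


def guess_space(verify, stored: str) -> int:
    """Number of distinct entries an attacker would have to try in the worst
    case: 10 to the power of the digits actually enforced."""
    return 10 ** effective_pin_digits(verify, stored)


if __name__ == "__main__":
    for entry in ("4436", "44367", "4436987899979", "443672"):
        print(f"{entry:>14}  truncating={verify_pin_truncating(entry)!s:5}"
              f"  exact={verify_pin_exact(entry)}")
    for name, fn in (("truncating", verify_pin_truncating),
                     ("exact", verify_pin_exact)):
        print(f"{name}: enforces {effective_pin_digits(fn, STORED_PIN)} digits,"
              f" guess space {guess_space(fn, STORED_PIN):,}")
```

Run against the comment's examples, the truncating verifier accepts 4436, 44367 and 4436987899979 and enforces only four of the six digits, a 10,000-entry guess space; the exact verifier accepts only 443672 and enforces all six, a 1,000,000-entry space. The length check in `verify_pin_exact` is what closes the gap: once the comparison is made over the full stored length, trailing digits can no longer be padding.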
Glad to know our partners are secure... (Score:3, Interesting)
On the more serious side: They insist on using REAL customer data for testing, their test systems are not in sync with production, their test practices are VERY bad....
It comes as no surprise that they've had a break-in.
I'm a Citibank customer (Score:4, Interesting)
In the alert they claim that a third party ATM network was breached but they didn't say which company's ATMs were hit. I even called and tried to find out but they wouldn't/couldn't tell me. The customer support person just kept saying "Sir, your card was breached" as if the problem was with my ATM card. Here in NY there are tons of independent ATMs around which charge anywhere from $1-$3 for a withdrawal (maybe they could use some of those fees for security). If I knew which one f'ed up I would spend my withdrawal fees elsewhere.
Citi also botched sending me a new card twice so now they've disabled my old card and have yet to send me a new one. I guess I don't have to worry about those pesky fees for a while.
Seventy percent, eh? (Score:2, Interesting)
Let me see here:
$2 million * .7 = $1.4 million. $2 million - $1.4 million = $600,000. And yet there was $1.6 million recovered in cash? Either they were welching on their 70% deal, were very slow in shipping that money back, or there was more like $5.3 million stolen by just these two. I suppose they could only pin on them the $2 million they had direct evidence for.
But if the two suckers who got caught took Citibank for at least $5 million, what do you suppose the clever ones who didn't get caught walked away with?