Crooks Nab Citibank ATM Codes, Steal Millions

An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."

Further development on the case

[elrous0]

Authorities report that the two Ukrainians, identified as cousins Niko and Roman Bellic, were released from police custody after police confiscated their guns and took 10% of their money. The pair subsequently stole several cars and went on a killing spree with an RPG they found on a nearby rooftop.

FP

[Anonymous Coward]

In Soviet Russia, the ATM robs you

Fixed.

[bigstrat2003]

Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes...

I believe you misspelled "ATM machine cards" and "PIN numbers", sir. Please correct this oversight as soon as is convenient for you.

Re:

[stewbacca]

They forgot to run the BIT test on the ATM machines to verify the PIN numbers.

Re:

[MightyYar]

You've got mail!

Oh Jesus

[commodoresloat]

just STFU up.

Re:

[c6gunner]

Technically it's just ATM, because the M stands for Machine. If you're going to be pedantic then do it correctly.

WHOOOOOSH!

Re:Fixed.

[statemachine]

Wait, wait! I need to attach a wind turbine to this thread.

OK, go.

Re:

[Dancindan84]

Whoosh...

Re:

[Zardus]

Dude, come om! Yu misspeled 'right' to! Dont make tipos when corecting peaple!

Re:

[MightyYar]

Are you from the Philly area? My wife and I still call them MAC machines and MAC cards, which causes trouble since we don't live in Philly anymore.

Re:

[Macgruder]

Used to live in PGH, they were MAC machines there, too. Took me awhile to catch on to what other folks meant.

Now I live out in the midwest, and when I slip and ask for a MAC machine, no one has any idea to what I'm referring.

Re:

[pfleming]

You jest, but there's actually a good reason for saying "ATM machine" and "PIN number" and the like.

If you just say "ATM cards," you could be referring to cards that have a magnetic strip that are put into Automated Teller Machines or you could be referring to cards (PCI, etc) that are part of a router or computer that's communicating using Asynchronous Transfer Mode. PIN code could be referring to a Personal Identification Number or it could be the ICD-9 code for Prostatic Intraepithelial Neoplasia or Progressive Inflammatory Neuropathy (yes, I used wikipedia and no, I have no idea whether those two conditions have actual ICD-9 codes).

Now in this case, it's pretty clear by the context which references the acronyms are intended to refer to, but that's not always the case. And in cases where there's any ambiguity, it can be very useful to append the full word represented by the last letter of the acronym. This is especially true when an acronym has multiple definitions within a certain space. For instance, ASP can mean Application Service Provider or Active Server Page and there are many contexts where it would be easy to confuse the two. But using ASP provider or ASP page removes the ambiguity.

ID-10-T

Comment removed

[account_deleted]

Comment removed based on user account deletion

Re:initialisms

[Gat0r30y]

I assume the boxes and bags all had big dollar signs on the side of them.

Not mentioned in the article is the neighbor who turned them in noting to the police, there's something funny about the two guys living there: they are always wearing black and white horizontal stripped jumpsuits and running around with masks and bags marked $.

the guys were drunk too

[commodoresloat]

They were drinking out of big jugs with "XXX" on the side of them

Time to look into other means of security

[pwnies]

...other than just a pin code?

Maybe it's just me, but a simple 4 digit number doesn't provide all that much security in my mind. How easy is it to simply glance over someone's shoulders and read their pin? Aren't there any means of verifying user identity in a quick secure manner?

I know that some banks will send their users a text message with a confirmation code, but this seems a bit inconvenient (cell battery can die, text can take a long time to arrive, etc.). Anyone on /. have any ideas?

Re:Time to look into other means of security

[pclminion]

What difference is the PIN going to make when the way they were acquired in the first place was by breaking into a database?

This problem is already solved. It's called an RSA dongle. "Oh, but it's a pain!" So is having your checking account cleared out.

Re:

[AKAImBatman]

This problem is already solved. It's called an RSA dongle. "Oh, but it's a pain!" So is having your checking account cleared out.

No need for a dongle. Just build it into the ATM card. That way the machine could authorize no more than one transaction every minute. (One transaction per token generated.) If bad guys got hold of your account number, they'd still need to physical card to crack the PIN. It might be slightly annoying that multiple transactions at an ATM would take a little longer, but the vast maj

Re:

[AKAImBatman]

ever try using a rsa dongle?

I have two of them.

you have to be looking at said dongle to use it.

No, no you don't. Not if you build it into the ATM card. Smartcards exist for that very reason.

I'd rather keep it on my keys for that reason, *plus* your rsa key is seperate from the card. so you have to have two things and your pin to access the account.

Putting aside for a moment that such a tactic would be inconvenient and would lead to a large number of fobs on your keychain, it wouldn't add any real-wor

Re:

[pclminion]

The problem in the article was that the cards were easy to defeat because the PIN and card number can easily be captured and reproduced. Thus just account and PIN (i.e. user/pass) are insufficient.

I originally brought up the RSA token, but it now occurs to me that perhaps it would have been overkill at least in THIS scenario. Suppose all PINs are kept in a database. But what is written to the mag-stripe on the card is NOT the PIN, but rather an RSA-signed hash of the PIN. The ATM verifies the signed has

Re:

[pclminion]

Ick. In the above post I should have written "account number" everywhere I said PIN. Sorry. Obviously the cards do not have the PIN on them.

Re:

[AKAImBatman]

But what is written to the mag-stripe on the card is NOT the PIN, but rather an RSA-signed hash of the PIN. The ATM verifies the signed hash against the PIN you input on the console.

There are two problems there. First is that the security leak was supposedly at a third party level. i.e. The ATMs could have been compromised, the servers the ATMs talk to could have been compromised, etc., etc. etc. Anyway you cut it, the hash would have been just as compromised.

Secondly, the ATM cannot verify the data by i

Re:

[edraven]

Benefit of an RSA SecurID key or something of that order would be it could also be used for online transactions.

Re:

[The Warlock]

Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.

Re:

[Gat0r30y]

That sounds all well and good until russian hackers break into the fingerprint, retinal scan, and colon map database the bank keeps. The real solution here is security at the server.

Re:Time to look into other means of security

[The Warlock]

I imagine it's a lot easier to type in a PIN stolen from a database than it is to, um, change your thumbprint or the pattern of the veins in your retina to one stolen from a database.

Perhaps I'm missing something.

Re:

[edraven]

You are. There are ways to deceive biometric scanners.

Re:Time to look into other means of security

[gnick]

No - he's spot on. Of course biometric scanners can be deceived. His point is that it's much more difficult to trick a fingerprint scanner than it is to type in four numbers. There's no infallible way to secure the machines - But they could be made much more secure without a major inconvenience to the end user.

The big problem is the expense of implementation.

Re:Time to look into other means of security

[j00r0m4nc3r]

Of course biometric scanners can be deceived. His point is that it's much more difficult to trick a fingerprint scanner than it is to type in four numbers.

When there's $2+ million on the line you can bet the baddies will take the time to work out a solution.

Re:

[edraven]

If that was his point, then that's what he ought to have said, and I wouldn't have disagreed with him. But it isn't. What he actually said strongly implied that the only way to fool a biometric scanner is to have surgery. Possibly very involved surgery.
Of course there's no such thing as perfect security, there is only a balance between the expense you force on the potential intruder compared to the risk of loss from the intrusion, taking into account the expense you incur for implementing the security itsel

Re:

[The Warlock]

No, I meant what he said. When it comes down to it, you only need to make the machine secure enough so that it's less of a hassle, risk, and expense to just tie it to the back of a pickup truck and pull it out of the wall. A four-digit code doesn't do that. Biometrics probably would.

Re:

[edraven]

If I say you ought to have said that, I'd be repeating myself, wouldn't I? ;)
Biometrics does have its own problems, of course, chief among them being that if it's defeated once you have to throw it out. For exactly the reason you originally mentioned: that it's easier to change a PIN than a fingerprint, which is what you'd have to ask the legitimate account-holder to do if someone actually did defeat the system. That, or go to the expense of implementing something completely different. If someone steals PIN

Re:

[Gat0r30y]

I don't recall implying that you needed to have surgery. All you need is the data. What I was trying to get at, is biometrics isn't a solution to a server vulnerability. That is because the server is still prone to getting hacked and if they can't secure 4 digits, I'm not entirely sure its a good idea to give them your fingerprints and so on.

Re:

[Missing_dc]

Is it just me or does anyone else see a push to use the national ID AND your bank card in tandem on ATMs? It would make spoofing them a tad more difficult AND it would further the perceived need for a national ID card.
(Que the Tinfoil Hatters and the conspiracy theorists on 3 2 1...)

Re:

[camperdave]

Yes, you're missing the fact that biometrics change over time. If you get a cut on your thumb you won't be able to get cash out of the ATM until it heals. A cataract could lock you out of your account forever. Etc.

And the biggest thing you're missing is that outfitting hundreds of thousands, if not millions, of ATMs and Point of Sale machines with biometric sensors is going to run up far more of a bill than covering loss from ATM fraud to begin with.

Re:

[EvanED]

If you get a cut on your thumb you won't be able to get cash out of the ATM until it heals. A cataract could lock you out of your account forever. Etc.

Actually I'm just running into this on my laptop. I log in using a fingerprint scan because it's quicker and easier than a password. (And besides, I have the scanner, might as well use it. Also, I used my middle finger, so every time I log on I can say I'm giving Windows the finger.) But I'm also doing a lot of (gym) rock climbing, and the texture of the hand

Re:

[pjt33]

It's also a lot easier to change your PIN than it is to change your retina when someone cracks into the database. Cuts both ways.

Re:

[Gat0r30y]

a dedicated patsy.

I gotta get me one of those.

Re:

[riceboy50]

colon map

Perhaps you don't mind having your colon mapped, but some of us aren't into that kinda stuff!

Re:Time to look into other means of security

[Kickersny.com]

Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.

The trouble with biometrics is that it can't be changed. Additionally, the various ways have bad flaws:

• Fingerprints are a terrible idea because you leave a copy of your private key on everything you touch.
• Voice recognition is a terrible idea because everyone within earshot can hear your private key.
• Retinal scanning would fail if someone was in an accident or had surgery or something.

As a general rule, I wouldn't use my fingerprint to protect anything that's worth more to a criminal than my finger is to me.
http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm [bbc.co.uk]

Re:Time to look into other means of security

[edraven]

Retinal scanning would fail if someone was in an accident or had surgery or something.

Or just went on a bender last night. I knew a guy who loved to tell the story of when he was consulting at a military installation that employed retinal scanners among other security measures. He went out drinking one night and the next day when he reported for work he was a little bloodshot and the scanners didn't recognize him. And the metal walls came down while the guys with shotguns were summoned...

Depends on how you use biometrics

[cheros]

Disclaimer: I just joined the company that has dreamt up this stuff..

For the use of biometrics to be safe you need the following conditions:

1 - it must still be a combination of what you KNOW and what you have. The solution is to name the fingers, i.e. think of a word like "fox" and then give a character to each finger. Only you know which finger you have called "f", "o" and "x".
2 - biometrics are yours. They have no place in a central database where anyone can make a mess by replacing or erasing them, and what isn't stored cannot be abused. Thus: using biometrics to replace PIN code is fine by me, provided it stays local to the device. In other words, the prints are a device/token enabler, not the actual method of authentication and/or authorisation. Oh, and the relevant storage area should not be accessible other than by the token comparator engine - export MUST be made verifiably impossble.
3 - "detached" and fake fingerprints should be rejected. Solution: don't be a cheapskate when you build this stuff and use the best, RF based reader. Even if you make the fake prints conductive it's going to be VERY hard (we've tried).

Biometrics are good because you can't forget them. But they're yours, and yours only.

Re:

[geekoid]

And when they get compromised you have no way to identify yourself anymore.

Not to mention, if you didn't store pins centrally, this wouldn't be a problem.

Not stroing them centrally depends on having the identity on the card, and then after swiped a comparison is done between the PIN and the PIN on the card.

However the logistics to set this up is a nightmare.

Even after all that, I can think of attacks to compromise this security.

Biometrics are not about secrecy

[Beryllium Sphere(tm)]

>Fingerprints are a terrible idea because you leave a copy of your private key on everything you touch.

A private key authenticates you because, and only because, you keep it secret. Fingerprints don't have to be secret. They authenticate you because they're attached to you. If someone replays your fingerprint or your voice, the security failure is not a secrecy breach but the fact that the biometric system is accepting a recording instead of an organism.

The measures that keep biometrics secure are humans

Re:

[Hoi Polloi]

I was fingerprinted for a security clearance while I had bad psoriasis on both hands (it has since cleared up). My fingerprints were just smooth, thickened skin at that point. I pointed this out but they didn't care. I'd love to see the blank prints they got.

Re:Time to look into other means of security

[Gat0r30y]

My personal solution: being broke as hell.

Mine is more than 4 digits... maybe

[PCM2]

I have a Bank of America ATM card that has a six-digit PIN. The really interesting thing, though -- which I discovered by accident -- is that on Bank of America ATMs you can simply enter the first four digits and then as many random digits as you want and the code works.

In other words, say my PIN is 443672. I can enter 4436, 44367, or 4436987899979 and it will always work. This seems like a fairly serious security flaw, to me.

I know what you're thinking: "Sounds like you really only have a 4-digit PIN." But no! On other kinds of machines, say at the supermarket, I always have to enter in all 6 digits accurately. It's only Bank of America ATM machines where this is true.

In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.

Re:

[ShibaInu]

I have a seven digit PIN on my Wells Fargo card. I like the longer length, but when I was in Spain, I couldn't use the card because Wells Fargo told me that European ATMs only take four digit pins. Is this still true? Four digits doesn't seem like much to me.

Re:

[PCM2]

OK, you've actually hit on the thing that really bugs me. I was often told this, too. "European ATMs can only use 4-digit PINs." It's still in all the travel guidebooks. But in my experience it is absolutely, in no way true, having successfully used ATMs everywhere from Singapore to Norway with my 6-digit PIN.

But wait! Having told you what I told you in the earlier post -- how do I know it's not true? Maybe it really is true, and my ATM card just has some "cheater" property that lets me get away with it?

Eur

Re:

[EvilIdler]

Nope. Never. 4 digits all the way. Last time I asked for a new code, they sent me a new card and eventually the same old code, even!

Online, the security gives the impression of being better. My current bank uses a stupid java app which in no way improves security, though.

Re:

[Smauler]

No.

But seriously, four digits should be enough for anyone, anyway. In my day, we only had 2 digits. And no card! And no bank account! And no money!

Re:

[John3]

Citibank switched to 4 digit PIN's a few years ago and truncated the extra characters in their system. Customers can still enter more than four digit PIN's but the ATM only uses the first four digits you key in.

Re:

[Braino420]

In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.

They could be doing it on purpose. The supermarket and stores aren't nearly safe, from BoA's standpoint, as the ATMs are. The ATMs have cameras and it is easy to cover your PIN. The supermarket has no cameras and people all around.

Re:

[nine-times]

It seems to me the bigger problem is not issuing new PIN codes when you *know* they've been compromised. They notified the FBI and then sat around for months doing nothing, when they could have contacted the affected customers and said, "Here is your new PIN".

Re:Time to look into other means of security

[sm62704]

Maybe it's just me, but a simple 4 digit number doesn't provide all that much security in my mind. How easy is it to simply glance over someone's shoulders and read their pin?

I no longer use a debit card for that very reason - my bank account was cleaned out by a woman I took pity on. She'd been strung out on crack and had nothing left but the clothes on her back. She wanted to dry out and get into rehab. So I stupidly let her stay at my apartment for a week.

During that week she obviously watched over my sholder at the ATM, then stole a book of checks. And the keys to my car I'd only made one payment on.

The bank made good on the forged checks, but not the ATM. Their rationale was that if the person had the PIN the only way to get it was have it given to them!

I journaled about it her:
Ask Slashdot: Women [slashdot.org]
The Crackwhore and the Nerd [slashdot.org]
Party Like It's 1976 [slashdot.org]

Re:

[LandDolphin]

Seems the problem was more wiht you letting a crackhead into your life then with the bank's debit card.

Re:

[digitrev]

Well, I do pity you for getting so royally screwed over. Did you change banks after that? Also, after a bit of research into credit/debit cards in the US of A, I am incredibly confused. Any chance you can give me a rough approximation of how your system works? In Canada, it's fairly straightforward.

Debit cards are issued by banks, and associated with one or two accounts in your name (your savings or your checking account). At an ABM with your bank's logo, you can make deposits, withdrawals, and transfer m

Re:Time to look into other means of security

[uniquename72]

Probably a Ukrainian disguised as a crackwhore -- social engineering strikes again.

Re:

[Anonymous Coward]

As someone who works for a company that makes banking software, I have to tell you - the entire banking industry isn't worried about security.

Sounds surprising right? That 4 digit little code is just like putting a lock on the front door - it stops casual passer-bys from just walking in and taking things.

What banks are actually worried about is accountability. Accountability is WAY more important than security. When you use your debit card to withdraw 20$, or pay for a meal at a fast food location, your

Re:

[prelelat]

You mean like the picture ID on credit cards(show ID to use the card) as well a signature(show ID to use the card again). This wouldn't stop identity theft, and someone still using your debit card, but that's 3 different checks that can be used to verify the person. It's getting to the point where I would rather get rid of my debit card and just use a visa/master card and carry small sums of cash on me for little things. Credit Card companies in my experience have been much better at returning your money

The honorable Judge Whitey presiding.

[attemptedgoalie]

Futurama is such a wonderful show.

Tall on story, light on details

[Anonymous Coward]

It seems clear that insider fraud is responsible. PIN codes are not afaik transmitted anywhere, they are checked locally by the terminal, not sent to any server. The fact that Citibank are taking respobsibility for the fraud is unusual, if PIN codes are stolen they would normally try to blame the customer first. What probably happened is that an insider stole the PIN codes and account information being sent to new card users and provided these to accomplices who used them to create fake cards.

Re:Tall on story, light on details

[supersat]

PINs are encrypted and sent across the network. These crooks managed to intercept the PINs at one of the servers that processed them.

If PINs were checked locally, then every ATM would need to be able to determine the correct PIN for every card inserted into it, which means that one of them could be turned into a PIN-producing machine.

Isn't PIN on the card?

[wsanders]

As far as I know, I still have to take my ATM card into the bank to change the PIN on it. So something is still encoded on the card, whether it's the PIN itself or another factor used in addition to the PIN to authenticate me.

Assuming I still have to take my card in to change the PIN (I can't seem to find a place to do it online), this could serve as a 2nd line against a server hack. Hopefully.

Server was breached in December....

[zonky]

yet only in June do they issue new pins? Nice.

Re:

[autocracy]

The best comment I have to that is, "Think back to Fight Club."

The cost of the lawsuits versus the cost of the recall just isn't enough, so a few soccer moms can burn. I do have to say, though, I'm way more comfy with a bank saying, "Ehh, we'll lose the money in customer's accounts," provided the bank is the one that takes the loss.

If you're a Citibank customer

[Solandri]

And wondering if you're affected, the compromised PINs seem to have been used at ATMs in 7-Eleven stores. Reposting here since the summary didn't mention it and it was buried near the end of the article.

Citibank emphasizes that customers aren't responsible for fraudulent withdrawals. But the bank won't say how many consumers had their information stolen in the attack. Court documents suggest the breach is limited to those who made withdrawals during the period that the server was actively compromised. But the bank won't reveal what that period was.

Also unclear is who was responsible for the server that was attacked, and why PIN codes, which are supposed to be transmitted only in encrypted form, were vulnerable. An FBI affidavit in the case blames a Citibank-owned server responsible for processing transactions from 7-Eleven convenience stores. But Citibank blames an unnamed "third party" transaction processing firm.

Re:

[PCM2]

And wondering if you're affected, the compromised PINs seem to have been used at ATMs in 7-Eleven stores.

Actually, it doesn't sound like the cards were used at 7-Elevens. It sounds like they scooped the PINs off a Citibank server that was used for processing transactions for 7-Eleven ATMs. A system was compromised somewhere along 7-Eleven's merchant transaction processing chain, not at the store locations themselves.

Re:

[dbcad7]

Citibank is light on locations in my area (Reno) and are in fact selling the accounts to Wells Fargo and shutting the branches down.. but 7-Elevens we have many of, and they are free of fees to use their ATM's for Citibank customers.. It kind of sucks that they did not give me a choice of maintaining an account with them without a local branch, as I never actually go to the bank anyway.. but I guess Wells will be ok.

I was hoping...

[Lester67]

...that with the U.S. Dollar in the shitter, the Russians would start picking on someone else.

Re:

[phobos13013]

No. You must not have mercy on a failing opponent. You have to go for the kill to win. Otherwise they come back bigger and stronger than before.

Re:

[east coast]

My good friend,

My late uncle, a wealthy American senator, had a large bank account in the United States. I currently can not remove the funds due to a legal dispute but an outside source such as yourself may be able to help me. I will let you have the majority of his 23 million dollar bankroll if you simply transfer the funds into your Russian account until I can leave the country. All I need from you is $5000 transfered into my account for verification of your account and processing and legal fees...

Citibank

[whisper_jeff]

Ok, I'm Canadian so I could be very wrong, but it certainly seems that Citibank is regularly the target of hackers/phishers/scammers. I often get emails from Citibank asking me to update my account information (obviously, I don't have an account...) but other banks seem to be subject to similar attacks far less often. Were I American, methinks I'd be picking just about any bank other than Citibank...

Re:

[Arccot]

Ok, I'm Canadian so I could be very wrong, but it certainly seems that Citibank is regularly the target of hackers/phishers/scammers. I often get emails from Citibank asking me to update my account information (obviously, I don't have an account...) but other banks seem to be subject to similar attacks far less often. Were I American, methinks I'd be picking just about any bank other than Citibank...

It's just because they're huge, they get targeted more often. It's the same problem with Chase Bank.

But yes, using a smaller bank would help, even if it is possibly less convenient.

My favorite part...

[InlawBiker]

From the article: "...What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry. Citibank spokesman Robert Julavits says the bank "has complied with all applicable notification requirements."

But according to the Payment Card Industry's own rules and the disclosure laws of NY, in the event of a breach the company must follow these rules:

* Notification: Most expedient time possible, without unreasonable delay

* Civil or criminal penalty for failure to promptly disclose

So in other words they were more than happy to keep this secret to themselves.

Re:

[nine-times]

Sure, why do they care? It's not their money.

Re:

[Sechr Nibw]

That wasn't Citibank notifying you of potential identity theft - that was a potential thief.

Another step

[geekoid]

to no more online digital financial transactions.

Considering how they did this, there is no security ID method that is actually secure.

Glad to know our partners are secure...

[Bomarc]

Whew, I'm glad to know that our business partners are secure. Our business just decided to use "Citi", and they have assured us that they are secure. Oh - wait, isn't Citi the same as "CitiBank"?

On the more serious side: They insist on using REAL customer data for testing, their test systems are not in sync with production, their test practices are VERY bad....

It comes as no surprise that they've had a break-in.

I'm a Citibank customer

[drusifer2]

I'm a Citibank customer here in New York and I am one of those who is getting their card reissued. Citibank did notify me of the breach through one of those alerts on their web site but the alert was several months after the breach was discovered (I got it on June 3rd to be precise). They didn't specifically mention the date of the incidents and I have no good way of validating all the charges to my ATM card. Pouring over several months of statements is not easy when you don't know what you are looking for.

In the alert they claim that a third party ATM network was breached but they didn't say which company's ATMs where hit. I even called and tried to find out but they wouldn't/couldn't tell me. The customer support person just kept saying "Sir, Your card was breached" as if the problem was with my ATM card. Here in NY there are tons of independent ATMs around which charge anywhere from $1-$3 for withdrawal (Maybe they could use some of those fees for security). If I knew which one f'ed up I would spend my withdrawal fees elsewhere.

Citi also botched sending me a new card twice so now they've disabled my old card and have yet to send me a new one. I guess I don't have to worry about those pesky fees for a while.

Re:

[Sponge Bath]

Pouring over several months of statements is not easy when you don't know what you are looking for.

It is worth reducing the total number of ATM transactions you make and using cash for the numerous small transactions. That makes it easier to reconcile and verify these transactions. Keep every ATM receipt and go over every detail in Quicken.

Extend this to every transaction (CC, ATM, Check, bills) and account for every last penny once a week. This helps to catch the other crooks like phone companies, ISPs,

Re:

[Red Flayer]

They didn't specifically mention the date of the incidents and I have no good way of validating all the charges to my ATM card. Pouring over several months of statements is not easy when you don't know what you are looking for.

Why are you not reconciling your bank accounts (~balancing your checkbook) every month? They send you a statement every month...

Even if you don't want to make an entry into your register every time you go to the ATM, it's simple enough to spike your withdrawal receipts (and purchas

The bigger question: Three Months!?

[penguin_dance]

From the article:
Three months had passed since Citibank notified the FBI that a hacker managed to steal customer-account numbers and PIN codes, in an attack on a server that processes transactions from Citi-branded ATMs at 7-Eleven convenience stores. In late February and early March, the FBI and the U.S. Secret Service arrested two Ukrainian immigrants and two alleged co-conspirators for allegedly using the stolen PINs to steal $2 million in cash from unsuspecting Citibank customers.

Okay that answers the question on how they got the PINs. They didn't need the physical cards, they just hacked and got the bank account numbers with PINs. I'm going to guess that they let this go on to catch the bad guys, but THREE MONTHS? And obviously they weren't telling customers there had been a breach and that they should change their pin number.

Maybe that's one solution...at least for those of us who know better. A way to be able to go in and change your pin number on a regular basis. But it doesn't matter if you have 4-digit pin or a 16-digit PIN if the bank is going to keep the Acct. number together with the PIN.

I believe lawyers felt a shift in the Force.

Diebold machines?

[140Mandak262Jamuna]

Were these ATMs manufactured by Diebold? May be they left the superpassword meant to be used to steal elections in the bank ATMs by mistake? Or may be by design?

Hmm

[mapkinase]

$800,000/$500 day withdrawal limit = 1600 human-days. Isn't that too much?

It might be that not only ATM were involved but also lax checking of the IDs at the counter.

The Solution

[IMustBeNewHere]

The EMV-card.

On this type of card, the magnetic strip is replaced by a microcontroller with various cryptographic features (aka smart card) that are supposed to secure transactions and make the card a PITA to clone.

http://en.wikipedia.org/wiki/EMV [wikipedia.org]

It is a quite recent innovation. It was only standardized oh ... 9 years ago, and its backers - VISA and Mastercard - are relatively unknown companies.

This is probably why many banks are wary about issuing EMV cards yet ... or that they are cheapskates. I'm not sure which.

Re:

[geekoid]

They wouldn't have stopped this attack.
And as far as cloning goes, only 1 person needs to figure it out, then everyone can do it. And yes, they can be cloned.

My parents (presumably) got hit by these guys

[theophilosophilus]

My parents took out a Sears card about 5 years ago to get a deal on carpet and then put the card in the filing cabinet and left it. About 2 months ago they got a bill from Citibank stating that they purchased several thousand dollars of something in Paris. Turns out that Sears sold all their accounts off to Citibank. My father immediately called Citibank and they were absolute jerks. They couldn't understand that my Dad didn't even own a Citibank card (and had never been to Paris). Evidently, someone had gotten the number and activated the old Sears (now Citi) account. After several calls to the VERY rude customer support Dad simply drove to Citibank's fraud prevention unit which isn't very far from their home. Fraud prevention is run out of the Midwest and very helpful but the plain customer service people suck.

Further, Citibank's fraud detection must be absolutely horrible. If this was the same security breach, Citi didn't know about it even in March. Further, one large random charge in a foreign country on a card that hasn't been used in 5 years should raise some warning flags. In stark contrast, about two weeks ago Wells Fargo discovered fraud on my card. Turns out someone had my number and was testing its validity with online purchases. The sad sad sad thing is that the transaction that they found odd was a $1 purchase of a weight lifting dietary supplement. I guess even Wells Fargo knows I'm a geek.

What... no citibank commercial quotes?

[mark-t]

Does anyone else find it incredibly ironic that a financial institution that so strongly marketed themselves as offering effective identity theft solutions should have this happen to them?

Re:

[sm62704]

The best gift cards in the US are green and have pictures of dead presidents on them.

Re:

[statemachine]

You keep the ones with the dead presidents. I'll keep the others. I'll only insist on having the same number, to be fair. Deal?

Re:Thats why...

[Beardo the Bearded]

It's why I moved all my purchasing from debit to credit.

The dispute resolution for M/C is a lot easier:

"I didn't buy this."

"Okay, reversed."

vs. the bank:

"I didn't make that withdrawal."

"Well, we'll have to review the security tapes, check your whereabouts, and in 12-16 months, we'll credit your account."

Also, I get 1% cash back on the M/C. And no, I don't carry a balance.

Re:Thats why...

[encoderer]

You're confusing two issues: An ATM Withdrawal and a Purchase.

Any Debit Card with a Visa or MC logo carries fraud protection. They both require that funds be put back into your account within 5 business days, and many banks do it same-day, mine included. This includes provisions for overdrafts that happened because of the fraudulent deduction.

In fact, on the Visa website, you'll see that the Debit Card page and the CC page both point to the same "Zero Liability" page.

The Zero Liability policy covers all Visa credit and debit card transactions processed over the Visa networkâ"online or off. The only transactions not covered under the Zero Liability policy are commercial card, ATM, and non-Visa-branded PIN transactions.

Of course, as I said, you confused 2 issues: Purchases and PIN-Based ATM withdrawals.

If you take a cash advance from your CC at an ATM using your PIN, it won't be so simple as "okay, reversed." It's their policy that its your duty to keep your PIN secure and secret. And that applies equally to both Credit and Debit cards.

Don't get me wrong -- I do the same thing you do. Every online purchase, and many offline, I use my Credit Card and pay it off when the statement comes. But I do it for the added benefits: Points, extra warranty on everything I buy, etc.

And because I don't always check my bank balances every day. My bank has refunded fraudulent debit card purchases for me twice, and the money was back in my account within an hour or so, but I worry about the time that I don't check it for a couple days and the money isn't there when I need it. Sure, the bank will fix it promptly, but that doesn't help if I have a cart full of groceries.

Not to mention, the worst thing that could happen if your CC is fraudmeistered is that you can't charge anything until it's fixed. There's a lot more headache involved if your checking acct was just drained.

But I wouldn't worry about fraud response from banks. Visa and Mastercard are literally making BILLIONS off Americans using the debit cards in place of cash. They don't want to scare you off.

Re:

[encoderer]

Yes, that's how I read it, anyway. My understanding is that Visa doesn't make much money from PIN transactions, so they don't guarantee them. Goes back to the "Your PIN is your Responsibility" schtick.

Of course, I see more and more stores that actually give me an incentive to pay using a PIN-based transaction. The Jewel supermarkets around here give you 1% off your bill. I imagine that's because they're paying more than 1% to Visa when you sign. I can't imagine any other reason that they'd give you that muc

Re:

[gnick]

I think the summary just misspoke a little. It says that they were each caught with $800k but, if you assume that $800k was the total between the two, it works out to ~$2.7M with ~$1.9M going to Russia.

Re:

[gnick]

You know, reading the article really takes the fun out of wildly speculating based on the summary. Did you really need to ruin it for us?

Re:

[ewhac]

almost as good as the "under the mattress" trick.

...Or the in-the-freezer [cnn.com] trick.

Schwab

Re:Clever...

[GIL_Dude]

I don't know enough about this to have a real opinion I guess, but I had sort of made the assumption that PINs worked like passwords in Linux and Windows - the server wouldn't know your password (PIN), but would know the HASH only. I guess these folks are saying that you can actually steal the PIN itself from a bank's server? I'd think it more likely that you could steal the hashes and then knowing that the PINs are generally 4 digit numbers, crack the hash. But if they directly store the PIN on their servers - that seems like a stupid idea.

Re:

[CastrTroy]

Well, with only 10,000 possible pins, it wouldn't matter to store the hashes, because either would be trivial to break. Many ATM cards and systems support up to 6 digits, but it's not advisable to use them, because there are still a lot of machines that don't accept 6 digit pins. Either way, it would be trivially easy to generate the rainbow tables for every 6 digit numeric string.