Slashdot Mirror


Citibank Tries to Hush ATM Crypto Vulnerability

palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers' accounts because they claim their systems are secure."

6 of 385 comments

  1. This is SERIOUS by arvindn · · Score: 5, Insightful
    This isn't like one of the regular "a new vulnerability has been discovered. No exploitz are known yet. Patch can be found " kind of things we get on bugtraq all the time.

    From the article:

    "For the last couple of years or so there has been a rising tide of phantoms. I get emails with increasing frequency from people all over the world whose banks have debited them for ATM withdrawals that they deny making. Banks in many countries simply claim that their systems are secure and so the customers must be responsible. It now looks like some of these vulnerabilities have also been discovered by the bad guys."

    What the bank is doing is very irresponsible. I hope they get lots of bad publicity for this. Getting on /. is a good start.

    1. Re:This is SERIOUS by mosch · · Score: 4, Insightful
      Yes, but the banks are claiming that the system contains no vulnerabilities at all. The presence of any vulnerability demonstrates that the banks are being less than honest with the courts.

      Last I checked, it's significantly illegal to be less than honest with the courts.

  2. Re:Shut them up! by Daniel+Dvorkin · · Score: 5, Insightful

    Um ... you're kidding, right?

    Citibank has no interest in "the best interest of its customers." Like any other megacorp, they don't give a shit about you. They're much more concerned about the embarrassment of admitting that their security is worthless than they are about actually keeping people's money safe. The only way to get them to fix this problem is to publicize it as loudly as possible, because then not fixing the problem becomes even more of an embarrassment for them.

    --
    The correlation between ignorance of statistics and using "correlation is not causation" as an argument is close to 1.
  3. Re:Fees... by Lawbeefaroni · · Score: 5, Insightful

    They're not completely secure because if they were, it would put a dent in all that dough they're raking in. Security through obscurity is free, security that is secure isn't.

    --
    "When it rains, it pours." --Morton's Salt
  4. Re:Go back to sleep children by aussersterne · · Score: 5, Insightful

    Everything is ok.

    Your money is safe.

    The world is simple.

    You are with us or against us.

    Go buy yourself something, you deserve it.

    Those in charge know what they are doing and will take care of you.



    When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.
    --
    STOP . AMERICA . NOW
  5. The real threat by goombah99 · · Score: 4, Insightful
    After pondering this some I have come to the conclusion that this is a real threat. At first I dismissed it because it was going to take a bank employee with access to programming the machines' low-level inputs, plus a very large list of card numbers, plus access to the PIN offsets, plus a way to launder the money, plus the ability to make 15 tries without losing the card or having to override the system (which would get noticed).



    But then I thought, well, where could you do this and not get caught? How about North Korea or Nigeria? North Korea already mints high-tech counterfeit US 100 dollar bills on government printing presses. So this would be small but useful potatoes.


    But more important than the money, it also would make a nice weapon: UN provokes N. Korea, N. Korea dumps 100,000 cards with PINs written on them in, say, the NY subway system. Next day all ATM banking is halted worldwide. Nice little panic. Travelers stranded. Runs on banks as people have to now go inside to get money and they run out of cash. Anyhow, you get the idea.


    Or maybe just one of the millions of merchant accounts Visa hands out is owned by ..... well, you name it.
    Yikes

    --
    Some drink at the fountain of knowledge. Others just gargle.