Citibank Tries to Hush ATM Crypto Vulnerability

palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers accounts because they claim their systems are secure."

This was covered at k5 also

Mostly it affects where banks choose your pin for you (which happens in the UK among other places) based upon a hash of your account number. Not that a 4 digit pin was particularly strong an encription method, but this paper merely says it's even weaker when based of the users account number. However, it seems this crack is most easily acheived by an insider, not your local script kiddie with Aunt Edna's ATM card.

Read more here:
http://www.kuro5hin.org/story/2003/2/20/61350/0548

ATMs are fallible in lots of ways

[osgeek]

With no cash in my wallet, I went to an ATM (Wells Fargo) a few months ago. I withdrew $200, and went along my merry way.

I pulled out my wallet about an hour later. As I was thumbing through my cash to pay for something I discovered a ten dollar bill in the middle of my stack of twenties... HUH? Damned ATM machine ripped me off.

The next time I went by a Wells Fargo branch office, I reported the problem. They mentioned that there was some complicated method for submitting a complaint. I decided that it would cost me a lot more than $10 to try to get it back.