Crooks Nab Citibank ATM Codes, Steal Millions
An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."
Authorities report that the two Ukrainians, identified as cousins Niko and Roman Bellic, were released from police custody after police confiscated their guns and took 10% of their money. The pair subsequently stole several cars and went on a killing spree with an RPG they found on a nearby rooftop.
SJW: Someone who has run out of real oppression, and has to fake it.
In Soviet Russia, the ATM robs you
Disclaimer: I am not god.
We may not be created equal
But we can be treated equal.
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes.
I assume the boxes and bags all had big dollar signs on the side of them.
Also, I'm extremely impressed that TFS (I didn't RTFA, of course) had no incidents of "ATM machine" or "PIN number".
Quidquid latine dictum sit, altum sonatur.
...other than just a pin code?
Maybe it's just me, but a simple 4 digit number doesn't provide all that much security in my mind. How easy is it to simply glance over someone's shoulders and read their pin? Aren't there any means of verifying user identity in a quick secure manner?
I know that some banks will send their users a text message with a confirmation code, but this seems a bit inconvenient (cell battery can die, text can take a long time to arrive, etc.). Anyone on /. have any ideas?
It seems clear that insider fraud is responsible. PIN codes are not afaik transmitted anywhere, they are checked locally by the terminal, not sent to any server. The fact that Citibank are taking responsibility for the fraud is unusual, if PIN codes are stolen they would normally try to blame the customer first. What probably happened is that an insider stole the PIN codes and account information being sent to new card users and provided these to accomplices who used them to create fake cards.
yet only in June do they issue new pins? Nice.
Hacker != Criminal
plays the innocent victim and whenever Congress tries to pass legislation to protect the consumer from this incompetence, Citi has their K-St. goons to lobby one of the most corrupt Congresses in history.
Oh, you don't have to take bribes to be corrupt for those of you who think you have to accept hard money to be a crook.
...that with the U.S. Dollar in the shitter, the Russians would start picking on someone else.
yes I designed the Higher Standards html and I went to jail too?
Oh yeah...a bank is where poor people keep their money...
Here I was, thinking Grand Theft Auto IV was a game and all. But I was actually *really* stealing the money! Now I feel bad for shooting the hooker and then burning her in a 10-car inferno. Really bad.
Ok, I'm Canadian so I could be very wrong, but it certainly seems that Citibank is regularly the target of hackers/phishers/scammers. I often get emails from Citibank asking me to update my account information (obviously, I don't have an account...) but other banks seem to be subject to similar attacks far less often. Were I American, methinks I'd be picking just about any bank other than Citibank...
These figures seem off. Numbers: they stole over 2 million (you have to assume it's less than 2.5, or they would have said 3 mill); two out of the 10 had $800k on hand each (total $1.6m); 70% of the cash had been transferred to Russia. (30%)(1.6m) + (70%)(X) = (100%)(Y2.5)... Something's not right (could be me).
From the article: "...What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry. Citibank spokesman Robert Julavits says the bank "has complied with all applicable notification requirements."
But according to the Payment Card Industry's own rules and the disclosure laws of NY, in the event of a breach the company must follow these rules:
* Notification: Most expedient time possible, without unreasonable delay
* Civil or criminal penalty for failure to promptly disclose
So in other words they were more than happy to keep this secret to themselves.
WOOSH! How some people even log on I'll never understand...
I have a Bank of America ATM card that has a six-digit PIN. The really interesting thing, though -- which I discovered by accident -- is that on Bank of America ATMs you can simply enter the first four digits and then as many random digits as you want and the code works.
In other words, say my PIN is 443672. I can enter 4436, 44367, or 4436987899979 and it will always work. This seems like a fairly serious security flaw, to me.
I know what you're thinking: "Sounds like you really only have a 4-digit PIN." But no! On other kinds of machines, say at the supermarket, I always have to enter in all 6 digits accurately. It's only Bank of America ATM machines where this is true.
In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.
Breakfast served all day!
The whole problem with stealing money is that it's rarely NOT economical for the robbed to come after you.
It's not like you can steal a million dollars from a corporation that has hundreds of millions and they're not going to have the resources to track you down, cut you up, and feed your fun parts to the gimp.
The best gift cards in the US are green and have pictures of dead presidents on them.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
to no more online digital financial transactions.
Considering how they did this, there is no security ID method that is actually secure.
The Kruger Dunning explains most post on
As far as I know, I still have to take my ATM card into the bank to change the PIN on it. So something is still encoded on the card, whether it's the PIN itself or another factor used in addition to the PIN to authenticate me.
Assuming I still have to take my card in to change the PIN (I can't seem to find a place to do it online), this could serve as a 2nd line against a server hack. Hopefully.
Give a man a fish and you have fed him for today. Teach a man to fish, and he'll say "WHERE'S MY FISH, YOU IDIOT?"
Obligatory:
In Soviet Russia, ATM cards cash YOU!!!
Disclaimer: I just joined the company that has dreamt up this stuff..
For the use of biometrics to be safe you need the following conditions:
1 - it must still be a combination of what you KNOW and what you have. The solution is to name the fingers, i.e. think of a word like "fox" and then give a character to each finger. Only you know which finger you have called "f", "o" and "x".
2 - biometrics are yours. They have no place in a central database where anyone can make a mess by replacing or erasing them, and what isn't stored cannot be abused. Thus: using biometrics to replace PIN code is fine by me, provided it stays local to the device. In other words, the prints are a device/token enabler, not the actual method of authentication and/or authorisation. Oh, and the relevant storage area should not be accessible other than by the token comparator engine - export MUST be made verifiably impossible.
3 - "detached" and fake fingerprints should be rejected. Solution: don't be a cheapskate when you build this stuff and use the best, RF based reader. Even if you make the fake prints conductive it's going to be VERY hard (we've tried).
Biometrics are good because you can't forget them. But they're yours, and yours only.
Insert
Whew, I'm glad to know that our business partners are secure. Our business just decided to use "Citi", and they have assured us that they are secure. Oh - wait, isn't Citi the same as "CitiBank"?
On the more serious side: They insist on using REAL customer data for testing, their test systems are not in sync with production, their test practices are VERY bad....
It comes as no surprise that they've had a break-in.
Futurama is such a wonderful show.
My mom says I'm cool.
This would never have happened if only all those customers had used Citibank's Identity Monitor protection service
Of course I didn't RTFA... why would I do that? You really are new here aren't you? Don't let my UID fool you.
I do my banking with 1st Source Bank, They just recently replaced my debit/atm card for the same exact reason. Their database had been compromised by hackers. The hackers had all the account information along with social security numbers and names. I was assured that they were not likely to be using the information for identity theft. What do you think?
You keep the ones with the dead presidents. I'll keep the others. I'll only insist on having the same number, to be fair. Deal?
You've got mail!
W..w..W - Willy Waterloo washes Warren Wiggins who is washing Waldo Woo.
I'm a Citibank customer here in New York and I am one of those who is getting their card reissued. Citibank did notify me of the breach through one of those alerts on their web site but the alert was several months after the breach was discovered (I got it on June 3rd to be precise). They didn't specifically mention the date of the incidents and I have no good way of validating all the charges to my ATM card. Poring over several months of statements is not easy when you don't know what you are looking for.
In the alert they claim that a third party ATM network was breached but they didn't say which company's ATMs were hit. I even called and tried to find out but they wouldn't/couldn't tell me. The customer support person just kept saying "Sir, Your card was breached" as if the problem was with my ATM card. Here in NY there are tons of independent ATMs around which charge anywhere from $1-$3 for withdrawal (Maybe they could use some of those fees for security). If I knew which one f'ed up I would spend my withdrawal fees elsewhere.
Citi also botched sending me a new card twice so now they've disabled my old card and have yet to send me a new one. I guess I don't have to worry about those pesky fees for a while.
Good laugh (not related to the story, just the parent post:) http://www.thewebsiteisdown.com/salesguy.html
Cool, you can have the ones with dead presidents on them and I'll take all the 100s and 10s.
Forget why but I left citibank 15 years ago, I seem to remember they screwed me on some fee. Went to get some money for Poker last night, stopped by a citibank figuring to have to cough up $1.50 for the ATM fee. Bastards want !#$!@%$$3.00 ?? 3 Bucks? I grabbed about 1,000 of those stupid deposit envelopes and trashed 'em on the way out, I think we're about even.
It's why I moved all my purchasing from debit to credit.
The dispute resolution for M/C is a lot easier:
"I didn't buy this."
"Okay, reversed."
vs. the bank:
"I didn't make that withdrawal."
"Well, we'll have to review the security tapes, check your whereabouts, and in 12-16 months, we'll credit your account."
Also, I get 1% cash back on the M/C. And no, I don't carry a balance.
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
True. I'd much rather have $50 cash then a GC to only one store. GC's for you to either waste money, buy not spending up to the full amount, or spend your own money by going past the GC amount. At the end of the day, GC's suck.
Spelling and Grammar errors have been added to this post for your enjoyment
From the article:
Three months had passed since Citibank notified the FBI that a hacker managed to steal customer-account numbers and PIN codes, in an attack on a server that processes transactions from Citi-branded ATMs at 7-Eleven convenience stores. In late February and early March, the FBI and the U.S. Secret Service arrested two Ukrainian immigrants and two alleged co-conspirators for allegedly using the stolen PINs to steal $2 million in cash from unsuspecting Citibank customers.
Okay that answers the question on how they got the PINs. They didn't need the physical cards, they just hacked and got the bank account numbers with PINs. I'm going to guess that they let this go on to catch the bad guys, but THREE MONTHS? And obviously they weren't telling customers there had been a breach and that they should change their pin number.
Maybe that's one solution...at least for those of us who know better. A way to be able to go in and change your pin number on a regular basis. But it doesn't matter if you have 4-digit pin or a 16-digit PIN if the bank is going to keep the Acct. number together with the PIN.
I believe lawyers felt a shift in the Force.
If you've never been modded as "flamebait" or "troll," you've never tried to argue a minority viewpoint here!
Were these ATMs manufactured by Diebold? Maybe they left the superpassword meant to be used to steal elections in the bank ATMs by mistake? Or maybe by design?
sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
$800,000/$500 day withdrawal limit = 1600 human-days. Isn't that too much?
It might be that not only ATMs were involved but also lax checking of the IDs at the counter.
I do not believe in karma. "Funny"=-6. Do good and forbid evil. Yours, Oft-Offtopic Flamebaiting Troll.
>Fingerprints are a terrible idea because you leave a copy of your private key on everything you touch.
A private key authenticates you because, and only because, you keep it secret. Fingerprints don't have to be secret. They authenticate you because they're attached to you. If someone replays your fingerprint or your voice, the security failure is not a secrecy breach but the fact that the biometric system is accepting a recording instead of an organism.
The measures that keep biometrics secure are humans watching the reader being used to make sure nobody's holding up a photo of a retina or a severed finger, and to the extent they can work, technical measures to detect live bodies.
The EMV-card.
On this type of card, the magnetic strip is replaced by a microcontroller with various cryptographic features (aka smart card) that are supposed to secure transactions and make the card a PITA to clone.
http://en.wikipedia.org/wiki/EMV
It is a quite recent innovation. It was only standardized oh ... 9 years ago, and its backers - VISA and Mastercard - are relatively unknown companies.
This is probably why many banks are wary about issuing EMV cards yet ... or that they are cheapskates. I'm not sure which.
There are probably certain protocols that assume that PINs are always 4 digits and only transmit that many.
At least, that would be my guess--that it's some kind of backwards compatibility hack.
If they stole 2 Million, and they found 2 suspects each with $800,000 (800,000 x 2 = 1,600,000) leaving 400,000 unaccounted for, (20% of 2,000,000) then how was 70% (1.4 million) sent to Russia? When they say "Stole OVER 2 million" it must have been a LOT over 2 million.
just STFU up.
They were drinking out of big jugs with "XXX" on the side of them
You're confusing two issues: An ATM Withdrawal and a Purchase.
Any Debit Card with a Visa or MC logo carries fraud protection. They both require that funds be put back into your account within 5 business days, and many banks do it same-day, mine included. This includes provisions for overdrafts that happened because of the fraudulent deduction.
In fact, on the Visa website, you'll see that the Debit Card page and the CC page both point to the same "Zero Liability" page.
Of course, as I said, you confused 2 issues: Purchases and PIN-Based ATM withdrawals.
If you take a cash advance from your CC at an ATM using your PIN, it won't be so simple as "okay, reversed." It's their policy that it's your duty to keep your PIN secure and secret. And that applies equally to both Credit and Debit cards.
Don't get me wrong -- I do the same thing you do. Every online purchase, and many offline, I use my Credit Card and pay it off when the statement comes. But I do it for the added benefits: Points, extra warranty on everything I buy, etc.
And because I don't always check my bank balances every day. My bank has refunded fraudulent debit card purchases for me twice, and the money was back in my account within an hour or so, but I worry about the time that I don't check it for a couple days and the money isn't there when I need it. Sure, the bank will fix it promptly, but that doesn't help if I have a cart full of groceries.
Not to mention, the worst thing that could happen if your CC is fraudmeistered is that you can't charge anything until it's fixed. There's a lot more headache involved if your checking acct was just drained.
But I wouldn't worry about fraud response from banks. Visa and Mastercard are literally making BILLIONS off Americans using the debit cards in place of cash. They don't want to scare you off.
Some of our users got hit on the business online banking accounts. They know the payroll systems as well. I've seen businesses cleaned out by wire transfer via payroll, we did start issuing RSA tokens after that. All the doctors were using the same admin account so they had infighting on who actually got compromised.
Some of them used to find a mule in a want ad or Craigslist and they buy a used sofa for buy ask to put 10k in your account you keep 1000 for the sofa and transfer the rest to a bank in Florida which in turn gets sent to Russia. Now they just don't care if they are even caught or not, by the time you do catch them it's too late.
We got into the servers of the hackers and found 20 or so of our customers accounts, we are very small relative to other businesses. It's really unbelievable how much of our data they have.
Any Debit Card with a Visa or MC logo carries fraud protection. They both require that funds be put back into your account within 5 business days, and many banks do it same-day, mine included.
This is true only if you use your debit card like a credit card, rather than a debit card, right? (I.e. you give the cashier your signature rather than PIN.)
You're right overall, but I just wanted to clarify that point (both for me, since I'm not positive, and others).
My parents took out a Sears card about 5 years ago to get a deal on carpet and then put the card in the filing cabinet and left it. About 2 months ago they got a bill from Citibank stating that they purchased several thousand dollars of something in Paris. Turns out that Sears sold all their accounts off to Citibank. My father immediately called Citibank and they were absolute jerks. They couldn't understand that my Dad didn't even own a Citibank card (and had never been to Paris). Evidently, someone had gotten the number and activated the old Sears (now Citi) account. After several calls to the VERY rude customer support Dad simply drove to Citibank's fraud prevention unit which isn't very far from their home. Fraud prevention is run out of the Midwest and very helpful but the plain customer service people suck.
Further, Citibank's fraud detection must be absolutely horrible. If this was the same security breach, Citi didn't know about it even in March. Further, one large random charge in a foreign country on a card that hasn't been used in 5 years should raise some warning flags. In stark contrast, about two weeks ago Wells Fargo discovered fraud on my card. Turns out someone had my number and was testing its validity with online purchases. The sad sad sad thing is that the transaction that they found odd was a $1 purchase of a weight lifting dietary supplement. I guess even Wells Fargo knows I'm a geek.
Why have 1 person driving a backhoe when you could employ 20 with shovels?
Does anyone else find it incredibly ironic that a financial institution that so strongly marketed themselves as offering effective identity theft solutions should have this happen to them?
File under 'M' for 'Manic ranting'
You keep the ones with the dead presidents. I'll keep the others. I'll only insist on having the same number, to be fair. Deal?
You're clever--Franklin was never president. I did that report in 2nd grade, too.
They ran the BERT test on the ATM machines to verify the PIN numbers at 6AM in the morning.
This is NOT a signature.
Correct me if I am wrong, but Citibank is not necessarily the company to be blaming for the breach... the article states that the actual source of the breach is unknown. Although, it would be quite ironic if the breach did occur on a Citibank server/database considering that the credit card companies drive the PCI-DSS standards that are supposed to be in place to avoid these breaches. The source of the breach obviously didn't meet the PCI compliancy requirements if the hackers had the PIN numbers (and the rest of the information) which is supposed to be encrypted.
Yes, that's how I read it, anyway. My understanding is that Visa doesn't make much money from PIN transactions, so they don't guarantee them. Goes back to the "Your PIN is your Responsibility" schtick.
Of course, I see more and more stores that actually give me an incentive to pay using a PIN-based transaction. The Jewel supermarkets around here give you 1% off your bill. I imagine that's because they're paying more than 1% to Visa when you sign. I can't imagine any other reason that they'd give you that much off!
Yeah, that's the case. I don't think the CC companies make any money for PIN-based transactions, though I could be wrong. And they charge something like 3% or so (again, could be wrong) for CC transactions, both on debit and real credit cards.
So the 1% off or whatever makes sense from their perspective. The grocery store I do my big shopping trips at (because they have the cheapest prices) don't accept credit cards at all; I suspect this is why.
(BTW, presumably if you had some permanent change like the cataract you would just go into your bank and get a new scan, or have them disable the authentication, so saying you would be locked out forever is being alarmist.)
:-)
Yes, obviously you could get a new scan done. It's just one of those things you think of just after clicking submit.
Of course it's alarmist. I was going for a +5 Alarmist mod. I haven't gotten one of those yet.
When our name is on the back of your car, we're behind you all the way!
Neither was Hamilton.
I see your informative link, and raise you a pithy comment.
I suppose you're trying to give a backhanded compliment. But if you needed to do a report on Franklin to figure out that he wasn't a president, I feel sorry for you. Your classmates must have been laughing at you.
The whole notion of greenbacks being referred to as "dead presidents" is somewhat new. I just thought of them as important historical people, many of whom had been President. It's a sad state of ignorance. FFS, it's not like it's the $1 bill, it's the highest denomination in circulation! And then there's the $10 bill... You'd think people never paid attention in class or held these denominations.
My point is it's a stupid saying because it's wrong on the most important part.
Have all the Washingtons you can carry.
Nor Salmon P Chase, for that matter...though I doubt anyone reading this would have ever seen a $10,000 bill.
"Don't blame me, I voted for Kodos!"
I am really pissed. So Citibank knew that customers' information was stolen and didn't do anything about it.
Guess what? I was one of the people who got the money stolen from my account. Since my bank account was connected to Citibank credit card, they also did cash advance.
What pissed me off is that they made me send a bunch of documentation to prove that it wasn't me. And they knew it wasn't me.
BTW - the branch they mentioned ( upper east side ) is one of the locations the crooks took $ from me.
Citibank could have just told everyone to change their pin number and this could have all been avoided.
BTW - Citibank daily limit of ATM transaction in NYC is $2,000 - kinda crazy. They are able to take $4,000 with just two transactions.
Also, I recommend people to call credit card company and ask to remove any cash advance feature. Citibank credit card was able to do it but Chase was not. So bye-bye chase.
BTW - who saves the password(pin) number plain-text...
All of the transactions I permit, require that I have to be there in person to authorise them.
Any that come in on spec, get checked first, and passed to the fraud squad when necessary.
___________________
Sig. Measure Twice
Let me see here:
$2 million * .7 = $1.4 million. $2 million - $1.4 million = $600,000. And yet there was $1.6 million recovered in cash? Either they were welching on their 70% deal, were very slow to shipping that money back, or there was more like $5.3 million stolen by just these two. I suppose they could only pin on them the $2 million they had direct evidence for.
But if the two suckers who got caught took Citibank for at least $5 million, what do you suppose the clever ones who didn't get caught walked away with?
You like splinters in your crotch? -Jon Caldara
You're confusing two issues: An ATM Withdrawal and a Purchase.
Any Debit Card with a Visa or MC logo carries fraud protection. They both require that funds be put back into your account within 5 business days, and many banks do it same-day, mine included. This includes provisions for overdrafts that happened because of the fraudulent deduction.
That is under the assumption that your debit card is a "visa debit" or a "Mastercard Debit" card.
In Canada, there is an entirely separate network (Interac) that is run basically by the big-5 banks, entirely unrelated to Visa/Mastercard (except that all the ATM's take PLUS and Maestro, but that's unrelated). Therefore, none of the Visa/Mastercard "Zero-Liability" policies apply.
However, the banks are generally fairly good. I've known people who have received calls from their bank saying "you used your debit card at an area that has reported fraud, please change your pin and double-check your account transaction history at one of our branded ATMs ASAP"
Credit Union, the most inconvenient form of banking beyond hiding something under your mattress. A throwback to 60's banking before ATMs were first rolled out in the 70's.
Fortunately, credit unions that don't suck have hookups to the ATM networks in whatever country you live in, either through PLUS or a Visa/Mastercard debit card of some type.
These are crackers not hackers
Sure, the bank will fix it promptly, but that doesn't help if I have a cart full of groceries.
Which is why you carry a second card as a backup. You never have to use it, but it can save a lot of time and/or embarrassment if anything happens about your primary card.
Some situations are really ridiculous. Many many years back, my wife took care of paying all the bills. One day, I happened to see the MC bill on the table. I took a quick look at it and saw we had $250 outstanding on it. The credit limit shown was $2000 (I said it was a long time ago). But the "available credit" box said $0.00. I thought that was odd, but paid no further attention to it.
The following weekend, we went out to get some tile for a small job. The card was rejected for a $100 purchase. We were told we'd have to call MC on Monday to find out the reason.
At this point, the store manager came by to see what was up. After hearing the story, he asked the clerk how much the tile cost -- $50. Then he asked how much the supplies cost -- $50. So he told the clerk to ring up and charge for the tile. Then to do the same for the supplies. It turned out they didn't have to get an auth number for anything less than $75.
On Monday, it turned out that MC had shut off our credit "for erratic payment". They didn't like the way my wife sometimes paid fairly early and occasionally a little late. This was before they discovered what a gold mine there was in "late fees". So they left our limit in place, but shut off access to it, all without a phone call or any other notification.
Stupid jerks. It would have been real fun if we'd been in a restaurant where the manager didn't know he could just charge the meal as two or more transactions.
The pattern on your bell end is unique. As unique as your fingerprints.
And unless you're seriously weird, you don't leave that print everywhere you go.
So whip the old man out and plonk it on the ATM!
FTW!
because they've bilked the russian mafia and all that was needed for the mafia to prove it is the statement of how much was taken.
They can do the maths.
They can hire hitmen.
Not to mention that they expire, and some even devalue over time until their expiration.
It is actually 10 business days that they have to give you provisional credit. This is under the EFTA (Electronic Funds Transfer Agreement) and regulation E. Just keep an eye on your checking account everyday and you will know when your card is compromised if you can change your pin more often.
Redundant? How does 4.22 PM come after 9.08 PM of the same day?
And you know... it's just been in the past couple years that I basically stopped carrying any cash. I usually keep about $20 or so tucked into the console in my car, but that's it.
I do it to maximize my "points," simplify budgeting, and really just because it's easier.
But god DAMN I hate the fact that I'm making banks so much $$.
Banks are crooks who make their scratch on the backs of the little guy. less than $200 in your account? Monthly Fee. Overdraft on a debit-card purchase that THEY LET GO THROUGH? $35 fee. Etc.
Generally, my motto is "Your money is like your vote, only give it to somebody you want to have it." That's why I never shop at Wal Mart, Blockbuster, etc.
But there's just no alternative for this. Even Credit Unions are only slightly better, and they're still making Visa and MC rich.
If the US Banking System could be reformed (which it probably can't), we'd all be so much better for it.
Which had used older technology which was compromised. It was a network inside 7-11s which isn't known as a bastion of integrity.
IINM it started with the Willie Dixon song Dead Presidents that was later covered more popularly by Little Walter and even later by the J. Geils Band .
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
The "expired" (ahem) presidents devalue over time, too. Washington would get you a gallon of gasoline here in Springfield when Bush took office, now it takes four of them. In 1968 when I started driving, Washington would buy you over a quarter tank of the stuff.
mcgrew's razor: Never attribute to stupidity that which can be explained by greedy self-interest
"Which had used older technology which was compromised. It was a network inside 7-11s which isn't known as a bastion of integrity"
What was the name of the 3rd party and do you have citations to any first hand reports as to exactly how the hack was achieved?
davecb5620@gmail.com
"Citibank is regularly the target of hackers/phishers"
..
Except in this case the servers got hacked
"a hacker managed to steal customer-account numbers and PIN codes, in an attack on a server that processes transactions from Citi-branded ATMs"
davecb5620@gmail.com
"the compromised PINs seem to have been used at ATMs in 7-Eleven stores"
The PINs were stolen "in an attack on a server that processes transactions from Citi-branded ATMs at 7-Eleven"
davecb5620@gmail.com
They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York
Someone has been watching the movie Prime Risk (currently available only as a German-only Region 2 PAL full-screen DVD).
Cop: You know, you shouldn't write your pin number on the back of your card like this. If you lose it and someone finds it they can rob you blind.
Julie: I thought you said you knew how to fly!
Michael: I do know how to fly!
[pause]
Michael: It's just landing I've never done before.
Julie: Oh, shit.
Oh, say does that Star-Spangled Banner entwine / The myrtle of Venus with Bacchus's vine?
Let's see... 10 possible combinations per digit, 4 digits = 10^4 = 10,000 possible PINs...
Even if you only had the hash, it would take an incredibly small amount of time to compare it to the hash!
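The point of the last comment, worked through as an added example that is not part of the original thread: it compares three ways a PIN verifier could be stored and checks which survive someone reading the stored records. The scheme names, salt, keys and the sample PIN are constructed for illustration and say nothing about how any bank actually stores PINs.

```python
import hashlib
import hmac

# Every possible 4-digit PIN: the whole search space is 10^4 entries.
PIN_SPACE = [f"{n:04d}" for n in range(10_000)]

# Constructed sample values for the demonstration (not real data).
SAMPLE_SALT = b"constructed-per-record-salt"
SERVER_KEY = b"constructed-key-held-outside-db"  # assumed to live in an HSM
WRONG_KEY = b"\x00" * 32                         # all a dump-only reader can try
PBKDF2_ROUNDS = 500  # kept low so the demo runs quickly; cost scales linearly


def sha256_record(pin: str) -> bytes:
    """Scheme 1: plain unsalted SHA-256 of the PIN."""
    return hashlib.sha256(pin.encode()).digest()


def pbkdf2_record(pin: str, salt: bytes = SAMPLE_SALT) -> bytes:
    """Scheme 2: salted, iterated hash. The salt is stored next to the record."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


def keyed_record(pin: str, key: bytes) -> bytes:
    """Scheme 3: HMAC under a secret key that is not stored with the records."""
    return hmac.new(key, pin.encode(), hashlib.sha256).digest()


def exhaust(stored: bytes, scheme) -> tuple:
    """Try every PIN against one stored record; return (pin or None, guesses)."""
    for guesses, pin in enumerate(PIN_SPACE, start=1):
        if hmac.compare_digest(scheme(pin), stored):
            return pin, guesses
    return None, len(PIN_SPACE)


def audit_schemes(pin: str) -> dict:
    """Model a reader who holds only the stored records (and salts) for `pin`."""
    return {
        "sha256": exhaust(sha256_record(pin), sha256_record),
        "pbkdf2_salted": exhaust(pbkdf2_record(pin), pbkdf2_record),
        # The stored value was made with SERVER_KEY; the reader of the dump
        # does not have it, so enumeration under any other key matches nothing.
        "hmac_key_withheld": exhaust(
            keyed_record(pin, SERVER_KEY), lambda p: keyed_record(p, WRONG_KEY)
        ),
    }


if __name__ == "__main__":
    for name, (found, guesses) in audit_schemes("2580").items():
        print(f"{name:18} recovered={found} after {guesses} guesses")
```

Salting and stretching only multiply the cost of 10,000 guesses by a constant, so neither rescues a 4-digit secret; the keyed variant holds only for as long as the key stays outside the breached system.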