Slashdot Mirror


Crooks Nab Citibank ATM Codes, Steal Millions

An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."

10 of 282 comments

  1. Re:Time to look into other means of security by pclminion · Score: 4, Insightful

    What difference is the PIN going to make when the way they were acquired in the first place was by breaking into a database?

    This problem is already solved. It's called an RSA dongle. "Oh, but it's a pain!" So is having your checking account cleared out.

  2. Server was breached in December.... by zonky · Score: 5, Insightful

    yet only in June do they issue new pins? Nice.

  3. Re:Time to look into other means of security by The Warlock · Score: 4, Insightful

    I imagine it's a lot easier to type in a PIN stolen from a database than it is to, um, change your thumbprint or the pattern of the veins in your retina to one stolen from a database.

    Perhaps I'm missing something.

    --
    I've upped my standards, so up yours.
  4. Re:Time to look into other means of security by Kickersny.com · Score: 5, Insightful

    Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.

    The trouble with biometrics is that it can't be changed. Additionally, the various ways have bad flaws:

    • Fingerprints are a terrible idea because you leave a copy of your private key on everything you touch.
    • Voice recognition is a terrible idea because everyone within earshot can hear your private key.
    • Retinal scanning would fail if someone was in an accident or had surgery or something.

    As a general rule, I wouldn't use my fingerprint to protect anything that's worth more to a criminal than my finger is to me.
    http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm

  5. Re:Tall on story, light on details by supersat · Score: 5, Insightful

    PINs are encrypted and sent across the network. These crooks managed to intercept the PINs at one of the servers that processed them.

    If PINs were checked locally, then every ATM would need to be able to determine the correct PIN for every card inserted into it, which means that one of them could be turned into a PIN-producing machine.

  6. My favorite part... by InlawBiker · Score: 4, Insightful

    From the article: "...What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry. Citibank spokesman Robert Julavits says the bank 'has complied with all applicable notification requirements.'"

    But according to the Payment Card Industry's own rules and the disclosure laws of NY, in the event of a breach the company must follow these rules:

    * Notification: Most expedient time possible, without unreasonable delay

    * Civil or criminal penalty for failure to promptly disclose

    So in other words they were more than happy to keep this secret to themselves.

  7. Re:Time to look into other means of security by gnick · Score: 4, Insightful

    No - he's spot on. Of course biometric scanners can be deceived. His point is that it's much more difficult to trick a fingerprint scanner than it is to type in four numbers. There's no infallible way to secure the machines - But they could be made much more secure without a major inconvenience to the end user.

    The big problem is the expense of implementation.

    --
    He's getting rather old, but he's a good mouse.
  8. Re:Time to look into other means of security by j00r0m4nc3r · Score: 4, Insightful

    Of course biometric scanners can be deceived. His point is that it's much more difficult to trick a fingerprint scanner than it is to type in four numbers.

    When there's $2+ million on the line you can bet the baddies will take the time to work out a solution.

  9. Re:Thats why... by Beardo the Bearded · Score: 4, Insightful

    It's why I moved all my purchasing from debit to credit.

    The dispute resolution for M/C is a lot easier:

    "I didn't buy this."

    "Okay, reversed."

    vs. the bank:

    "I didn't make that withdrawal."

    "Well, we'll have to review the security tapes, check your whereabouts, and in 12-16 months, we'll credit your account."

    Also, I get 1% cash back on the M/C. And no, I don't carry a balance.

    --

    ---
    ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  10. The Solution by IMustBeNewHere · Score: 4, Insightful

    The EMV-card.

    On this type of card, the magnetic strip is replaced by a microcontroller with various cryptographic features (aka smart card) that are supposed to secure transactions and make the card a PITA to clone.

    http://en.wikipedia.org/wiki/EMV

    It is a quite recent innovation. It was only standardized oh ... 9 years ago, and its backers - VISA and Mastercard - are relatively unknown companies.

    This is probably why many banks are wary about issuing EMV cards yet ... or that they are cheapskates. I'm not sure which.
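
The contrast the last comment draws between magstripe and chip cards, as an added example that is not part of the thread: a toy issuer accepts any card carrying the static account number and PIN, but rejects a replayed chip cryptogram. All class and function names are hypothetical, the account number and PIN are constructed, and HMAC-SHA256 stands in for the MAC a real EMV card computes.

```python
import hashlib
import hmac
import secrets

# Added illustration: names are hypothetical; HMAC-SHA256 is a stand-in MAC.
def mac(key, atc, nonce, amount):
    msg = atc.to_bytes(2, "big") + nonce + amount.to_bytes(6, "big")
    return hmac.new(key, msg, hashlib.sha256).digest()

class ChipCard:
    # Toy chip: the key stays inside; only counter and cryptogram come out.
    def __init__(self, pan, key):
        self.pan, self._key, self._atc = pan, key, 0

    def sign(self, nonce, amount):
        self._atc += 1  # transaction counter, bumped on every use
        return self._atc, mac(self._key, self._atc, nonce, amount)

class Issuer:
    def __init__(self):
        self.pins, self.keys, self.last_atc = {}, {}, {}

    def enroll(self, pan, pin):
        self.pins[pan], self.last_atc[pan] = pin, 0
        self.keys[pan] = secrets.token_bytes(32)
        return ChipCard(pan, self.keys[pan])

    def verify_magstripe(self, pan, pin):
        # Static check: any card carrying these two values passes.
        return hmac.compare_digest(self.pins.get(pan, ""), pin)

    def verify_chip(self, pan, atc, nonce, amount, cryptogram):
        if pan not in self.keys or atc <= self.last_atc[pan]:
            return False  # unknown card or stale counter (replay)
        if not hmac.compare_digest(mac(self.keys[pan], atc, nonce, amount), cryptogram):
            return False  # cryptogram not made for this counter/nonce/amount
        self.last_atc[pan] = atc
        return True

def demo():
    issuer = Issuer()
    pan, pin = "4000000000000002", "1234"  # constructed sample values
    card = issuer.enroll(pan, pin)
    results = {"magstripe_copy": issuer.verify_magstripe(pan, pin)}
    nonce = secrets.token_bytes(4)  # terminal's unpredictable number
    atc, crypt = card.sign(nonce, 20000)
    results["chip_genuine"] = issuer.verify_chip(pan, atc, nonce, 20000, crypt)
    results["chip_replay"] = issuer.verify_chip(pan, atc, nonce, 20000, crypt)
    results["chip_replay_fresh_nonce"] = issuer.verify_chip(
        pan, atc + 1, secrets.token_bytes(4), 20000, crypt)
    return results
```

Calling `demo()` returns one boolean per case: the static magstripe values verify no matter which card carries them, while the captured chip message fails both as a straight replay and against a fresh terminal nonce.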