Crooks Nab Citibank ATM Codes, Steal Millions
An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."
Yet only in June do they issue new PINs? Nice.
Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.
The trouble with biometrics is that they can't be changed. Additionally, the various ways have bad flaws:
As a general rule, I wouldn't use my fingerprint to protect anything that's worth more to a criminal than my finger is to me.
http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm
PINs are encrypted and sent across the network. These crooks managed to intercept the PINs at one of the servers that processed them.
If PINs were checked locally, then every ATM would need to be able to determine the correct PIN for every card inserted into it, which means that one of them could be turned into a PIN-producing machine.
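The split described in the last two comments, with the ATM encrypting the PIN for transit and the host doing the actual check, can be modelled in a few lines. The following is an added example written for this thread; it is not code from Citibank, Wired, or any commenter. It assumes two constructed keys (an ATM-to-host transport key and a host-only PIN verification key), a constructed PAN and PIN, and uses an HMAC-derived keystream as a simplified stand-in for the block cipher a real PIN block would be encrypted with. The point it makes is the one above: the ATM holds only the transport key, so it can encrypt PINs but cannot decide whether one is correct, while the host must hold the plaintext PIN briefly inside the verification step, which is where an attacker sitting on a processing server would see it.

```python
"""Toy model of remote PIN verification: the ATM encrypts the PIN for transit,
the host decrypts it and checks it against a stored PIN verification value (PVV).
All keys, PANs and PINs below are constructed for this example."""
import hashlib
import hmac
import secrets

# Constructed keys. In a real network these live inside hardware security
# modules; here they are fixed bytes so the example runs offline.
ATM_TRANSPORT_KEY = bytes.fromhex("0f" * 32)   # shared by one ATM and the host
HOST_PVV_KEY = bytes.fromhex("a5" * 32)        # known only to the host


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Simplified stand-in for the block cipher real PIN blocks use: a
    # per-message keystream derived from the transport key and a fresh nonce.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def atm_encrypt_pin(pan: str, pin: str) -> dict:
    """ATM side: build an encrypted PIN block.

    The ATM holds only ATM_TRANSPORT_KEY, so it can encrypt a PIN but has no
    way to tell whether that PIN is correct for the card (no HOST_PVV_KEY)."""
    if not (4 <= len(pin) <= 12 and pin.isdigit()):
        raise ValueError("PIN must be 4-12 digits")
    nonce = secrets.token_bytes(16)
    # Length-prefixed, padded to a fixed width so the ciphertext leaks no PIN length.
    pin_block = f"{len(pin):02d}{pin}".ljust(14, "F").encode()
    ks = _keystream(ATM_TRANSPORT_KEY, nonce, len(pin_block))
    ciphertext = bytes(a ^ b for a, b in zip(pin_block, ks))
    return {"pan": pan, "nonce": nonce, "pin_block": ciphertext}


def _decrypt_pin_block(msg: dict) -> str:
    ks = _keystream(ATM_TRANSPORT_KEY, msg["nonce"], len(msg["pin_block"]))
    plain = bytes(a ^ b for a, b in zip(msg["pin_block"], ks)).decode()
    n = int(plain[:2])
    return plain[2:2 + n]


def host_enroll(pan: str, pin: str) -> bytes:
    """Host side at card issue: store a keyed PVV, never the PIN itself."""
    return hmac.new(HOST_PVV_KEY, f"{pan}:{pin}".encode(), hashlib.sha256).digest()[:8]


def host_verify(msg: dict, stored_pvv: bytes) -> bool:
    """Host side per transaction: decrypt the PIN block and recompute the PVV.

    The plaintext PIN exists only inside this function. A compromise of the
    server running it is exactly the interception point the comment above
    describes; encryption on the wire does not help against that."""
    pin = _decrypt_pin_block(msg)
    return hmac.compare_digest(host_enroll(msg["pan"], pin), stored_pvv)


def demo() -> tuple:
    # Constructed card: a common test PAN and an arbitrary PIN.
    pan, pin = "4111111111111111", "1234"
    pvv = host_enroll(pan, pin)
    ok = host_verify(atm_encrypt_pin(pan, pin), pvv)      # correct PIN -> True
    bad = host_verify(atm_encrypt_pin(pan, "9999"), pvv)  # wrong PIN -> False
    return ok, bad


if __name__ == "__main__":
    print(demo())
```

Two things worth noticing when running it: the same PIN produces a different `pin_block` on every call because of the nonce, and nothing in `atm_encrypt_pin` can be used to produce a PVV, which is what keeps a stolen or tampered ATM from becoming the "PIN-producing machine" the comment warns about.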