Crooks Nab Citibank ATM Codes, Steal Millions
An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."
...other than just a pin code?
Maybe it's just me, but a simple 4 digit number doesn't provide all that much security in my mind. How easy is it to simply glance over someone's shoulders and read their pin? Aren't there any means of verifying user identity in a quick secure manner?
I know that some banks will send their users a text message with a confirmation code, but this seems a bit inconvenient (cell battery can die, text can take a long time to arrive, etc.). Anyone on /. have any ideas?
I have a Bank of America ATM card that has a six-digit PIN. The really interesting thing, though -- which I discovered by accident -- is that on Bank of America ATMs you can simply enter the first four digits and then as many random digits as you want and the code works.
In other words, say my PIN is 443672. I can enter 4436, 44367, or 4436987899979 and it will always work. This seems like a fairly serious security flaw, to me.
I know what you're thinking: "Sounds like you really only have a 4-digit PIN." But no! On other kinds of machines, say at the supermarket, I always have to enter in all 6 digits accurately. It's only Bank of America ATM machines where this is true.
In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.
Breakfast served all day!
I'm a Citibank customer here in New York and I am one of those who is getting their card reissued. Citibank did notify me of the breach through one of those alerts on their web site but the alert was several months after the breach was discovered (I got it on June 3rd to be precise). They didn't specifically mention the date of the incidents and I have no good way of validating all the charges to my ATM card. Poring over several months of statements is not easy when you don't know what you are looking for.
In the alert they claim that a third party ATM network was breached but they didn't say which company's ATMs were hit. I even called and tried to find out but they wouldn't/couldn't tell me. The customer support person just kept saying "Sir, Your card was breached" as if the problem was with my ATM card. Here in NY there are tons of independent ATMs around which charge anywhere from $1-$3 for withdrawal (Maybe they could use some of those fees for security). If I knew which one f'ed up I would spend my withdrawal fees elsewhere.
Citi also botched sending me a new card twice so now they've disabled my old card and have yet to send me a new one. I guess I don't have to worry about those pesky fees for a while.
I don't know enough about this to have a real opinion I guess, but I had sort of made the assumption that PINs worked like passwords in Linux and Windows - the server wouldn't know your password (PIN), but would know the HASH only. I guess these folks are saying that you can actually steal the PIN itself from a bank's server? I'd think it more likely that you could steal the hashes and then knowing that the PINs are generally 4 digit numbers, crack the hash. But if they directly store the PIN on their servers - that seems like a stupid idea.
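The point raised in the comment above, that a stored hash of a 4-digit PIN can simply be searched, shown as an added example; it is not part of the original thread and does not describe how Citibank or any bank stores PINs. The account label, sample PIN, round count and the keyed-verifier design are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os

PIN_SPACE = [f"{n:04d}" for n in range(10_000)]  # every possible 4-digit PIN


def plain_hash(pin: str) -> bytes:
    """Unsalted hash: the naive 'the server only keeps the hash' design."""
    return hashlib.sha256(pin.encode()).digest()


def salted_kdf(pin: str, salt: bytes, rounds: int = 100) -> bytes:
    """Salted, iterated hash as used for passwords (rounds kept low for the demo)."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, rounds)


def keyed_verifier(pin: str, account: str, key: bytes) -> bytes:
    """HMAC under a secret key kept outside the database (assumed: key store or HSM)."""
    return hmac.new(key, f"{account}:{pin}".encode(), hashlib.sha256).digest()


def candidates_matching(stored: bytes, compute) -> list:
    """Every PIN whose recomputed verifier equals the stored value."""
    return [p for p in PIN_SPACE if hmac.compare_digest(compute(p), stored)]


def audit() -> dict:
    """What a database-only leak reveals under each storage design."""
    pin, account = "4831", "ACCT-0001"  # constructed sample values
    salt, key = os.urandom(16), os.urandom(32)
    results = {}
    # 1. Unsalted hash: the stored value pins down the PIN within 10,000 guesses.
    results["plain"] = candidates_matching(plain_hash(pin), plain_hash)
    # 2. Salted KDF: the salt sits beside the hash, so each guess costs more,
    #    but the search is still bounded by the same 10,000 candidates.
    stored = salted_kdf(pin, salt)
    results["salted"] = candidates_matching(stored, lambda p: salted_kdf(p, salt))
    # 3. Keyed verifier: without the key, no candidate can be confirmed offline.
    stored = keyed_verifier(pin, account, key)
    guess_key = os.urandom(32)  # stands in for "the key was not in the leak"
    results["keyed_without_key"] = candidates_matching(
        stored, lambda p: keyed_verifier(p, account, guess_key))
    return results


if __name__ == "__main__":
    print(audit())
```

Salting and iteration raise the cost per guess but cannot enlarge a 10,000-value keyspace; only a secret that is not stored with the verifiers changes the outcome of a database-only leak.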