Slashdot Mirror


Crooks Nab Citibank ATM Codes, Steal Millions

An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."

2 of 282 comments

  1. Re:Time to look into other means of security by edraven · Score: 5, Interesting

    Retinal scanning would fail if someone was in an accident or had surgery or something. Or just went on a bender last night. I knew a guy who loved to tell the story of when he was consulting at a military installation that employed retinal scanners among other security measures. He went out drinking one night and the next day when he reported for work he was a little bloodshot and the scanners didn't recognize him. And the metal walls came down while the guys with shotguns were summoned...
  2. Mine is more than 4 digits... maybe by PCM2 · Score: 5, Interesting

    I have a Bank of America ATM card that has a six-digit PIN. The really interesting thing, though -- which I discovered by accident -- is that on Bank of America ATMs you can simply enter the first four digits and then as many random digits as you want and the code works.

    In other words, say my PIN is 443672. I can enter 4436, 44367, or 4436987899979 and it will always work. This seems like a fairly serious security flaw, to me.

    I know what you're thinking: "Sounds like you really only have a 4-digit PIN." But no! On other kinds of machines, say at the supermarket, I always have to enter in all 6 digits accurately. It's only Bank of America ATM machines where this is true.

    In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.

    --
    Breakfast served all day!