Slashdot Mirror
Crooks Nab Citibank ATM Codes, Steal Millions
An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."
Authorities report that the two Ukrainians, identified as cousins Niko and Roman Bellic, were released from police custody after police confiscated their guns and took 10% of their money. The pair subsequently stole several cars and went on a killing spree with an RPG they found on a nearby rooftop.
SJW: Someone who has run out of real oppression, and has to fake it.
In Soviet Russia, the ATM robs you
"16MB (fuck off, MiB fascists)" - The Mighty Buzzard
My personal solution: being broke as hell.
Prediction: The real iPhone killer is going to be sex robots from Japan. Think about it.
yet only in June do they issue new pins? Nice.
Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.
The trouble with biometrics is that it can't be changed. Additionally, the various ways have bad flaws:
As a general rule, I wouldn't use my fingerprint to protect anything that's worth more to a criminal than my finger is to me.
http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm
PINs are encrypted and sent across the network. These crooks managed to intercept the PINs at one of the servers that processed them.
If PINs were checked locally, then every ATM would need to be able to determine the correct PIN for every card inserted into it, which means that one of them could be turned into a PIN-producing machine.
I have a Bank of America ATM card that has a six-digit PIN. The really interesting thing, though -- which I discovered by accident -- is that on Bank of America ATMs you can simply enter the first four digits and then as many random digits as you want and the code works.
In other words, say my PIN is 443672. I can enter 4436, 44367, or 4436987899979 and it will always work. This seems like a fairly serious security flaw, to me.
I know what you're thinking: "Sounds like you really only have a 4-digit PIN." But no! On other kinds of machines, say at the supermarket, I always have to enter in all 6 digits accurately. It's only Bank of America ATM machines where this is true.
In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.
Breakfast served all day!
You're confusing two issues: An ATM Withdrawal and a Purchase.
Any Debit Card with a Visa or MC logo carries fraud protection. They both require that funds be put back into your account within 5 business days, and many banks do it same-day, mine included. This includes provisions for overdrafts that happened because of the fraudulent deduction.
In fact, on the Visa website, you'll see that the Debit Card page and the CC page both point to the same "Zero Liability" page.
Of course, as I said, you confused 2 issues: Purchases and PIN-Based ATM withdrawals.
If you take a cash advance from your CC at an ATM using your PIN, it won't be so simple as "okay, reversed." It's their policy that its your duty to keep your PIN secure and secret. And that applies equally to both Credit and Debit cards.
Don't get me wrong -- I do the same thing you do. Every online purchase, and many offline, I use my Credit Card and pay it off when the statement comes. But I do it for the added benefits: Points, extra warranty on everything I buy, etc.
And because I don't always check my bank balances every day. My bank has refunded fraudulent debit card purchases for me twice, and the money was back in my account within an hour or so, but I worry about the time that I don't check it for a couple days and the money isn't there when I need it. Sure, the bank will fix it promptly, but that doesn't help if I have a cart full of groceries.
Not to mention, the worst thing that could happen if your CC is fraudmeistered is that you can't charge anything until it's fixed. There's a lot more headache involved if your checking acct was just drained.
But I wouldn't worry about fraud response from banks. Visa and Mastercard are literally making BILLIONS off Americans using the debit cards in place of cash. They don't want to scare you off.