SAN JOSE — Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption — encoding them so that they are unreadable to anyone without the key — some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
"PINs were supposed to be sacrosanct — what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them.
That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc., which operates the others.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.
All that's known is that they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines — which means they had carte blanche to grab information — through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice — sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
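The article says industry standards require the PIN to be encrypted before it leaves the ATM, and that the attackers may instead have captured unencrypted PINs on a back-end server. The program below, added here as an illustration and not code from the article, the court filings, or any of the companies named, shows what that standard looks like in practice: the keypad combines the PIN with the card's PAN into an ISO 9564-1 format 0 PIN block and encrypts it with Triple DES under a zone PIN key before anything is transmitted. It then plays the role of a tap on the link: against the clear block the PIN falls straight out, against the encrypted block the same parse fails, and only a host that holds the zone key recovers it. The PAN, PIN and 16-byte key are constructed test values, not data from the case.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

func allDigits(s string) bool {
	for _, c := range s {
		if c < '0' || c > '9' {
			return false
		}
	}
	return s != ""
}

// panField returns the ISO 9564 format 0 PAN field: "0000" followed by the
// twelve rightmost PAN digits, excluding the trailing Luhn check digit.
func panField(pan string) ([]byte, error) {
	if len(pan) < 13 || !allDigits(pan) {
		return nil, errors.New("PAN must be at least 13 digits")
	}
	body := pan[:len(pan)-1]
	return hex.DecodeString("0000" + body[len(body)-12:])
}

// FormatZeroPINBlock builds the clear ISO 9564-1 format 0 block that an
// encrypting PIN pad forms internally: "0" + length nibble + PIN digits,
// padded with 'F' to 16 hex digits, XORed with the PAN field.
func FormatZeroPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || !allDigits(pin) {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	pf := fmt.Sprintf("0%X%s", len(pin), pin)
	pf += strings.Repeat("F", 16-len(pf))
	pinBytes, _ := hex.DecodeString(pf)
	panBytes, err := panField(pan)
	if err != nil {
		return nil, err
	}
	block := make([]byte, 8)
	for i := range block {
		block[i] = pinBytes[i] ^ panBytes[i]
	}
	return block, nil
}

// ReadClearPINBlock is what a sniffer on the link, or malware on a host that
// handles PINs in software, can do: if the 8-byte field is a format 0 clear
// block for this PAN, the PIN is recovered with no key at all. It returns
// ok=false for anything else, including a block still under the zone key.
func ReadClearPINBlock(block []byte, pan string) (string, bool) {
	panBytes, err := panField(pan)
	if err != nil || len(block) != 8 {
		return "", false
	}
	pf := make([]byte, 8)
	for i := range pf {
		pf[i] = block[i] ^ panBytes[i]
	}
	h := strings.ToUpper(hex.EncodeToString(pf))
	n := int(pf[0] & 0x0F) // PIN length nibble
	if pf[0]>>4 != 0 || n < 4 || n > 12 {
		return "", false
	}
	pin := h[2 : 2+n]
	if !allDigits(pin) || strings.Trim(h[2+n:], "F") != "" {
		return "", false
	}
	return pin, true
}

// tdesCipher expands a double-length (16-byte) zone PIN key to K1||K2||K1,
// the form crypto/des expects, and returns the 3DES block cipher.
func tdesCipher(key []byte) (cipher.Block, error) {
	if len(key) != 16 && len(key) != 24 {
		return nil, errors.New("zone PIN key must be 16 or 24 bytes")
	}
	full := append([]byte{}, key...)
	if len(full) == 16 {
		full = append(full, key[:8]...)
	}
	return des.NewTripleDESCipher(full)
}

// EncryptPINBlock is the keypad side: the clear block is encrypted under the
// zone PIN key before it ever reaches the ATM's own PC or the network.
func EncryptPINBlock(key, clear []byte) ([]byte, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return nil, err
	}
	if len(clear) != 8 {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	out := make([]byte, 8)
	c.Encrypt(out, clear)
	return out, nil
}

// RecoverPIN is the host/HSM side: decrypt under the same zone key, then
// parse. A wrong key or wrong PAN yields a block that fails the format check.
func RecoverPIN(key, enc []byte, pan string) (string, error) {
	c, err := tdesCipher(key)
	if err != nil {
		return "", err
	}
	if len(enc) != 8 {
		return "", errors.New("PIN block must be 8 bytes")
	}
	clear := make([]byte, 8)
	c.Decrypt(clear, enc)
	pin, ok := ReadClearPINBlock(clear, pan)
	if !ok {
		return "", errors.New("not a valid format 0 PIN block (wrong key or PAN)")
	}
	return pin, nil
}

func main() {
	// Constructed test values, not data from the case.
	pan, pin := "4111111111111111", "1234"
	zpk := []byte("0123456789ABCDEF") // constructed 16-byte zone PIN key
	clear, _ := FormatZeroPINBlock(pin, pan)
	enc, _ := EncryptPINBlock(zpk, clear)
	fmt.Printf("clear block: %X\n", clear)
	fmt.Printf("on the wire: %X\n", enc)
	if p, ok := ReadClearPINBlock(clear, pan); ok {
		fmt.Println("unencrypted link leaks PIN:", p)
	}
	if _, ok := ReadClearPINBlock(enc, pan); !ok {
		fmt.Println("encrypted link: a tap sees only the cryptogram")
	}
	p, err := RecoverPIN(zpk, enc, pan)
	fmt.Println("host holding the zone key recovers:", p, err)
}
```

The design point is where the key lives. Because the clear block exists only inside the tamper-responsive keypad and the zone key only inside the keypad and the processor's HSM, a compromised ATM PC, network segment or back-end server sees nothing ReadClearPINBlock can parse. The leak the article describes is the case where that property is broken somewhere between the two: a link carrying clear blocks, or a host that decrypts in software and can be made to log what it decrypts.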
Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.
"This was fairly large, but I don't think it's anything out of the ordinary — these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."
The alleged plot is outlined in court papers supporting the prosecution of three people — Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.
Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as holding Michigan and Florida driver's licenses in a February FBI affidavit for an arrest warrant.
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.
Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.
"Fiserv," she said, "is confident in the integrity and security of our system."
The ATM Industry Association (ATMIA) (www.atmia.com) would like to address the inaccurate reporting and statements made in your report and by your professed experts.
The ATM Industry in general, and the ATM Personal Identification Number (PIN) in particular, are extremely secure and safe for consumer use. Further, while the Industry works diligently to prevent fraud, a combination of banking laws and network rules ensure that consumers are fully protected from monetary losses that arise through any fraudulent use of their ATM card, PIN, or personal financial information. In the United States, whether consumers opt to use credit or debit cards to access cash at the ATM, Federal Reserve Regulation E ensures that consumers are covered and do not bear the financial burden of fraud.
Since its inception, the ATM Industry has worked diligently to provide a safe and secure way for consumers to conduct financial transactions at the time and place of their choosing. As criminals who would attempt to exploit ATMs have modified their methods over time, the ATM Industry has proactively developed new technologies and safeguards to prevent fraud.
When criminals developed electronic means to attempt to steal PIN numbers several years ago, the Industry reacted by implementing Encrypted PIN Pads (EPP) and Triple DES Encryption (Triple DES). These security enhancements, which instantaneously encrypt PINs within the PIN Pad itself using strong encryption standards, are now mandatory on all ATMs operating in the United States and have effectively eliminated the electronic theft of PINs from the ATM.
As a consequence of TDES and EPP, the criminal element has shifted its focus to:
• POS terminals and pay at the pump
• Merchant IT systems
I would be more than happy to provide you with a chart constructed by Fair Isaac demonstrating this fact. They provide actual statistics from actual experts that show the dramatic decline in PIN compromise at all ATMs and especially the privately owned or "NonBank" ATM.
Today, criminals attempting to acquire PINs at the ATM are more likely to do so by using physical skimming devices coupled with PIN Pad overlay devices or camera systems to capture card data and PINs. This relatively rare type of fraud is particularly difficult to accomplish with ATMs placed in retail locations – those ATMs are under constant scrutiny by store staff during business hours and are unavailable to would-be criminals during non-business hours, making it particularly difficult to install and retrieve the equipment required to steal card data and PINs.
However, as the chart will demonstrate, such skimming attacks are much more likely to occur at a POS terminal than an ATM.
Due to the EPP and TDES requirements by the various Networks, PIN based transactions have far fewer incidences of fraud than signature based transactions and are much harder to compromise than card numbers.
Most of what is commonly reported by the press as "ATM Fraud" is actually PIN Fraud (or Debit Card Fraud). This fraud occurs when criminals obtain counterfeit cards and PINs from skimming of either Point of Sale terminals or databases operated in the retail environment.
In these cases, the ATM is simply used as a means to retrieve cash – it is not the point where the cardholder's card number and PIN were stolen or copied and in no way represents a threat to consumers.
The ATM Industry has proactively developed and initiated security technologies and best practices to cope with ATM crime. The Industry has worked to fight crime through the use of risk assessments, implementation of best practices, formation of joint law enforcement-industry crime fighting groups, hardening of targets, and sharing of fraud monitoring and fraud alert systems. In the rare case when ATM fraud does occur, ATM transactions create an electronic audit trail that can provide valuable information in tracking and prosecuting ATM fraud.
It is reasonably estimated that World-wide there are 49 billion cash withdrawals each year at ATMs of which over 14 billion such cash withdrawals are at ATMs located in the United States. The amount of cash withdrawn from ATMs, just in the United States, on an annual basis is several hundred billion dollars. The ATM Industry's estimated fraud losses are considerably less than one-tenth of one percent of cash dispensed at ATMs in the United States. Further, such loss is totally borne by the issuing banks and networks and not by the consumer. The ATMIA acknowledges that any dollar lost to fraudulent activity is undesirable and will continue to cooperate with law enforcement agencies across the globe to fight any and all criminal activities directed at the electronic payment system, of which the ATM is but one of many parts.
About ATMIA
www.atmia.com
The ATM Industry Association is a global non-profit trade association with over 1,050 members in 50 countries. Its mission is to promote ATM convenience, growth and usage worldwide, protect the ATM industry's assets, interests, good name and public trust; and provide education, best practices, political voice and networking opportunities for member organizations. In June 2003, ATMIA established the Global ATM Security Alliance (GASA) (www.globalasa.com) with the mission to employ global security resources in a united alliance in order to protect the ATM industry from criminal activity.