-
June 25th, 2008, 05:43 PM
#1
Citibank ATM Scare: Who Has Your PIN?
Though all the details behind the intrusion haven't been disclosed, this operation was plundering people's accounts for some insane amounts. And is that a hint of GTA4 I detect?
Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist - Threat Level Blog, Wired
Three months had passed since Citibank notified the FBI that a hacker managed to steal customer-account numbers and PIN codes, in an attack on a server that processes transactions from Citi-branded ATMs at 7-Eleven convenience stores. In late February and early March, the FBI and the U.S. Secret Service arrested two Ukrainian immigrants and two alleged co-conspirators for allegedly using the stolen PINs to steal $2 million in cash from unsuspecting Citibank customers.
But the arrests didn't stop the fraud, which sprang from perhaps the most serious computer intrusion into a bank system to date. The FBI has recently made at least six more arrests in New York -- bringing the total to 10 -- thanks to information from arrested scam suspects, a lucky traffic stop, and an undercover operation that at one point had Eastern European hackers chasing a female FBI agent through the streets of New York, trying to mug her for ATM-card-programming gear.
Signs point to a third-party transaction processor as the source of the intrusion, not that it comes as much of a shock.
-
June 25th, 2008, 06:15 PM
#2
Why are we still seeing this stuff? What does it take to get people -- both corporations and individuals -- to protect themselves more?
-
June 26th, 2008, 10:36 AM
#3
Originally Posted by MsMittens
Why are we still seeing this stuff? What does it take to get people -- both corporations and individuals -- to protect themselves more?
Computer security is a bit of a mirage. There's so many holes in systems. Close one, another opens. I think admins are flying blind more often than they're willing to admit. And as much as we want to think security is based on technical reasoning, its true basis is legal. And law often fails to keep up with tech. IMHO.
It's no accident ID theft has become the crime-du-jour with the centralization of databases. It's too much power, and too much temptation.
I love computers, but sometimes I think we're eff'ed because of them.
“Everybody is ignorant, only on different subjects.” — Will Rogers
-
June 26th, 2008, 11:35 AM
#4
Why are we still seeing this stuff? What does it take to get people -- both corporations and individuals -- to protect themselves more?
In these cases because it is being conducted by organised, professional, criminals against disorganised, unprofessional, IT operations. No customer intervention required.
If you want to stop it, just criminalise the negligence and make the CEO/CFO/CIO responsible.
-
June 26th, 2008, 12:08 PM
#5
Banned
Originally Posted by nihil
If you want to stop it, just criminalise the negligence and make the CEO/CFO/CIO responsible.
It may improve things, but there is a caveat: In the particular case of Citibank - if you've read the article in Wired, Citibank DENIES that actual PIN theft happened from their systems. According to Wired, there is a new possible suspect whose systems may have been compromised and passwords were stolen from there.
In that scenario, the CEO/CFO/CTO won't be held responsible.
What bugs me much more is that actual PINs are stored anywhere instead of offsets or hashes.
-
June 26th, 2008, 12:27 PM
#6
In that scenario, the CEO/CFO/CTO won't be held responsible.
Yes they would, the question would be whose? In this current age of specialisation, sub-contracting, and outsourcing, it is quite reasonable to expect that there will be some sort of "audit trail" search to find where the breach occurred.
-
July 7th, 2008, 04:46 PM
#7
Junior Member
I think we need to start storing all PINs with encryption, that can only be decoded with a specific password that is typed in by the customer at the time of access. That way if they reset the PIN, they can determine who jacked the account. Why have we yet to swap from 4-digit PINs to say... 8-character strong passwords... I'm ok with chicken pecking a keyboard on an ATM if it keeps my PIN safe...
-
July 7th, 2008, 09:41 PM
#8
Tex,
I hear what you are saying, but I don't believe that what you are suggesting is a total solution. My problem with cards is that they basically hold static data for a year or three years or whatever.
Up until a while ago, I worked in the defence sector over here. We had those RSA token devices. They created a once valid authentication, and I would imagine are one hell of a lot more difficult to clone than a chip and pin device.
Even if what is generated is intercepted, it is useless until you get your cash, and then it is obsolete?
OK, I see that there is a problem in dealing with making actual purchases, as you don't go through your bank?.............. I would guess that one is down to processes and procedures?
-
July 8th, 2008, 05:25 PM
#9
Jobs have become de-skilled, staff have been cut and the checks and balances of old have gone out the window.
Furthermore, junior staff had training, career progression and other incentives. You would get a decent pension and you were regarded as a professional. Not the sort of things you threw away lightly for a few quick bucks?
Boy, I think you've summed up the root cause of a grand multitude of IT and IT security problems abroad right there.
Today you have more and more IT people not knowing what they're doing, yet in charge of a volume of sensitive data. In their defense (as I've been that ignorant IT person myself in past jobs), the problem is often a lack of training as opposed to a lack of competence. No one's seriously investing in them.
And consequently, IT is no longer (if it ever was) a well regarded profession. Ya know, there's a world of difference between "IT Professional" and "computer guy", and nowadays everyone is seen as the latter.
-
July 8th, 2008, 06:14 PM
#10
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson