
Thread: Citibank ATM Scare: Who Has Your PIN?

  1. #1
    Senior Member phernandez's Avatar
    Join Date
    Aug 2003
    Location
    NYC
    Posts
    246

    Citibank ATM Scare: Who Has Your PIN?

    Though all the details behind the intrusion haven't been disclosed, this operation was plundering people's accounts for some insane amounts. And is that a hint of GTA4 I detect?

    Stakeouts, Lucky Breaks Snare Six More in Citibank ATM Heist - Threat Level Blog, Wired

    Three months had passed since Citibank notified the FBI that a hacker managed to steal customer-account numbers and PIN codes, in an attack on a server that processes transactions from Citi-branded ATMs at 7-Eleven convenience stores. In late February and early March, the FBI and the U.S. Secret Service arrested two Ukrainian immigrants and two alleged co-conspirators for allegedly using the stolen PINs to steal $2 million in cash from unsuspecting Citibank customers.

    But the arrests didn't stop the fraud, which sprang from perhaps the most serious computer intrusion into a bank system to date. The FBI has recently made at least six more arrests in New York -- bringing the total to 10 -- thanks to information from arrested scam suspects, a lucky traffic stop, and an undercover operation that at one point had Eastern European hackers chasing a female FBI agent through the streets of New York, trying to mug her for ATM-card-programming gear.
    Signs point to a third-party transaction processor as the source of the intrusion, not that it comes as much of a shock.

  2. #2
    Just a Virtualized Geek MrLinus's Avatar
    Join Date
    Sep 2001
    Location
    Redondo Beach, CA
    Posts
    7,323
    Why are we still seeing this stuff? What does it take to get people -- both corporations and individuals -- to protect themselves more?
    Goodbye, Mittens (1992-2008). My pillow will be cold without your purring beside my head

  3. #3
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Quote Originally Posted by MsMittens
    Why are we still seeing this stuff? What does it take to get people -- both corporations and individuals -- to protect themselves more?
    Computer security is a bit of a mirage. There are so many holes in systems. Close one, another opens. I think admins are flying blind more often than they're willing to admit. And as much as we want to think security is based on technical reasoning, its true basis is legal. And law often fails to keep up with tech. IMHO.

    It's no accident ID theft has become the crime-du-jour with the centralization of databases. It's too much power, and too much temptation.

    I love computers, but sometimes I think we're eff'ed because of them.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Why are we still seeing this stuff? What does it take to get people -- both corporations and individuals -- to protect themselves more?
    In these cases because it is being conducted by organised, professional criminals against disorganised, unprofessional IT operations. No customer intervention required.

    If you want to stop it, just criminalise the negligence and make the CEO/CFO/CIO responsible.

  5. #5
    Quote Originally Posted by nihil
    If you want to stop it, just criminalise the negligence and make the CEO/CFO/CIO responsible.
    It may improve things, but there is a caveat: In the particular case of Citibank - if you've read the article in Wired, Citibank DENIES that actual PIN theft happened from their systems. According to Wired, there is a new possible suspect whose systems may have been compromised and passwords were stolen from there.

    In that scenario, the CEO/CFO/CTO won't be held responsible.
    What bugs me much more is that actual PINs are stored anywhere instead of offsets or hashes.
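    To make the offsets-versus-stored-PINs point concrete, here is an added example (not from this thread or from any bank's code) of the PIN-offset approach: HMAC-SHA256 is an assumed stand-in for the keyed DES step of the IBM 3624 method, the decimalisation rule is a stand-in for an issuer's table, and the key and card number (PAN) are constructed. The record that lands in the database holds only the PAN and the offset, so a dump of such records is not a dump of PINs unless the derivation key leaks with it.

```python
import hashlib
import hmac

# Constructed sample key for the example; a real issuer keeps this in an HSM.
PIN_DERIVATION_KEY = bytes.fromhex("000102030405060708090a0b0c0d0e0f")


def natural_pin(pan: str, key: bytes, length: int = 4) -> str:
    """Derive the 'natural' PIN for a card number (PAN) under a secret key.

    Assumption: HMAC-SHA256 stands in for the DES step of the classic IBM 3624
    method so the example runs with the standard library only; the
    decimalisation below (hex a-f -> 0-5) is likewise a stand-in for the
    issuer's decimalisation table.
    """
    digest = hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()
    decimalised = "".join(str(int(c, 16) % 10) for c in digest)
    return decimalised[:length]


def pin_offset(pan: str, pin: str, key: bytes) -> str:
    """Digit-wise (PIN - natural PIN) mod 10: the value that is safe to store."""
    nat = natural_pin(pan, key, len(pin))
    return "".join(str((int(p) - int(n)) % 10) for p, n in zip(pin, nat))


def verify_pin(pan: str, candidate: str, offset: str, key: bytes) -> bool:
    """Recompute the expected PIN from PAN + stored offset; compare in constant time."""
    if len(candidate) != len(offset) or not candidate.isdigit():
        return False
    nat = natural_pin(pan, key, len(offset))
    expected = "".join(str((int(n) + int(o)) % 10) for n, o in zip(nat, offset))
    return hmac.compare_digest(expected, candidate)


if __name__ == "__main__":
    pan = "4111111111111111"  # constructed test PAN
    record = {"pan": pan, "offset": pin_offset(pan, "1234", PIN_DERIVATION_KEY)}
    print("stored record (no PIN in it):", record)
    print("correct PIN accepted:", verify_pin(pan, "1234", record["offset"], PIN_DERIVATION_KEY))
    print("wrong PIN rejected:", not verify_pin(pan, "4321", record["offset"], PIN_DERIVATION_KEY))
```

    The same offset stays valid when the customer's card is reissued under the same PAN, which is the property that lets issuers keep PINs out of the transaction database in the first place.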

  6. #6
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    In that scenario, the CEO/CFO/CTO won't be held responsible.
    Yes they would, the question would be whose? In this current age of specialisation, sub-contracting, and outsourcing, it is quite reasonable to expect that there will be some sort of "audit trail" search to find where the breach occurred.


  7. #7
    Dissident 4dm1n brokencrow's Avatar
    Join Date
    Feb 2004
    Location
    Shawnee country
    Posts
    1,243
    Lot of these are inside jobs. Happens more than you think. Much harder to guard against that.

    Too much power, too much temptation. Sometimes I think we need a new model decentralizing data.
    “Everybody is ignorant, only on different subjects.” — Will Rogers

  8. #8
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    1. Too much power, 2. too much temptation. 3. Sometimes I think we need a new model decentralizing data.
    1. No, it is actually "too much empowerment" resulting from weak security models, that in turn have been spawned by corporate and executive greed.

    Jobs have become de-skilled, staff have been cut and the checks and balances of old have gone out the window. All in the name of corporate profit and executive bonuses.

    Security is looked upon by some senior management in much the same way as insurance and fire extinguishers. It doesn't bring in any revenue and is a drain on profits... until the tornado and the fire come along.

    2. Temptation is an interesting one. I would argue that there has always been temptation to perpetrate fraud or to steal. What has changed in my observations is that in the past you had far more checks and balances, stricter manual authorisation and internal audit, and were surrounded by people who were trained career personnel.

    Furthermore, junior staff had training, career progression and other incentives. You would get a decent pension and you were regarded as a professional. Not the sort of things you threw away lightly for a few quick bucks?

    These days that is mostly gone, and you don't have to be a rocket scientist to skim credit card details and sell them.

    3. This is a Catch-22. If you don't centralise, most of your operation won't work. Also, decentralisation just means that you have more targets to defend, and you won't get the extra staff.

  9. #9
    Junior Member
    Join Date
    Jul 2008
    Posts
    5
    I think we need to start storing all PINs with encryption that can only be decoded with a specific password that is typed in by the customer at the time of access. That way if they reset the PIN, they can determine who jacked the account. Why have we yet to swap from 4-digit PINs to, say... 8-character strong passwords? I'm OK with chicken-pecking a keyboard on an ATM if it keeps my PIN safe...

  10. #10
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Tex,

    I hear what you are saying, but I don't believe that what you are suggesting is a total solution. My problem with cards is that they basically hold static data for a year or three years or whatever.

    Up until a while ago, I worked in the defence sector over here. We had those RSA token devices. They created a once valid authentication, and I would imagine are one hell of a lot more difficult to clone than a chip and pin device.

    Even if what is generated is intercepted, it is useless until you get your cash, and then it is obsolete?

    OK, I see that there is a problem in dealing with making actual purchases, as you don't go through your bank... I would guess that one is down to processes and procedures?

