Wednesday, October 8, 2008

Citibank PIN Code Hackers in Court

When using HomeATM's patented solution, PIN codes ARE SACROSANCT so we encrypt them from the "very millisecond" they are tapped into the PIN Pad. When processed properly there is NO safer transaction than a PIN-based transaction, which is why they boast the lowest interchange rates of all...

Citibank must like shortcuts, because their machines in convenience stores across America were the target of the biggest and most effective remote PIN code theft scam in US banking history about three months ago. And they shouldn't have been. No excuses. In addition to bringing the hackers to court, maybe the individual who made the decision to make ATMs easier to breach should be there too.

The Citibank/7-Eleven hack does NOT reflect PIN Debit as a whole. It relates specifically to bank ATM machines, more specifically, ATMs that employ a remote diagnostic capability designed to repair them (which can also apparently "leak information"). Details of the fraud have only now been made public, as the case makes its way through the US District Court for the Southern District of New York.

The following information is from several different articles over the last couple of months. Feel free to browse through the "related articles" I've included at the bottom of this post. Let me begin by explaining why PIN Debit has always enjoyed the lowest Interchange Rates of all the payment mechanisms: The biggest and foremost reason is that PIN codes have always been the most closely guarded secrets in banking transactions. They are supposed to be encrypted from the very second they are tapped into a keypad. Until recently, it was virtually impossible to get at them without physically looking over someone’s shoulder as they punched in their digits to withdraw money. I've posted many times here about how scams involving strategically placed mirrors or tiny video cameras have become something of a common threat for banks. That's enough to be concerned about. Here's more than enough...


"Technology for ATMs has changed over the past few years. The infrastructure is now built on Microsoft’s Windows operating system, and the ATM cash machines themselves can be remotely diagnosed and repaired online. Unfortunately, this means that PIN codes have started to “leak” along the way — suggesting that industry guidelines on encryption are not always being followed."

Here's the part where you can say: "Well, that's just great. In order to save the expense of sending out an ATM repair man, they put everybody's checking and savings account at risk" (and play with/tarnish the reputation of PIN Debit in the marketplace, I might add). What is Citibank thinking? And they're one of the "survivors" of this banking fiasco?

“PINs were supposed to be sacrosanct,” says Avivah Litan, a distinguished security analyst with the Gartner research firm. “What this shows is that PINs aren’t always encrypted like they’re supposed to be. The banks need much better fraud detection systems and much better authentication.”

ATM fraud is growing exponentially. I've posted several times about this in the recent past, including fraudsters setting up fake keyboards and mini-cameras to glean PINs — or PIN codes that have been obtained through “phishing” scams. According to one article, it is not clear how many Citibank customers were affected by the hackers. The bank has nearly 5,700 Citibank-branded cash machines inside 7-Eleven stores, but it does not own or operate any of them. The maintenance of the machines is carried out by two companies: Cardtronics, based in Texas, and Fiserv, based in Wisconsin.

The alleged hackers — Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva — are accused of stealing at least $2 million through the PIN scam and have been indicted on two counts each of conspiracy and fraud. It is thought that a much larger sum of money might have already been transferred to Russian bank accounts — and there are suggestions that the actual hacking was performed by another party, with the defendants simply using second-hand information to make cash withdrawals. The wording of the indictment against them is vague.

The ring-leader of the three suspects is Mr Rakushchynets, a 32-year-old Ukrainian and a regular contributor to underground online credit card fraud forums. When he was arrested by the FBI — he was already under investigation for his suspected role in a separate $5 million hacking scam — agents found $800,000 of cash at his Brooklyn home, most of it stuffed into rubbish bags.

It remains unknown, or at least undisclosed, exactly how the hackers infiltrated the closely guarded computer network, although it has been confirmed that they broke in through a server at a third-party processing company. Once they obtained the PIN codes, the hackers could then simply make card clones (see my post and a video on how easy it is to clone a card: "Card Cloning Quickly Becoming a Global Affair") and use them to withdraw funds from compromised accounts at virtually any cash machine in the country.

Don Jackson, director of threat intelligence for the computer security company SecureWorks, said he had seen an “alarming” spike in the number of attacks on back-end computers for cash machine networks over the past year. “What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed,” he said. “But there are a whole lot of other and PIN compromises going on that aren’t reported.”

Citibank has declined to comment on the details of the case, saying only that it has notified affected customers and issued them with new debit cards. “We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts,” it said in a statement. Cardtronics has said it is co-operating with authorities, while Fiserv insists the intrusion did not happen on any of its servers.

“Fiserv is confident in the integrity and security of our system,” said a spokeswoman.





