
Crooks Nab Citibank ATM Codes, Steal Millions

timothy posted more than 6 years ago | from the ha-ha-you-can't-steal-it-if-I-lose-it-first dept.

Security 282

An anonymous reader writes "Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes, Wired reports. In recent months the FBI has arrested 10 people in the New York area who were allegedly involved in using the codes to steal over $2 million from Citibank checking and savings accounts, including two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes. Some of the suspects are cooperating, telling the feds that they've been working for a Russian hacker. They use magstripe writers to encode the stolen account numbers onto blank cards, then hit ATMs in New York, and transfer 70% of the loot back to Russia."


282 comments


Further development on the case (5, Funny)

elrous0 (869638) | more than 6 years ago | (#23955685)

Authorities report that the two Ukrainians, identified as cousins Niko and Roman Bellic, were released from police custody after police confiscated their guns and took 10% of their money. The pair subsequently stole several cars and went on a killing spree with an RPG they found on a nearby rooftop.

Re:Further development on the case (1)

cryptodan (1098165) | more than 6 years ago | (#23955933)

Authorities report that the two Ukrainians, identified as cousins Niko and Roman Bellic, were released from police custody after police confiscated their guns and took 10% of their money. The pair subsequently stole several cars and went on a killing spree with an RPG they found on a nearby rooftop.
The media blames Grand Theft Auto and other violent video games for their actions. Jack Thompson represents them in a court of LAW.

Re:Further development on the case (0)

Anonymous Coward | more than 6 years ago | (#23957425)

Inside news revealed that their release could be related to local Deputy Commissioner Francis McReary.

Thats why... (-1, Offtopic)

Gr33n3gg (1256070) | more than 6 years ago | (#23955691)

...I carry cash, you insensitive clod!

Re:Thats why... (1)

sm62704 (957197) | more than 6 years ago | (#23956395)

The best gift cards in the US are green and have pictures of dead presidents on them.

Re:Thats why... (2, Funny)

statemachine (840641) | more than 6 years ago | (#23956989)

You keep the ones with the dead presidents. I'll keep the others. I'll only insist on having the same number, to be fair. Deal?

Re:Thats why... (0)

Anonymous Coward | more than 6 years ago | (#23957279)

Cool, you can have the ones with dead presidents on them and I'll take all the 100s and 10s.

Re:Thats why... (4, Insightful)

Beardo the Bearded (321478) | more than 6 years ago | (#23957585)

It's why I moved all my purchasing from debit to credit.

The dispute resolution for M/C is a lot easier:

"I didn't buy this."

"Okay, reversed."

vs. the bank:

"I didn't make that withdrawal."

"Well, we'll have to review the security tapes, check your whereabouts, and in 12-16 months, we'll credit your account."

Also, I get 1% cash back on the M/C. And no, I don't carry a balance.

FP (5, Funny)

Anonymous Coward | more than 6 years ago | (#23955697)

In Soviet Russia, the ATM robs you

Clever... (0)

VeNoM0619 (1058216) | more than 6 years ago | (#23955707)

who were each caught with $800,000 in cash stashed in boxes and shopping bags in their home
Now that is the most clever thing ever when dealing with theft of this magnitude, almost as good as the "under the mattress" trick.

Re:Clever... (0)

Anonymous Coward | more than 6 years ago | (#23956403)

Use it to buy gold and then dissolve it in aqua regia. If it was good enough to hide Jew gold from the Nazis, it will be good enough to hide gold from the FBI.

Re:Clever... (-1, Troll)

Bombula (670389) | more than 6 years ago | (#23956497)

Amazing that anyone smart enough to steal that much money could be dumb enough to get caught. My guess is they were just bagmen. Literally, in this case...

Re:Clever... (1)

davester666 (731373) | more than 6 years ago | (#23957149)

And yet, from an article I read yesterday, Citibank still denies that their machine was compromised...

[sorry, couldn't be bothered to track it down right now...]

Re:Clever... (1)

ewhac (5844) | more than 6 years ago | (#23957147)

almost as good as the "under the mattress" trick.

...Or the in-the-freezer [cnn.com] trick.

Schwab

Re:Clever... (1)

slawo (1210850) | more than 6 years ago | (#23957473)

If I were them I would have put the money on a new account... at City Bank...

Fixed. (5, Funny)

bigstrat2003 (1058574) | more than 6 years ago | (#23955749)

Citibank is reissuing ATM cards following a December server breach in which hackers stole customer PIN codes...
I believe you misspelled "ATM machine cards" and "PIN numbers", sir. Please correct this oversight as soon as is convenient for you.

Re:Fixed. (1)

stewbacca (1033764) | more than 6 years ago | (#23955913)

They forgot to run the BIT test on the ATM machines to verify the PIN numbers.

Re:Fixed. (Again) (-1, Redundant)

Anonymous Coward | more than 6 years ago | (#23956029)

that would be verify PI numbers or PINs.

Re:Fixed. (Again) (1, Funny)

Anonymous Coward | more than 6 years ago | (#23956299)

WOOSH! How some people even log on I'll never understand...

Re:Fixed. (Again) (1)

MightyYar (622222) | more than 6 years ago | (#23956995)

You've got mail!

Re:Fixed. (Again) (0)

Anonymous Coward | more than 6 years ago | (#23957181)

Good laugh (not related to the story, just the parent post:) http://www.thewebsiteisdown.com/salesguy.html [thewebsiteisdown.com]

Re:Fixed. (1)

JayAitch (1277640) | more than 6 years ago | (#23956087)

On an unrelated note I'm still getting used to not calling them MAC machines. Had no idea it was a trademarked term until it went away.

Re:Fixed. (1)

MightyYar (622222) | more than 6 years ago | (#23957023)

Are you from the Philly area? My wife and I still call them MAC machines and MAC cards, which causes trouble since we don't live in Philly anymore.

Re:Fixed. (-1, Offtopic)

whisper_jeff (680366) | more than 6 years ago | (#23956199)

The Country's Best Yogurt yogurt?

Re:Fixed. (0, Redundant)

dreamchaser (49529) | more than 6 years ago | (#23956771)

Technically it's just ATM, because the M stands for Machine. If you're going to be pedantic then do it correctly.

Re:Fixed. (2, Funny)

c6gunner (950153) | more than 6 years ago | (#23956999)

Technically it's just ATM, because the M stands for Machine. If you're going to be pedantic then do it correctly.

WHOOOOOSH!

Re:Fixed. (4, Funny)

statemachine (840641) | more than 6 years ago | (#23957093)

Wait, wait! I need to attach a wind turbine to this thread.

OK, go.

Re:Fixed. (1)

Dancindan84 (1056246) | more than 6 years ago | (#23957021)

Whoosh...

Re:Fixed. (1)

maxume (22995) | more than 6 years ago | (#23957357)

You missed that he put number after PIN, so you didn't get it write either.

initialisms (4, Funny)

syrinx (106469) | more than 6 years ago | (#23955775)

two Ukrainian immigrants who were each caught with $800,000 in cash stashed in boxes and shopping bags in their homes.

I assume the boxes and bags all had big dollar signs on the side of them.

Also, I'm extremely impressed that TFS (I didn't RTFA, of course) had no incidents of "ATM machine" or "PIN number".

Re:initialisms (3, Funny)

Gat0r30y (957941) | more than 6 years ago | (#23955907)

I assume the boxes and bags all had big dollar signs on the side of them.
Not mentioned in the article is the neighbor who turned them in, noting to the police that there's something funny about the two guys living there: they are always wearing black and white horizontal striped jumpsuits and running around with masks and bags marked $.

Time to look into other means of security (4, Interesting)

pwnies (1034518) | more than 6 years ago | (#23955797)

...other than just a pin code?

Maybe it's just me, but a simple 4 digit number doesn't provide all that much security in my mind. How easy is it to simply glance over someone's shoulders and read their pin? Aren't there any means of verifying user identity in a quick secure manner?

I know that some banks will send their users a text message with a confirmation code, but this seems a bit inconvenient (cell battery can die, text can take a long time to arrive, etc.). Anyone on /. have any ideas?

Re:Time to look into other means of security (4, Insightful)

pclminion (145572) | more than 6 years ago | (#23955873)

What difference is the PIN going to make when the way they were acquired in the first place was by breaking into a database?

This problem is already solved. It's called an RSA dongle. "Oh, but it's a pain!" So is having your checking account cleared out.

Re:Time to look into other means of security (1)

AKAImBatman (238306) | more than 6 years ago | (#23956599)

This problem is already solved. It's called an RSA dongle. "Oh, but it's a pain!" So is having your checking account cleared out.

No need for a dongle. Just build it into the ATM card. That way the machine could authorize no more than one transaction every minute. (One transaction per token generated.) If bad guys got hold of your account number, they'd still need the physical card to crack the PIN. It might be slightly annoying that multiple transactions at an ATM would take a little longer, but the vast majority of people would never notice.

That being said, if it WAS Citibank's servers that were compromised, these guys would have been able to heist the shared secret as well. Then they'd be able to reproduce the RSA token in your card. According to Citibank, however, their servers were not compromised. They claim that a third party clearing service was responsible for the leak. (Who knows?)
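An added illustration of the trade-off in the comment above (not code from the thread or from any bank): a per-card shared secret yields one code per minute, so a stolen account number and PIN are not enough, while a breach of the issuer's secret store defeats it. RFC 6238 TOTP with HMAC-SHA1 stands in for the proprietary RSA token algorithm; the `Issuer` class, account number, PIN, secret and timestamp are all constructed for the example.

```python
import hashlib
import hmac
import struct

STEP = 60  # seconds per code: "one transaction per token generated"


def totp(secret: bytes, now: int, step: int = STEP, digits: int = 6) -> str:
    """RFC 6238 time-based one-time code (HMAC-SHA1, dynamic truncation)."""
    counter = struct.pack(">Q", now // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class Issuer:
    """Hypothetical bank-side verifier holding a PIN and token secret per card.

    Values are kept in a plain dict only to keep the example short; a real
    issuer would keep PIN verification and token secrets inside an HSM.
    """

    def __init__(self):
        self.cards = {}      # account -> (pin, secret)
        self.last_step = {}  # account -> last time step already spent

    def enroll(self, account: str, pin: str, secret: bytes) -> None:
        self.cards[account] = (pin, secret)

    def authorize(self, account: str, pin: str, code: str, now: int) -> str:
        if account not in self.cards:
            return "unknown account"
        stored_pin, secret = self.cards[account]
        pin_ok = hmac.compare_digest(pin, stored_pin)
        code_ok = hmac.compare_digest(code, totp(secret, now))
        if not (pin_ok and code_ok):
            return "denied"
        step = now // STEP
        if self.last_step.get(account) == step:
            return "denied: code already used"  # replay inside the same minute
        self.last_step[account] = step
        return "approved"


def demo() -> dict:
    bank = Issuer()
    account, pin = "constructed-acct-0001", "4436"   # constructed values
    secret = b"constructed-card-secret"              # lives in the card and at the issuer
    bank.enroll(account, pin, secret)
    t = 1_214_000_000                                # constructed timestamp
    good = totp(secret, t)
    # Stand-in for a guess: constructed so that it always differs from the valid code.
    wrong = str((int(good) + 1) % 10 ** 6).zfill(6)

    results = {}
    # Account number and PIN leaked from a transaction server, card secret not leaked.
    results["stolen_pin_only"] = bank.authorize(account, pin, wrong, t)
    results["cardholder"] = bank.authorize(account, pin, good, t)
    # The same code captured and replayed five seconds later.
    results["replay_same_minute"] = bank.authorize(account, pin, good, t + 5)
    results["next_minute"] = bank.authorize(
        account, pin, totp(secret, t + STEP), t + STEP)
    # The caveat from the comment: if the issuer's own store leaks, the secret goes with it.
    leaked_pin, leaked_secret = bank.cards[account]
    later = t + 2 * STEP
    results["after_issuer_breach"] = bank.authorize(
        account, leaked_pin, totp(leaked_secret, later), later)
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario:22} {outcome}")
```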

Re:Time to look into other means of security (1)

necrogram (675897) | more than 6 years ago | (#23957563)

ever try using a rsa dongle? you have to be looking at said dongle to use it. I'd rather keep it on my keys for that reason, *plus* your rsa key is separate from the card. so you have to have two things and your pin to access the account.

yes, i have one of these dongles hanging off my keys, and it's used quite frequently.

Re:Time to look into other means of security (2, Insightful)

The Warlock (701535) | more than 6 years ago | (#23955905)

Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.

Re:Time to look into other means of security (2, Insightful)

Gat0r30y (957941) | more than 6 years ago | (#23955979)

That sounds all well and good until Russian hackers break into the fingerprint, retinal scan, and colon map database the bank keeps. The real solution here is security at the server.

Re:Time to look into other means of security (4, Insightful)

The Warlock (701535) | more than 6 years ago | (#23956047)

I imagine it's a lot easier to type in a PIN stolen from a database than it is to, um, change your thumbprint or the pattern of the veins in your retina to one stolen from a database.

Perhaps I'm missing something.

Re:Time to look into other means of security (1)

edraven (45764) | more than 6 years ago | (#23956307)

You are. There are ways to deceive biometric scanners.

Re:Time to look into other means of security (4, Insightful)

gnick (1211984) | more than 6 years ago | (#23956475)

No - he's spot on. Of course biometric scanners can be deceived. His point is that it's much more difficult to trick a fingerprint scanner than it is to type in four numbers. There's no infallible way to secure the machines - But they could be made much more secure without a major inconvenience to the end user.

The big problem is the expense of implementation.

Re:Time to look into other means of security (4, Insightful)

j00r0m4nc3r (959816) | more than 6 years ago | (#23956765)

Of course biometric scanners can be deceived. His point is that it's much more difficult to trick a fingerprint scanner than it is to type in four numbers.

When there's $2+ million on the line you can bet the baddies will take the time to work out a solution.

Re:Time to look into other means of security (1)

edraven (45764) | more than 6 years ago | (#23956945)

If that was his point, then that's what he ought to have said, and I wouldn't have disagreed with him. But it isn't. What he actually said strongly implied that the only way to fool a biometric scanner is to have surgery. Possibly very involved surgery.
Of course there's no such thing as perfect security, there is only a balance between the expense you force on the potential intruder compared to the risk of loss from the intrusion, taking into account the expense you incur for implementing the security itself. It's all an equation, and if one variable is overstated it does throw the equation off.

Re:Time to look into other means of security (1)

The Warlock (701535) | more than 6 years ago | (#23957019)

No, I meant what he said. When it comes down to it, you only need to make the machine secure enough so that it's less of a hassle, risk, and expense to just tie it to the back of a pickup truck and pull it out of the wall. A four-digit code doesn't do that. Biometrics probably would.

Re:Time to look into other means of security (1)

edraven (45764) | more than 6 years ago | (#23957421)

If I say you ought to have said that, I'd be repeating myself, wouldn't I? ;)
Biometrics does have its own problems, of course, chief among them being that if it's defeated once you have to throw it out. For exactly the reason you originally mentioned: that it's easier to change a PIN than a fingerprint, which is what you'd have to ask the legitimate account-holder to do if someone actually did defeat the system. That, or go to the expense of implementing something completely different. If someone steals PINs from a database, you can change the PINs and beef up security on the database. You don't have that option with biometrics. So even if it does raise the bar sufficiently to prevent 99.999% of intruders from even attempting it, it only takes one person who perceives it as a personal challenge to force you to start over.
But really, I think we all agree: the system currently in place is grossly insufficient, and it's the banks' responsibility to do better. They can just do better than biometrics.

Re:Time to look into other means of security (1)

camperdave (969942) | more than 6 years ago | (#23957233)

Yes, you're missing the fact that biometrics change over time. If you get a cut on your thumb you won't be able to get cash out of the ATM until it heals. A cataract could lock you out of your account forever. Etc.

And the biggest thing you're missing is that outfitting hundreds of thousands, if not millions, of ATMs and Point of Sale machines with biometric sensors is going to run up far more of a bill than covering loss from ATM fraud to begin with.

Re:Time to look into other means of security (1)

Hordeking (1237940) | more than 6 years ago | (#23957255)

I imagine it's a lot easier to type in a PIN stolen from a database than it is to, um, change your thumbprint or the pattern of the veins in your retina to one stolen from a database.

Perhaps I'm missing something.

Or you could just overload the fingerprint/vein-pattern/retinal data in the database with your own...or a dedicated patsy.

Re:Time to look into other means of security (5, Insightful)

Kickersny.com (913902) | more than 6 years ago | (#23956129)

Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.

The trouble with biometrics is that it can't be changed. Additionally, the various ways have bad flaws:

  • Fingerprints are a terrible idea because you leave a copy of your private key on everything you touch.
  • Voice recognition is a terrible idea because everyone within earshot can hear your private key.
  • Retinal scanning would fail if someone was in an accident or had surgery or something.

As a general rule, I wouldn't use my fingerprint to protect anything that's worth more to a criminal than my finger is to me.
http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm [bbc.co.uk]

Re:Time to look into other means of security (5, Interesting)

edraven (45764) | more than 6 years ago | (#23956251)

Retinal scanning would fail if someone was in an accident or had surgery or something.
Or just went on a bender last night. I knew a guy who loved to tell the story of when he was consulting at a military installation that employed retinal scanners among other security measures. He went out drinking one night and the next day when he reported for work he was a little bloodshot and the scanners didn't recognize him. And the metal walls came down while the guys with shotguns were summoned...

Depends on how you use biometrics (4, Informative)

cheros (223479) | more than 6 years ago | (#23956755)

Disclaimer: I just joined the company that has dreamt up this stuff..

For the use of biometrics to be safe you need the following conditions:

1 - it must still be a combination of what you KNOW and what you have. The solution is to name the fingers, i.e. think of a word like "fox" and then give a character to each finger. Only you know which finger you have called "f", "o" and "x".
2 - biometrics are yours. They have no place in a central database where anyone can make a mess by replacing or erasing them, and what isn't stored cannot be abused. Thus: using biometrics to replace PIN code is fine by me, provided it stays local to the device. In other words, the prints are a device/token enabler, not the actual method of authentication and/or authorisation. Oh, and the relevant storage area should not be accessible other than by the token comparator engine - export MUST be made verifiably impossible.
3 - "detached" and fake fingerprints should be rejected. Solution: don't be a cheapskate when you build this stuff and use the best, RF based reader. Even if you make the fake prints conductive it's going to be VERY hard (we've tried).

Biometrics are good because you can't forget them. But they're yours, and yours only.

Re:Depends on how you use biometrics (1)

maxume (22995) | more than 6 years ago | (#23957415)

How do you verify that export is impossible without knowing what attacks someone else might dream up?

I'm sure it is easy to make it rather difficult.

Re:Time to look into other means of security (1)

Hordeking (1237940) | more than 6 years ago | (#23957299)

Biometrics, of course. Fingerprint scanning, retinal scanning, voice recognition, or whatever. It's the only way to really verify. The problem is how expensive it would be to refit existing ATMs.

The trouble with biometrics is that it can't be changed. Additionally, the various ways have bad flaws:

  • Fingerprints are a terrible idea because you leave a copy of your private key on everything you touch.
  • Voice recognition is a terrible idea because everyone within earshot can hear your private key.
  • Retinal scanning would fail if someone was in an accident or had surgery or something.

As a general rule, I wouldn't use my fingerprint to protect anything that's worth more to a criminal than my finger is to me. http://news.bbc.co.uk/2/hi/asia-pacific/4396831.stm [bbc.co.uk]

Fingerprints would be useless for an amputee.

Re:Time to look into other means of security (1)

tattood (855883) | more than 6 years ago | (#23957331)

* Fingerprints are a terrible idea because you leave a copy of your private key on everything you touch.
* Voice recognition is a terrible idea because everyone within earshot can hear your private key.
* Retinal scanning would fail if someone was in an accident or had surgery or something.
* Even though you leave your fingerprint, that won't help the thieves. They are not going to follow around the thousands of people to capture their fingerprints.
* Voice recognition, same as fingerprints.
* So you get in an accident, you go in and get your retinal scan updated.

I think they should use biometrics, in addition to a PIN. As other people have stated, security should be what you know, and who you are.

Re:Time to look into other means of security (0)

Anonymous Coward | more than 6 years ago | (#23957523)

So the retinal scan wouldn't work if I had my tits surgically enlarged? Typical male ATMs...

Re:Time to look into other means of security (5, Funny)

Gat0r30y (957941) | more than 6 years ago | (#23955935)

My personal solution: being broke as hell.

What is a "bank" again? (1, Funny)

Anonymous Coward | more than 6 years ago | (#23956073)

Oh yeah...a bank is where poor people keep their money...

The honorable Judge Whitey presiding. (1)

attemptedgoalie (634133) | more than 6 years ago | (#23956803)

Futurama is such a wonderful show.

Mine is more than 4 digits... maybe (5, Interesting)

PCM2 (4486) | more than 6 years ago | (#23956331)

I have a Bank of America ATM card that has a six-digit PIN. The really interesting thing, though -- which I discovered by accident -- is that on Bank of America ATMs you can simply enter the first four digits and then as many random digits as you want and the code works.

In other words, say my PIN is 443672. I can enter 4436, 44367, or 4436987899979 and it will always work. This seems like a fairly serious security flaw, to me.

I know what you're thinking: "Sounds like you really only have a 4-digit PIN." But no! On other kinds of machines, say at the supermarket, I always have to enter in all 6 digits accurately. It's only Bank of America ATM machines where this is true.

In the past, I have thought about raising this issue with Bank of America, but I have no idea how to approach them such that I can speak to somebody clueful.
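An added example (not from the thread, and not any bank's code) that models the acceptance behaviour reported in the comment above and compares it with a full-length check. `lenient_verify`, `strict_verify` and `accepted_count` are hypothetical names; why a terminal would compare only the leading digits is not stated on the page, so the four-digit comparison length is an assumption taken from the commenter's observation, and the PIN is the commenter's own example value.

```python
import hmac
from itertools import product


def _is_digits(s: str) -> bool:
    # ASCII digits only, so hmac.compare_digest never sees non-ASCII text.
    return s.isascii() and s.isdigit()


def lenient_verify(entered: str, stored: str, check_len: int = 4) -> bool:
    """Model of the reported behaviour: compare only the first check_len
    digits and ignore whatever is typed after them (assumed mechanism)."""
    if not _is_digits(entered) or len(entered) < check_len:
        return False
    return hmac.compare_digest(entered[:check_len], stored[:check_len])


def strict_verify(entered: str, stored: str) -> bool:
    """Full-length, constant-time comparison: every digit counts."""
    return _is_digits(entered) and hmac.compare_digest(entered, stored)


def accepted_count(verify, stored: str, length: int) -> int:
    """How many of the 10**length possible entries of this length are accepted."""
    return sum(
        verify("".join(digits), stored)
        for digits in product("0123456789", repeat=length)
    )


def demo() -> dict:
    stored = "443672"  # the example PIN given in the comment
    entries = ["4436", "44367", "4436987899979", "443672", "443600"]
    table = {e: (lenient_verify(e, stored), strict_verify(e, stored))
             for e in entries}
    # With the lenient check, 100 different six-digit entries open the account,
    # so the PIN is only as strong as a four-digit one (10**6 / 100 = 10**4).
    table["six_digit_entries_accepted"] = (
        accepted_count(lenient_verify, stored, 6),
        accepted_count(strict_verify, stored, 6),
    )
    return table


if __name__ == "__main__":
    for entry, (lenient, strict) in demo().items():
        print(f"{entry:28} lenient={lenient!s:6} strict={strict}")
```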

Re:Mine is more than 4 digits... maybe (1)

ShibaInu (694434) | more than 6 years ago | (#23956853)

I have a seven digit PIN on my Wells Fargo card. I like the longer length, but when I was in Spain, I couldn't use the card because Wells Fargo told me that European ATMs only take four digit pins. Is this still true? Four digits doesn't seem like much to me.

Re:Mine is more than 4 digits... maybe (1)

PCM2 (4486) | more than 6 years ago | (#23956963)

OK, you've actually hit on the thing that really bugs me. I was often told this, too. "European ATMs can only use 4-digit PINs." It's still in all the travel guidebooks. But in my experience it is absolutely, in no way true, having successfully used ATMs everywhere from Singapore to Norway with my 6-digit PIN.

But wait! Having told you what I told you in the earlier post -- how do I know it's not true? Maybe it really is true, and my ATM card just has some "cheater" property that lets me get away with it?

Europeans, chime in, please! Have you ever had an ATM card that had a PIN longer than 4 digits?

Re:Mine is more than 4 digits... maybe (1)

EvilIdler (21087) | more than 6 years ago | (#23957587)

Nope. Never. 4 digits all the way. Last time I asked for a new code, they sent me a new card and eventually the same old code, even!

Online, the security gives the impression of being better. My current bank uses a stupid java app which in no way improves security, though.

Re:Time to look into other means of security (1)

nine-times (778537) | more than 6 years ago | (#23956647)

It seems to me the bigger problem is not issuing new PIN codes when you *know* they've been compromised. They notified the FBI and then sat around for months doing nothing, when they could have contacted the affected customers and said, "Here is your new PIN".

Re:Time to look into other means of security (0)

Anonymous Coward | more than 6 years ago | (#23956827)

It's not all that hard to obscure it. I shield the keypad with my wallet while I enter my PIN (number) into the ATM (Machine).

- R

Re:Time to look into other means of security (4, Funny)

sm62704 (957197) | more than 6 years ago | (#23956845)

Maybe it's just me, but a simple 4 digit number doesn't provide all that much security in my mind. How easy is it to simply glance over someone's shoulders and read their pin?

I no longer use a debit card for that very reason - my bank account was cleaned out by a woman I took pity on. She'd been strung out on crack and had nothing left but the clothes on her back. She wanted to dry out and get into rehab. So I stupidly let her stay at my apartment for a week.

During that week she obviously watched over my shoulder at the ATM, then stole a book of checks. And the keys to my car I'd only made one payment on.

The bank made good on the forged checks, but not the ATM. Their rationale was that if the person had the PIN the only way to get it was have it given to them!

I journaled about it here:
Ask Slashdot: Women [slashdot.org]
The Crackwhore and the Nerd [slashdot.org]
Party Like It's 1976 [slashdot.org]

Re:Time to look into other means of security (2, Funny)

LandDolphin (1202876) | more than 6 years ago | (#23957539)

Seems the problem was more with you letting a crackhead into your life than with the bank's debit card.

Re:Time to look into other means of security (3, Informative)

Anonymous Coward | more than 6 years ago | (#23956903)

As someone who works for a company that makes banking software, I have to tell you - the entire banking industry isn't worried about security.

Sounds surprising, right? That 4 digit little code is just like putting a lock on the front door - it stops casual passers-by from just walking in and taking things.

What banks are actually worried about is accountability. Accountability is WAY more important than security. When you use your debit card to withdraw 20$, or pay for a meal at a fast food location, your transaction (and balance check, and debit hold, and finalization and 3-4 other behind-the-scenes transactions) are noted by every machine and institution they pass through.

That's how they could know exactly which accounts were compromised.

In fact, most of the security that exists in banking networks is of the most simple type: They keep it physically separate from the 'internet' as a whole.

So, you can slap a device on an outgoing ATM and record cards & pins, but, these still nail you down to physical locations. In the end, that's what they rely on to catch thieves, and they have no problems moving the numbers back to their starting positions in the meanwhile.

Remember: Security is a compromise with usability and accessibility. More of one means less of the other. Would you use an ATM if it took you 5 minutes to pass a security muster?

Re:Time to look into other means of security (1)

kiehlster (844523) | more than 6 years ago | (#23956973)

I would opt for even a simple face recognition check. For one, the criminal will likely not have a picture of the person they stole the card from. If they stopped to take a picture of the person, it'd buy the victim time to subdue the thief. Additionally, if someone steals money, the bank could block both the card and the criminal's face. If they show their face again, the ATM booth could sound an alarm or lock them up if it's a card-access booth.

Tall on story, light on details (2, Insightful)

Anonymous Coward | more than 6 years ago | (#23955853)

It seems clear that insider fraud is responsible. PIN codes are not afaik transmitted anywhere, they are checked locally by the terminal, not sent to any server. The fact that Citibank are taking responsibility for the fraud is unusual, if PIN codes are stolen they would normally try to blame the customer first. What probably happened is that an insider stole the PIN codes and account information being sent to new card users and provided these to accomplices who used them to create fake cards.

Re:Tall on story, light on details (5, Insightful)

supersat (639745) | more than 6 years ago | (#23956161)

PINs are encrypted and sent across the network. These crooks managed to intercept the PINs at one of the servers that processed them.

If PINs were checked locally, then every ATM would need to be able to determine the correct PIN for every card inserted into it, which means that one of them could be turned into a PIN-producing machine.

Isn't PIN on the card? (1)

wsanders (114993) | more than 6 years ago | (#23956547)

As far as I know, I still have to take my ATM card into the bank to change the PIN on it. So something is still encoded on the card, whether it's the PIN itself or another factor used in addition to the PIN to authenticate me.

Assuming I still have to take my card in to change the PIN (I can't seem to find a place to do it online), this could serve as a 2nd line against a server hack. Hopefully.

Server was breached in December.... (5, Insightful)

zonky (1153039) | more than 6 years ago | (#23955937)

yet only in June do they issue new pins? Nice.

Re:Server was breached in December.... (2, Interesting)

autocracy (192714) | more than 6 years ago | (#23956209)

The best comment I have to that is, "Think back to Fight Club."

The cost of the lawsuits versus the cost of the recall just isn't enough, so a few soccer moms can burn. I do have to say, though, I'm way more comfy with a bank saying, "Ehh, we'll lose the money in customer's accounts," provided the bank is the one that takes the loss.

If you're a Citibank customer (4, Informative)

Solandri (704621) | more than 6 years ago | (#23957435)

And wondering if you're affected, the compromised PINs seem to have been used at ATMs in 7-Eleven stores. Reposting here since the summary didn't mention it and it was buried near the end of the article.

Citibank emphasizes that customers aren't responsible for fraudulent withdrawals. But the bank won't say how many consumers had their information stolen in the attack. Court documents suggest the breach is limited to those who made withdrawals during the period that the server was actively compromised. But the bank won't reveal what that period was.

Also unclear is who was responsible for the server that was attacked, and why PIN codes, which are supposed to be transmitted only in encrypted form, were vulnerable. An FBI affidavit in the case blames a Citibank-owned server responsible for processing transactions from 7-Eleven convenience stores. But Citibank blames an unnamed "third party" transaction processing firm.

shit... (-1, Troll)

SheepLauncher (1025544) | more than 6 years ago | (#23955961)

where the hell is McCarthy when you need him THE COMMIES ARE BACK

Bad Summary (0, Insightful)

Anonymous Coward | more than 6 years ago | (#23955973)

Hacker != Criminal

And of course Citibank .... (0)

Anonymous Coward | more than 6 years ago | (#23955977)

plays the innocent victim and whenever Congress tries to pass legislation to protect the consumer from this incompetence, Citi has their K-St. goons to lobby one of the most corrupt Congresses in history.

Oh, you don't have to take bribes to be corrupt for those of you who think you have to accept hard money to be a crook.

I was hoping... (4, Funny)

Lester67 (218549) | more than 6 years ago | (#23955981)

...that with the U.S. Dollar in the shitter, the Russians would start picking on someone else.

Re:I was hoping... (1)

phobos13013 (813040) | more than 6 years ago | (#23956259)

No. You must not have mercy on a failing opponent. You have to go for the kill to win. Otherwise they come back bigger and stronger than before.

Re:I was hoping... (2, Funny)

east coast (590680) | more than 6 years ago | (#23956383)

My good friend,

My late uncle, a wealthy American senator, had a large bank account in the United States. I currently can not remove the funds due to a legal dispute but an outside source such as yourself may be able to help me. I will let you have the majority of his 23 million dollar bankroll if you simply transfer the funds into your Russian account until I can leave the country. All I need from you is $5000 transferred into my account for verification of your account and processing and legal fees...

Reiser lol (0)

Anonymous Coward | more than 6 years ago | (#23955993)

yes I designed the Higher Standards html and I went to jail too?

Niko! (1, Funny)

Anonymous Coward | more than 6 years ago | (#23956143)

Here I was, thinking Grand Theft Auto IV was a game and all. But I was actually *really* stealing the money! Now I feel bad for shooting the hooker and then burning her in a 10-car inferno. Really bad.

Citibank (2, Insightful)

whisper_jeff (680366) | more than 6 years ago | (#23956267)

Ok, I'm Canadian so I could be very wrong, but it certainly seems that Citibank is regularly the target of hackers/phishers/scammers. I often get emails from Citibank asking me to update my account information (obviously, I don't have an account...) but other banks seem to be subject to similar attacks far less often. Were I American, methinks I'd be picking just about any bank other than Citibank...

Re:Citibank (0)

Anonymous Coward | more than 6 years ago | (#23956675)

methinks I'd be picking just about any bank other than Citibank...

I have a student loan through Citibank and can say with absolute certainty that they are an evil organization that doesn't give a shit about their customers.

They are a horrible business, and it shows in the 10% stock hit they took today. To all the "C" investors out there... sell now. The company is going the way of Nationwide and Bear Stearns towards a buyout at a much lower value than they are at today.

Re:Citibank (0)

Anonymous Coward | more than 6 years ago | (#23956929)

Ok, I'm Canadian so I could be very wrong, but it certainly seems that Citibank is regularly the target of hackers/phishers/scammers. ... Were I American, methinks I'd be picking just about any bank other than Citibank...
So let me get this straight: you would change your business decisions based on the contents of unsolicited email?


You sir, are repugnant. A pox on the internet, and the reason we can't have nice, spam-free, things. Die. </glaring hatefully>

Re:Citibank (2, Insightful)

Arccot (1115809) | more than 6 years ago | (#23957003)

Ok, I'm Canadian so I could be very wrong, but it certainly seems that Citibank is regularly the target of hackers/phishers/scammers. I often get emails from Citibank asking me to update my account information (obviously, I don't have an account...) but other banks seem to be subject to similar attacks far less often. Were I American, methinks I'd be picking just about any bank other than Citibank...
It's just because they're huge, they get targeted more often. It's the same problem with Chase Bank.

But yes, using a smaller bank would help, even if it is possibly less convenient.

Something's Off (1)

raijinsetsu (1148625) | more than 6 years ago | (#23956285)

These figures seem off. Numbers: they stole over 2 million (you have to assume it's less than 2.5, or they would have said 3 mill); two out of the 10 had $800k on hand each (total $1.6m); 70% of the cash had been transferred to Russia. (30%)(1.6m) + (70%)(X) = (100%)(Y2.5)... Something's not right (could be me).

Re:Something's Off (1)

rayzat (733303) | more than 6 years ago | (#23956661)

I was thinking the same thing and I re-read it. I think the newly arrested individuals stole over 2 mil, the whole organization has probably stolen quite a bit more.

Re:Something's Off (1)

gnick (1211984) | more than 6 years ago | (#23956683)

I think the summary just misspoke a little. It says that they were each caught with $800k but, if you assume that $800k was the total between the two, it works out to ~$2.7M with ~$1.9M going to Russia.

Re:Something's Off (1)

raijinsetsu (1148625) | more than 6 years ago | (#23956783)

Unfortunately, I think that if it were ~2.7m they would have said "almost 3 million". After all, they're going for sensationalism. Doesn't mean it's wrong though.

My favorite part... (4, Insightful)

InlawBiker (1124825) | more than 6 years ago | (#23956287)

From the article: "...What's more, neither Citibank nor the third-party transaction processor involved in the breach has warned consumers to watch for fraudulent withdrawals, raising questions about the disclosure policies in the financial industry. Citibank spokesman Robert Julavits says the bank "has complied with all applicable notification requirements."

But according to the Payment Card Industry's own rules and the disclosure laws of NY, in the event of a breach the company must follow these rules:

* Notification: Most expedient time possible, without unreasonable delay

* Civil or criminal penalty for failure to promptly disclose

So in other words they were more than happy to keep this secret to themselves.

Re:My favorite part... (1)

nine-times (778537) | more than 6 years ago | (#23956659)

Sure, why do they care? It's not their money.

Re:My favorite part... (1)

bryce4president (1247134) | more than 6 years ago | (#23957011)

Citibank has been run like shit for years. Hence the reason why I dumped their asses a couple months back. I got tired of their shit. Not to mention that before this happened, I had been notified by them at least twice that I could be at risk of having my identity stolen. I've never had those problems with my credit union or any other company I deal with.

Hand in the cookie jar? (1)

sandysnowbeard (1297619) | more than 6 years ago | (#23956381)

The whole problem with stealing money is that it's rarely NOT economical for the robbed to come after you.

It's not like you can steal a million dollars from a corporation that has hundreds of millions and they're not going to have the resources to track you down, cut you up, and feed your fun parts to the gimp.

Another step (1)

geekoid (135745) | more than 6 years ago | (#23956473)

to no more online digital financial transactions.

Considering how they did this, there is no security ID method that is actually secure.

Obligatory (0)

Anonymous Coward | more than 6 years ago | (#23956717)

Obligatory:
In Soviet Russia, ATM cards cash YOU!!!

Glad to know our partners are secure... (2, Interesting)

Bomarc (306716) | more than 6 years ago | (#23956799)

Whew, I'm glad to know that our business partners are secure. Our business just decided to use "Citi", and they have assured us that they are secure. Oh - wait, isn't Citi the same as "CitiBank"?

On the more serious side: They insist on using REAL customer data for testing, their test systems are not in sync with production, their test practices are VERY bad....

It comes as no surprise that they've had a break-in.

Citibank is not the only bank recently. (1)

gblackwo (1087063) | more than 6 years ago | (#23956957)

I do my banking with 1st Source Bank. They just recently replaced my debit/ATM card for the same exact reason. Their database had been compromised by hackers. The hackers had all the account information along with social security numbers and names. I was assured that they were not likely to be using the information for identity theft. What do you think?

I'm a Citibank customer (4, Interesting)

drusifer2 (1092019) | more than 6 years ago | (#23957153)

I'm a Citibank customer here in New York and I am one of those who is getting their card reissued. Citibank did notify me of the breach through one of those alerts on their web site but the alert was several months after the breach was discovered (I got it on June 3rd to be precise). They didn't specifically mention the date of the incidents and I have no good way of validating all the charges to my ATM card. Poring over several months of statements is not easy when you don't know what you are looking for.

In the alert they claim that a third party ATM network was breached but they didn't say which company's ATMs were hit. I even called and tried to find out but they wouldn't/couldn't tell me. The customer support person just kept saying "Sir, Your card was breached" as if the problem was with my ATM card. Here in NY there are tons of independent ATMs around which charge anywhere from $1-$3 for withdrawal (Maybe they could use some of those fees for security). If I knew which one f'ed up I would spend my withdrawal fees elsewhere.

Citi also botched sending me a new card twice so now they've disabled my old card and have yet to send me a new one. I guess I don't have to worry about those pesky fees for a while.

With their rip off ATMs that's what they get. (0, Offtopic)

XHIIHIIHX (918333) | more than 6 years ago | (#23957405)

Forget why but I left citibank 15 years ago, I seem to remember they screwed me on some fee. Went to get some money for Poker last night, stopped by a citibank figuring to have to cough up $1.50 for the ATM fee. Bastards want !#$!@%$$3.00 ?? 3 Bucks? I grabbed about 1,000 of those stupid deposit envelopes and trashed 'em on the way out, I think we're about even.