Hackers steal $2.1 million from Citibank ATMs
July 2, 2008
According to court filings that reveal disturbing security holes in some of the most sensitive parts of banking records, Internet hackers compromised Citibank's network of ATMs inside 7-Eleven stores between October 2007 and March of this year and stole customers' secret PIN codes.
The court case against three criminals in the U.S. Southern District of New York underscores a critical and growing problem in the banking and financial industry.
The illegal breach of security netted the alleged identity thieves over 2.1 million dollars. But more importantly for consumers, it indicates that the hackers were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by simply attacking the back-end computers responsible for approving the cash withdrawals in the first place.
Avivah Litan, senior security analyst with the Gartner research firm, said, "As far as I'm concerned, PINs were supposed to be sacrosanct! What this shows is that PINs aren't always encrypted like they should be."
"Overall, banks need much better fraud detection and protection systems and much closer user authentication than what is currently used today. This is totally unacceptable with today's sophisticated technology," added Litan.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft's Windows operating system and allows machines to be remotely diagnosed and repaired over the public Internet.
In addition, despite much tougher industry standards that call for protecting PINs with strong encryption, some ATM operators apparently aren't doing that properly. The PINs seem to be 'leaking' while in transit between the ATMs and the computers that process those banking transactions.
At the time of this report, it's unclear how many Citibank customers were affected by the breach, which extended at least from October of last year to March 2008. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven stores throughout the U.S., but it doesn't own or operate any of them.
That responsibility falls on two companies: Houston-based Cardtronics, which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv, which operates all the others. A critical issue in the investigation is how the hackers actually infiltrated the system, a question that hasn't been answered publicly yet.
They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. It is also possible that they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
For the time being, all that's known is that they successfully broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off their crimes.
The alleged plot is outlined in numerous court documents supporting the prosecution of three individuals - Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted four months ago on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2.1 million in illegal profits.
What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering, at least none that they could detect. In previous PIN thefts, thieves generally took steps that might draw some notice, such as sending phishing e-mails or installing false-front keypads or even tiny cameras on ATMs or in gas and service stations located throughout the United States.
Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an alarming increase in the number of attacks on back-end computers for ATM networks, both in 2007 and 2008.
Getting the PINs in the first place is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw huge amounts of cash from compromised ATMs and their accounts.
Jackson added, "This was fairly large, but I don't think it's anything out of the ordinary. These kinds of security breaches and crimes go on almost every day. What makes this case really unique is the rare luck of happening upon these guys and catching them with their hands directly in the cookie jar... But there are a whole lot of other ATM and PIN compromises going on that are either undetected or worse, unreported by banks for fear of bad publicity or other reasons."
Defense lawyers for all three alleged criminals didn't return calls for comment, and it was not clear where the defendants had been residing. The main defendant, Rakushchynets, was described in a February FBI affidavit for an outstanding arrest warrant as having Michigan and Florida driver's licenses.
Source: IT Blog.