July 1, 2008 5:37 PM PDT

PINs stolen from Citibank ATMs

by Elinor Mills

We all worry about keeping our online passwords safe from prying eyes. But now our faith in ATM PIN codes is being shaken.

Three people face charges in federal court in New York for allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes, according to court filings reported on by The Associated Press on Tuesday.

The alleged thieves made off with about $2 million between October 2007 and March of this year. Officials believe they remotely broke into the back-end computers that approve cash withdrawals and grabbed the PINs as they were being transmitted from the ATMs to the transaction-processing computers, which increasingly run Windows, the report says.

Wired News was the first to report on the ATM network breach.

Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.
by zanely July 1, 2008 6:44 PM PDT
When are we going to start to be critical of the people in charge of the "back-end computers" for leaving the door unlocked for the thieves? Where is their responsibility? This sort of thing has been going on far too long. If bank vaults were being broken into this often, the Feds would be looking for terrorists, but since the bank's money is not at risk, just access to people's bank accounts, well, that seems to be OK.
by styymy July 1, 2008 7:10 PM PDT
This is absolutely despicable. So all they did was issue new bank cards?? How about assuring account holders, and letting them know, that should their accounts be compromised, they (the bank) would provide resources to straighten things out for them with minimal hassle.
by amandachuck July 1, 2008 8:45 PM PDT
No back-end for ATMs should be based on Windows. Period. If they don't want to pay for a proprietary system (much more secure) then they should be running a brand of Unix.
by epr_epr July 1, 2008 10:03 PM PDT
sadly, MS is again the victim of paid reporters and trolls.

"And despite industry standards that call for protecting PINs with strong encryption -- which means encoding them to cloak them to outsiders -- some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions."

now with this, putting your mother there won't help either, not to mention unix.
by ralfthedog July 1, 2008 10:46 PM PDT
epr_epr,

This is why it is nearly criminal to use an operating system like Windows for the back end of a banking system. Every service that an operating system runs is a potential exploit. When you are designing a secure system, the first thing you do is strip out everything you do not need (edited to say: you don't strip things out, you start with nothing and only add what you need). Use of any GUI on a secured system is not only useless but quite crazy.

Windows should not be used, nor should OS X or Linux if it is running a GUI. While Windows cannot be stripped to a secure level and OS X is a bit of a challenge, Linux is very easy to run with a very minimalistic build.

Check out the NSA version of Linux.
by iamarcin July 2, 2008 5:06 AM PDT
Why use an ATM at a 7-Eleven anyway? You have to be a moron to not want to go the extra mile to a local bank, which has to be a lot more secure. ATMs at strip clubs and bars and such, I would never use those. This is the reason why.
by Surendra-Sambana July 2, 2008 5:23 AM PDT
If Citi allows me, I'll give a solution to prevent this. But I am not sure with whom I should discuss it. Can someone help me with the contact details?

Regards
Surendra
IT Solution Architect
by atm_vet July 2, 2008 5:24 AM PDT
I've been in the business for a long, long time...from cash to hardware, up to processing...it comes down to what it usually comes down to...money. They save money by using readily available Internet connections in stores. This usually means Windows platforms. Before the internet became popular, sites used secure dedicated (aka: expensive) circuits which sounded alarms with any voltage deviation...but PIN security was weak. Now PIN security is strong and the comm is weak! BTW, 'back end' computers are within the atm kiosk, not the processor. The PIN leaves the keypad encrypted...there are strict banking regulations for that, but these yahoos want to save every penny so...stick a windows pc in the kiosk that apparently decrypts the PIN before sending the packet...the problem is...there is no one to 'come down hard' on these companies with these 'back end solutions'...banks usually don't own these atms, they pay for 'branding'. I feel if they are going to put their name on it, they need to take responsibility for whatever happens...and not just to Citibank customers.
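The mechanics atm_vet describes (the PIN leaving the keypad encrypted, then being decrypted by a PC in the kiosk before the packet is sent on) are easier to reason about with the standard PIN block format in hand. The following is an added example written for this page, not code from CNET, Citibank or any ATM vendor: it builds an ISO 9564 format-0 PIN block, shows that the formatting alone is fully reversible by anyone who sees the block and the PAN in the same message, and includes a small audit helper an assessor could run over captured transaction records to flag any whose PIN block decodes to a valid PIN, which is exactly the condition of a PIN travelling in the clear. All PANs, PINs and record ids are constructed test values.

```python
# Added example for this page (not CNET's, Citibank's or any ATM vendor's code).
# Builds an ISO 9564 format-0 PIN block and shows that the block is merely a
# formatting step: anyone who sees the block and the PAN in the same message
# recovers the PIN. Only encryption of the block under a key shared by the
# terminal and the host protects the PIN in transit. All PANs, PINs and
# record ids below are constructed test values.

def _pan_field(pan: str) -> str:
    """PAN field of format 0: '0000' + the 12 digits left of the check digit."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be a numeric string of at least 13 digits")
    return "0000" + pan[-13:-1]


def pin_block_format0(pin: str, pan: str) -> str:
    """Return the 16-hex-digit format-0 PIN block (PIN field XOR PAN field)."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    # Control nibble 0, PIN length nibble, PIN digits, padded with F to 16 digits.
    pin_field = f"0{len(pin):X}{pin}".ljust(16, "F")
    return f"{int(pin_field, 16) ^ int(_pan_field(pan), 16):016X}"


def pin_from_clear_block(block: str, pan: str) -> str:
    """Invert the formatting of an unencrypted block; raises ValueError if the
    result is not a well-formed format-0 PIN field."""
    if len(block) != 16 or any(c not in "0123456789ABCDEF" for c in block.upper()):
        raise ValueError("block must be 16 hex digits")
    pin_field = f"{int(block, 16) ^ int(_pan_field(pan), 16):016X}"
    length = int(pin_field[1], 16)
    if pin_field[0] != "0" or not 4 <= length <= 12:
        raise ValueError("not a format-0 PIN field")
    pin, padding = pin_field[2:2 + length], pin_field[2 + length:]
    if not pin.isdigit() or padding != "F" * len(padding):
        raise ValueError("malformed PIN field")
    return pin


def clear_pin_blocks(records):
    """Audit helper: ids of records whose PIN block decodes to a valid PIN using
    the PAN carried in the same record. A block encrypted under a real key decodes
    to a random field that fails the format checks with overwhelming probability,
    so only blocks sent in the clear are flagged."""
    exposed = []
    for rec in records:
        try:
            pin_from_clear_block(rec["pin_block"], rec["pan"])
        except ValueError:
            continue
        exposed.append(rec["id"])
    return exposed


# Constructed sample traffic: two clear PIN blocks and one that was encrypted
# (the ciphertext is an arbitrary constructed value standing in for real output).
SAMPLE_RECORDS = [
    {"id": "t1", "pan": "4000001234567899", "pin_block": pin_block_format0("1234", "4000001234567899")},
    {"id": "t2", "pan": "4000001234567899", "pin_block": "8F3A91C2D4E5B607"},
    {"id": "t3", "pan": "5100000000000002", "pin_block": pin_block_format0("998877", "5100000000000002")},
]

if __name__ == "__main__":
    print(pin_block_format0("1234", "4000001234567899"))  # 041234FEDCBA9876
    print("records carrying a clear PIN:", clear_pin_blocks(SAMPLE_RECORDS))  # ['t1', 't3']
```

The XOR with the PAN field exists so that identical PINs on different cards produce different blocks; it is not a secrecy mechanism, which is why the standard requires the block to be encrypted at the PIN pad and re-encrypted, never exposed, at every hop to the issuer.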
by atm_vet July 2, 2008 5:59 AM PDT
the AP states it plainly...."All that's known is they broke into the ATM network through a server at a third-party processor..." You can't stop inside jobs! The processing company needs to practice due diligence in their network! Has nothing to do with atms or Citibank...
by mscatena July 2, 2008 6:23 AM PDT
Windows has nothing to do with it.

Having worked with ATM security in a high-threat environment (Brazil), the lack of physical security of the IT part of ATMs in North America is mind-boggling. The safe with the cash inside is very secure. As to the computer, card reader wires, keyboard wires, network connections?

An ATM in an unattended place such as bars, hotels and convenience stores is an easy target. In Brazil we don't have those anymore.
by richto July 2, 2008 6:52 AM PDT
Why would anyone use Linux when security is the issue. Windows server has far fewer vulnerabilities and those that it does have are fixed much faster than Linux.

Also, Windows Server comes in a minimal GUI-less install out of the box. With Linux you have to spend ages turning off all the crap you don't need.
by Dalkorian July 2, 2008 10:30 AM PDT
You do realize you have that exactly backwards, don't you. Oh wait, I get it ... it's satire. Sorry, my funny fuse blew out the other day ...
by Get_Bent July 2, 2008 1:02 PM PDT
Spoken like a true Microsoft fanboy.... Did you get paid to post this misinformation, or are you really that naive/ignorant?
by alegr July 2, 2008 9:39 AM PDT
Folks, why does an ATM need a back end? This looks so 1980. Any encryption can be implemented inside the box.
by atm_vet July 2, 2008 11:21 AM PDT
The PIN leaves the keypad on the ATM encrypted. My belief is that PANs were stolen. The reporter probably got it wrong. These are the card numbers. You can do more damage for a lot longer without getting caught by using the PAN. PINs are really only needed at ATMs and would leave far too big of a trail. PINs are useless with any other application.
by stampsman July 2, 2008 7:41 PM PDT
For the last 30 years credit and debit card fraud has almost always increased. Criminals are much more creative and will always look for the weakest link. Once found, they will continue to exploit it until a solution is put in place. Encryption and the security of PINs is an area that needs far greater security for consumers, and that is why companies like Secure Identity Systems are developing new technologies like mconfirm that can protect transactions at the point of sale and alert consumers if their accounts are at risk. New technology is the only way to offer the best protection, coupled with proper procedures on how to implement it.

Tom
Secure Identity Systems