PINs stolen from Citibank ATMs
We all worry about keeping our online passwords safe from prying eyes. But now our faith in ATM PIN codes is being shaken.
Three people face charges in federal court in New York for allegedly breaking into Citibank's ATM network inside 7-Eleven stores and stealing PIN codes, according to court filings reported on by The Associated Press on Tuesday.
The alleged thieves made off with about $2 million between October 2007 and March of this year. Officials believe they remotely broke into the back-end computers that approve cash withdrawals and grabbed the PINs as they were being transmitted from the ATMs to the transaction processing computers, which increasingly run Windows, the report says.
Wired News was the first to report on the ATM network breach.
Elinor Mills covers Internet security and privacy. She joined CNET News in 2005 after working as a foreign correspondent for Reuters in Portugal and writing for The Industry Standard, the IDG News Service, and the Associated Press.



"And despite industry standards that call for protecting PINs with strong encryption -- which means encoding them to cloak them to outsiders -- some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions."
Now with this, putting your mother there won't help either, not to mention Unix.
This is why it is nearly criminal to use an operating system like Windows for the back end of a banking system. Every service that an operating system runs is a potential exploit. When you are designing a secure system, the first thing you do is strip out everything you do not need (Edited to say, you don't strip things out, you start with nothing and only add what you need). Use of any GUI on a secured system is not only useless but quite crazy.

Windows should not be used, nor should OS X or Linux if it is running a GUI. While Windows cannot be stripped to a secure level and OS X is a bit of a challenge, Linux is very easy to run with a very minimalistic build.

Check out the NSA version of Linux.
Regards
Surendra
IT-Solution Architect
Having worked with ATM security in a high-threat environment (Brazil), the lack of physical security of the IT part of ATMs in North America is mind-boggling. The safe with the cash inside is very secure. As to the computer, card reader wires, keyboard wires, network connections?
An ATM in an unattended place such as bars, hotels and convenience stores is an easy target. In Brazil we don't have those anymore.
Also, Windows Server comes in a minimal, GUI-less install out of the box. With Linux you have to spend ages turning off all the crap you don't need.
- by stampsman July 2, 2008 7:41 PM PDT
- For the last 30 years credit and debit card fraud has almost always increased. Criminals are much more creative and will always look for the weakest link. Once found, they will continue to exploit it until a solution is put in place. Encryption and the security of PINs is an area that needs far greater security for consumers, and that is why companies like Secure Identity Systems are developing new technologies like mconfirm that can protect transactions at the point of sale and alert consumers if their accounts are at risk. New technology is the only way to offer the best protection, coupled with proper procedures on how to implement it.
Tom
Secure Identity Systems