|
Advertisements
Posted : Wednesday, July 2, 2008
SAN JOSE: Hackers broke into
Citibank's network of ATMs inside 7-Eleven stores In US and stole customers' PIN
codes, according to recent court filings that revealed a disturbing security
hole in the most sensitive part of a banking record.
The scam netted
the alleged identity thieves millions of dollars. But more importantly for
consumers, it indicates criminals were able to access PINs -- the numeric
passwords that theoretically are among the most closely guarded elements of
banking transactions -- by attacking the back-end computers responsible for
approving the cash withdrawals.
The case against three people in US
District Court for the Southern District of New York highlights a significant
problem.
Hackers are targeting the ATM system's infrastructure, which
is increasingly built on Microsoft Corp's Windows operating system and allows
machines to be remotely diagnosed and repaired over the Internet.
And despite industry standards that call for protecting PINs with
strong encryption -- which means encoding them to cloak them to outsiders --
some ATM operators apparently aren't properly doing that.
The PINs
seem to be leaking while in transit between the automated teller machines and
the computers that process the transactions.
"PINs were supposed be
sacrosanct -- what this shows is that PINs aren't always encrypted like they're
supposed to be," said Avivah Litan, a security analyst with the Gartner research
firm. "The banks need much better fraud detection systems and much better
authentication."
It's unclear how many Citibank customers were
affected by the breach, which extended at least from October 2007 to March of
this year and was first reported by technology news Web site Wired.com. The bank
has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc stores throughout the
US, but it doesn't own or operate any of them.
That responsibility
falls on two companies: Houston-based Cardtronics Inc, which owns all the
machines but only operates some, and Brookfield, Wis-based Fiserv Inc, which
operates the others.
A critical issue in the investigation is how the
hackers infiltrated the system, a question that still hasn't been answered
publicly.
All that's known is they broke into the ATM network through
a server at a third-party processor, which means they probably didn't have to
touch the ATMs at all to pull off the heist.
|
|
|
