According to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record, Citibank customer PIN codes were stolen by hackers who broke into Citibank's network of ATM machines inside 7-Eleven stores.
Not only did the scam net millions of dollars for the thieves, the frightening fact is that the criminals were able to access customer PIN numbers.
Definition - PIN number: A PIN number is a numeric password used by a customer to limit access; or to prevent unauthorized access, to his/her account.
The identity thieves obtained the PIN numbers by attacking the backend computers responsible for approving cash withdrawals.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption - which means encoding them to cloak them to outsiders - some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
According to Avivah Litan (a security analyst with the Gartner research firm), PINs are supposed to be encrypted and the banks need much better fraud-detection systems and much better authentication.
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the U.S., but it doesn't own or operate any of them. That responsibility falls on two companies: Houston-based Cardtronics Inc., which owns all the machines but operates only some, and Brookfield, Wis.-based Fiserv Inc., which operates the others.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly. All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
What that means for consumers is their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice - sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.
"This was fairly large, but I don't think it's anything out of the ordinary - these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."
The alleged plot is outlined in court papers supporting the prosecution of three people - Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.
Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.
Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers. "Fiserv," she said, "is confident in the integrity and security of our system."
If you have a Citibank ATM card account, you may want to check your bank statement and your credit report for fraudulent activity or identity theft.
More identity theft resources.
Debit Card Fraud Facts - Federal law also does not give consumers the right to stop payment when a debit card is used. Problems must be resolved with sellers. By using a debit card and personal identification number (PIN), Automated Teller Machines (ATM) can be used to withdraw cash, make deposits, or transfer funds between accounts. There can be charges using the ATMs whether you are a member or not a member, so be sure to review the terms for the card. A debit card looks like a credit card, yet the money for purchases is transferred immediately from your bank account to the store's account.
When a debit card has been lost or stolen, it is urgent to call the card issuer immediately. When you report the card missing and it has not be used, you are not responsible for any unauthorized withdrawals. The liability is limited to $50 if reported within two business days after it is missing, $500 if the loss is reported after two days, but before 60 days. When it is not reported and you get the statement documenting unauthorized uses, you could lose all the money in your bank account. If the thief has used all the money and your overdraft protection is being used, you can be responsible for all the money you lost. Be sure to review the policies of your card issuer.
Debit cards are directly connected to your bank account, and each time you swipe your card, the money is deducted from your checking account. Check the account before swiping or soon after to make sure the money is in the account for all purchases. Some debit cards charge fees when you use your card with your PIN number. It can be better to use a credit card instead of a debit card to make reservations for hotels or car rentals. When a debit card is used for reservations, a hold is placed on your debit card and it affects other pending transactions. Even if the hold is removed, it can take days to make the funds available again. Debit cards are great to use when you don't want to use regular credit cards that you must payoff. By using a debit card, you only use the money that has been placed into your account. You can get statements and online tools just like a regular credit card has.
