Thursday, July 03, 2008
Hackers steal $2M from Citi ATMs
Hackers steal $2M from Citi ATMs
ATM breach highlights security issues with unencrypted PIN numbers.
Last Updated: July 2, 2008: 10:45 AM EDT
SAN JOSE, Calif. (AP) -- Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s (MSFT, Fortune 500) Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption - which means encoding them to cloak them to outsiders - some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
"PINs were supposed be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the United States, but it doesn't own or operate any of them.
That responsibility falls on two companies: Houston-based Cardtronics Inc. (CATM), which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc. (FISV, Fortune 500), which operates the others.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.
All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice - sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.
"This was fairly large, but I don't think it's anything out of the ordinary - these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."
The alleged plot is outlined in court papers supporting the prosecution of three people - Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.
Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.
Citibank, part of Citigroup Inc. (C, Fortune 500), has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.
Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.
"Fiserv," she said, "is confident in the integrity and security of our system."
ATM breach highlights security issues with unencrypted PIN numbers.
Last Updated: July 2, 2008: 10:45 AM EDT
SAN JOSE, Calif. (AP) -- Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the back-end computers responsible for approving the cash withdrawals.
The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.
Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s (MSFT, Fortune 500) Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption - which means encoding them to cloak them to outsiders - some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
"PINs were supposed be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."
It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the United States, but it doesn't own or operate any of them.
That responsibility falls on two companies: Houston-based Cardtronics Inc. (CATM), which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc. (FISV, Fortune 500), which operates the others.
A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.
All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice - sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.
Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.
Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.
"This was fairly large, but I don't think it's anything out of the ordinary - these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."
The alleged plot is outlined in court papers supporting the prosecution of three people - Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.
Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida's driver licenses in a February FBI affidavit for an arrest warrant.
Citibank, part of Citigroup Inc. (C, Fortune 500), has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.
"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.
Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.
"Fiserv," she said, "is confident in the integrity and security of our system."
Labels: Citibank
Friday, March 10, 2006
PIN Scandal "Worst Hack Ever"
By Gregg Keizer, TechWeb News
The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."
Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.
But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.
"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."
Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.
"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMS and PINs could never be compromised."
Litan's sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.
The problem, she continued, is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.
In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."
The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.
Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.
Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that require it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.
No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.
"This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.
So what's a consumer to do?
"Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."
The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."
Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.
But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.
"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really wide-spread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."
Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.
"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMS and PINs could never be compromised."
Litan's sources in the financial industry have told her that thieves hacked into a as-yet-unknown system, and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.
The problem, she continued, is that retailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.
In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."
The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.
Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.
Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that require it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.
No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.
"This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.
So what's a consumer to do?
"Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."
Labels: Citibank
Debit card fraud outbreak raises questions about data breach
by Jaikumar Vijayan
MARCH 09, 2006 (COMPUTERWORLD) - The continued refusal by major credit card associations and financial institutions to identify the source of a data compromise that has resulted in a wave of debit card fraud worldwide is fueling concerns about the scope of the problem.
It is also shining a spotlight on what may be growing attempts by criminal gangs to try to compromise PIN-based card transactions, which have until now been considered extremely secure, analysts said.
The immediate furor was ignited earlier this week by Citibank, which acknowledged that it had put transaction holds on an unspecified number of Citi-branded MasterCard debit cards after detecting fraudulent cash withdrawals in Canada, Russia and the U.K. (see "Citibank probes ATM withdrawals, cites potential U.S. ‘retailer breaches' ">).
In a brief statement, Citibank said that the fraud was the result of a “third-party business information breach” that took place last year. To protect its customers, the company said it “blocked PIN-based transactions in those locations for the customers affected by the breach." A spokesman for the company, however, refused to name the third-party retailer involved in the breach.
Citibank’s disclosure made it the latest in a fast growing list of financial institutions that during the past several weeks have reissued thousands of debit cards or blocked access to certain transactions in countries where ATM cards were used fraudulently to withdraw cash and make purchases on U.S. accounts.
The list includes banks such as Bank of America Corp., Wells Fargo Bank and Washington Mutual Bank, as well as numerous credit unions around the country. One example is $13 billion North Carolina State Employees Credit Union in Raleigh, N.C., which over the past two weeks has reissued more than 27,500 debit cards after being told by Visa U.S.A. Inc. of a security breach involving a U.S. retailer.
According to Leigh Brady, senior vice president at the credit union, many of the compromised debit cards were being used fraudulently in several countries, including Romania, Russia, Spain and the U.K. “This is the largest [card reissue] we’ve had one in quite a while,” Brady said.
In an advisory this week, analyst firm Gartner Inc. said the combined bank actions “reflect the largest PIN theft to date and point to a new wave of 'PIN block' card fraud."
Avivah Litan, author of the Gartner report, said that PIN-based fraud schemes involve hackers somehow gaining access to the encrypted PIN data that is sent along with card numbers to processors that execute PIN debit transactions. The thieves also steal terminal keys used to encrypt PINs, which are typically stored on a retailer's terminal controllers, she said. The encrypted PIN information, together with the key for decrypting it and the card numbers, allow criminals to make counterfeit cards, she said.
The widening scope of the fraud has already prompted calls from one congressman for more disclosure and is likely to spur more attention from lawmakers, according to analysts.
In February, Rep. Barney Frank (D-Mass.), the leading Democrat on the House Financial Services Committee, sent a letter to both MasterCard International Inc. and Visa urging the companies to disclose the source or sources of the compromise or take responsibility themselves.
In response to a request for comment on Frank’s letter, Visa said in an e-mailed statement that it understood the need for quickly giving financial institutions the information needed to protect themselves and cardholders from losses in the event of a security breach.
However, “accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair,” the company said. “Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa” going forward, the statement said.
MasterCard did not respond to requests for comment.
According to a source working for a company now helping law enforcement officials investigate the fraud, most evidence suggests that point-of-sale systems at a California store of retailer OfficeMax were somehow involved in the compromise.
“All roads are pointing in that direction,” said the source, who requested anonymity. But it is still not clear exactly how the debit card and PIN information was accessed and by whom, he said, adding that about 200,000 cards may have been compromised.
OfficeMax did not respond to calls for comment, but a company spokesman has been quoted in various other media reports this week as denying any breach at the retailer.
According to Gartner's Litan, OfficeMax officials’ outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transactions.
Another company whose name has been mentioned in connection with the debit card fraud wave is wholesaler Sam’s Club, a division of Bentonville Ark.-based Wal-Mart Stores Inc.
In December 2005, Sam's Club acknowledged that it was cooperating with credit card associations in investigating reports of fraud involving approximately 600 cards used to purchase gas at its gas stations between Sept. 21 and Dec. 5, 2005. The company on March 3 issued another statement responding to "persistent rumors and false media reports " tying it to the current wave of PIN debit fraud. The company denied that any of its internal systems had been compromised and said that a review of its gas payment systems by its own staff and an outside party revealed no breach.
"If any compromise occurred, it appears to have been limited to the Sam's Club fuel station point-of-sale system" and did not involve PIN-based transactions, the statement said.
The spate of recent breach disclosures suggests a shift in focus by criminals from credit card fraud to PIN-based debit card fraud, said Mike Urban, director of fraud technology operations at Fair Isaac Co., a Minneapolis-based company that is helping investigate the recent incidents.
Though PIN-based ATM and point-of-sale transactions continue to be one of the most secure methods of executing sales, criminals are employing a variety of sophisticated ways to compromise them, he said.
“In general, what we’ve seen over the years is that criminals tend to favor trying to capture PINs at ATMs or point-of-sale devices” using hidden cameras or sometimes “overlays” on the pinpad to capture data, Urban said.
Also employed are so called “key ghosts,” which are attached to the inside of point-of-sale systems to capture card track data and PINs, he said. Other techniques include the use of “card throat” readers that fit over existing ATM card readers and skim card data without interfering with legitimate transactions, Urban said.
MARCH 09, 2006 (COMPUTERWORLD) - The continued refusal by major credit card associations and financial institutions to identify the source of a data compromise that has resulted in a wave of debit card fraud worldwide is fueling concerns about the scope of the problem.
It is also shining a spotlight on what may be growing attempts by criminal gangs to try to compromise PIN-based card transactions, which have until now been considered extremely secure, analysts said.
The immediate furor was ignited earlier this week by Citibank, which acknowledged that it had put transaction holds on an unspecified number of Citi-branded MasterCard debit cards after detecting fraudulent cash withdrawals in Canada, Russia and the U.K. (see "Citibank probes ATM withdrawals, cites potential U.S. ‘retailer breaches' ">).
In a brief statement, Citibank said that the fraud was the result of a “third-party business information breach” that took place last year. To protect its customers, the company said it “blocked PIN-based transactions in those locations for the customers affected by the breach." A spokesman for the company, however, refused to name the third-party retailer involved in the breach.
Citibank’s disclosure made it the latest in a fast growing list of financial institutions that during the past several weeks have reissued thousands of debit cards or blocked access to certain transactions in countries where ATM cards were used fraudulently to withdraw cash and make purchases on U.S. accounts.
The list includes banks such as Bank of America Corp., Wells Fargo Bank and Washington Mutual Bank, as well as numerous credit unions around the country. One example is $13 billion North Carolina State Employees Credit Union in Raleigh, N.C., which over the past two weeks has reissued more than 27,500 debit cards after being told by Visa U.S.A. Inc. of a security breach involving a U.S. retailer.
According to Leigh Brady, senior vice president at the credit union, many of the compromised debit cards were being used fraudulently in several countries, including Romania, Russia, Spain and the U.K. “This is the largest [card reissue] we’ve had one in quite a while,” Brady said.
In an advisory this week, analyst firm Gartner Inc. said the combined bank actions “reflect the largest PIN theft to date and point to a new wave of 'PIN block' card fraud."
Avivah Litan, author of the Gartner report, said that PIN-based fraud schemes involve hackers somehow gaining access to the encrypted PIN data that is sent along with card numbers to processors that execute PIN debit transactions. The thieves also steal terminal keys used to encrypt PINs, which are typically stored on a retailer's terminal controllers, she said. The encrypted PIN information, together with the key for decrypting it and the card numbers, allow criminals to make counterfeit cards, she said.
The widening scope of the fraud has already prompted calls from one congressman for more disclosure and is likely to spur more attention from lawmakers, according to analysts.
In February, Rep. Barney Frank (D-Mass.), the leading Democrat on the House Financial Services Committee, sent a letter to both MasterCard International Inc. and Visa urging the companies to disclose the source or sources of the compromise or take responsibility themselves.
In response to a request for comment on Frank’s letter, Visa said in an e-mailed statement that it understood the need for quickly giving financial institutions the information needed to protect themselves and cardholders from losses in the event of a security breach.
However, “accusing a single source of the compromise before the investigation is complete could be inaccurate and unfair,” the company said. “Similarly, disclosing the name of the compromised entity would become a powerful disincentive for the compromised entity to share time-sensitive information with Visa” going forward, the statement said.
MasterCard did not respond to requests for comment.
According to a source working for a company now helping law enforcement officials investigate the fraud, most evidence suggests that point-of-sale systems at a California store of retailer OfficeMax were somehow involved in the compromise.
“All roads are pointing in that direction,” said the source, who requested anonymity. But it is still not clear exactly how the debit card and PIN information was accessed and by whom, he said, adding that about 200,000 cards may have been compromised.
OfficeMax did not respond to calls for comment, but a company spokesman has been quoted in various other media reports this week as denying any breach at the retailer.
According to Gartner's Litan, OfficeMax officials’ outright denial suggests that the source of the compromise may well be a third-party processor used by the company to process card transactions.
Another company whose name has been mentioned in connection with the debit card fraud wave is wholesaler Sam’s Club, a division of Bentonville Ark.-based Wal-Mart Stores Inc.
In December 2005, Sam's Club acknowledged that it was cooperating with credit card associations in investigating reports of fraud involving approximately 600 cards used to purchase gas at its gas stations between Sept. 21 and Dec. 5, 2005. The company on March 3 issued another statement responding to "persistent rumors and false media reports " tying it to the current wave of PIN debit fraud. The company denied that any of its internal systems had been compromised and said that a review of its gas payment systems by its own staff and an outside party revealed no breach.
"If any compromise occurred, it appears to have been limited to the Sam's Club fuel station point-of-sale system" and did not involve PIN-based transactions, the statement said.
The spate of recent breach disclosures suggests a shift in focus by criminals from credit card fraud to PIN-based debit card fraud, said Mike Urban, director of fraud technology operations at Fair Isaac Co., a Minneapolis-based company that is helping investigate the recent incidents.
Though PIN-based ATM and point-of-sale transactions continue to be one of the most secure methods of executing sales, criminals are employing a variety of sophisticated ways to compromise them, he said.
“In general, what we’ve seen over the years is that criminals tend to favor trying to capture PINs at ATMs or point-of-sale devices” using hidden cameras or sometimes “overlays” on the pinpad to capture data, Urban said.
Also employed are so called “key ghosts,” which are attached to the inside of point-of-sale systems to capture card track data and PINs, he said. Other techniques include the use of “card throat” readers that fit over existing ATM card readers and skim card data without interfering with legitimate transactions, Urban said.
Labels: Citibank
Citibank probes US retailer breach
by Jaikumar Vijayan
MARCH 07, 2006 (COMPUTERWORLD) - Citibank has put a transaction block on an unspecified number of Citi-branded MasterCard debit and credit cards used in three countries because of fraudulent automated teller machine (ATM) cash-withdrawal activity, the company said in a statement yesterday.
The statement was issued after Boing Boing, a popular online blog site, carried a story detailing the problems a Citibank customer had while trying to access his account from Canadian ATM machines. The story suggested that the individual may have been the victim of ATM fraud involving Citibank cards in Canada, Russia and the U.K.
Apparently in response to widespread publicity about the blog posting, Citibank issued a brief statement confirming the ATM fraud without disclosing any details. “Recently, we became aware of fraudulent ATM cash withdrawals on Citi-branded MasterCard credit and debit cards used in three countries on customer accounts that had been possibly compromised in previous retailer breaches in the U.S.,” the company said. “To protect customer accounts that were affected, we placed a special transaction block in those three countries on PIN-based transactions.”
The statement went on to add that Citibank is currently reissuing cards to affected customers. “Protecting our customers’ accounts and personal information is one of our highest priorities,” the statement said.
The fact that the fraud involves ATM cash withdrawals using personal identification numbers (PIN) suggests that it may be the result of massive "card-skimming" activity, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn.
“What seems to be happening at Citibank is that they are stopping ATM cash withdrawals, which means somebody got their PINs,” Litan said. “There are two general ways you can steal a PIN. One is through card skimming; the other is through phishing,”
Given the apparent scope of the fraud, Litan pointed to card skimming as a likely cause.
Card skimming involves the use of illegal card-reading devices that intercept and record data stored on magnetic strips on credit and debit cards which are then later used to create counterfeit cards. Such devices, which have long been used to steal card information in places such as restaurants, have been proliferating widely and have made skimming one of the most prevalent forms of credit card fraud these days.
In fact, skimmers were believed to have been behind a massive credit card theft in December involving wholesaler Sam’s Club, a division of Wal-Mart Stores Inc.
In that incident, card skimmers were thought to have used skimming devices at Sam’s Club gas stations to steal debit card information from potentially thousands of consumers. At that time, Sam’s Club acknowledged that a breach had taken place, but did not disclose what exactly transpired saying only that “electronic systems and databases used inside its stores” were not involved.
Litan said it is likely that Citibank’s current ATM fraud problems are related to the Sam’s Club breach.
MARCH 07, 2006 (COMPUTERWORLD) - Citibank has put a transaction block on an unspecified number of Citi-branded MasterCard debit and credit cards used in three countries because of fraudulent automated teller machine (ATM) cash-withdrawal activity, the company said in a statement yesterday.
The statement was issued after Boing Boing, a popular online blog site, carried a story detailing the problems a Citibank customer had while trying to access his account from Canadian ATM machines. The story suggested that the individual may have been the victim of ATM fraud involving Citibank cards in Canada, Russia and the U.K.
Apparently in response to widespread publicity about the blog posting, Citibank issued a brief statement confirming the ATM fraud without disclosing any details. “Recently, we became aware of fraudulent ATM cash withdrawals on Citi-branded MasterCard credit and debit cards used in three countries on customer accounts that had been possibly compromised in previous retailer breaches in the U.S.,” the company said. “To protect customer accounts that were affected, we placed a special transaction block in those three countries on PIN-based transactions.”
The statement went on to add that Citibank is currently reissuing cards to affected customers. “Protecting our customers’ accounts and personal information is one of our highest priorities,” the statement said.
The fact that the fraud involves ATM cash withdrawals using personal identification numbers (PIN) suggests that it may be the result of massive "card-skimming" activity, said Avivah Litan, an analyst at Gartner Inc. in Stamford, Conn.
“What seems to be happening at Citibank is that they are stopping ATM cash withdrawals, which means somebody got their PINs,” Litan said. “There are two general ways you can steal a PIN. One is through card skimming; the other is through phishing,”
Given the apparent scope of the fraud, Litan pointed to card skimming as a likely cause.
Card skimming involves the use of illegal card-reading devices that intercept and record data stored on magnetic strips on credit and debit cards which are then later used to create counterfeit cards. Such devices, which have long been used to steal card information in places such as restaurants, have been proliferating widely and have made skimming one of the most prevalent forms of credit card fraud these days.
In fact, skimmers were believed to have been behind a massive credit card theft in December involving wholesaler Sam’s Club, a division of Wal-Mart Stores Inc.
In that incident, card skimmers were thought to have used skimming devices at Sam’s Club gas stations to steal debit card information from potentially thousands of consumers. At that time, Sam’s Club acknowledged that a breach had taken place, but did not disclose what exactly transpired saying only that “electronic systems and databases used inside its stores” were not involved.
Litan said it is likely that Citibank’s current ATM fraud problems are related to the Sam’s Club breach.
Labels: Citibank
