Thursday, July 03, 2008

Hackers steal $2M from Citi ATMs

ATM breach highlights security issues with unencrypted PINs.

Last Updated: July 2, 2008: 10:45 AM EDT
SAN JOSE, Calif. (AP) -- Hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.

The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the back-end computers responsible for approving the cash withdrawals.

The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem.

Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s (MSFT, Fortune 500) Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption - which means encoding them to cloak them to outsiders - some ATM operators apparently aren't properly doing that. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

"PINs were supposed to be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be," said Avivah Litan, a security analyst with the Gartner research firm. "The banks need much better fraud detection systems and much better authentication."

It's unclear how many Citibank customers were affected by the breach, which extended at least from October 2007 to March of this year and was first reported by technology news Web site Wired.com. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the United States, but it doesn't own or operate any of them.

That responsibility falls on two companies: Houston-based Cardtronics Inc. (CATM), which owns all the machines but only operates some, and Brookfield, Wis.-based Fiserv Inc. (FISV, Fortune 500), which operates the others.

A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn't been answered publicly.

All that's known is they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.

They could have gained administrative access to the machines - which means they had carte blanche to grab information - through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.

What that means for consumers is that their PINs were stolen from machines that showed no signs of tampering they could detect. In previous PIN thefts, thieves generally took steps that might draw notice - sending "phishing" e-mails, for example, or installing false-front keypads or even tiny cameras on ATMs.

Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.

Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an "alarming" spike in the number of attacks on back-end computers for ATM networks over the past year.

"This was fairly large, but I don't think it's anything out of the ordinary - these kinds of scams go on every day," Jackson said. "What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren't reported."

The alleged plot is outlined in court papers supporting the prosecution of three people - Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.

Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida driver's licenses in a February FBI affidavit for an arrest warrant.

Citibank, part of Citigroup Inc. (C, Fortune 500), has declined to comment on the technique or how many customers' accounts were compromised. It said it notified affected customers and issued them new debit cards.

"We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts," the bank said in a statement.

Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn't happen on Fiserv's servers.

"Fiserv," she said, "is confident in the integrity and security of our system."


Tuesday, July 01, 2008

Boeing Insider Theft

Passing along those documents to reporters did not sway prosecutors in Seattle. Eastman, a former Boeing employee, has been charged with 16 counts of felony computer trespass.

The Seattle Times noted in its report that Eastman had been in touch with reporters on its staff and that of the Seattle Post-Intelligencer. Contact information for them had been found in a Hotmail account used by Eastman.

Neither of the reporters named wrote anything about quality control issues raised by Eastman, they said in the article. Both of their papers have run stories that contained details Eastman had obtained.

Other evidence seized by authorities showed Eastman had met with unnamed reporters, and given them information obtained from Boeing.

A lack of internal controls and monitoring allowed Eastman to obtain those documents. Since Eastman was able to transfer these sensitive files to an easily concealed thumb drive, it seems Boeing had no effective preventive measures in place to thwart that kind of activity.

Eastman also had access to the documents in question, and no regular auditing or monitoring of his activity appears to have taken place, even though he could reach data he was not entitled to under company policy.

Boeing Employee Unauthorized Access

Former employee Gerald Eastman calls himself a whistle-blower, but Boeing Co. says he is a thief who stole more than 320,000 pages of confidential company documents.

In July, the former quality-assurance inspector pleaded not guilty to 16 counts of unlawfully accessing a computer to steal company information, according to the Seattle Post-Intelligencer (Seattle P-I). If convicted on all charges, he faces 57 months in prison.

Eastman, who had worked for Boeing for 18 years, said he copied the files to document and support his allegations that Boeing engaged in fraud, which, he said, consisted of taking inspection shortcuts that included failing to inspect a plane at all as it was being built.

But while Eastman twice formally informed the Federal Aviation Administration (FAA) of problems with Boeing's inspection process, the agency has never acted against the company. The FAA said Eastman filed complaints about Boeing in 2002 and 2003. The federal agency investigated and found nothing that required enforcement action against Boeing, according to the Seattle P-I.

According to Boeing's complaint, Eastman copied the sensitive company documents to a thumb drive during 12 periods between September 2004 and April 2006 and stored them on his home computer - a violation of company policy. Eastman was arrested at his desk in June while downloading data onto the drive, InformationWeek reported.

According to InformationWeek, detectives also found password-cracking software on Eastman's computers. "Although the files Eastman took were not encrypted or password protected, Eastman had to exploit a weakness in Boeing's computer system to access them," the criminal complaint noted. "Eastman methodically searched the Boeing system looking for unprotected file shares and was routinely denied access to many."

Not only did he violate company policy, according to a case summary, but Eastman also leaked the confidential information to at least two newspapers. Police said a forensic investigation showed that Eastman had corresponded with reporters, allegedly providing them with proprietary Boeing information. According to a charging document, Eastman's MSN Hotmail account contained contact information for Seattle P-I and Seattle Times reporters who cover Boeing. The document also says stories in both papers contained "sensitive information that we (detectives) found in corresponding documents on Eastman's personal computers and storage media/devices."

Boeing first learned of Eastman's activities when an anonymous e-mail was sent April 12, 2006, to its senior vice president for human resources. The e-mail identified Eastman as a Boeing employee who had been downloading highly sensitive files for more than two years and was providing them to The Seattle Times, according to the Seattle P-I.

Boeing estimates that the financial damage to the company that could result if even a few of the stolen documents fell into the wrong hands could range between $5 billion and $15 billion.

A Boeing spokesperson said the company has increased its computer security since Eastman's theft was discovered, but this isn't the first time it has dealt with proprietary data leaks.

Last December, according to InformationWeek, Boeing fired an employee whose laptop - which contained identifying information on 382,000 current and former employees - was stolen from his office.