Hackers have stolen at least $2 million by breaking into Citibank (C) branded ATMs at 7-Eleven stores nationwide and capturing customers’ PINs. Federal prosecutors in New York have filed charges against Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva, and the investigation is ongoing.

The thieves apparently lifted the PINs by going after the ATMs’ operating system, which, wouldn’t you know it, is based on Microsoft (MSFT) Windows. That system lets the ATMs be monitored and serviced remotely over the Internet.

Low-tech thieves typically capture the PINs bank customers use to get at their accounts with “skimmers”: devices attached to ATMs that record card numbers and keystrokes. Crooked store clerks sometimes give your card an extra swipe through a skimmer as you wait at the register; that captures the card’s stripe data, though not the PIN unless the keypad is compromised as well.

More sophisticated thieves may have gained “administrative access” to the ATMs through a network flaw or by cracking system passwords. The crooks also could have installed rogue software on the main computer to capture unencrypted PINs as they moved through the system. If PINs really were readable by software on the ATM’s general-purpose computer, that is a design failure in itself: the keypad is supposed to encrypt the PIN inside tamper-resistant hardware before it ever reaches the PC. Whatever the method, the high-tech scam reveals a serious hole in the bank’s security and underscores the need for stronger authentication and better fraud detection.

PINs are cloaked, or encrypted, to protect them from thieves in transit, but that protection assumes the bad guys are on the outside looking in; someone who controls the machine that handles the PIN before it is encrypted, or who holds the key, sees it anyway. So far, there’s no indication other major banks have been hit, but you can be sure Wells Fargo (WFC), JP Morgan Chase (JPM), Wachovia (WB) and others are checking their networks.
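What “cloaking” a PIN actually looks like, and why it is no protection against someone already inside the system (the point of the two paragraphs above), as an added example that is not part of the original article and not code from Citibank, Cardtronics or Fiserv: the ISO 9564-1 format-0 PIN block, the standard form an ATM puts a PIN into before encrypting it. The article does not say which format the 7-Eleven ATMs used; format 0 is assumed here because it is the common case. The PAN and PIN values are constructed samples.

```python
"""ISO 9564-1 format-0 PIN block encoding and decoding.

Added illustration, not code from the article or from Citibank, Cardtronics
or Fiserv. The PAN and PIN values used below are constructed test data.
"""

BLOCK_NIBBLES = 16  # a PIN block is 8 bytes, i.e. 16 hex digits


def pan_field(pan: str) -> str:
    """Format-0 PAN field: four zero nibbles followed by the rightmost 12
    digits of the PAN with its final (Luhn check) digit removed."""
    if not pan.isdigit() or len(pan) < 13:
        raise ValueError("PAN must be a string of at least 13 digits")
    return "0000" + pan[:-1][-12:]


def pin_field(pin: str) -> str:
    """Format-0 PIN field: control nibble 0, PIN length as one hex digit,
    the PIN digits, then 'F' padding out to 16 nibbles."""
    if not pin.isdigit() or not 4 <= len(pin) <= 12:
        raise ValueError("PIN must be 4 to 12 digits")
    return f"0{len(pin):X}{pin}".ljust(BLOCK_NIBBLES, "F")


def xor_fields(a: str, b: str) -> str:
    """Nibble-wise XOR of two 16-hex-digit fields."""
    return f"{int(a, 16) ^ int(b, 16):0{BLOCK_NIBBLES}X}"


def clear_pin_block(pin: str, pan: str) -> str:
    """The clear (pre-encryption) PIN block: the value an encrypting PIN pad
    feeds to its cipher, and the value rogue software on a host would have
    to capture to learn the PIN without the key."""
    return xor_fields(pin_field(pin), pan_field(pan))


def recover_pin(block: str, pan: str) -> str:
    """Invert clear_pin_block. No key is needed: the PAN is on the card's
    magnetic stripe, which a skimmer or compromised host already has."""
    field = xor_fields(block, pan_field(pan))
    if field[0] != "0":
        raise ValueError("not a format-0 PIN block")
    length = int(field[1], 16)
    if not 4 <= length <= 12:
        raise ValueError("invalid PIN length nibble")
    pin, padding = field[2:2 + length], field[2 + length:]
    # Any nibble other than 'F' in the padding means the PAN did not match.
    if not pin.isdigit() or padding.strip("F"):
        raise ValueError("block does not decode cleanly under this PAN")
    return pin


if __name__ == "__main__":
    PAN, PIN = "4000001234567899", "1234"  # constructed sample values
    block = clear_pin_block(PIN, PAN)
    print(f"clear PIN block for PAN {PAN}: {block}")
    print(f"recovered PIN: {recover_pin(block, PAN)}")
```

The XOR with the account number is formatting, not secrecy: anyone holding the clear block and the card’s track data gets the PIN straight back with recover_pin. The only real protection is the keyed encryption applied to this block afterwards, which is why a process that can read the block before that step, or a party holding the key, defeats it. In a properly built ATM the whole sequence runs inside the tamper-resistant encrypting PIN pad and the Windows host only ever sees the encrypted block.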

Investigators say it’s unclear how many Citibank customers were hit by the scam, which appears to have begun in October 2007 and run through March 2008. The bank has about 5,700 ATMs inside 7-Eleven stores nationwide but doesn’t own or operate any of them. Cardtronics (CATM) of Houston owns the ATMs and splits their operation with Fiserv (FISV) of Brookfield, Wisconsin.

Many customers discovered the scam only after their bank accounts had been raided. This scam is light-years ahead of typical “phishing” schemes, which send phony emails seeking personal information under the pretext of correcting a nonexistent account problem.

For the record, here are some tips on how to avoid identity theft.