Naked Citi

Scott Reeves  Jul 02, 2008 10:00 am

High-tech scam lifts customer PINs.
 

 
Hackers have scammed at least $2 million by cracking into Citibank (C) brand ATMs at 7-Eleven stores nationwide and stealing users’ PIN numbers. Federal prosecutors in New York have filed charges against Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva, and the investigation is still ongoing.

The thieves apparently lifted the PINs by going after the ATMs' operating system which, wouldn’t you know it, is based on Microsoft (MSFT) Windows. The system allows ATMs to be monitored remotely and repaired via the Internet.

Low-level thieves typically swipe the numeric passwords bank customers use to tap into their accounts by using “skimmers”: devices attached to ATMs that record keystrokes and account numbers. Crooked store clerks sometimes give your card an extra swipe on a “skimmer” as you wait at the cash register.


Egghead thieves may have gained “administrative access” to the ATM machines through a network flaw or by cracking system passwords. The crooks also could have installed rogue software on the main computer to capture unencrypted PINs as they moved through the system. Whatever the method, the high-tech scam reveals a huge hole in the bank’s security system and underscores the need for better authentication and fraud detection measures.

PIN numbers are cloaked, or encrypted, to protect them from thieves - but this assumes the bad guys are on the outside looking in. So far, there’s no indication other major banks have been hit, but you can be sure Wells Fargo (WFC), JP Morgan Chase (JPM), Wachovia (WB) and others are checking their networks.

Investigators say it’s unclear how many Citibank customers were hit by the scam, which appears to have begun in October 2007 and run through March of this year. The bank has about 5,700 ATMs inside 7-Eleven stores nationwide, but doesn’t own or operate any of them. Cardtronics (CATM) of Houston owns the ATMs and splits operations with Fiserv (FISV) of Brookfield, Wisconsin.

Many customers discovered the scam only after their bank accounts had been raided. This scam is light-years ahead of typical “phishing” schemes, which send phony emails seeking personal information under the pretext of correcting a nonexistent accounting problem.

For the record, here are some tips on how to avoid identity theft.
Comments (2)
07-02-2008, 4:12 pm
Could Citi be "borrowing" cash from their own customers?
Did anyone catch Citi CEO V. Pandit's satirical WSJ editorial? He stated that the credit crisis had a silver lining - it is worth all the agony caused by WallStreet/Bankers bec
07-02-2008, 4:39 pm
Citi is the only bank that designs and builds its own ATMs. They have their own ATM division adjacent to Marina Del Rey, California (of all places) which employs about 200 people and does all the work. While this has some upside to Citi in terms of
No positions in stocks mentioned.


Copyright 2009 Minyanville Media, Inc. All Rights Reserved.