Sunday, November 29, 2015

Hackers target PIN codes

SAN JOSE, Calif. - Hackers broke into Citibank's network of ATMs inside 7-Eleven stores this year and stole customers' PIN codes, according to recent federal court filings in New York. The documents reveal a disturbing security hole in the most sensitive part of an individual's banking record.

The scam netted the alleged identity thieves millions of dollars. But more significantly for consumers, it indicates criminals were able to access PINs - the numeric passwords that theoretically are among the most closely guarded elements of banking transactions - by attacking the computers responsible for approving the cash withdrawals.

The case against three individuals in U.S. District Court for the Southern District of New York highlights an important problem: Hackers are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet.

Despite industry standards that call for protecting PINs with strong encryption - which means encoding them to cloak them from outsiders - some ATM operators apparently are not doing that properly. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.

What that means for consumers is that PINs were stolen from machines that showed no signs of tampering they could detect.

It is unclear how many customers of Citibank, a unit of Citigroup Inc., were affected by the breach, which extended at least from October 2007 to March. The bank has nearly 5,700 Citibank-branded ATMs inside 7-Eleven Inc. stores throughout the country, but it does not own or operate any of them.


Associated Press