Citibank and Microsoft to blame?

Jul 2, 2008 12:33 GMT

Three hackers, Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva, managed to get access to Citibank ATMs placed in 7-Eleven stores and steal $2 million. Citibank is not the only one to blame, since the entire system is owned and operated alongside two other companies (Cardtronics Inc. and Fiserv Inc.). The attacks took place from September 2007 until March of the current year. The hackers are only now being brought to justice; all of them are charged with conspiracy and fraud.

It seems that the hackers managed to acquire the PINs of numerous Citibank customers by targeting the back-end computers that determine whether a withdrawal is legitimate or not. They did not attack the ATM itself, but a third-party processor. The exact number of clients affected by the hackers is yet to be determined. What we do know is that a total of 5,700 Citibank ATMs are placed in 7-Eleven shops all across the US.

Citibank representatives have declined to comment on how the hackers succeeded. This statement was issued: "We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts". If you are a Citibank customer and this affects you, the bank will most likely contact you with detailed information and issue you a new debit card.

The Microsoft Corporation has also come under scrutiny because the Windows OS is used as a building block for the ATM infrastructure. The bank can remotely access the ATM and diagnose it or even repair it. The network must be set up in a secure way and all PIN numbers must be kept confidential. There are industry standards in this regard, but not all financial institutions follow them.

Avivah Litan, security consultant with Gartner (a company that specializes in providing IT management solutions), had this to say: "PINs were supposed to be sacrosanct - what this shows is that PINs aren't always encrypted like they're supposed to be. The banks need much better fraud detection systems and much better authentication."