Citibank's Customers' ATM PINs Have Been Compromised!
Alright, let's take a break for a while.. Put the whole search engine optimization tips-and-tricks thing aside for a minute or two.. and take a look at our daily life a bit. It's been a while since my last post about a vulnerability, and it's kinda answering my oldest call about how much I cared about this security world years ago.
The subject above should give you an idea of the topic I'm gonna write about. Uh huh, you got it right, buddy: Citibank's customers' ATM PINs have been compromised! This subject is kinda spooky, but the real-life situation is even more frightening!
I just finished reading this scary headline on Yahoo: hackers broke into Citibank's network of ATMs inside 7-Eleven stores and stole customers' PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record.
The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically, I repeat, theoretically, are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals.
Is that even possible?
Well, from my experience back when I still worked in this "unpaid job, not even a dime, called being a freelance security adviser, which most people don't even know exists since we all write security advisories under a cyber-nickname" group, there's no such thing as "impossible" in a hacker's dictionary.
In this group I used to work for (for free), our everyday activities were scanning for network vulnerabilities, checking for software bugs, writing advisories about them, publishing them on major security sites, contacting the vendors, and, the best part of it, not getting paid. Whoa..
Yup, you heard me right, there are still such people doing it, for some noble purpose. Me? I'm just a former one, not one of them anymore. Since I built this tiny wonderful world we used to call "a family", I have to work my a55 off to monetize my expertise (is it even called expertise? lol) to survive this rude world!
Back to the main issue. Yup, it's possible; nothing is impossible. The word impossible doesn't even exist in a hacker's glossary, not even in their vocabulary. You know the most famous hacker's quote? "We did it because we can." What a spirit!
From here on, I'm gonna use the words "the bad guys" in place of the word hacker, coz I don't agree with the public opinion that hackers are always the bad guys.
How Could This Scary Thing Even Happen?
Okay, let's step into the mechanism, the how-to, and the hole they got in through.
The bad guys are targeting the ATM system's infrastructure, which is increasingly built on Microsoft Corp.'s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet. And despite industry standards that call for protecting PINs with strong encryption (not merely encoding them, but making them unreadable to anyone who doesn't hold the key), some ATM operators apparently aren't doing that properly. The PINs seem to be leaking while in transit between the automated teller machines and the computers that process the transactions.
In plain English:
There's a hole, and somebody who knows how to get to the right spot can take advantage of the leaking PIN data.
This hole was created by the sloppy practices of some ATM operators who don't properly apply the most basic security control there is: encryption.
Where's the hole exactly? Between the automated teller machines and the computers that process the transactions, while the PINs are in transit. A PIN is supposed to be encrypted inside the PIN pad the moment it is entered and stay encrypted all the way to the processor, so a leak here means that somewhere along that path it is travelling in the clear.
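To make "protecting PINs with strong encryption" concrete, here is an added example (mine, not code from the article or from any bank or processor) of what the standard expects to happen before a PIN ever leaves the ATM: the PIN and the card number are combined into an ISO 9564 format 0 PIN block, and that block is encrypted with Triple DES under a PIN encryption key. The key, the card number and the PIN below are made up for the illustration; `demoPEK` and the function names are mine. The cleartext block is what someone sniffing the link between the ATM and the processor sees if the operator skips the encryption; the encrypted block is what should be on the wire.

```go
package main

import (
	"bytes"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// demoPEK is a made-up 24-byte Triple DES PIN encryption key for this
// illustration only. In a real deployment the PEK lives inside the
// tamper-resistant PIN pad and the acquirer's HSM, never in application memory.
var demoPEK = []byte("0123456789abcdefABCDEF01")

// panField returns the 16-hex-digit PAN field of an ISO 9564 format 0 block:
// four zeros followed by the twelve rightmost PAN digits, check digit excluded.
func panField(pan string) (string, error) {
	if len(pan) < 13 || strings.Trim(pan, "0123456789") != "" {
		return "", errors.New("PAN must be at least 13 digits")
	}
	return "0000" + pan[len(pan)-13:len(pan)-1], nil
}

// xorHex XORs two equal-length hex strings and returns the raw bytes.
func xorHex(a, b string) ([]byte, error) {
	ab, err := hex.DecodeString(a)
	if err != nil {
		return nil, err
	}
	bb, err := hex.DecodeString(b)
	if err != nil {
		return nil, err
	}
	if len(ab) != len(bb) {
		return nil, errors.New("length mismatch")
	}
	out := make([]byte, len(ab))
	for i := range ab {
		out[i] = ab[i] ^ bb[i]
	}
	return out, nil
}

// formatZeroPINBlock builds the cleartext ISO 9564 format 0 PIN block:
// "0" + PIN length (one hex digit) + PIN + "F" padding, XORed with the PAN
// field. The XOR only ties the block to the card; it is not secrecy, since
// the PAN travels in the same message as the block.
func formatZeroPINBlock(pin, pan string) ([]byte, error) {
	if len(pin) < 4 || len(pin) > 12 || strings.Trim(pin, "0123456789") != "" {
		return nil, errors.New("PIN must be 4 to 12 digits")
	}
	pinField := fmt.Sprintf("0%X%s", len(pin), pin)
	pinField += strings.Repeat("F", 16-len(pinField))
	pf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	return xorHex(pinField, pf)
}

// encryptPINBlock is what the PIN pad does before the block leaves the ATM:
// a single 8-byte block under Triple DES with the PIN encryption key.
func encryptPINBlock(pek, block []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(pek)
	if err != nil {
		return nil, err
	}
	if len(block) != c.BlockSize() {
		return nil, errors.New("PIN block must be 8 bytes")
	}
	out := make([]byte, c.BlockSize())
	c.Encrypt(out, block)
	return out, nil
}

// decryptPINBlock is the host/HSM side of the same operation.
func decryptPINBlock(pek, enc []byte) ([]byte, error) {
	c, err := des.NewTripleDESCipher(pek)
	if err != nil {
		return nil, err
	}
	if len(enc) != c.BlockSize() {
		return nil, errors.New("encrypted PIN block must be 8 bytes")
	}
	out := make([]byte, c.BlockSize())
	c.Decrypt(out, enc)
	return out, nil
}

// recoverPIN undoes the PAN XOR and validates the format 0 layout. A block
// decrypted under the wrong key, or paired with the wrong PAN, almost always
// fails one of these checks instead of yielding a plausible-looking PIN.
func recoverPIN(block []byte, pan string) (string, error) {
	pf, err := panField(pan)
	if err != nil {
		return "", err
	}
	raw, err := xorHex(hex.EncodeToString(block), pf)
	if err != nil {
		return "", err
	}
	s := strings.ToUpper(hex.EncodeToString(raw))
	if s[0] != '0' {
		return "", errors.New("not a format 0 PIN block")
	}
	n64, err := strconv.ParseInt(s[1:2], 16, 0)
	if err != nil || n64 < 4 || n64 > 12 {
		return "", errors.New("bad PIN length nibble")
	}
	n := int(n64)
	pin, pad := s[2:2+n], s[2+n:]
	if strings.Trim(pin, "0123456789") != "" || strings.Trim(pad, "F") != "" {
		return "", errors.New("malformed PIN block (wrong key or PAN?)")
	}
	return pin, nil
}

func main() {
	// Constructed sample values; not real card data.
	pan, pin := "4111111111111111", "1234"
	clear, _ := formatZeroPINBlock(pin, pan)
	enc, _ := encryptPINBlock(demoPEK, clear)
	fmt.Printf("cleartext block (what a sniffer sees if unencrypted): %X\n", clear)
	fmt.Printf("encrypted block (what the standard expects on the wire): %X\n", enc)
	dec, _ := decryptPINBlock(demoPEK, enc)
	got, _ := recoverPIN(dec, pan)
	fmt.Println("host recovered PIN:", got, "| ciphertext differs from cleartext:", !bytes.Equal(enc, clear))
}
```

Two things worth noticing. First, the cleartext block still contains the PIN digits almost verbatim (the XOR with the card number is trivially undone by anyone who has the same message), so "unencrypted PIN block on the wire" is as bad as sending the PIN itself. Second, the protection comes entirely from the 3DES step and from where the key is kept: if the decryption happens on an ordinary server at the processor and the recovered PIN sits in that server's memory afterwards, malware on that server sees it in the clear regardless of how well the link was encrypted.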
Avivah Litan, a security analyst with the Gartner research firm, said:
"PINs were supposed to be sacrosanct — what this (read: the hole and the PIN data leaking) shows is that PINs aren't always encrypted like they're supposed to be. The banks need much better fraud detection systems and much better authentication."
The How-to..
Woohoo.. The how-to.. The best part of all advisory articles. Let's sum up a bit. So.. there's a hole where the PIN data are leaking, and leaking badly. How did the bad guys (or should I say: us wannabes, lol) manage to get there?
Well.. It's still a mystery.
Are you expecting something like: copy and paste the whole script below, drop it on a web server as a PHP file, and run it through a web interface using your favorite browser? Do you?
The most recent updates on this situation:
A critical issue in the investigation is how the bad guys infiltrated the system, a question that still hasn't been answered publicly.
All that's known is that they broke into the ATM network through a server at a third-party processor, which means they probably didn't have to touch the ATMs at all to pull off the heist.
They could have gained administrative access to the machines (which means they had carte blanche to grab information) through a flaw in the network or by figuring out those computers' passwords. Or it's possible they installed a piece of malicious software on a banking server to capture unencrypted PINs as they passed through.
All I can say is that, in hacker's-glossary terms, it's a direct attack.
If the bad guys finally found the leak, that means the hole in this system has been there since the day it was built, right? Unencrypted PINs in transit aren't a bug that showed up one day; that's how the system was set up. Actually, it helps us finally figure out that something was not right (please notice: I don't use the word "wrong") from the very beginning.
Vendor's Response
Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers’ accounts were compromised. It said it notified affected customers and issued them new debit cards.
“We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts,” the bank said in a statement.
Oh well, we all agree the most interesting part of any vulnerability article is the vendor response.
The great part is that it notified affected customers and issued them new debit cards, and that it does not hold them responsible for fraudulent activity in their accounts. Keep in mind, though, that a new card only replaces the card number and PIN that were stolen; if PINs are still crossing the network unencrypted, the next batch leaks just the same. The leak itself has to be fixed on the processor's side.
Refunded all the losses? No idea, hoping so..
Alright guys... Be aware. Be safe.