05 March 2006

Citibank ATM network pwned

According to multiple sources, Citibank is saying its ATM system has been compromised, and that the bank is locking out travelers who try to access funds from outside of the US.

The San Francisco Chronicle ran an article in February that may be connected to this: "Some BofA clients find debit cards canceled." From the article: "Bank of America customers have had their debit cards canceled ... after an unnamed company experienced what appears to be a major security breach. BofA is refusing to identify the company.... BofA confirmed Wednesday that the breach in this latest case wasn't at a processing center used by the bank or any other affiliate."

Adweek has created a parody Citibank ad about the ATM fiasco.

New: The story continues:

TechWeb: The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."

[R]etailers improperly store PIN numbers after they've been entered, rather than erase them at the PIN-entering pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.

The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

Chicago Tribune:

A story in Wednesday's New York Times, citing unidentified sources, said it appeared that the Citibank debit card information was obtained through a security breach at OfficeMax Inc., the Itasca-based office supplies retailer.

OfficeMax said Wednesday that it had "no knowledge of a security breach."


Slashdot's take on the issue.
