
Citibank ATMs in 7-Eleven stores across America were compromised by hackers

More consumers are beginning to use their debit cards in places other than a bank ATM machine, with many grocery stores and department outlets now accepting debit cards as a legitimate method of payment.  

A recent breach involving debit cards has come to light: thousands of Citibank customers may have had their data compromised when they used ATM machines located in 7-Eleven convenience stores.

It appears Citibank's systems were not directly compromised and 7-Eleven's networks were the only ones affected.  The network, which is Microsoft Windows-based, can be more easily repaired and diagnosed remotely, but comes with a security flaw that the hackers exploited.  

The companies that operate the ATMs in 7-Eleven, Fiserv and Cardtronics, are working closely with authorities in their investigation. Fiserv, however, said it is not directly involved in the case and has not returned e-mails or phone calls from journalists. Cardtronics also said that it uses encrypted PIN pads and triple data encryption to help protect user information.

The most frightening aspect is that the criminals were able to make off with millions by attacking the back-end computers that are responsible for transactions. Until recently, the four-digit PIN had been the most reliable and closely guarded method for banking in public spaces; banks must now deal with the potential problem of hackers successfully compromising back-end computer networks.

"PINs were supposed to be sacrosanct — what this shows is that PINs aren't always encrypted like they're supposed to be," said Gartner security analyst Avivah Litan. "The banks need much better fraud detection systems and much better authentication."

To date, seven suspects have been arrested in the case, with more arrests possible, police authorities said. Three people from the group have already been charged and now face charges ranging from conspiracy to fraud.

Citibank did not disclose how the hackers compromised the network, but did say all affected customers have been notified of the security breach.



Comments

eftpos
By 4wardtristan on 7/4/2008 9:03:12 AM , Rating: 4
quote:
More consumers are beginning to use their debit cards in places other than a bank ATM machine, with many grocery stores and department outlets now accepting debit cards as a legitimate method of payment.


now i have never been overseas from Australia before, so i dunno what goes on where, but as far as i can remember pretty much everything here in Aust. has had eftpos for ages??




RE: eftpos
By Indianapolis on 7/4/2008 10:12:46 AM , Rating: 2
Oh yeah, eftpos...

What?


RE: eftpos
By omnicronx on 7/4/2008 10:44:10 AM , Rating: 2
That's Aussie for ATM, stands for something like 'electronic funds transfer POS' (point of sale I assume). I remember the first time my aussie friend called it that, never quite understood why anyone would use an acronym that takes almost as long to say as the full name.


RE: eftpos
By Ticholo on 7/4/2008 1:47:52 PM , Rating: 3
Judging from the article, the "eftpos" in the 7-elevens were a different kind of electronic fund transfer POS ;)


RE: eftpos
By jajig on 7/4/2008 5:01:32 PM , Rating: 2
We have ATMs, they are things we get cash from. EFTPOS is what we use at a point of sale instead of cash.

For example; if I wanted to buy groceries I would swipe either my ATM card or credit card at the check out and the funds will be taken directly from my bank account. No physical cash will change hands.


RE: eftpos
By xphile on 7/6/08, Rating: 0


RE: eftpos
By xphile on 7/9/2008 7:50:21 PM , Rating: 2
Like I care but this is just typical of this site - you post a factual group of statements based on REALITY - since I actually live in New Zealand and work on and off in Australia, unlike the OP I commented on, and you get slammed for stating the truth, with absolutely No supporting comments whatsoever - since there can be none as everything I said is fact.

This is why people shy away from this site and stop posting, why bother when this kind of rubbish is allowed. Oh well - I will leave it back in the safe hands of the 14 year olds that cause all the carnage.


RE: eftpos
By FreeTard on 7/4/2008 10:51:59 AM , Rating: 2
I think I know what you're referring to. Canada they call it using Interac, which is the name of the network. Or here in the States it's using your Debit card.

You'd actually be surprised coming over here, and seeing how slow the adoption of it is. While it is picking up, it's definitely not as widespread as it is in other countries. I stopped carrying cash in Canada because everywhere I went, even if it was just to buy a pack of gum, I could just use my bank card.


RE: eftpos
By omnicronx on 7/4/2008 11:13:16 AM , Rating: 2
quote:
You'd actually be surprised coming over here, and seeing how slow the adoption of it is. While it is picking up, it's definitely not as widespread as it is in other countries.

That's because it was a joint venture between the 4 big Canadian banks, it's much easier to have a national solution, when 95% of the people are customers of the big 4. You are right though, Interac is so widespread in Canada, that pretty much any business not using it will probably have their taxes reviewed because it is out of the norm ;)


RE: eftpos
By JoshuaBuss on 7/4/2008 5:06:03 PM , Rating: 2
debit (and credit even moreso) cards have been accepted pretty much everywhere in chicago for well over a decade as well.. i'm not quite sure what the article was trying to say.


RE: eftpos
By sxr7171 on 7/5/2008 2:03:26 PM , Rating: 2
You mean like a debit card? You must be very young.


Eh?
By Oroka on 7/4/2008 2:00:48 PM , Rating: 2
You Yankees only use your bank cards for cash at ATMs? I rarely use cash, as do a lot of people here in Canuckastan.




RE: Eh?
By chmilz on 7/4/2008 2:45:32 PM , Rating: 1
Americans are way behind the rest of the world when it comes to things like this.

We (Canadians) have debit cards with rewards programs, the metric system, Celsius temperature scale... you know, the same things that the entire rest of the world uses, other than the US.
I get reward miles or free movies depending on which debit card I use, screw credit cards with annual fees and, more importantly, debt.

3 countries on the planet don't use Metric, the US and two that don't matter http://en.wikipedia.org/wiki/Metric_system

Entire planet other than US on Celsius scale http://en.wikipedia.org/wiki/Celsius


RE: Eh?
By chmilz on 7/4/2008 2:49:43 PM , Rating: 1
Did I say reward miles? Stupid Americanisms in my head! Make the voices stop! OH PLEASE MAKE THEM STOP!


RE: Eh?
By TomZ on 7/4/2008 3:15:18 PM , Rating: 2
Credit cards, when used responsibly, are better than debit cards. Here are a few reasons off the top of my head:

1. If you pay your statement balance every month, it is basically a floating interest-free loan

2. Credit cards help you establish a credit history; debit cards do not

3. Debit cards are not universally accepted in place of credit cards; for example, most car rental companies will not accept debit cards

I've never paid an annual fee in my 20+ years of having credit cards. In fact, I usually get a few hundred dollars back every year for using them (cash-back rewards).

Wow, you have Celsius there?!? I'm surprised Canada isn't completely inundated with Americans moving there for that reason alone! :o)


RE: Eh?
By erple2 on 7/10/2008 3:07:50 PM , Rating: 2
Credit cards are, in more or less all categories, superior to Debit cards. In fact, I can't for the life of me figure out why anyone would ever want to use a Debit card over a credit card - with the possible exception of the Credit Card fees charged at a Point of Sale (2-4%). However, that impacts the vendor, not the consumer...

I suppose if you were completely irresponsible with your finances, then maybe a debit card will help you to stay out of debt, but really, are you that dumb that you don't understand how credit works?

The HUGE advantage of a Credit Card is that you don't actually pay anything until the bill comes - that means that if someone steals your credit card and charges some things, you still have access to your money. With a debit card, there's no such guarantee. Essentially, you're left holding nothing if someone steals your Debit Card.

I honestly don't at all understand what the point of a Debit Card is, at least from a consumer's perspective. I get all of the benefits of tight regulation on the Credit Card Industry (I am a responsible user, so I could care less about morons thinking that the minimum payment is sufficient). Namely, if I dispute a charge, the Credit Card Company (which has a LOT more time and resources than I do) tries to get their money back. If someone empties my bank account with my stolen debit card, I have to work very hard to get my money back.

That simple fact is so often overlooked..

Do Debit Cards (eftpos?) work differently in other countries?

Credit Cards aren't evil. People who get themselves in trouble aren't evil either - they're just ignorant of how Credit really works.


RE: Eh?
By rcc on 7/7/2008 10:50:29 AM , Rating: 2
We are horribly behind. Then again, I haven't been anywhere that didn't accept my debit card in the last 10-15 years, so I'm not sure what podunk part of the country you've been visiting.


RE: Eh?
By JediJeb on 7/7/2008 5:25:04 PM , Rating: 2
Outside the large cities, like where I live, the credit/debit machines at the counter are only recently appearing. Many small businesses around me still don't have them. Some that do you can't get the charge through if someone else is using the telephone, since the stores only have one line. And yes most are still using credit/debit machines that dial up, because nothing else is available. Where I eat lunch is cash only, they don't take cards at all.


RE: Eh?
By Seemonkeyscanfly on 7/7/2008 3:41:42 PM , Rating: 2
You know you are an American, correct? After reading your post, I'm not sure if you realize this or not.....

There are about 30 or 40 countries that the people can be classified as Americans – I looked it up a couple months back to get listing of them all (thought there were 10 to 15 countries) and there were many more than I realized. Not the people from the USA.


RE: Eh?
By kake on 7/5/2008 1:54:59 AM , Rating: 2
I was just looking at a map of Canada and I see ten provinces (BC, Manitoba, Quebec, Nova Scotia, etc), but for the life of me I can't find Canuckastan. Am I not looking hard enough or have you clever people managed to carve yourselves a piece of the Middle East as well?


Windows?
By Flunk on 7/4/2008 12:28:25 PM , Rating: 2
"The network, which is Microsoft Windows-based" Why would anyone use a consumer-level desktop OS (or a variant like WinCE) for this? Performance would be terrible, buggy and the patches that Windows constantly needs to stay ahead of hackers would be hard to deploy and monitor. The overall abundance of features in itself is a liability. Not only that they could have had a more stripped down system with Linux, which is free. Then they could have saved on hardware as well.

The only reason I can think of to do this is that it was easier than trying a bit harder and designing a real ATM system.

Before I get flamed I think I should mention that I love Windows (if you check some of my older posts I have previously defended Windows Vista). But this is just not a good application for Windows (even CE).




RE: Windows?
By TomZ on 7/4/2008 1:44:37 PM , Rating: 2
I'm not sure I agree. ATMs require graphics, sound, touch screen, they don't have to be real-time, the software needs to be updated often, they need good networking, good encryption, probably want to leverage cheap X86-based hardware, probably want a good development environment (e.g., Visual Studio). Sounds like a good fit to me.

Also, what OS do you think is more robust than modern Windows, if the design requirements to be on a public network (e.g., the Internet)? Most commercial RTOS'es, for example, don't get even a small fraction of the hacking against them that Windows does.

I would think Linux would also be a fine choice, for most of the same reasons. But I think the software would be slightly easier to develop and maintain with Visual Studio.


RE: Windows?
By rasmith260 on 7/4/2008 9:17:01 PM , Rating: 2
“Also, what OS do you think is more robust than modern Windows”

Just off the top of my head UNIX. As far as the need for Graphics, Sound, and a Touch Screen, while all of that gives the illusion of living in a futuristic world I guess, the reality is most people spend about 1 minute or less in front of an ATM and all that modern hardware is mostly used to advertise products offered by the banks or their partners. When I go to an ATM I go to get cash and get on with my life, I don’t require a sound and light show with every step I take. Those old black screens with green letters from the 80’s accomplished the same thing that modern ATM’s do and were far more secure. From my understanding the real reasons for these moves was based on the licensing being cheaper with Windows and even though it was less secure than UNIX the banks figured the savings were worth the risk of their systems being compromised.


RE: Windows?
By kake on 7/5/2008 1:58:49 AM , Rating: 3
Yes, and who doesn't enjoy waiting behind someone who can't figure out which blinking graphic to repeatedly hurl their finger against to start the transfer process?

I've seen one or two machines whose ads were so intrusive I wasn't sure when I was actually supposed to input my pin. Please, not everything needs to be Flash-ified.


RE: Windows?
By mindless1 on 7/6/2008 5:19:28 AM , Rating: 2
If by more robust you mean not perpetually hacked by script kiddies, how about EVERY OS? Seriously, it was an idiotic move to use windows for this application. No matter how much you want to feign ideals about why it's ok, windows only falls down and reveals its flaws when it matters most.

Windows is a desktop PC OS. It's the best one we have, but it's only that, not fit for other uses.


RE: Windows?
By Chudilo on 7/7/2008 12:25:43 PM , Rating: 2
And what makes you think that Linux can't do graphics, Flash, touchscreens, and so on?
Have you seen ubuntu lately, it's got more eye candy than windows (if you want to have it that is, and it doesn't require DX 10 hardware either).


Wow...
By Dark Legion on 7/4/2008 8:59:01 AM , Rating: 2
quote:
The network, which is Microsoft Windows-based, can be more easily repaired and diagnosed remotely, but comes with a security flaw that the hackers exploited.


So am I right in understanding that this could have been avoided if they had "repaired and diagnosed" the network on-site? How could a bank leave a security flaw like that in their system?




RE: Wow...
By aeroxander on 7/4/2008 9:10:21 AM , Rating: 2
No I think what they're saying is that they use windows based network on these ATMs as it is easier for them to remotely repair them and diagnose problems, but in doing so it also meant that it "came with a security flaw" not that they could have fixed the flaw remotely.


RE: Wow...
By Gul Westfale on 7/4/2008 9:37:35 AM , Rating: 1
no worries, in about 2 years MS will release a patch for it :)


RE: Wow...
By FreeTard on 7/4/2008 10:39:09 AM , Rating: 1
If it makes anyone feel better, not all banks use an MS solution for their POS/ATMs.

In a former career I was a mainframe guy for a medium sized bank. I used to be able to watch the encrypted transactions go across the ATM network. I can say that while the ATM might be a windows based machine, the back-end stuff was definitely not. While it still can theoretically be cracked open and money scooped out, it wouldn't be as easy as using a known M$ exploit, that you can read about on any tech site, and should have been patched years ago. Some banks might opt for the cheaper solution of using WinME cobbled together to be a server, but others don't.

Like I said on another site... I'm guessing the Citibank employees set the server passwords to something like:

Username: Admin
Password: Password1 <--- the 1 makes it harder to guess


RE: Wow...
By mindless1 on 7/6/2008 5:24:44 AM , Rating: 2
Except that if they owned the atm, they don't necessarily need to crack the back-end, they are hacking it through the trust of the atm connection.


heh
By ryedizzel on 7/4/08, Rating: 0


RE: heh
By MRwizard on 7/5/2008 12:53:05 AM , Rating: 2
You know, i'm very upset with that comment. I am sure if the whole world (ok 85-90%) was using a linux/unix based OS they probably would be getting the same bashing.
What MS have done is a hell of an achievement and deserve a lot of respect for it. Their systems are as secure as any other OS! The only way you would ever ever get a really really secure system is when you write your software for the hardware and only that hardware. Almost the same as what MAC does.


RE: heh
By sxr7171 on 7/5/2008 3:36:07 PM , Rating: 2
Yeah pretty much what an ATM needs. Not Windows. Windows has its place, but not on ATMs.


RE: heh
By essjae on 7/5/2008 9:59:37 PM , Rating: 2
For a long time, a lot of banks were using OS/2 on ATMs. WaMu was (still is?) one of them.


RE: heh
By mindless1 on 7/6/2008 5:22:39 AM , Rating: 2
Complete nonsense. What windows does is try to be everything plus the kitchen sink which leaves more holes for hackers to slime through. The sane secure solution is minimalism, you don't strip down a modularized excessive OS, rather a feature specific small codebase OS with only what you need and small size makes the fewer bugs all the easier to find.

If in doubt, note how these weren't problems for the many years of ATMs/etc, until now.


"ATM Machine"
By GDstew4 on 7/4/2008 6:47:08 PM , Rating: 3
Heh, love it. Long live the automated teller machine machine :) It's where I enter my personal identification number number!




RE: "ATM Machine"
By sxr7171 on 7/5/2008 3:42:43 PM , Rating: 2
Ha Ha!


From the original article
By GaryJohnson on 7/4/2008 11:48:41 AM , Rating: 3
From the original article:
quote:
And despite industry standards that call for protecting PINs with strong encryption — which means encoding them to cloak them to outsiders — some ATM operators apparently aren't properly doing that.

Not from the original article:
quote:
The network, which is Microsoft Windows-based, can be more easily repaired and diagnosed remotely, but comes with a security flaw that the hackers exploited.

The AP quote makes it sound like the PINs weren't being encrypted because whoever configured the ATM network didn't set it up to do so. Whereas your quote directly blames a security flaw in windows that the AP article only speculates about.

Is there another source that made it clear the attack was made possible by a windows security flaw?




Another nail in the coffin
By TomCorelis (blog) on 7/4/2008 4:04:08 PM , Rating: 2
Ever since Citi dropped the APY on my e-Savings account from 5% to 1%ish, I've found little use for its services when compared to my local credit union and USAA accounts.




Copyright 2009 DailyTech LLC.