Thursday, June 19, 2008

How did Citibank lose customers' money?

Wired is reporting that "a computer intrusion into a Citibank server that processes ATM withdrawals led to two Brooklyn men making hundreds of fraudulent withdrawals from New York City cash machines in February, pocketing at least $750,000 in cash, according to federal prosecutors".

But the explanation of how they did it is a bit confusing - did someone steal PINs by hacking into a server, as is suggested by the article? It's possible, but my guess (backed up by someone I spoke to who knows a lot more about this subject than I do) is that someone actually installed software on the server that approves the transactions. If you do that, you don't need to know anybody's PIN - if you can create duplicate cards, you can get the system to allow withdrawals. Of course, you wouldn't want the approval to automatically say "yes" to any withdrawal, because then it would be too obvious, and the "free money" machines would be reported by customers and stopped before long. A clever attacker would insert code that would be highly unlikely to trigger by accident, but easy to trigger on purpose. For example, a PIN that matches the current month and day, or a PIN that matches some function of the account number - either would be incredibly unlikely to be triggered except by someone who knew the approval hack was present. Once the code is inserted into the approval system, the attacker can make unlimited withdrawals from an account, regardless of the account balance.

Regardless of the mechanism, the attack demonstrates that banks can't simply pass the buck (so to speak) to their customers for protecting PINs - it's up to the banks themselves to monitor their servers, and ensure that they're hardened.
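As an added illustration of the kind of server-side monitoring the post argues for, here is a small Python checker written for this page; it is not code from the post, from Citibank, or from any real approval system. It runs three controls over approval-server records: it flags any withdrawal approved for more than the account's balance (the "regardless of the account balance" symptom a tampered approval path would produce), flags cards that rack up many approvals within a short window, and flags cards whose daily total exceeds a limit. The log layout, the field names, the thresholds and the sample records are all constructed assumptions chosen for the example.

```python
"""Sanity checks over ATM withdrawal-approval records (constructed example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records, one per APPROVED withdrawal, in the shape
# (card, timestamp, atm_id, amount, balance_before_withdrawal).
# This layout is an assumption for the example, not any bank's real format.
SAMPLE_LOG = [
    ("4111-0001", "2008-02-10T09:00:00", "ATM-17", 200, 1500),
    ("4111-0001", "2008-02-10T09:03:00", "ATM-17", 200, 1300),
    ("4111-0002", "2008-02-10T09:10:00", "ATM-03", 500, 300),   # approved over balance
    ("4111-0003", "2008-02-10T10:00:00", "ATM-21", 500, 900),
    ("4111-0003", "2008-02-10T10:02:00", "ATM-21", 500, 400),   # approved over balance
    ("4111-0003", "2008-02-10T10:04:00", "ATM-21", 500, -100),  # balance already negative
    ("4111-0003", "2008-02-10T10:06:00", "ATM-22", 500, -600),  # same card, another ATM
]


def parse_records(raw):
    """Turn raw tuples into dicts with a real datetime for the timestamp."""
    return [
        {"card": card, "ts": datetime.fromisoformat(ts), "atm": atm,
         "amount": amount, "balance_before": balance}
        for card, ts, atm, amount, balance in raw
    ]


def find_over_balance_approvals(records):
    """Approvals that should have been declined on balance alone.

    A legitimate approval path never lets amount exceed balance_before, so
    any hit here means the balance check was skipped or overridden.
    """
    return [r for r in records if r["amount"] > r["balance_before"]]


def find_velocity_bursts(records, max_txns=3, window=timedelta(minutes=10)):
    """Cards with more than max_txns approvals inside any sliding window.

    Returns {card: peak_count_in_window} for cards over the threshold.
    """
    by_card = defaultdict(list)
    for r in records:
        by_card[r["card"]].append(r["ts"])
    bursts = {}
    for card, stamps in by_card.items():
        stamps.sort()
        peak, j = 0, 0
        for i, start in enumerate(stamps):
            # Advance j past every timestamp still inside [start, start + window].
            while j < len(stamps) and stamps[j] - start <= window:
                j += 1
            peak = max(peak, j - i)
        if peak > max_txns:
            bursts[card] = peak
    return bursts


def daily_totals_over_limit(records, limit=1000):
    """Cards whose approved withdrawals on one calendar day exceed the limit.

    Returns {card: total} for the offending card-days (assumed daily cap).
    """
    totals = defaultdict(int)
    for r in records:
        totals[(r["card"], r["ts"].date())] += r["amount"]
    return {card: total for (card, _day), total in totals.items() if total > limit}


def run_checks(raw):
    """Run all three controls and return their findings in one dict."""
    records = parse_records(raw)
    return {
        "over_balance": find_over_balance_approvals(records),
        "velocity": find_velocity_bursts(records),
        "daily_limit": daily_totals_over_limit(records),
    }


if __name__ == "__main__":
    findings = run_checks(SAMPLE_LOG)
    for name, hits in findings.items():
        print(f"{name}: {hits}")
```

The over-balance rule is the one that matters most here: it does not depend on knowing how the approval logic was tampered with, only on comparing what the server approved against what it should have been able to approve, so it is worth running from a separate system that the approval server cannot silently edit.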

