vnunet.com Mobile channel

vnunet.comHome
News | Analysis | Comment | Features | Reviews
Dollar bills
A Russian gang may have stolen over $2m by making clones of debit cards

Thieves steal millions from Citibank customers

Gang hacked third-party ATM system to get Pins

Iain Thomson in San Francisco, vnunet.com, 03 Jul 2008

Three people have been charged with stealing millions of dollars from Citibank customers after finding a way to steal Pins.

The team, who were arrested by the FBI in March, managed to hack into an ATM transaction processing firm and collect the Pins from cards used in 7/11 stores.

The ATM machines carried the Citibank brand but were built and maintained by the 7/11 chain.

"Citibank's systems were not compromised in this incident, which ended in March. This had to do with 7/11's network," Rob Julavits, a spokesman for the bank, told vnunet.com.

"Earlier this year Citibank received notice from a third-party transaction processor for the ATM industry that the processor's systems were potentially compromised in late 2007.

"By March we had notified and reissued cards to all customers whom we believed may have been exposed to increased risk."

The precise details of the attack have not been released, as the trial of Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva has just begun in the US District Court for the Southern District of New York.

However, the fault may lie with the internet connections linking the ATMs to the payment processors or the servers that handle them.

The 7/11 network is run by two companies which operate the ATMs, Cardtronics and Fiserv Inc. Fiserv was unavailable for comment but is reportedly not involved with the case. Cardtronics has denied involvement.

"Cardtronics is not involved in this criminal prosecution and therefore does not anticipate that it will issue any statements with respect to this case or the alleged conduct of the defendants in this case," the firm said in a statement.

"All ATMs owned or operated by Cardtronics have encrypted Pin pads, as well as triple data encryption as required by the various electronic fund transfer networks."

Seven other people have been arrested in the case. It is believed that the gang may have stolen over $2m by making clones of cards and withdrawing money from legitimate cash machines.

On his arrest Biltse was reportedly found with $800,000 in cash at his home, so the final total may be much higher.

Early documents filed by the FBI suggest that the heist was managed by a leader in Russia, who supplied the information and took 70 per cent of the proceeds.

Twenty-five per cent went to the people withdrawing the cash, and five per cent covered expenses.

See also:

Chip and Pin
Researchers warn of chip and Pin flaws
Popular retail machines vulnerable to attack  28 Feb 2008
Banks failing on ATM security
Unencrypted messages open to abuse, claims report  22 Feb 2008
ATM celebrates 40th birthday
Radioactivity from first machines still around  27 Jun 2007
ATM passwords found online
Up to 70,000 US cash machines vulnerable  22 Sep 2006

All Hacking
Tags: Citibank, Ecommerce, Security

Like this story? Spread the news by clicking below:

Post this to Delicious del.icio.us    Post this to Digg Digg this    Post this to reddit reddit!

R E L A T E D   C O N T E N T

© Incisive Media Ltd. 2008
Incisive Media Limited, Haymarket House, 28-29 Haymarket, London SW1Y 4RX, is a company registered in the United Kingdom with company registration number 04038503