Saturday, March 11, 2006

An interesting article followed by a related blog post on the Citibank PIN ID theft

A big FYI...

Can globalization and free travel around the world continue without an effective, interoperable, strong authentication system? The key solution Citibank gives its customer is to return to the US. The reason why? They cannot authenticate the person with certainty, since there are no interoperable systems out there that can strongly authenticate the person; they authenticate only the authentication device/system. Work such as that being done presently by the Liberty Alliance Project and others will definitely help change this for the better through trusted interoperability of strong authentication devices. Moreover, what is truly needed are access control systems that are portable trusted devices that can digitize the user's inputs to authenticate the actual user and not the device, as most systems today do. Our authentication systems must represent the actual person as closely as possible along four main factors: token possession, knowledge challenge/responses, biometrics, and geolocation/time. Of course, not all factors are needed at every point of authentication. Rather, based upon the policies of the asset the user is requesting access to, a unique challenge combination of these factors can be issued... (btw this is what Falkin Systems delivers...)

This is another example of how fragile and weak the current security technologies are. They were excellent when the system was first deployed in the late 1970s. However, with the ever-advancing technology innovation track this becomes a cat-and-mouse game; the criminals have access to the same technologies and rate of technological change as those designing and putting these systems in. My beliefs are firm that within the next 2-5 years every business dealing with money, trust, and intellectual information property will be in the business of strong authentication and access control - that is, an identity service provider.


What impact will this PIN theft have on the economy within the next month? year? This news is just getting out...

hth,
/rob

--
Rob Marano
CTO & SVP R&D
Falkin Systems
rob@falkin.com
(skype) robmarano
(I-Name) http://public.xdi.org/=Rob.Marano
***
** Get your I-Name at http://2idi.com/grs/index.php?referral_code=falkinsystems
***
++
++ The NY Digital Identity MeetUp Group http://digitalid.meetup.com/3
++
Thomas J. Watson - "The way to succeed is to double your error rate."

PIN Scandal "Worst Hack Ever;" Citibank Only The Start

By Gregg Keizer, TechWeb News
March 09, 2006 (4:35 PM EST)
URL: http://techweb.com/wire/181502468

The unfolding debit card scam that rocked Citibank this week is far from over, an analyst said Thursday as she called this first-time-ever mass theft of PINs "the worst consumer scam to date."

Wednesday, Citibank confirmed that an ongoing fraud had forced it to reissue debit cards and block PIN-based transactions for users in Canada, Russia, and the U.K.

But Citibank is only the tip of the iceberg, said Avivah Litan, a Gartner research vice president. The scam -- and scandal -- has hit national banks like Bank of America, Wells Fargo, and Washington Mutual, as well as smaller banks, including ones in Oregon, Ohio, and Pennsylvania, all of which have re-issued debit cards in recent weeks.

"This is the worst hack ever," Litan maintained. "It's significant because not only is it a really widespread breach, but it affects debit cards, which everyone thought were immune to these kinds of things."

Unlike credit cards, debit cards offer an additional level of security: the password-like Personal Identification Number, or PIN.

"That's the irony, the PIN was supposed to make debit cards secure," Litan said. "Up until this breach, everyone thought ATMs and PINs could never be compromised."

Litan's sources in the financial industry have told her that thieves hacked into an as-yet-unknown system and made off with data stored on debit cards' magnetic stripes, the associated "PIN blocks," or encrypted PIN data, and the key for that encrypted data.

The problem, she continued, is that retailers improperly store PINs after they've been entered, rather than erasing them at the PIN-entry pad. Worse, the keys to decrypt the PIN blocks are often stored on the same network as the PINs themselves, making a single successful hack a potential goldmine for criminals: they get the PIN data and the key to read it.

In this case, Litan said, the thieves used the information to crank out counterfeit debit cards, then emptied accounts at ATMs. She estimated that they absconded with "at least a couple of thousand records, maybe more" and have cashed out to the tune of "millions already."

The victim of the hack attack isn't yet known, although some banks have pointed fingers at OfficeMax, which has denied that its system was penetrated.

Litan believes it much more likely that a third-party processor or terminal supplier was involved; the silence about the victim could point to a processor, she said, because they have the most to lose by the negative publicity.

Last summer, credit card processor CardSystems was hit with a massive breach that involved millions of accounts; CardSystems essentially sank under the publicity, and was later bought by Pay By Touch. In February 2006, the FTC reached a settlement with CardSystems that requires it to adopt more stringent security measures, but the company remains open to consumer lawsuits that could mean millions in payouts.

No matter who is to blame, the bank industry is only about halfway through cleaning up the breach, said Litan. And more of the same is on the way.

"This will become a trend with criminals," she bet. "Hackers will do this as much as they can" because it's far easier to empty checking accounts at ATMs than to buy goods with purloined credit cards, then sell the goods to generate cash.

So what's a consumer to do?

"Security is tight at the ATM, but point-of-sale is a whole other story," said Litan. "Look at your [debit card] account on a regular basis, and don't use a PIN-based debit card at point-of-sale," she recommended. "I never do."




BLOG reference

http://www.boingboing.net/2006/03/05/citibank_under_fraud.html

Sunday, March 5, 2006

Citibank under fraud attack, customers locked out of accounts
BoingBoing pal and Citibank customer Jake Appelbaum tried to withdraw some cash with his ATM card on Saturday night. He opened his bank account long ago in the US, but was in Toronto, Canada yesterday. Jake explains:
To my surprise, the ATM machine rejected the transaction and urged me to contact my financial institution. The machine also reported on the receipt "INELIGIBLE ACCOUNT."
Jake called Citibank's international customer support number, and soon learned that the lockout was part of a much larger fraud crisis -- by no means the only data security issue at Citibank in recent months. Jake continues:
The supervisor identified herself as a manager named Carla ID#CRU194. I identified myself as an upset customer whose account was locked for some unknown reason. She asked me a few questions about my location, my issue and then informed me that my card was suspected of fraud.

Naturally, I perked my ears up and asked for details of any fraud. She informed me that there had been no direct fraudulent transactions on my account. Rather, she informed me that the ATM networks of Canada, Russia and the United Kingdom have been compromised. I used the term class break as a question and she repeated that there has been a class break [ Ed. note: definition here] of the ATM networks in those countries. The ATM network in Canada has been compromised and as a result, using my ATM card over the Canadian network locked my account automatically. She informed me that this has been an ongoing issue for the last two weeks. When I asked why there was no media attention, she said she wasn't sure. I said it was a pretty big deal and she agreed.

She informed me that I would have to return to the United States to change my PIN before my card would be valid and in a usable state again. When I informed her that I would be traveling outside of the United States for at least a few months, possibly up to six, she repeated that I would have to re-enter the United States to fix the problem.

In other words, if you're a US Citibank customer trying to use your ATM card in Canada, Russia, or the UK right now -- at ANY network, not just Citibank's -- you may find yourself totally fuxx0red. The call-and-response goes like this:

Citibank customer:
I'm stranded in a foreign country, I need cash, and I can't withdraw cash from my account.

Citibank drone:
d00d omfg we wuz 0wnz0red, it is teh suck!!!1!1 Go home and we'll re-issue a new card. Then be prepared to go through this all over again, and again, and again.

Citibank customer:
So even if I fly all the way back to the USA so you can issue me a new ATM card, you can't promise I won't be locked out the very next day?

Citibank drone:
yup! kthxbi!

Citibank didn't handle Jake's problem in a customer-friendly way at all, and this appears to be standard procedure.

Also, it seems this incident is receiving little media attention, which begs the question: for each massive security breach we do hear about at Citibank or other large financial institutions, how many more occur without our awareness?

This February 2 Fresno Bee article appears to be tangentially related, and here's a story about a criminal conviction related to another Citibank bogus ATM scheme from 2004. But you'd think a security incident with the potential to leave thousands of customers stranded overseas without cash would get more notice. WTF?

Link to the full text of Jake's account.

Reader comment: Anonymous says,

Just wanted to mention that it's not just ATM cards that have been hacked with Citi. I was forced to close my Citi Mastercard by Citibank earlier this week "because one of their 'affiliates' was hacked and my card was affected". I knew it had to be a bad hack since when that _same card_ was involved in the DSW member information theft, they didn't make me close the card then (they never even contacted me). Forcing me to close it now made me suspect it was Citi that had been hacked, and the article about the ATM hack pretty much confirms it.

Reader comment: "Byte" in Poland says,

Not only US customers of CitiBank have problems; Polish customers do too, but the nature of the problems is different.

According to a short article, "CitiBank Handlowy S.A. was hiding information that it has been robbed" by Rafał Pawlak on hacking.pl (Link, unfortunately in Polish only), the accounts of several hundred customers of CitiBank Handlowy S.A. have been robbed using Internet access to their accounts. Translation of a fragment of the above article:

The robbed bank has not informed its customers that their accounts have been emptied. Today (2003/03/02) the bank has been identified as CitiBank, and it has been determined that the stolen money was transferred through an agency in Szczecin.

Robbers have emptied the Internet accounts of several hundred customers of CitiBank Handlowy S.A. Citizens of Szczecin were involved in the virtual robbery, and money was withdrawn from bank accounts through an agency in Szczecin. (...)

A few minutes earlier, the same author had posted an article (also linked from the above text), "Virtual bank robbery" ( Link ), with more details about the robbery, but the name of the bank was not known at that time. According to that article, twenty citizens of Szczecin stole 3 million zlotys (approximately 950 thousand dollars). The hackers installed software on the bank's customers' computers and used it to collect data that was later used to transfer money. There were only two hackers; the other eighteen people involved provided their private accounts for transferring the stolen money.

The hackers had been collecting and analyzing data about customers for a long time. When they finally decided that they had enough data, they started the robbery, which took them about seven days to carry out. Fortunately for bank customers, all of the robbers have already been arrested.

Since the data used in the robbery was collected from computers belonging to bank customers, blaming the bank may not be appropriate. Still, the bank can be accused of hiding the information that it was being robbed (the robbery took 7 days!!!) until the sum of money stolen reached 3 million zlotys.

I should also mention that there is a bigger article in "Głos szczeciński" ("Szczecin Voice"), but unfortunately I have no access to that article, which is only available in printed form.



Monday, March 6, 2006

http://www.boingboing.net/2006/03/06/citibank_security_br.html

Citibank security breach: undisclosed *internally*, let alone publicly?
Following up on yesterday's Boing Boing post about an alleged class break affecting Citibank networks in the US, UK, and Russia, an anonymous Citibank employee says (via Consumerist):
Apparently [us] employees have no details either. A client came into the branch late last week, she was travelling in Canada, and her card stopped working for no reason. She called up Citiphone (the consumer help line - they're terrible), and they gave her no reason as to why the card was blocked, and had a new card sent to our branch. Since she was in Canada, this really didn't help her out one bit.

Your article was the first that I heard of this. When she came into the branch to pick up her new card, there were no notes on her account stating why her card was blocked in the first place. There was no internal memo or email sent out regarding this fraud issue.

Link. What is a "class break?" In network security jargon, that's what happens when one breach leads to a whole new "class" of attacks on various systems, using similar methods. When it happens on a global banking network, it's also known as "really bad news." Update: Ben Popken at Consumerist reports that Citibank is now claiming that the breach was not a class break -- but acknowledges they've known about it for a month.