Millions of Citibank Customers at Risk Due to Largest PIN Number Hacking in History
A breaking news report (why is it breaking in England, not here in the U.S.?) reveals that millions of Citibank customers’ accounts are at risk as a result of what the London Times is calling the “biggest and most effective remote PIN code theft scam in US banking history.”
According to the report, “Citibank machines in 7-Eleven convenience stores across America were the target,” and already more than $2 million has been drained from Citibank customers’ accounts.
The situation came to light only because the original perpetrators have been caught, and are now in custody, and wending their way through the U.S. court system. But the hacking into accounts was continuing at least into this spring, and of course we all know that lists of PIN codes - like email addresses - can be sold. Meaning that there is a high probability that the stolen PIN numbers are still in the hands of someone who will use them maliciously - and, if you are a Citibank customer, it’s time to go over your statements for the last several months with a fine-toothed comb, and for goodness sake change your PIN number!
The report blames the situation on the fact that the ATM infrastructure “is now built on Microsoft’s Windows operating system, and the cash machines themselves can be remotely diagnosed and repaired online. Unfortunately, this means that PIN codes have started to ‘leak’ along the way — suggesting that industry guidelines on encryption are not always being followed.”
Of course, we predicted this 3 1/2 years ago, when it was first announced that thousands of ATMs in the United States were being moved to a Windows platform, and again just four months later when Wells Fargo announced they had moved their ATMs to the Windows platform.
Apparently Citibank did the same, much to the detriment of their users, as is now clear.
Of the news of the Citibank PIN exposure, Gartner security analyst Avivah Litan said, “PINs were supposed to be sacrosanct. What this shows is that PINs aren’t always encrypted like they’re supposed to be. The banks need much better fraud detection systems and much better authentication.”
Ironically, it was Litan who said, four years ago, that the move to Windows-based ATM systems is “not great news for the security of the system. I’m sure there’s a lot of holes that will be created because of this.”
According to the Times, it is not yet clear exactly how many Citibank customers have already been affected by this. There are more than 5600 Citibank ATMs in 7-Eleven stores across the U.S.
According to Don Jackson, director of threat intelligence for the computer security company SecureWorks, the only thing that really makes the Citibank PIN hacking case unique is that the guys were caught. Citing an alarming spike in the number of such hacks in the past year, Jackson said that there are “a whole lot of other PIN compromises going on that aren’t reported.”
Citibank has refused to comment on the situation, other than to say “We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts.”
They had bloody well better not, given that it’s their fault for setting up their ATM network on such an inherently - indeed predictably - insecure platform.
