InsideTech

News >> Browse Articles >> Security

Citibank ATM Breach Reveals PIN Security Problems

Getting the PINs is a key step for identity thieves. It lets criminals encode stolen account information onto blank ATM cards and withdraw piles of cash from compromised accounts.

Don Jackson, director of threat intelligence for SecureWorks Inc., said he has seen an “alarming” spike in the number of attacks on back-end computers for ATM networks over the past year.

“This was fairly large, but I don’t think it’s anything out of the ordinary – these kinds of scams go on every day,” Jackson said. “What makes this case unique is the sheer luck of happening upon these guys and catching them red-handed. But there are a whole lot of other ATM and PIN compromises going on that aren’t reported.”

The alleged plot is outlined in court papers supporting the prosecution of three people – Yuriy Rakushchynets, Ivan Biltse and Angelina Kitaeva. They were indicted in March on two counts each of conspiracy and fraud. Prosecutors say their activities generated at least $2 million in illegal profits.

Defense lawyers for all three people did not return calls for comment, and it was not clear where they had been living. The main defendant, Rakushchynets, was described as having Michigan and Florida’s driver licenses in a February FBI affidavit for an arrest warrant.

Citibank, part of Citigroup Inc., has declined to comment on the technique or how many customers’ accounts were compromised. It said it notified affected customers and issued them new debit cards.

“We want our customers to know that, consistent with legal requirements, we do not hold them responsible for fraudulent activity in their accounts,” the bank said in a statement.

Cardtronics said it is cooperating with authorities but otherwise declined to comment. Fiserv spokeswoman Melanie Tolley said the intrusion didn’t happen on Fiserv’s servers.

“Fiserv,” she said, “is confident in the integrity and security of our system.”

© 2008, YellowBrix, Inc.