Hackers attack Microsoft Windows-based ATM network; steal PIN codes and net millions

“Hackers broke into Citibank’s network of ATMs inside 7-Eleven stores and stole customers’ PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record,” Jordan Robertson reports for The Associated Press.

“The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals,” Robertson reports.

“The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem,” Robertson reports.

“Hackers are targeting the ATM system’s infrastructure, which is increasingly built on Microsoft Corp.’s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet,” Robertson reports.

“A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn’t been answered publicly,” Robertson reports. “All that’s known is they broke into the ATM network through a server at a third-party processor, which means they probably didn’t have to touch the ATMs at all to pull off the heist.”

Full article here.

[Thanks to MacDailyNews Reader “HMCIV” for the heads up.]

ATM IT Doofus #1: “Let’s make an ATM network based on the world’s most insecure OS, okay?” ATM IT Doofus #2: “Sounds like a plan!”

—   —   —

Peter explained, “Um, the 7-Eleven, right? You take a penny from the tray.”

Joanna asked, “From the crippled children?”

Peter replied, “No, that’s the jar. I’m talking about the tray, the pennies for everybody.”

Later…

Joanna, “You’re just this penny-stealing… wanna-be criminal… man.”

Peter, “Yeah, well, that may be. But at least I never slept with Lumbergh.”

41 Comments

  1. I think ATM companies should be legally required to disclose the operating system their machines are running. That way, I could be sure to avoid Microsoft-based ATMs like the plague.

    Of course, this would put Microsoft’s ATMs at an immediate disadvantage, as criminals would know which ones are the easiest targets.

    Why any security-conscious company would choose Microsoft to safeguard their data is completely beyond me. Microsoft have already proven their incompetence in this area several times over.

  2. If ATM machines used OS X, then they would be targeted just the same.

    Obviously this will be harder for them to exploit, but it would only take one security hole, and OS X has had its fair share of security holes. There is no denying that.

    *takes cover from the onslaught of insults*

  3. This should read “The case against three people and Microsoft in U.S. District Court for the Southern District of New York highlights a significant problem.”

    The Court should hold Microsoft for this problem, the Court should take every dollar in Microsoft’s account and close them down. If the software was done correctly all this hacking would not be going on.

  4. But… but…
    1. Microsoft Windows is enterprise ready. (Even crackers can use it)
    2. Our IT people said Microsoft Windows was secure. (Nobody gets in until it is cracked)
    3. There are lots of apps running on Microsoft Windows. (Including hackers’ apps)
    4. Microsoft Windows is cheaper. ($319.95 a copy, plus several millions of dollars)

  5. @Dave

    “Apple is no different. It was super easy to hack the iPhone which is based on OSX”

    Actually there’s a big difference. In the case of the iPhone you have physical access to the device for an extended period of time. It’s unrealistic to expect that you could make a device like that totally unhackable. In the end it’s just a piece of hardware and with enough time and access to the device you could hack just about any piece of hardware or software.

    This case is about being able to hack some software from a distance over the net. From what I’ve heard no one has yet been able to hack an iPhone over a network.

  6. Actually I want my ATMs to use something non-commercial (or at least the old-school VMS systems they used to use). It’s ridiculous for them to put all this sensitive information on any popular commercial OS… in particular Windows, which has proven to be a sieve.

    You reap what you sow, but it seems clients of the banks will take the worst fall.

  7. JAYGEE,

    No insults, your point is valid, but what I don’t understand is that companies knowingly use MS which by all accounts has more security holes than any other OS.

    So, even though OS X could theoretically be hacked just as Windows can be it is a well-known fact that it is more difficult to do so than Windows, yet companies don’t seem to care.

    And this is not a plug at all for OS X, you can replace OS X with Linux, Unix, Wii OS, Playstation OS and the statement would still be accurate.

    Oh and to the one that said that the iPhone was so easy to hack, well yes, that appears to be true, but that required that people have actual access to the device and its components. Don’t know of many hackers that have an ATM lying around.

    That doesn’t mean they couldn’t get one and hack into it, I just don’t think it would be “super easy” as you state.

  8. Reminds me of an attack a few years ago targeting MS SQL Server that took down bank systems scattered worldwide. Folks in South Korea, where the systems were widely used, couldn’t get money out of their ATMs the whole weekend until the systems were sanitized.

    Why critical systems are running Windows is beyond me. I mean really, one is warned against doing that right on the box!

  9. What next… putting autopilot sw on Windows? Next time terrorists will be able to hijack planes from the comfort of their homes…

    Today at my workplace I had to bring in my Mac because Windows XP running on VMWare was hosed (old legacy business application, in-house maintained, only Windows version existing).

    The tech guy discovered that some crucial files had been deleted by the anti-virus they had installed on XP. I did not know anti-virus programs had finally got that clever: they recognize Windows itself is a kind of a virus!

  10. Yeah! Diebold! They are infamous for the poor security of their voting machines. Anyone can rig an election with the things. So stoopid state governments like Maryland and Ohio buy them! And of course their resulting elections are fraught with fraud. Great.

    So here we have Windows, the world renowned #1 INSECURE operating system commercially available. It would even be hard to find a less secure OS anywhere! So let’s run our ATMs on Windows! Let’s take the single most sensitive part of our banking business structure and run it on the single most insecure operating system. Great.

    I for one would love to indicate with my financial accounts just how much I appreciate the thoughtfulness and technological intelligence of these banks. I’d love to say these banks get what they deserve. But the fact is that the customers are the ones who get hurt. The banks just clean up their mess and pass the cost of their moronic decisions on to their customers. Great.

  11. When will banks (or any big biz) take security seriously? Isn’t Citibank one of the biggest banks in the States? You’d think they’d make security of people’s $ a bigger priority.

    Didn’t a US Navy battleship run off of Windows NT years ago? That freaks me out.

  12. This article reminds me of when Bill Gates publicly stated how Vista was so good, he’d trust it to run the life support machines in hospitals and in the space shuttle…

    I wonder if they use Windows in the ICBM silos?

  13. For many years, ATMs (and, in NYC, MetroCard vending machines for the NY subway system) used to run OS/2. If you haven’t heard of it, this was IBM’s rock-solid desktop and server OS. Much better, more stable and secure than Windows NT (and subsequently, 2000). IBM officially abandoned development in 2001; yet many banks are still using it in their ATMs, especially in Europe. I have never ever seen an on-screen error message on an OS/2 ATM. In my neighbourhood, there are many banks with ATMs. Several have moved ATMs to Windows. How do I know? I oftentimes see a Windows error message on the screen (with ‘OK’ to continue).

    These people had better bring back the old OS/2. It just worked.

  14. Another Winblows Sucks Story:
    The computers at the 4 site clinic system that I work at were hosed last week by a virus that got into the server system and started chewing things up. Not good when you use an electronic medical record and not a paper chart in sight!
