Hackers attack Microsoft Windows-based ATM network; steal PIN codes and net millions

“Hackers broke into Citibank’s network of ATMs inside 7-Eleven stores and stole customers’ PIN codes, according to recent court filings that revealed a disturbing security hole in the most sensitive part of a banking record,” Jordan Robertson reports for The Associated Press.

“The scam netted the alleged identity thieves millions of dollars. But more importantly for consumers, it indicates criminals were able to access PINs — the numeric passwords that theoretically are among the most closely guarded elements of banking transactions — by attacking the back-end computers responsible for approving the cash withdrawals,” Robertson reports.

“The case against three people in U.S. District Court for the Southern District of New York highlights a significant problem,” Robertson reports.

“Hackers are targeting the ATM system’s infrastructure, which is increasingly built on Microsoft Corp.’s Windows operating system and allows machines to be remotely diagnosed and repaired over the Internet,” Robertson reports.

“A critical issue in the investigation is how the hackers infiltrated the system, a question that still hasn’t been answered publicly,” Robertson reports. “All that’s known is they broke into the ATM network through a server at a third-party processor, which means they probably didn’t have to touch the ATMs at all to pull off the heist.”

Full article here.

[Thanks to MacDailyNews Reader “HMCIV” for the heads up.]

ATM IT Doofus #1: “Let’s make an ATM network based on the world’s most insecure OS, okay?” ATM IT Doofus #2: “Sounds like a plan!”

—   —   —

Peter explained, “Um, the 7-Eleven, right? You take a penny from the tray.”

Joanna asked, “From the crippled children?”

Peter replied, “No, that’s the jar. I’m talking about the tray, the pennies for everybody.”


Joanna, “You’re just this penny-stealing… wanna-be criminal… man.”

Peter, “Yeah, well, that may be. But at least I never slept with Lumbergh.”


  1. I think ATM companies should be legally required to disclose the operating system their machines are running. That way, I could be sure to avoid Microsoft-based ATMs like the plague.

    Of course, this would put Microsoft’s ATMs at an immediate disadvantage, as criminals would know which ones are the easiest targets.

    Why any security-conscious company would choose Microsoft to safeguard their data is completely beyond me. Microsoft have already proven their incompetence in this area several times over.

  2. If ATM machines used OS X, then they would be targeted just the same.

    Obviously this will be harder for them to exploit, but it would only take one security hole, and OS X has had its fair share of security holes. There is no denying that.

    *takes cover from the onslaught of insults*

  3. This should read “The case against three people and Microsoft in U.S. District Court for the Southern District of New York highlights a significant problem,”

    The Court should hold Microsoft for this problem, the Court should take every dollar in Microsoft’s account and close them down. If the software was done correctly all this hacking would not be going on.

  4. But… but…
    1. Microsoft Windows is enterprise ready. (Even crackers can use it)
    2. Our IT people said Microsoft Windows was secure. (Nobody gets in until it is cracked)
    3. There are lots of apps running on Microsoft Windows. (Including hackers’ apps)
    4. Microsoft Windows is cheaper. ($319.95 a copy, plus several millions of dollars)

  5. @Dave

    “Apple is no different. It was super easy to hack the iPhone which is based on OSX”

    Actually there’s a big difference. In the case of the iPhone you have physical access to the device for an extended piece of time. It’s unrealistic to expect that you could make a device like that totally unhackable. In the end it’s just a piece of hardware and with enough time and access to the device you could hack just about any piece of hardware or software.

    This case is about being able to hack some software from a distance over the net. From what I’ve heard no one has yet been able to hack an iPhone over a network.

  6. Actually I want my ATMs to use something non-commercial (or at least the old-school VMS systems they used to use). It’s ridiculous for them to put all this sensitive information on any popular commercial OS… in particular Windows, which has proven to be a sieve.

    You reap what you sow, but it seems clients of the banks will take the worst fall.

  7. JAYGEE,

    No insults, your point is valid, but what I don’t understand is that companies knowingly use MS which by all accounts has more security holes than any other OS.

    So, even though OS X could theoretically be hacked just as Windows can be it is a well-known fact that it is more difficult to do so than Windows, yet companies don’t seem to care.

    And this is not a plug at all for OS X, you can replace OS X with Linux, Unix, Wii OS, Playstation OS and the statement would still be accurate.

    Oh and to the one that said that the iPhone was so easy to hack, well yes, that appears to be true, but that required that people have actual access to the device and its components. Don’t know of many hackers that have an ATM lying around.

    That doesn’t mean they couldn’t get one and hack into it, I just don’t think it would be “super easy” as you state.

  8. Reminds me of an attack a few years ago targeting MS SQL Server that took down bank systems scattered worldwide. Folks in South Korea, where the systems were widely used, couldn’t get money out of their ATMs the whole weekend until the systems were sanitized.

    Why critical systems are running Windows is beyond me. I mean really, one is warned against doing that right on the box!
