Citibank Tries to Hush ATM Crypto Vulnerability
palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers' accounts because they claim their systems are secure."
Fees... (Score:1, Interesting)
and only 15 minutes ago.. (Score:2, Interesting)
Shut them up! (Score:2, Interesting)
This was covered at k5 also (Score:5, Interesting)
Read more here:
http://www.kuro5hin.org/story/2003/2/20/61350/054
Re:ATM? I don't need no stinkin' ATM! (Score:3, Interesting)
They should just give up... (Score:4, Interesting)
Now that it has been posted on
Re:How do banks secure ATM lines? (Score:5, Interesting)
ATMs are fallible in lots of ways (Score:5, Interesting)
I pulled out my wallet about an hour later. As I was thumbing through my cash to pay for something I discovered a ten dollar bill in the middle of my stack of twenties... HUH? Damned ATM machine ripped me off.
The next time I went by a Wells Fargo branch office, I reported the problem. They mentioned that there was some complicated method for submitting a complaint. I decided that it would cost me a lot more than $10 to try to get it back.
Am I missing something? (Score:3, Interesting)
Sure I could make a card, if I had the right equipment and had the card for long enough to make it, but in that case I could just as easily use the card.
I guess if I were super clever and I owned a business that used ATMs at the POS I could rig a line sniffer or something to save the ATM card info, then make some cards, then do this hack 15 times until I got the pin #, then I could steal 300.00 a day.
But if I owned a business why would I need to steal money?
Is there some easier way to use the pin #???
Re:Candid Camera (Score:3, Interesting)
I went to the ATM and tried to make a withdrawal. The machine tried to give me the cash, but something went wrong mechanically, and the money never came out.
I disputed the charge, but since their systems said that I did make the withdrawal, they didn't want to give me my money back.
I told them I wanted to see the surveillance tape for my personal records. Well, they didn't let me see the tape, but I'm assuming they looked at it and saw that no money came out of the machine. A few days later, I had a credit for the withdrawal.
An old vulnerability (Score:5, Interesting)
A student at my old school noticed once that the ATM machine had a problem and so voided the transaction he was making. He also noted that the ATM gave him his money before it gave the ATM card back.
He went up to an ATM one evening and slipped in his card. Pushed all the right buttons to take out his daily limit. Took the cash. The ATM asked if he wanted to do anything else, he said no. As the ATM was about to eject his card, he put his hand in front of the slot. The ATM displayed that there was a jam. It voided the transaction and displayed that it was unavailable. He removed his hand and was able to grab the card by its edge and pull it out. The ATM sensed the jam was cleared and displayed it was ready for business.
The procedure was repeated. and repeated. and repeated. Eventually the ATM was empty.
The next day he went into the bank, put down a pile of cash and explained to the manager that they had a problem.
Re:ATMs are fallible in lots of ways (Score:2, Interesting)
Re:Am I missing something? (Score:3, Interesting)
An imaginative person could come up with dozens of similar scenarios.
Who has access? (Score:2, Interesting)
From reading the article it would seem that the only people who could pull off something like this are "Bank Programmers," but there's a much bigger security hole that I can think of.
Here in Canada we have non-bank ATM machines proliferating across the countryside - it's basically a machine that performs an Interac (debit) transaction and spits out money. It runs over a telephone line, you can buy one for a few thousand dollars, and you plonk it down in the middle of a bar where people are too drunk to care that you're adding $2.00 to every transaction.
But who are the people making these machines? They have no certification that I'm aware of. I've seen at least a dozen varieties of these "mini-ATMs" from companies whose names I have never heard of. It seems to me that it would be very easy to build a few of these, rent them to bar owners or corner stores (also very common) and just log magnetic strips and PINs till the cows come home. What does the guy who owns the corner store know about security? He'll just be glad that he has an alternative in his store to offering debit himself, which costs him money on every transaction.
So anyway, if anybody has some plans or examples of how to build your own Interac-ATM please post them on the net ASAP and let's talk business.
Pin numbers aren't secure (Score:1, Interesting)
Re:Release the lawyers!!! (Score:3, Interesting)
Not surprising (Score:4, Interesting)
4 digits anyway (Score:3, Interesting)
How many morons we got on this ship?
Why bother to crack it when you can just read it? (Score:2, Interesting)
Re:RTFA! (Score:2, Interesting)
Yeah, I know that the DMCA is supposed to be about preventing illegal copying, but it gets stretched WAY beyond that sometimes. Maybe the banks would claim that the encrypted data in the ATM was copyrighted....
One other thing I forgot (Score:4, Interesting)
There are consultants that will analyze a bank's customer transaction histories in order to recommend a fee structure that will retain the highest number of customers and generate the most revenue from fees while lowering costs.
They do this with the teller fee, minimum balance fee, account inactivity fee and the overdraft fee.
Recently the check cashing fee was added to both make money on both the check writer and the casher while discouraging face to face business at the bank which lowers costs.
The high growth of bank profits combined with growing negative public perception of the fees has recently sparked a few recommendations toward more reasonable structures that actually do help people and the bank without so much profit.
Try and find a couple of those. They get almost zero notice.
See how it works? Remember that the next time you read a shiny well produced brochure that 'assures' you that no other bank is working harder for you.