Citibank Tries to Hush ATM Crypto Vulnerability
palme999 writes "Citibank is trying to get a gag order for new vulnerabilities found in the cryptographic equipment commonly used to protect the PINs of ATM transactions. The vulnerabilities came to light during a court case involving 'phantom' ATM transactions that users deny making but that banks still charge to customers' accounts because they claim their systems are secure."
Release the lawyers!!! (Score:3, Insightful)
Does anybody smell a class-action for ATM users who have filed these complaints? It would probably work similarly to the CD price-fixing settlement that was in the news lately, since it would be hard to identify the specific members of the class.
dmca problems, again? (Score:3, Insightful)
This is SERIOUS (Score:5, Insightful)
From the article
What the bank is doing is very irresponsible. I hope they get lots of bad publicity for this. Getting on /. is a good start.
They Can't (Score:3, Insightful)
Tell 'em to prove it.
Well, as nice as it would be to have them prove the security, it is technically impossible to prove that a system is secure. It is only possible to prove that a system is not secure by exposing a flaw.
neurostar
Re:Release the lawyers!!! (Score:3, Insightful)
It should be pointed out that this is a problem in the UK, but the US has saner legal rules. The article mentions that Citibank lost a similar case in the US, so apparently the US doesn't think that "our system is secure; it must be the user's fault" is sufficient defense.
Re:Shut them up! (Score:5, Insightful)
Citibank has no interest in "the best interest of its customers." Like any other megacorp, they don't give a shit about you. They're much more concerned about the embarrassment of admitting that their security is worthless than they are about actually keeping people's money safe. The only way to get them to fix this problem is to publicize it as loudly as possible, because then not fixing the problem becomes even more of an embarrassment for them.
Re:This is SERIOUS (Score:5, Insightful)
Last I checked, it's significantly illegal to be less than honest with the courts.
Re:This is SERIOUS (Score:2, Insightful)
Re:Fees... (Score:5, Insightful)
Re:Go back to sleep children (Score:5, Insightful)
When I think about this, the fact that this post was modded as "insightful" by someone is perhaps the most frightening thing I've seen in a long time.
Re:ATM with an eye (Score:3, Insightful)
Most ATMs in the US are under video surveillance, too.
Of course, this won't prevent me from using a technical exploit to rob them. All I need to do is find an ATM in a somewhat secluded place (not hard), put on a ski mask just before I go to work and not take it off while I'm robbing the thing blind.
Cameras != protection from crime. They just assist in catching stupid criminals.
Re:Go back to sleep children (Score:3, Insightful)
I agree. I'm frightened myself, and had a high level of sarcasm when I wrote it, but I feel that this basic sales pitch is done over and over again to the mass public and for the most part they buy it! The moderators probably picked up on that and agreed.
The real threat (Score:5, Insightful)
but then I thought, well, where could you do this and not get caught? How about North Korea or Nigeria? North Korea already mints high-tech counterfeit US 100 dollar bills on government printing presses. So this would be small but useful potatoes.
but more important than the money, it also would make a nice weapon: UN provokes N. Korea, N. Korea dumps 100,000 cards with PINs written on them in, say, the NY subway system. Next day all ATM banking is halted worldwide. Nice little panic. Travelers stranded. Runs on banks as people have to now go inside to get money and they run out of cash. Anyhow, you get the idea.
or maybe just one of the millions of merchant accounts Visa hands out is owned by
Yikes
Re:ATM? I don't need no stinkin' ATM! (Score:3, Insightful)
But most people will choose to pay $1.00 for a loaf of bread instead of $1.50. In that case, they are giving up the "old way" for that $0.50. It's their choice. You can't blame it all on Walmart.
Re:This is SERIOUS (Score:3, Insightful)
Notice that one of the proposed fixes was to create an audit trail.
Re:A second ATM PIN crack in NEWS today (Score:1, Insightful)
Because you don't have the DES keys stored on the secure hardware device. I came to read comments hoping to gain some knowledge on the specifics of this attack by maybe reading some posts by slashdotters who work in the field, but I had once again overestimated the collective IQ of this assumption-happy crowd. Sigh...
You know what sucks about this? (Score:4, Insightful)
The bank's current position is that everything works fine. After all, they do handle the world economy every day, so your little small potatoes checking account is no big deal, right?
Unless you can demonstrate a bank error that meets their criteria I might add, the bank basically says you must pay all fees like it or not.
So, let me tell you from experience, you are screwed. Either you pay even though you may not be totally in the wrong, or you don't.
If you pay, you will be out some cash, but the bank will be happy to let you continue doing business and will even screw you again later if you are willing.
If you don't pay, it gets worse. They charge off your account so they can get the tax benefit. They still send you to collections, and they report you to ChexSystems. This database will record your debt to your current bank and will be used as the reason you cannot get new accounts elsewhere. 95% of all banks use this. Getting a record removed is very difficult. The worst part is that even if you pay at this stage, your record will last for 7 years.
Big banks really suck right now. There are only a few laws they must follow, the rest are rules and regulations they get to set for us without our feedback. Big banks are greedy and are making more money each year. They charge fees for almost anything and have no reasonable appeal process. Currently the larger banks are even beginning to charge check cashing fees on their own checks!
You could write me a check for $5.00 and it could be worth nothing if I presented it to the bank it was drafted on.
My advice to you would be to pay that bank, and realize that (1) you have no power here (trust me, I tried hard to work through a problem with my bank and could not) and (2) big banks are not working in your best interests.
Keep your banking record clean and look for a smaller bank that actually wants your business and will serve you as needed to keep it.
Things to look for:
- Low fees across the board.
- Daily caps on overdraft charges to prevent cascading fees. (This is what happened to me. $300 turned into $1100 in a couple of days !?!)
- Teller access without fees
- Reasonable ATM policy. No double dipping ATM transactions. Some bigger banks can and do charge you for use of a free ATM even though the ATM owner does not!
For those wondering, the banks that I have found particularly nasty are:
US Bank
Beginning to impose check cashing fees, highest overdraft charge with no daily cap, poor deposit policy. They hold every check they can for three days. Their own tellers advise you to cash your check then deposit cash.
Key Bank
Very strict on transaction type. Will freeze accounts for very little reason. A disagreement with a teller is enough for this. Check cashing fees with no daily cap. Poor deposit policy combined with their allowed transaction types make some common deposits very difficult.
Both banks guilty of transaction ordering with intent to charge fees. Basically they will clear large checks in order to let many smaller ones bounce. They say it is for your own good, but realistically which is better? Personally, I would rather reissue the larger check, pay the fees and use the rest of my money to cover the damage as cheap as I can. You decide.
Both banks guilty of issuing dangerous check cards by default. Check card works like credit, but with none of the protections.
All this talk of PIN theft is one thing, losing one of these cards is way worse. They can use it any number of places without a PIN and you have to pay.
Personally, the errors are likely to be unstated fees for transactions. Many places charge a fee when you use a debit card. Not all of them let you know about it even though they should. Another error comes from charges when you pay for dinner out. Remember the little place on the receipt for tips? If you don't fill it out, they can later. Problem here is that you don't always get to see the amount they key into the little Visa machine. Your copy says one thing, theirs says another.
Seriously, if you are banking with a larger bank, ditch it and go shopping and tell your friends when you are done. You will be better for it.