CitiBank Card Numbers and PINS Stolen in Server Breach

Many years ago, (like ten or more) there was a major US bank (BoA, CitiBank I don’t remember) that had a major security breach. I don’t remember all the details, and Google has been less than helpful, but the bank in question was very forth coming, they announced the incident, released a press release, and detailed what happened. They then spent millions to revamp their entire security posture to prevent it from happening again. That bank lost millions of dollars of business afterwards despite the fact that after the breach it was probably the most secure bank in the country at that time.

Looks like banks have learned their lesson and now are keeping as quiet as possible about any and all compromises in their security.

Kevin Poulsen has written an excellent article over at Wired detailing the recent breach of ATM card numbers and their PINS. Seems that someone broke into a server that controlled CitiBank branded ATMs in various 7-11s across the country and then used the card numbers and PINs to create fake cards and drain bank accounts. There are a lot of unanswered questions about this case such as who was actually responsible for this server. Citibank is pointing the finger at a third party transaction processing company and that company seems to be denying any involvement. No one is being very forthcoming with the details, probably afraid of bad publicity and the loss of business that may result from it.

Consumers of course are protected by law from actual monetary losses but the hassle of having to get a new card number can’t be fun. Unfortunately there isn’t much the consumer can do to protect themselves against this sort of attack. You can try to avoid those stand alone ATM kiosks like those found in convenience stores and rely solely on ATMS at actual banks but in many cases that is just not practical. So keep a close eye on those statements, verify every line item and call your bank at the first sign of anything weird.

UPDATE: Thanks to NR for sending me a link to the CitiBank breach from 1995 that I referenced above.